[Openvpn-devel,v1] tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
| Message ID | 20251122162553.12254-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Series | [Openvpn-devel,v1] tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age |
Commit Message
Gert Doering
Nov. 22, 2025, 4:25 p.m. UTC
From: Frank Lichtenheld <frank@lichtenheld.com>

Coverity complained about "overflow_before_widen" because there is a theoretical overflow that can happen even though the target value is wide enough. For useful values of max_days this is irrelevant but Coverity is not wrong, so change the code accordingly.

Change-Id: Ie7308d549182a95b86cd113e4a8cc65ff45ba3d7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1385

---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1385
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>
Comments
What it says... :-) - stared-at, not tested in any meaningful way.
Your patch has been applied to the master branch.
commit 2969837ad347a227e1d33b1c71390d85f16aa2cd
Author: Frank Lichtenheld
Date: Sat Nov 22 17:25:47 2025 +0100
tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1385
Message-Id: <20251122162553.12254-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 318c939..9026cff 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -539,7 +539,7 @@ int64_t timestamp; memcpy(×tamp, metadata + 1, sizeof(int64_t)); timestamp = (int64_t)ntohll((uint64_t)timestamp); - int64_t max_age_in_seconds = max_days * 24 * 60 * 60; + int64_t max_age_in_seconds = (int64_t)max_days * 24 * 60 * 60; if (now - timestamp > max_age_in_seconds) { msg(M_WARN, "ERROR: Client key is too old.");
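Review bot: In the unchanged context line `if (now - timestamp > max_age_in_seconds)`, the subtraction is left unguarded even though `timestamp` is a full-range int64_t decoded from the metadata with ntohll(): a timestamp later than `now` yields a negative age that passes the check, and an extreme negative value can overflow the subtraction itself if `now` is a signed 64-bit type (its declaration is not visible in this hunk). Consider rejecting out-of-range timestamps (for example `timestamp < 0` or `timestamp > now`) before computing the difference. On the changed line, the cast works only because it binds to `max_days` before the first multiplication; a one-line comment saying so would keep a later cleanup from turning it back into `(int64_t)(max_days * 24 * 60 * 60)`, which would reintroduce the narrow multiplication.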