From patchwork Mon Nov 11 01:59:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "flichtenheld (Code Review)" X-Patchwork-Id: 3927 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:41ba:b0:5d9:9f4c:3bc7 with SMTP id a26csp2277995mad; Sun, 10 Nov 2024 18:00:06 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCW13tcB92fhqOeeTe03VhXPD933PPx1iq5qL1GMDKE+Kjmw7Tla962hgj9IGuBX+eFdu2+7ORRRZkI=@openvpn.net X-Google-Smtp-Source: AGHT+IEgU/2sOQ5f1ciIcg6UToi6z+4QhiVvbhYp7Y2i6oGOJXHtCYUc4Pnr8PIxcZTDm5J51feR X-Received: by 2002:a05:6808:428b:b0:3e7:a284:9b13 with SMTP id 5614622812f47-3e7a2849cd2mr1474060b6e.21.1731290405894; Sun, 10 Nov 2024 18:00:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731290405; cv=none; d=google.com; s=arc-20240605; b=bTVbCukLhABtqCuOopUHXYnPLku8LgI8SJS8bFDUGAWlLZPF/Eh8QR4JKF2PWiPEoL Hm7jgl7bF9dKTTiriwvOtsm1iJa6raD2ZLneDIsjYpvzVHdfdPTjzKSD1k4W67Ge5do2 RIxqXcgOo7KRXd5s5nmE+FxfmPYkKyXdpBVwXd3tFRKea1shTeS75sDFVy3cD5YOuagQ 3t/OlVOmcQriJXGZIkOvX8TflzayFMZVp/AHzVDAiKPXyKMDrHwsRuj4I6UlWXmrwvOq QrSP8VyzxOc1DO0CNHkpt1MoY7XTeQN5YbN8PsN6GgETPirnb4SqKkSJcZr0fLPDqF6y u3FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=8CA5MDhSnxyGHcv2GY2EEMasT0wXDTiBoVcPhv3gDEQ=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=McdzZwifANgQiXsf4hxOWDTHyqiNJdke1LpnkquG8oNJ0JKrRXsCnMh98GV6xmXt35 gf24wrVRPEFS+U0bGFEcJLkKs8OP5sviaGVv/iwSBjlSFbdSPh0m3mNjnludwP7PPkA6 LDjoDGUvPZ8h2XUhIBAi/tWA84NGfs49qtt7d0O0M6U4XoUQ5xQi/dsMds18wDl/S3gO SRt2RbvU0PpTjy/nwQWuDnww9RG+TbH78aWFl/x+0ERvz2rk+okQE/ZNh+vQTsifxNJK jU77P3FFzJAr2jgPaAe6eLYOD0AvOxgImQRl3AB2PtIMh/wthNH0LJfKOW7jpzfOhPff EZdQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=VPflm7xo; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=O8HHEKvy; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=DeA6jCb8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-3e78cd6d768si4920178b6e.243.2024.11.10.18.00.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 10 Nov 2024 18:00:05 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=VPflm7xo; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=O8HHEKvy; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=DeA6jCb8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tAJia-0007GI-U4; Mon, 11 Nov 2024 01:59:53 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tAJiZ-0007GB-8y for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 01:59:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=8OswPF+Ry5fwYLYwn7fUccgsIz4XRMsyj8UTstreg7c=; b=VPflm7xoNz4CcyFXAngP2p0PHV P/oc/sdogzBT6+SajsS+fLXpLefj+Om+yxYwEH3POBN9B8/8/keaorR8HBW7isgp/h4vua3nXmWuO DvcVnJ+Ba937ssJ/xOhk1/sg3WfrhdXIM5ubHpSzItJFwp7kfmPtcMs/InFTfysqInb0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=8OswPF+Ry5fwYLYwn7fUccgsIz4XRMsyj8UTstreg7c=; b=O 8HHEKvywI8lTq4+AflYTjo8RUl3t0P94t55dZ6DqfFoHbgZf+NkxEcTS3ptkZBlT3B5R6oO05LVCU nGu5XUqeKQgi1/P0yfBU9FMMDCS66Dg6FtwfdgQhYvH6AIECS2WxbmikznfyBpQ2Opsd8L/whCQ5D JQsZRWJv1O+mBmXs=; Received: from mail-wm1-f44.google.com ([209.85.128.44]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1tAJiY-0001YK-4K for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 01:59:51 +0000 Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-4315eac969aso22308385e9.1 for ; Sun, 10 Nov 2024 17:59:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1731290378; x=1731895178; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=8OswPF+Ry5fwYLYwn7fUccgsIz4XRMsyj8UTstreg7c=; b=DeA6jCb8S4qpuHzRPansLg/7PWPLkOZrH2TSa27+0D+WT2sKhXJa49nmRLDj+fbXSi 0FtHZqz8e4rIdjF0pbDF4PCNWyLiFGhrkYLeWJu5SKclwyDRbQTkhLNnQsaCcFtlvKr3 bKgzCT4Cm/keleg4NP0dLtVqvhlNm8hdMHsiaIwi0dm/Q6RhBTE3bCMf1y6VO0AZL34y vgK6R+B1n3EDktM3aR/NR/bMeDIvH46WaJIir6k3YaKm5VHWF+dSD4mKreSaoVMG4FfW 0pr5xpzZSR4YaxyWSXlDDdcTjvU/2zUW3clRYkGjdSM9aFccMcOPvwXt5VJskiidp6Jm I86w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731290378; x=1731895178; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=8OswPF+Ry5fwYLYwn7fUccgsIz4XRMsyj8UTstreg7c=; b=EIW1yy7NBP5IXFR1a3xI5ZWIEcxQuB3QsTgr5hGuf4H/om9yQRt1yRp+6jyvnjpd9C cK/aj01r2SSvXSNn0AL7f+3gd3jr5RcUtsAjNKRU6jLB7Th3k/vkEVIYugE8OTjCxC2Y tQwhjo8jS8/XPTMmXVFKeRAgvMwemY/3MCIN4Dq58u5fp5O07h5FeKFKrAwILZPID05w OEcFvPEtOZBR8eQSXZBwxtEo4Z8hzvUmrh3in0nT9WNmo4pXjALTGJwfoWaub43Bt2so r5WVCeV2AVXoZk9X2pk70ONfO9MKLntm/zz6hKFThHgmOElxGRNFpRuaFOHICkRwOheh BFZA== X-Gm-Message-State: AOJu0YzvxevFhhQ7XxBglV+FK+L5068REqx2hWFMgCrCAhb9SrScbd9R 2/yQOfMTvZ9fAqIexLNA7V5CpENT0+NtFEiZH8JH1GnfkOVgyI+NHHr7icnePRMkZJXnfu77kbN Y X-Received: by 2002:a05:600c:a43:b0:42c:b991:98bc with SMTP id 5b1f17b1804b1-432b68078b3mr99305605e9.0.1731290378335; Sun, 10 Nov 2024 17:59:38 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-432aa73a2d8sm190585505e9.41.2024.11.10.17.59.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 Nov 2024 17:59:37 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Mon, 11 Nov 2024 01:59:37 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I993e7fc5609955d271e74370affc2eea340a1e2d X-Gerrit-Change-Number: 795 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 13c1eaf60a75ce4b19265c18caced77dfe83f561 References: Message-ID: <05e024ace659f10fd80849bbbf2b5423f140fff8-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.44 listed in list.dnswl.org] -0.7 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.44 listed in wl.mailspike.net] 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1tAJiY-0001YK-4K Subject: [Openvpn-devel] [S] Change in openvpn[master]: Change --reneg-bytes and --reneg-packets to 64 bit counters X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1815389568487211440?= X-GMAIL-MSGID: =?utf-8?q?1815389568487211440?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/795?usp=email to review the following change. Change subject: Change --reneg-bytes and --reneg-packets to 64 bit counters ...................................................................... Change --reneg-bytes and --reneg-packets to 64 bit counters reneg-bytes can currently only specify up to a maximum of 2GB. This makes it even problematic to use without extended counters. Change-Id: I993e7fc5609955d271e74370affc2eea340a1e2d Signed-off-by: Arne Schwabe --- M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl.c M src/openvpn/ssl_common.h 4 files changed, 24 insertions(+), 10 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/795/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1beb0ee..10ee9f6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2032,8 +2032,8 @@ SHOW_INT(tls_timeout); - SHOW_INT(renegotiate_bytes); - SHOW_INT(renegotiate_packets); + SHOW_INT64(renegotiate_bytes); + SHOW_INT64(renegotiate_packets); SHOW_INT(renegotiate_seconds); SHOW_INT(handshake_window); @@ -9187,12 +9187,26 @@ else if (streq(p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_bytes = positive_atoi(p[1]); + char *end; + long long reneg_bytes = strtoll(p[1], &end, 10); + if (*end != '\0' || reneg_bytes < 0) + { + msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_bytes = reneg_bytes; } else if (streq(p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_packets = positive_atoi(p[1]); + char *end; + long long pkt_max = strtoll(p[1], &end, 10); + if (*end != '\0' || pkt_max < 0) + { + msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_packets = pkt_max; } else if (streq(p[0], "reneg-sec") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index ee39dbb..6ab92e2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -626,8 +626,8 @@ int tls_timeout; /* Data channel key renegotiation parameters */ - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; int renegotiate_seconds; int renegotiate_seconds_min; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c48a85c..ab55365 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -118,7 +118,7 @@ * May *not* be NULL. */ static void -tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) +tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes) { if (cipher_kt_insecure(ciphername)) { @@ -3028,7 +3028,7 @@ && should_trigger_renegotiation(session, ks)) { msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format - "/%d pkts=" counter_format "/%d", + "/%" PRIi64 " pkts=" counter_format "/%" PRIi64, (int) (now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes, session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 5bc2f2a..5840e2d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -331,8 +331,8 @@ int transition_window; int handshake_window; interval_t packet_timeout; - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; interval_t renegotiate_seconds; /* cert verification parms */