From patchwork Tue Dec 6 13:36:47 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2887
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 6 Dec 2022 14:36:47 +0100
Message-Id: <20221206133647.954724-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Fix connection cookie not including address and fix endianness in test

We accidentally checked the address family size instead of the address family. For unit test checks we need to consider endianness to ensure the hmac for the address is always the same. The real code does not care about endian since it only needs it to be the same on the same architecture.
Converting the session to endianness is strictly speaking unnecessary for the actual function of the function but is almost no overhead and makes the unit testing more robust.

Reported by David trying to the package on Red Hat/s390x and painfully debugged by setting up an s390x qemu machine that takes 40s just to run ./configure.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl_pkt.c | 4 ++--
 tests/unit_tests/openvpn/test_pkt.c | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 7891e10ee..46bca21d8 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c @@ -495,7 +495,7 @@ calculate_session_id_hmac(struct session_id client_sid, /* Get the valid time quantisation for our hmac, * we divide time by handwindow/2 and allow the previous * and future session time if specified by offset */ - uint32_t session_id_time = now/((handwindow+1)/2) + offset; + uint32_t session_id_time = ntohl(now/((handwindow+1)/2) + offset); hmac_ctx_reset(hmac); /* We do not care about endian here since it does not need to be @@ -504,7 +504,7 @@ calculate_session_id_hmac(struct session_id client_sid, sizeof(session_id_time)); /* add client IP and port */ - switch (af_addr_size(from->addr.sa.sa_family)) + switch (from->addr.sa.sa_family) { case AF_INET: hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in4, sizeof(struct sockaddr_in)); diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c index 2d771e301..1af46b7fb 100644 --- a/tests/unit_tests/openvpn/test_pkt.c +++ b/tests/unit_tests/openvpn/test_pkt.c @@ -435,6 +435,8 @@ test_verify_hmac_none(void **ut_state) hmac_ctx_t *hmac = session_id_hmac_init(); struct link_socket_actual from = { 0 }; + from.dest.addr.sa.sa_family = AF_INET; + struct tls_auth_standalone tas = { 0 }; struct tls_pre_decrypt_state state = { 0 }; 
@@ -463,7 +465,7 @@ init_static_hmac(void) ASSERT(md_valid("SHA256")); hmac_ctx_t *hmac_ctx = hmac_ctx_new(); - uint8_t key[SHA256_DIGEST_LENGTH] = {1, 2, 3}; + uint8_t key[SHA256_DIGEST_LENGTH] = {1, 2, 3, 0}; hmac_ctx_init(hmac_ctx, key, "SHA256"); return hmac_ctx; @@ -475,14 +477,14 @@ test_calc_session_id_hmac_static(void **ut_state) hmac_ctx_t *hmac = init_static_hmac(); static const int handwindow = 100; - struct openvpn_sockaddr addr = {0 }; + struct openvpn_sockaddr addr = { 0 }; /* we do not use htons functions here since the hmac calculate function * also does not care about the endianness of the data but just assumes * the endianness doesn't change between calls */ addr.addr.in4.sin_family = AF_INET; - addr.addr.in4.sin_addr.s_addr = 0xff000ff; - addr.addr.in4.sin_port = 1194; + addr.addr.in4.sin_addr.s_addr = ntohl(0xff000ff); + addr.addr.in4.sin_port = ntohs(1195); struct session_id client_id = { {0, 1, 2, 3, 4, 5, 6, 7}}; @@ -490,7 +492,7 @@ test_calc_session_id_hmac_static(void **ut_state) now = 1005; struct session_id server_id = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 0); - struct session_id expected_server_id = { {0xba, 0x83, 0xa9, 0x00, 0x72, 0xbd, 0x93, 0xba }}; + struct session_id expected_server_id = { {0x84, 0x73, 0x52, 0x2b, 0x5b, 0xa9, 0x2a, 0x70 }}; assert_memory_equal(expected_server_id.id, server_id.id, SID_SIZE); struct session_id server_id_m1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
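Review bot: in the first ssl_pkt.c hunk (@@ -495,7) the context comment right after the changed line, "We do not care about endian here since it does not need to be ...", now contradicts the code, which byte-swaps session_id_time; update it to say the swap buys nothing for the cookie itself but makes the digest identical on big- and little-endian hosts so the unit test vector is portable. Also, the conversion expresses the host-to-network direction, so htonl() is the conventional spelling; ntohl() yields the same bytes on every supported platform but reads as the inverse operation.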
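Review bot: the second ssl_pkt.c hunk (@@ -504,7) is the real fix and deserves a guard so the bug cannot return silently: af_addr_size() returns a byte length, not a family constant, so the `case AF_INET:` label never matched and the client IP and port were simply left out of the HMAC, meaning the session cookie was not bound to the peer address at all. A `default:` branch that ASSERTs (or at least logs) an unexpected sa_family would have made the original mistake fail loudly instead of quietly weakening the cookie, and a unit test asserting that two different addresses produce different digests would be the direct regression check for this bug.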
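Review bot: in the test_verify_hmac_none hunk (@@ -435,6) setting only sa_family leaves the sin_addr and sin_port bytes of `from` at zero, so the test now takes the AF_INET branch but hashes an all-zero address; giving `from.dest.addr.in4` a non-zero address and port, as the static test further down does, would make this path cover a realistic input. A one-line comment on the new assignment saying that calculate_session_id_hmac skips the address unless the family is set would also help, since the bare assignment looks incidental.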
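Review bot: the `, 0` added to the key initializer in init_static_hmac (@@ -463,7) is a no-op: C zero-fills the remaining elements of a partially initialized array, so `{1, 2, 3}` and `{1, 2, 3, 0}` produce the same SHA256_DIGEST_LENGTH-byte key. If the intent is to document that the rest of the key is zero, a comment says that more clearly than a redundant initializer; otherwise drop this hunk to keep the patch focused on the fix.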
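Review bot: in the test_calc_session_id_hmac_static hunk (@@ -475,14) the context comment above the changed lines ("we do not use htons functions here since the hmac calculate function also does not care about the endianness ...") now states the opposite of what the code does, since the new lines call ntohl() and ntohs(); rewrite it to explain that the values are stored in network byte order so the expected digest is the same on s390x and x86_64. Two smaller points: htonl()/htons() are the conventional names for the host-to-network direction being expressed here, and the change of the port from 1194 to 1195 is not mentioned in the commit message; if it is just a fresh test value, say so in a comment, otherwise keep 1194 to keep the diff minimal.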
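Review bot: the new expected_server_id in the last hunk (@@ -490,7) is a bare magic constant replacing another; since its value now depends on the address bytes, the byte-swapped time and the static key, a comment recording how it was derived (for instance that it was confirmed identical on a little-endian and a big-endian build, as the commit message describes) will let the next person who touches the HMAC input regenerate it with confidence. It would also be worth adding an assertion that a different addr (or sin_port) yields a different server_id, which is the property the af_addr_size bug broke and which this constant alone does not demonstrate.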