From patchwork Mon Oct 9 10:51:51 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3386
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Arne Schwabe
Date: Mon, 9 Oct 2023 12:51:51 +0200
Message-Id: <20231009105151.34074-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] Change type of frame.mss_fix to uint16_t

Since in the end
this always ends up as an uint16_t anyway, just make the conversion much earlier. Cleans up the code and removes some -Wconversion warnings. v2: - proper error handling in options.c v4: - also introduce a minimum mssfix Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/268 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index dbd3681..d7ee4c2 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -44,7 +44,7 @@ * if yes, hand to mss_fixup_dowork() */ void -mss_fixup_ipv4(struct buffer *buf, int maxmss) +mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss) { const struct openvpn_iphdr *pip; int hlen; @@ -72,7 +72,7 @@ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { - mss_fixup_dowork(&newbuf, (uint16_t) maxmss); + mss_fixup_dowork(&newbuf, maxmss); } } } @@ -84,7 +84,7 @@ * (IPv6 header structure is sufficiently different from IPv4...) */ void -mss_fixup_ipv6(struct buffer *buf, int maxmss) +mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss) { const struct openvpn_ipv6hdr *pip6; struct buffer newbuf; @@ -130,7 +130,7 @@ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { - mss_fixup_dowork(&newbuf, (uint16_t) maxmss-20); + mss_fixup_dowork(&newbuf, maxmss-20); } } } 
@@ -191,13 +191,14 @@ { continue; } - mssval = (opt[2]<<8)+opt[3]; + mssval = opt[2] << 8; + mssval += opt[3]; if (mssval > maxmss) { - dmsg(D_MSS, "MSS: %d -> %d", (int) mssval, (int) maxmss); + dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss); accumulate = htons(mssval); - opt[2] = (maxmss>>8)&0xff; - opt[3] = maxmss&0xff; + opt[2] = (uint8_t)((maxmss>>8)&0xff); + opt[3] = (uint8_t)(maxmss&0xff); accumulate -= htons(maxmss); ADJUST_CHECKSUM(accumulate, tc->check); } @@ -291,7 +292,7 @@ { /* we subtract IPv4 and TCP overhead here, mssfix method will add the * extra 20 for IPv6 */ - frame->mss_fix = options->ce.mssfix - (20 + 20); + frame->mss_fix = (uint16_t)(options->ce.mssfix - (20 + 20)); return; } @@ -325,7 +326,7 @@ /* This is the target value our payload needs to be smaller */ unsigned int target = options->ce.mssfix - overhead; - frame->mss_fix = adjust_payload_max_cbc(kt, target) - payload_overhead; + frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead); } diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 1c4704b..b2a68cf 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -29,9 +29,9 @@ #include "mtu.h" #include "ssl_common.h" -void mss_fixup_ipv4(struct buffer *buf, int maxmss); +void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss); -void mss_fixup_ipv6(struct buffer *buf, int maxmss); +void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 56db118..81851d3 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -203,7 +203,7 @@ buf_printf(&out, "%s ", prefix); } buf_printf(&out, "["); - buf_printf(&out, " mss_fix:%d", frame->mss_fix); + buf_printf(&out, " mss_fix:%" PRIu16, frame->mss_fix); #ifdef ENABLE_FRAGMENT buf_printf(&out, " max_frag:%d", frame->max_fragment_size); #endif diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index b602b86..c64398d 100644 
--- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -115,7 +115,7 @@ * decryption/encryption or compression. */ } buf; - unsigned int mss_fix; /**< The actual MSS value that should be + uint16_t mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For * IPv6 packets another 20 bytes must diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c6f9ac3..b42aa69 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7234,9 +7234,19 @@ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + int mssfix = positive_atoi(p[1]); + /* can be 0, but otherwise it needs to be high enough so we can + * substract room for headers. */ + if (mssfix != 0 + && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX)) + { + msg(msglevel, "--mssfix value '%s' is invalid", p[1]); + goto err; + } + /* value specified, assume encapsulation is not * included unless "mtu" follows later */ - options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix = mssfix; options->ce.mssfix_encap = false; options->ce.mssfix_default = false; }
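
Review bot: In the mss_fixup_ipv6 hunk of src/openvpn/mss.c (@@ -130,7), maxmss-20 is promoted to int and then narrowed implicitly back to uint16_t at the mss_fixup_dowork() call, so a maxmss below 20 wraps to a value near 65535 and the clamp no longer lowers anything. Suggest skipping the fixup when maxmss is not larger than 20 and passing (uint16_t)(maxmss - 20) so the narrowing is explicit, in line with the casts added elsewhere in this patch.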
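
Review bot: In the @@ -191,13 hunk of src/openvpn/mss.c the MSS read is split into two statements (mssval = opt[2] << 8; mssval += opt[3];) with no comment saying why, while the write a few lines further down uses explicit (uint8_t) casts. A single expression with one cast, for example mssval = (uint16_t)((opt[2] << 8) | opt[3]);, would match the write side and state the intent.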
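
Review bot: The (uint16_t) cast on options->ce.mssfix - (20 + 20) in the @@ -291,7 hunk of src/openvpn/mss.c hides the warning but not the wrap: the options.c hunk in this same patch still accepts --mssfix 0, and 0 - 40 truncated to 16 bits is 65496. If this branch is never reached with mssfix == 0, state that in a comment or ASSERT it next to the cast; otherwise handle 0 before the subtraction.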
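
Review bot: In the @@ -325,7 hunk of src/openvpn/mss.c the new cast silently truncates adjust_payload_max_cbc(kt, target) - payload_overhead, and target is an unsigned options->ce.mssfix - overhead that wraps when overhead exceeds mssfix. Nothing visible here ties the new TLS_CHANNEL_MTU_MIN lower bound to the largest possible overhead, so a range check on the result before the cast (or an ASSERT documenting the invariant) would make the narrowing provably safe rather than assumed.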
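
Review bot: The new range check in src/openvpn/options.c (@@ -7234,9) rejects values the old code assigned without any check, yet the error text "--mssfix value '%s' is invalid" does not tell the user what range is allowed. Suggest including TLS_CHANNEL_MTU_MIN and UINT16_MAX in the message and documenting the new minimum alongside the option, since the commit message mentions it only in the v4 changelog line. The added comment also has a typo: "substract" should be "subtract".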