From patchwork Thu Mar 12 17:31:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4819 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:2755:b0:83c:d90d:321 with SMTP id j21csp708472maq; Thu, 12 Mar 2026 10:32:06 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVAwwdrqwOxZYRjGNxq5zwJC6nFoBaAaXVdLa5VZIs4BfvbYVYKdtt2NcYC+flMOg77JmolUkIXt6I=@openvpn.net X-Received: by 2002:a05:7300:6c27:b0:2ba:8706:d022 with SMTP id 5a478bee46e88-2bea54de53emr237712eec.18.1773336726228; Thu, 12 Mar 2026 10:32:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1773336726; cv=none; d=google.com; s=arc-20240605; b=Frn044434em2WHh5SKirE5kyBmoMO25AUdzITgOyKaNtVBldq4HZqzQMlZ8my+7e11 l1sfJsiSyOXZPo28FiEnK86nAYQABy1a7XZPNgKJ8W8ZJmRBoGJ2L1tG98hh4YEGsuUy Fde+dhJuOJqOkCZqbDRahLAQdZj7cLoIHJIFpfdxXpfvtueGz9gWlsHyWUwz95ldHh2M XoGoOjbRNkUuUi4oaOVml2EJ/JYKTtKEjedivIkjbN0Mty5uSxzwIdIt4C9fXK1p8ZBY CpjXhKEhAHFPsjzM7qzj8aS3fTS6T52wLWjmUe/Ue1Ul0TX3uG7SnSO2JkOnatJ9YFVA a9xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=nWyUew86iUgCjL8r4pvMykk4//rYn94xQaWrf/fGkjg=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=ZLeQMxIN0ciRIVHptMRvv2pcp6ZCKn5yNMCskFL4WyP9WaIn0aTQWG5546gUldgHg1 TXKpsmA3+rnXLY504cyR1eNDWnx9USxXtvuJRVH+b5ue8GJzhey515qKNg781rIGZHFK KZoBLAmk1RqwVcX1iOz0eu8MLDi+H8nxos1ziMAjczWtWafVbnFva8qjgiIklQm1sIwW BoxnY2+FJoTBO/iQdTT6T71S/uBpaKC2cuCmhn29w2wBJ1J9pD8vWCMV5gxkn4C4ORK/ Nn8h8xLnZM2k26EDUgegoOWf/zSEG5Tw866bcXaf7gn6bp7JpYbuwqa1C4WUzHUpp+4a 35Yw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=fSHDpart; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="XQCeRZ/S"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=b5lHc7A5; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5a478bee46e88-2be8a83cc4bsi13092403eec.17.2026.03.12.10.32.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Mar 2026 10:32:05 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=fSHDpart; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="XQCeRZ/S"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=b5lHc7A5; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=nWyUew86iUgCjL8r4pvMykk4//rYn94xQaWrf/fGkjg=; b=fSHDpart+Dphk2MjnRMukhoNeo n7a6p/t2WoNvwRTy4+1XtsW9mJ1Dn3oNELj2KgQzl25c5efEjBfyiioqn1/6m/Cnfb+mIVMnUhfyh WNappkCzPJ0uawX9wi2akJs6ORmbCfReHCT4V1RV3MH65q5LkW9UR+le4Qc5/MuxhJIQ=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1w0jt8-0003vO-V6; Thu, 12 Mar 2026 17:31:58 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1w0jt7-0003vG-MF for openvpn-devel@lists.sourceforge.net; Thu, 12 Mar 2026 17:31:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=RKZY5FrKdYhEVeQXunMXwN0nPvWz+JNtQQzKi1nziZA=; b=XQCeRZ/SQ+XLYGBBGye8dsuEoI ZYQrj/CBy7gc6mCIk5z6rnNqWMPlRScq4iwhjnJ5VntMz9xsK+TJjToax/h77DGGAYLJbBKM9jr3q 0GxtxAvjyXpVLTThbHugMpwWfjN/v0t7hdzxxI4f6wGiVhfvsu6qwYQcc4mGJrrWYy8I=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=RKZY5FrKdYhEVeQXunMXwN0nPvWz+JNtQQzKi1nziZA=; b=b5lHc7A5Q1TpfHOwZ0kO31Iuj7 POQGwDlAlUWGczm8g5/WOY62lZAjhd/P5QL/ES6qUm6oOaA4nCM3gnu6BWlX9hZ49OIcNNwzsSXcg 0w/fD7ZwA7OK7OQRSa0TaU3o34UV/1AbQWn9vbq/8bihbUSot/0zTZltSuq/4SCjjO/Q=; Received: from [193.149.48.129] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1w0jt6-0003p2-Bf for openvpn-devel@lists.sourceforge.net; Thu, 12 Mar 2026 17:31:57 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 62CHVi5d015615 for ; Thu, 12 Mar 2026 18:31:44 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 62CHVinu015614 for openvpn-devel@lists.sourceforge.net; Thu, 12 Mar 2026 18:31:44 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 12 Mar 2026 18:31:38 +0100 Message-ID: <20260312173144.15602-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld First of all remove the testing of renegotiation_seconds. Commit 9a5161704173e31f2510d3f5c29361f76e275d0f made it irrelevant for verify_auth_token but still left UTs for it. But AFAICT these UTs only [...] Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1w0jt6-0003p2-Bf Subject: [Openvpn-devel] [PATCH v6] auth_token: Clean up type handling in verify_auth_token and its UT X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1859478330594581775?= X-GMAIL-MSGID: =?utf-8?q?1859478330594581775?= From: Frank Lichtenheld First of all remove the testing of renegotiation_seconds. Commit 9a5161704173e31f2510d3f5c29361f76e275d0f made it irrelevant for verify_auth_token but still left UTs for it. But AFAICT these UTs only test that renegotiation_seconds is bigger than auth_token_renewal, so it tests the UT setup routine... Also improve the code to require less casts under -Wsign-compare. Add a comment that this code is not y38 safe if time_t is 32bit. Probably nothing we want to do from our side since in that case everything that uses "now" is borked. So we trust in the OS here... Change-Id: I73dba29719ea685f0427a3c479e7f1f176f09eba Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1510 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1510 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index eb2b4d5..d8ca125 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -287,11 +287,6 @@ return memcmp_constant_time(&hmac_output, hmac, 32) == 0; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wsign-compare" -#endif - unsigned int verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session) { @@ -318,7 +313,7 @@ const uint8_t *sessid = b64decoded; const uint8_t *tstamp_initial = sessid + AUTH_TOKEN_SESSION_ID_LEN; - const uint8_t *tstamp = tstamp_initial + sizeof(int64_t); + const uint8_t *tstamp = tstamp_initial + sizeof(uint64_t); /* tstamp, tstamp_initial might not be aligned to an uint64, use memcpy * to avoid unaligned access */ @@ -348,9 +343,11 @@ } /* Accept session tokens only if their timestamp is in the acceptable range - * for renegotiations */ - bool in_renegotiation_time = - now >= timestamp && now < timestamp + 2 * session->opt->auth_token_renewal; + * for renegotiations. + * Cast is required for systems with 32bit time_t, e.g. Windows x86. + */ + const time_t token_reneg_deadline = (time_t)timestamp + 2 * session->opt->auth_token_renewal; + bool in_renegotiation_time = now >= (time_t)timestamp && now < token_reneg_deadline; if (!in_renegotiation_time) { @@ -369,7 +366,8 @@ ret |= AUTH_TOKEN_EXPIRED; } - if (multi->opt.auth_token_lifetime && now > timestamp_initial + multi->opt.auth_token_lifetime) + const time_t token_eol = (time_t)timestamp_initial + multi->opt.auth_token_lifetime; + if (multi->opt.auth_token_lifetime && now > token_eol) { ret |= AUTH_TOKEN_EXPIRED; } @@ -396,10 +394,6 @@ return ret; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - void wipe_auth_token(struct tls_multi *multi) { diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c index 82c20c1..30d55f6 100644 --- a/tests/unit_tests/openvpn/test_auth_token.c +++ b/tests/unit_tests/openvpn/test_auth_token.c @@ -166,20 +166,19 @@ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } -/* Note: only on 32bit Windows builds */ -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wsign-compare" -#endif - static void auth_token_test_timeout(void **state) { struct test_context *ctx = (struct test_context *)*state; - now = 100000; + const time_t initial_time = 100000; + now = initial_time; generate_auth_token(&ctx->up, &ctx->multi); + const time_t token_renew_window = + initial_time + 2 * ctx->session->opt->auth_token_renewal; + const time_t token_eol = initial_time + ctx->session->opt->auth_token_lifetime + 1; + strcpy(ctx->up.password, ctx->multi.auth_token); free(ctx->multi.auth_token_initial); ctx->multi.auth_token_initial = NULL; @@ -188,26 +187,21 @@ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* Token before validity, should be rejected */ - now = 100000 - 100; + now = initial_time - 100; assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED); - /* Token no valid for renegotiate_seconds but still for renewal_time */ - now = 100000 + 2 * ctx->session->opt->renegotiate_seconds - 20; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), - AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED); - - - now = 100000 + 2 * ctx->session->opt->auth_token_renewal - 20; + /* Token still valid for renewal_time */ + now = token_renew_window - 20; assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* Token past validity, should be rejected */ - now = 100000 + 2 * ctx->session->opt->renegotiate_seconds + 20; + now = token_renew_window + 20; assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED); - /* But not when we reached our timeout */ - now = 100000 + ctx->session->opt->auth_token_lifetime + 1; + /* Token past lifetime, should be rejected */ + now = token_eol; assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK | AUTH_TOKEN_EXPIRED); @@ -215,8 +209,8 @@ ctx->multi.auth_token_initial = NULL; /* regenerate the token util it hits the expiry */ - now = 100000; - while (now < 100000 + ctx->session->opt->auth_token_lifetime + 1) + now = initial_time; + while (now < token_eol) { assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); @@ -234,10 +228,6 @@ assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - static void zerohmac(char *token) {