From patchwork Mon Nov 11 09:40:33 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3940
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 11 Nov 2024 10:40:33 +0100
Message-ID: <20241111094033.16073-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v1] Change --reneg-bytes and --reneg-packets to 64 bit counters

From: Arne Schwabe

reneg-bytes can currently only specify up to a maximum of 2GB. This makes it even problematic to use without extended counters.

Change-Id: I993e7fc5609955d271e74370affc2eea340a1e2d
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/795 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1beb0ee..10ee9f6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2032,8 +2032,8 @@ SHOW_INT(tls_timeout); - SHOW_INT(renegotiate_bytes); - SHOW_INT(renegotiate_packets); + SHOW_INT64(renegotiate_bytes); + SHOW_INT64(renegotiate_packets); SHOW_INT(renegotiate_seconds); SHOW_INT(handshake_window); @@ -9187,12 +9187,26 @@ else if (streq(p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_bytes = positive_atoi(p[1]); + char *end; + long long reneg_bytes = strtoll(p[1], &end, 10); + if (*end != '\0' || reneg_bytes < 0) + { + msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_bytes = reneg_bytes; } else if (streq(p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_packets = positive_atoi(p[1]); + char *end; + long long pkt_max = strtoll(p[1], &end, 10); + if (*end != '\0' || pkt_max < 0) + { + msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_packets = pkt_max; } else if (streq(p[0], "reneg-sec") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index ee39dbb..6ab92e2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -626,8 +626,8 @@ int tls_timeout; /* Data channel key renegotiation parameters */ - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; int renegotiate_seconds; int renegotiate_seconds_min; 
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c48a85c..ab55365 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -118,7 +118,7 @@ * May *not* be NULL. */ static void -tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) +tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes) { if (cipher_kt_insecure(ciphername)) { @@ -3028,7 +3028,7 @@ && should_trigger_renegotiation(session, ks)) { msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format - "/%d pkts=" counter_format "/%d", + "/%" PRIi64 " pkts=" counter_format "/%" PRIi64, (int) (now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes, session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 5bc2f2a..5840e2d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -331,8 +331,8 @@ int transition_window; int handshake_window; interval_t packet_timeout; - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; interval_t renegotiate_seconds; /* cert verification parms */
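Review bot: the two strtoll() calls in the reneg-bytes and reneg-pkts branches of options.c do not detect overflow. On an out-of-range value strtoll returns LLONG_MAX and sets errno to ERANGE, which still passes the `*end != '\0' || reneg_bytes < 0` test, so a value like 99999999999999999999 is silently clamped instead of rejected. Set `errno = 0` before each call and treat `errno == ERANGE` as an error (needs <errno.h>); the same fix applies to `pkt_max`. Note also that strtoll accepts leading whitespace and a leading '+', so `reneg_bytes < 0` is the only thing keeping a negative sentinel out of the option; that is fine, but the two branches are otherwise identical copy-paste and would read better as one small helper that parses and range-checks a non-negative 64-bit option. Finally, this replaces positive_atoi() with strict parsing that errors out on input the old code tolerated; that user-visible change deserves a sentence in the commit message.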
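Review bot: in the ssl.c soft-reset message, ks->n_bytes and ks->n_packets are still printed with counter_format while the limits next to them now use PRIi64, and the renegotiation check compares those same pairs of fields. If counter_type is narrower than 64 bits on a given build (the "without extended counters" case the commit message mentions), a --reneg-bytes limit above the counter's range can never be reached and the session simply never renegotiates on bytes. Either reject or warn on a limit the counter cannot represent, or state the dependency on 64-bit counters explicitly. Also confirm that ssl.c already includes <inttypes.h> so PRIi64 resolves on every platform the file is built for.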
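Review bot: the options.h and ssl_common.h hunks widen renegotiate_bytes and renegotiate_packets to int64_t, but the patch touches no documentation; since the commit message says the manual-facing limit was 2GB, the man page entries for --reneg-bytes and --reneg-pkts should be updated in the same change. The patch updates the SHOW_INT users and the one msg() in ssl.c, but any remaining consumer that formats these fields with %d (status or management output, other debug messages) would now be passing an int64_t to a 32-bit conversion, so a grep for other uses of the two fields is worth doing before merge.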