From patchwork Wed Dec 25 14:21:31 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4017
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 25 Dec 2024 15:21:31 +0100
Message-ID: <20241225142131.12543-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v8] Change internal id of packet id to uint64

From: Arne Schwabe

This allows to get rid of multiple casts and also prepares for the
larger packet id used by epoch data format.

Change-Id: If470af2eb456b2b10f9f2806933e026842188c42
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/802
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index fb962e4..117c95f 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c 
@@ -36,6 +36,8 @@ #include "syshead.h" +#include + #include "packet_id.h" #include "misc.h" #include "integer.h" @@ -56,7 +58,7 @@ const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, - int value); + packet_id_print_type value); #endif /* ENABLE_DEBUG */ @@ -65,7 +67,7 @@ const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, - int value) + uint64_t value) { #ifdef ENABLE_DEBUG if (unlikely(check_debug_level(msglevel))) @@ -115,22 +117,21 @@ const time_t local_now = now; if (p->seq_list) { - packet_id_type diff; + int64_t diff; /* - * If time value increases, start a new - * sequence number sequence. + * If time value increases, start a new sequence number sequence. */ if (!CIRC_LIST_SIZE(p->seq_list) || pin->time > p->time - || (pin->id >= (packet_id_type)p->seq_backtrack - && pin->id - (packet_id_type)p->seq_backtrack > p->id)) + || (pin->id >= p->seq_backtrack + && pin->id - p->seq_backtrack > p->id)) { p->time = pin->time; p->id = 0; - if (pin->id > (packet_id_type)p->seq_backtrack) + if (pin->id > p->seq_backtrack) { - p->id = pin->id - (packet_id_type)p->seq_backtrack; + p->id = pin->id - p->seq_backtrack; } CIRC_LIST_RESET(p->seq_list); } @@ -146,7 +147,7 @@ } diff = p->id - pin->id; - if (diff < (packet_id_type) CIRC_LIST_SIZE(p->seq_list) + if (diff < CIRC_LIST_SIZE(p->seq_list) && local_now > SEQ_EXPIRED) { CIRC_LIST_ITEM(p->seq_list, diff) = local_now; @@ -170,9 +171,8 @@ const time_t local_now = now; if (p->time_backtrack) { - int i; bool expire = false; - for (i = 0; i < CIRC_LIST_SIZE(p->seq_list); ++i) + for (int i = 0; i < CIRC_LIST_SIZE(p->seq_list); ++i) { const time_t t = CIRC_LIST_ITEM(p->seq_list, i); if (t == SEQ_EXPIRED) @@ -200,7 +200,7 @@ packet_id_test(struct packet_id_rec *p, const struct packet_id_net *pin) { - packet_id_type diff; + uint64_t diff; packet_id_debug(D_PID_DEBUG, p, pin, "PID_TEST", 0); 
@@ -231,9 +231,9 @@ diff = p->id - pin->id; /* keep track of maximum backtrack seen for debugging purposes */ - if ((int)diff > p->max_backtrack_stat) + if (diff > p->max_backtrack_stat) { - p->max_backtrack_stat = (int)diff; + p->max_backtrack_stat = diff; packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat); } @@ -557,7 +557,7 @@ const struct packet_id_rec *p, const struct packet_id_net *pin, const char *message, - int value) + packet_id_print_type value) { struct gc_arena gc = gc_new(); struct buffer out = alloc_buf_gc(256, &gc); @@ -569,7 +569,7 @@ CLEAR(tv); gettimeofday(&tv, NULL); - buf_printf(&out, "%s [%d]", message, value); + buf_printf(&out, "%s [" packet_id_format "]", message, value); buf_printf(&out, " [%s-%d] [", p->name, p->unit); for (i = 0; sl != NULL && i < sl->x_size; ++i) { @@ -604,17 +604,17 @@ } buf_printf(&out, "%c", c); } - buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id); + buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, p->id); if (pin) { - buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id); + buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, pin->id); } buf_printf(&out, " t=%" PRIi64 "[%d]", (int64_t)prev_now, (int)(prev_now - tv.tv_sec)); - buf_printf(&out, " r=[%d,%d,%d,%d,%d]", + buf_printf(&out, " r=[%d,%" PRIu64 ",%d,%" PRIu64 ",%d]", (int)(p->last_reap - tv.tv_sec), p->seq_backtrack, p->time_backtrack, diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index 3778d19..d8a3e1a 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h 
@@ -35,11 +35,13 @@ #include "error.h" #include "otime.h" -#if 1 /* - * These are the types that members of - * a struct packet_id_net are converted - * to for network transmission. + * These are the types that members of a struct packet_id_net are converted + * to for network transmission and for saving to a persistent file. + * + * Note: data epoch data uses a 64 bit packet ID + * compromised of 16 bit epoch and 48 bit per-epoch packet counter. + * These are ephemeral and are never saved to a file. */ typedef uint32_t packet_id_type; #define PACKET_ID_MAX UINT32_MAX @@ -64,31 +66,12 @@ /* convert a net_time_t in network order to a time_t in host order */ #define ntohtime(x) ((time_t)ntohl(x)) -#else /* if 1 */ - -/* - * DEBUGGING ONLY. - * Make packet_id_type and net_time_t small - * to test wraparound logic and corner cases. - */ - -typedef uint8_t packet_id_type; -typedef uint16_t net_time_t; - -#define PACKET_ID_WRAP_TRIGGER 0x80 - -#define htonpid(x) (x) -#define ntohpid(x) (x) -#define htontime(x) htons((net_time_t)x) -#define ntohtime(x) ((time_t)ntohs(x)) - -#endif /* if 1 */ /* * Printf formats for special types */ -#define packet_id_format "%u" -typedef unsigned int packet_id_print_type; +#define packet_id_format "%" PRIu64 +typedef uint64_t packet_id_print_type; /* * Maximum allowed backtrack in @@ -128,10 +111,10 @@ { time_t last_reap; /* last call of packet_id_reap */ time_t time; /* highest time stamp received */ - packet_id_type id; /* highest sequence number received */ - int seq_backtrack; /* set from --replay-window */ + uint64_t id; /* highest sequence number received */ + uint64_t seq_backtrack; /* set from --replay-window */ int time_backtrack; /* set from --replay-window */ - int max_backtrack_stat; /* maximum backtrack seen so far */ + uint64_t max_backtrack_stat; /* maximum backtrack seen so far */ bool initialized; /* true if packet_id_init was called */ struct seq_list *seq_list; /* packet-id "memory" */ const char *name; 
@@ -164,7 +147,7 @@ */ struct packet_id_send { - packet_id_type id; + uint64_t id; time_t time; }; @@ -174,8 +157,12 @@ * sequence number. A long packet-id * includes a timestamp as well. * + * An epoch packet-id is a 16 bit epoch + * counter plus a 48 per-epoch packet-id + * * Long packet-ids are used as IVs for - * CFB/OFB ciphers. + * CFB/OFB ciphers and for control channel + * messages. * * This data structure is always sent * over the net in network byte order, @@ -191,9 +178,16 @@ * 64 bit platforms use a * 64 bit time_t. */ + +/** + * Data structure for describing the packet id that is received/send to the + * network. This struct does not match the on wire format. + */ struct packet_id_net { - packet_id_type id; + /* converted to packet_id_type on non-epoch data ids, does not contain + * the epoch but is a flat id */ + uint64_t id; time_t time; /* converted to net_time_t before transmission */ }; diff --git a/tests/unit_tests/openvpn/test_packet_id.c b/tests/unit_tests/openvpn/test_packet_id.c index a3567bc..d918985 100644 --- a/tests/unit_tests/openvpn/test_packet_id.c +++ b/tests/unit_tests/openvpn/test_packet_id.c @@ -90,8 +90,8 @@ now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); - assert(data->pis.id == 1); - assert(data->pis.time == now); + assert_int_equal(data->pis.id, 1); + assert_int_equal(data->pis.time, now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl((uint32_t)now)); } @@ -117,8 +117,8 @@ data->test_buf.offset = sizeof(data->test_buf_data); now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, true)); - assert(data->pis.id == 1); - assert(data->pis.time == now); + assert_int_equal(data->pis.id, 1); + assert_int_equal(data->pis.time, now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl((uint32_t)now)); } 
@@ -128,7 +128,8 @@ { struct test_packet_id_write_data *data = *state; - data->pis.id = ~0; + /* maximum 32-bit packet id */ + data->pis.id = (packet_id_type)(~0); assert_false(packet_id_write(&data->pis, &data->test_buf, false, false)); } @@ -137,7 +138,8 @@ { struct test_packet_id_write_data *data = *state; - data->pis.id = ~0; + /* maximum 32-bit packet id */ + data->pis.id = (packet_id_type)(~0); data->pis.time = 5006; /* Write fails if time did not change */ @@ -148,8 +150,8 @@ now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); - assert(data->pis.id == 1); - assert(data->pis.time == now); + assert_int_equal(data->pis.id, 1); + assert_int_equal(data->pis.time, now); assert_true(data->test_buf_data.buf_id == htonl(1)); assert_true(data->test_buf_data.buf_time == htonl((uint32_t)now)); }
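
Review bot: In src/openvpn/packet_id.c, hunk @@ -146,7 +147,7 @@, the bound check `diff < CIRC_LIST_SIZE(p->seq_list)` is now a signed comparison, because `diff` was changed to `int64_t` in hunk @@ -115,22 +117,21 @@ and the `(packet_id_type)` cast on the list size was dropped. A negative `diff` passes that check and is then used as the index in `CIRC_LIST_ITEM(p->seq_list, diff)`, whereas the old unsigned comparison rejected it on its own. The hunk at @@ -200,7 +200,7 @@ declares the same quantity as `uint64_t diff`; using `uint64_t` here as well, or adding an explicit `diff >= 0` condition, keeps the bound from depending on `p->id >= pin->id` holding at this point, which these lines do not show.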
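
Review bot: In src/openvpn/packet_id.h, hunk @@ -35,11 +35,13 @@, the new note in the comment has two wording problems: "data epoch data" looks like a leftover from editing, and "compromised of" should be "composed of". Since this comment is the only place the patch documents the 64 bit layout (16 bit epoch plus 48 bit per-epoch counter), it is worth getting the sentence right, for example "Note: the epoch data format uses a 64 bit packet ID composed of a 16 bit epoch and a 48 bit per-epoch packet counter."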
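
Review bot: In src/openvpn/packet_id.h, hunk @@ -64,31 +66,12 @@, removing the `#else` branch drops the only build variant that shrank `packet_id_type` and `net_time_t` "to test wraparound logic and corner cases", and the test changes in this patch only exercise the 32-bit maximum through `(packet_id_type)(~0)`. With `id` now `uint64_t` in the send, receive and net structures, a unit test that feeds ids at and just above `PACKET_ID_MAX` through the replay-window code would replace the coverage the debug variant was meant to give.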
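
Review bot: In src/openvpn/packet_id.h, hunk @@ -128,10 +111,10 @@, `seq_backtrack` changes from `int` to `uint64_t` while `time_backtrack`, also commented "set from --replay-window", stays `int`, and the code that assigns `seq_backtrack` is not part of this patch. If that code still passes an `int`, a negative value now converts silently to a very large backtrack window instead of staying negative, so the assignment site should either take an unsigned type or reject negative values explicitly. A short comment on the field saying why it is 64 bit (it is compared against and subtracted from `id`) would also explain the asymmetry with `time_backtrack`.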
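
Review bot: In src/openvpn/packet_id.h, comment hunks @@ -174,8 +157,12 @@ and @@ -191,9 +178,16 @@, the new documentation needs a cleanup: "a 48 per-epoch packet-id" is missing "bit", and "received/send to the network" should read "received from/sent to the network". The comment on `struct packet_id_net` says `id` is "converted to packet_id_type on non-epoch data ids"; now that the field is `uint64_t`, that conversion narrows to 32 bit, so the comment should state where the value is checked against `PACKET_ID_MAX` before the conversion happens.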
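
Review bot: In tests/unit_tests/openvpn/test_packet_id.c, hunks @@ -128,7 +128,8 @@ and @@ -137,7 +138,8 @@, `data->pis.id = (packet_id_type)(~0);` relies on a cast of a negative `int` to get the 32-bit maximum and needs the added comment to explain itself. packet_id.h already defines `PACKET_ID_MAX` as `UINT32_MAX`; assigning `PACKET_ID_MAX` states the intent directly, cannot be widened by accident to all 64 bits if the cast is later removed, and makes the comment unnecessary.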