From: Arne Schwabe Date: Mon, 11 Nov 2024 09:40:33 +0000 (+0100) Subject: Change --reneg-bytes and --reneg-packets to 64 bit counters X-Git-Tag: v2.7_alpha1~162 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d52ea247d9dec5262a09f3891db83b79b2ca403e;p=thirdparty%2Fopenvpn.git Change --reneg-bytes and --reneg-packets to 64 bit counters reneg-bytes can currently only specify up to a maximum of 2GB. This makes it even problematic to use without extended counters. Change-Id: I993e7fc5609955d271e74370affc2eea340a1e2d Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20241111094033.16073-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29744.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1beb0eec..10ee9f68 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2032,8 +2032,8 @@ show_settings(const struct options *o) SHOW_INT(tls_timeout); - SHOW_INT(renegotiate_bytes); - SHOW_INT(renegotiate_packets); + SHOW_INT64(renegotiate_bytes); + SHOW_INT64(renegotiate_packets); SHOW_INT(renegotiate_seconds); SHOW_INT(handshake_window); @@ -9187,12 +9187,26 @@ add_option(struct options *options, else if (streq(p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_bytes = positive_atoi(p[1]); + char *end; + long long reneg_bytes = strtoll(p[1], &end, 10); + if (*end != '\0' || reneg_bytes < 0) + { + msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_bytes = reneg_bytes; } else if (streq(p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); - options->renegotiate_packets = positive_atoi(p[1]); + char *end; + long long pkt_max = strtoll(p[1], &end, 10); + if (*end != '\0' || pkt_max < 0) + { + msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0"); + goto err; + } + options->renegotiate_packets = pkt_max; } else if (streq(p[0], "reneg-sec") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index ee39dbbc..6ab92e22 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -626,8 +626,8 @@ struct options int tls_timeout; /* Data channel key renegotiation parameters */ - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; int renegotiate_seconds; int renegotiate_seconds_min; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d44185e7..1f8eb1ec 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -118,7 +118,7 @@ key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len); * May *not* be NULL. */ static void -tls_limit_reneg_bytes(const char *ciphername, int *reneg_bytes) +tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes) { if (cipher_kt_insecure(ciphername)) { @@ -3028,7 +3028,7 @@ tls_process(struct tls_multi *multi, && should_trigger_renegotiation(session, ks)) { msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format - "/%d pkts=" counter_format "/%d", + "/%" PRIi64 " pkts=" counter_format "/%" PRIi64, (int) (now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes, session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 5bc2f2aa..5840e2d7 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -331,8 +331,8 @@ struct tls_options int transition_window; int handshake_window; interval_t packet_timeout; - int renegotiate_bytes; - int renegotiate_packets; + int64_t renegotiate_bytes; + int64_t renegotiate_packets; interval_t renegotiate_seconds; /* cert verification parms */