Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld
Change subject: Clarify some code in epoch with better comments
......................................................................
Clarify some code in epoch with better comments
Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 8 insertions(+), 2 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/2
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8049b3a..d6b8841 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,12 @@
/* IV starts with packet id to make the IV unique for packet */
if (use_epoch_data_format)
{
+ /* Note this does not check aead_usage_limit but can overstep it by
+ * a few extra blocks in one extra write. This is not affecting the
+ * security margin as these extra blocks are on a completely
+ * different order of magnitude than the security margin.
+ * The next iteration/call to epoch_check_send_iterate will
+ * iterate the epoch */
if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch,
&iv_buffer))
{
msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 72c6821..3842615 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,7 @@
/** last epoch_key used for generation of the current send data keys.
* As invariant, the epoch of epoch_key_send is always kept >= the epoch of
- * epoch_key_recv */
+ * key_ctx_bi.decrypt.epoch */
struct epoch_key epoch_key_send;
/** epoch_key used for the highest receive epoch keys */
@@ -309,7 +309,7 @@
/** The limit for AEAD cipher, this is the sum of packets + blocks
* that are allowed to be used. Will switch to a new epoch if this
- * limit is reached*/
+ * limit is reached. */
uint64_t aead_usage_limit;
/** Keeps the future epoch data keys for decryption. The current one
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
