Attention is currently required from: plaisthos. syzzer has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/506?usp=email )
Change subject: Implement support for AEAD tag at the end ...................................................................... Patch Set 4: Code-Review-1 (5 comments) Patchset: PS4: I have always supported to place the tag at the end. It's easier to manage in hardware, is common practice and has no security impact. The only real reservation I have is whether this should be combined with other protocol changes to prevent an explosion of possible wire formats. For example with a longer on-the-wire IV. Combining these would results in 2 possible AEAD wire formats, instead of 4. (Or 8, if there are plans for a longer peer-id, but not sure if that was just a typo in v1 or actually planned). (And then there are a few nits, see comments.) File src/openvpn/crypto.c: http://gerrit.openvpn.net/c/openvpn/+/506/comment/6e399d5e_d094230c : PS1, Line 426: uint8_t *tag_ptr = NULL; Not sure if the current static analyzers are smart enough to detect that these (non-const) variables are not used inside the error_exit label, but they used to complain about jumping over an initialization. (What CRYPTO_ERROR above does.) http://gerrit.openvpn.net/c/openvpn/+/506/comment/281413d5_d34e727f : PS1, Line 463: ASSERT(buf_inc_len(&work, outlen)); Good to add a newline to visually separate the decryption from the authentication, but the buf_inc_len belongs to the decryption bit, right? Not the authentication bit. File src/openvpn/ssl.h: http://gerrit.openvpn.net/c/openvpn/+/506/comment/9b25b8a6_547ed983 : PS1, Line 111: #define IV_PROTO_DATA_V3 (1<<10) This means that this commit can only go in together with commits for a larger peer id and larger IV, right? File tests/unit_tests/openvpn/test_ssl.c: http://gerrit.openvpn.net/c/openvpn/+/506/comment/05d64456_0a9f2c26 : PS4, Line 272: run_data_channel_with_cipher_end(const char *cipher) s/end/tag_end/ ? (Or even tag_at_end) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/506?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I00821d75342daf3f813b829812d648fe298bea81 Gerrit-Change-Number: 506 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: syzzer <stef...@karger.me> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Comment-Date: Fri, 12 Apr 2024 20:01:02 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel