Attention is currently required from: MaxF, flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/804?usp=email )

Change subject: Implement methods to generate and manage OpenVPN Epoch keys
......................................................................


Patch Set 9:

(23 comments)

File src/openvpn/crypto.h:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/4cf4ae43_56da8da9 :
PS9, Line 175: /** the epoch of the key is if it was generated as epoch data 
key material */
> I think you mean: The epoch of the key, if it was generated as epoch data key 
> material. […]
I will clarify that this only meaningful if key parameters are used in epoch 
data and it is not meaningful otherwise.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/788a09ea_7023fafa :
PS9, Line 223: is
> this?
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/3d1e7540_b7a53f6a :
PS9, Line 307: This limit for AEAD cipher
> The limit for AEAD ciphers?
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/1dead943_a6393dd1 :
PS9, Line 315: key
> keys
yes but also the comment is wrong as epoch_data_keys_future only stores receive 
keys.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/78aa125b_37d2d67c :
PS9, Line 316: to switch also sending key
> to also switch the sending key?
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/f57d4cd6_30ec7906 :
PS9, Line 324: switch
> switched?
yes, and also before instead of bevor.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/be5e1ecc_1af62691 :
PS9, Line 524: @param epoch Epoch read from packet or 0 when epoch is not used.
> That's not an argument of the function.
yes that got into a commit too early. I moved it to the commit that actually 
adds the epoch parameter.


File src/openvpn/crypto_epoch.h:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/87827b4b_e2c66cc6 :
PS9, Line 72: * @param epoch_key     Epoch key to be used
            :  * @param key          Destination for the generated data key
> wrong order compared to the function.
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/3e654f8c_e8b2f61e :
PS9, Line 91: using
> uses
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/0a1c083e_f7fbf9ba :
PS9, Line 96: a
> for the receive key?
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/f2c845b2_b82d132e :
PS9, Line 103: send_epoch_keyt
> send_epoch_key
Acknowledged


http://gerrit.openvpn.net/c/openvpn/+/804/comment/2ef5767a_589a85d0 :
PS9, Line 118: * @param e1_send    The E1 send epoch key derived by TLS-EKM
             :  * @param e1_recv    The E1 receive epoch key derived by TLS-EKM
> incomplete parameters
Acknowledged


File src/openvpn/crypto_epoch.c:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/37c7c0ca_5ba66eff :
PS9, Line 136: 11
> We could use strlen() here.
I will be using sizeof(array) - 1 as strlen doesn't really like operating on a 
uint8_t array.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/b83b22ac_c3dd00bb :
PS9, Line 157: 8
> strlen?
same as above


http://gerrit.openvpn.net/c/openvpn/+/804/comment/ae88362e_fa765dab :
PS9, Line 163: 7
> strlen?
same as above


http://gerrit.openvpn.net/c/openvpn/+/804/comment/4b15f462_6189d29b :
PS9, Line 210: uint16_t current_epoch_recv = co->key_ctx_bi.decrypt.epoch;
> The variable name makes this look like it should be co->epoch_key_recv.epoch. 
> […]
I reworked the comment and the function doxygen to hopefully make it a bit 
better to understand.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/85168ea8_12a0a758 :
PS9, Line 423: is
> in?
not sure how I managed to mangle this when I copy&pasted it.


File src/openvpn/packet_id.h:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/929b34fb_60e60e0a :
PS9, Line 214:  */
> Incomplete
Acknowledged


File src/openvpn/packet_id.c:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/129a630b_4118bf6c :
PS9, Line 81: packet_id_init_recv(struct packet_id_rec *rec, int seq_backtrack, 
int time_backtrack, const char *name, int unit)
> You could make this a static function.
Acknowledged


File tests/unit_tests/openvpn/test_crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/804/comment/b63adfb5_696e6519 :
PS9, Line 728: is uses
> uses
Done


http://gerrit.openvpn.net/c/openvpn/+/804/comment/aa4ca31d_556d7a6b :
PS9, Line 830: 1-5
> 2-6
Done


http://gerrit.openvpn.net/c/openvpn/+/804/comment/cb188983_ad366b2c :
PS9, Line 835:     assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
> Could we make sure that it really is the retiring key by comparing it with 
> &co->epoch_retiring_data_ […]
good idea.


http://gerrit.openvpn.net/c/openvpn/+/804/comment/eca5ecc7_126d252a :
PS9, Line 899:     assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - 32));
> This hard-codes the assumption that this function is called with a state that 
> has num_future_keys == […]
I think for a unit test hardcoding this is fine. I think we want to rather 
hardcode it here rather then to rely on the internal state of co being correct 
for the unit test.

I will add an assert that the num_future_keys is 32 and then use 
num_future_keys as you suggested.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/804?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id7d6a576ca8c9560cb2dfae82fc62175820e9b80
Gerrit-Change-Number: 804
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: MaxF <m...@max-fillinger.net>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Attention: MaxF <m...@max-fillinger.net>
Gerrit-Comment-Date: Sun, 29 Dec 2024 03:09:05 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: MaxF <m...@max-fillinger.net>
Gerrit-MessageType: comment
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to