[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[plaisthos (Code Review)]

Attention is currently required from: flichtenheld, ordex.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(1 comment)

File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/997ae8f4_a9d0ede6 :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
> Acknowledged
There is a -1 state in OpenSSL that mean "don't change when reinitialising" 
that we do not use.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 27 Mar 2024 18:44:04 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: flichtenheld 
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v3] crypto_backend: fix type of enc parameter

[Frank Lichtenheld]

We had parts of a abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls now:

crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const 
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]

Previous compiler versions did not complain.

v2:
 - clean solution instead of quick solution. Fix the actual API
   definition

Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/548
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe 


diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8d37e64..c454c64 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -336,10 +336,10 @@
  * @param key   Buffer containing the key to use
  * @param ciphernameCiphername of the cipher to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
+ *  \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
  */
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *cipername, int enc);
+ const char *cipername, crypto_operation_t enc);
 
 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..c230292 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,7 +566,7 @@
 
 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 CLEAR(*ctx);
@@ -580,7 +580,7 @@
 msg(M_FATAL, "mbed TLS cipher context init #1");
 }
 
-if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, operation)))
+if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, enc)))
 {
 msg(M_FATAL, "mbed TLS cipher set key");
 }
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 46f76e2..48d1e20 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -63,6 +63,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMMBEDTLS_MODE_GCM
 
+typedef mbedtls_operation_t crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  MBEDTLS_ENCRYPT
 
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 50683b6..bfc5e37 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -840,7 +840,7 @@
 
 void
 cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-const char *ciphername, int enc)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 evp_cipher_type *kt = cipher_get(ciphername);
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index c0e95b4..4cd988a 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -85,6 +85,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMEVP_CIPH_GCM_MODE
 
+typedef int crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  1
 


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[flichtenheld (Code Review)]

Attention is currently required from: ordex, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(1 comment)

File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/54a6d210_d1fef5e2 :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
> still dirty if you ask me, but it's a nit pick
Acknowledged



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 27 Mar 2024 16:25:43 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: flichtenheld 
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[ordex (Code Review)]

Attention is currently required from: flichtenheld, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(1 comment)

File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/c7af8f42_1c7d88cd :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
> Also, in practice it is a boolean. […]
still dirty if you ask me, but it's a nit pick



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 15:25:50 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: flichtenheld 
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[flichtenheld (Code Review)]

Attention is currently required from: ordex, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(1 comment)

File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/dc2be5d0_47f83eb9 :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
> It matches the OpenSSL API, it also uses int enc ...
Also, in practice it is a boolean. The third state is only for indicating error 
when used as a return value.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 27 Mar 2024 15:19:32 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: plaisthos 
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[plaisthos (Code Review)]

Attention is currently required from: flichtenheld, ordex.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(1 comment)

File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/4014ab83_686bac9b :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
> may I argue that the name "operation" (or just "op") is more appropriate as 
> this is not a bool (encr […]
It matches the OpenSSL API, it also uses int enc ...



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: flichtenheld 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Wed, 27 Mar 2024 13:34:00 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: ordex 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[plaisthos (Code Review)]

Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 13:32:50 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[ordex (Code Review)]

Attention is currently required from: flichtenheld, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: crypto_backend: fix type of enc parameter
..


Patch Set 3:

(2 comments)

Patchset:

PS3:
Thanks for introducing the typedef - this looks much cleaner, as Arne also 
suggested. However, I have a nit pick about the arg naming.


File src/openvpn/crypto_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/548/comment/f5ffc802_2b16c413 :
PS3, Line 569: const char *ciphername, crypto_operation_t enc)
may I argue that the name "operation" (or just "op") is more appropriate as 
this is not a bool (encrypt or not encrypt), but rather an enum being assigned 
some op?



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 13:24:24 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[flichtenheld (Code Review)]

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/548?usp=email

to look at the new patch set (#3).


Change subject: crypto_backend: fix type of enc parameter
..

crypto_backend: fix type of enc parameter

We had parts of a abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls now:

crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const 
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]

Previous compiler versions did not complain.

v2:
 - clean solution instead of quick solution. Fix the actual API
   definition

Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld 
---
M src/openvpn/crypto_backend.h
M src/openvpn/crypto_mbedtls.c
M src/openvpn/crypto_mbedtls.h
M src/openvpn/crypto_openssl.c
M src/openvpn/crypto_openssl.h
5 files changed, 9 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/48/548/3

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8d37e64..c454c64 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -336,10 +336,10 @@
  * @param key   Buffer containing the key to use
  * @param ciphernameCiphername of the cipher to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
+ *  \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
  */
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *cipername, int enc);
+ const char *cipername, crypto_operation_t enc);

 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..c230292 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,7 +566,7 @@

 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 CLEAR(*ctx);
@@ -580,7 +580,7 @@
 msg(M_FATAL, "mbed TLS cipher context init #1");
 }

-if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, operation)))
+if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, (int)key_bitlen, enc)))
 {
 msg(M_FATAL, "mbed TLS cipher set key");
 }
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 46f76e2..48d1e20 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -63,6 +63,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMMBEDTLS_MODE_GCM

+typedef mbedtls_operation_t crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  MBEDTLS_ENCRYPT

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 50683b6..bfc5e37 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -840,7 +840,7 @@

 void
 cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-const char *ciphername, int enc)
+const char *ciphername, crypto_operation_t enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 evp_cipher_type *kt = cipher_get(ciphername);
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index c0e95b4..4cd988a 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -85,6 +85,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMEVP_CIPH_GCM_MODE

+typedef int crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  1


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] IRC community meeting summary

[Johan Draaisma]

Meeting summary for 27 March 2024:

 * *New: when to deprecate weak ciphers*
   /Weak ciphers like 3DES and BF-CBC - what to do with them and when?/
   /Originally it looks like it was planned to remove in 2.7 but that
   may be too soon./
   /For example OpenVPN Inc. still sees customers with 10+ year old
   installations fairly regularly./
   /A proposal to consider may be to deprecate it when crypto libraries
   deprecate it./
   /Weighing the expected complaints versus the low cost of just
   maintaining weak ciphers until crypto libraries deprecate them - the
   choice seems obvious./
   /For now we'll stick with letting weak ciphers stay in unless there
   is some convincing reason to remove it./

 * *Closed: OpenVPN 2.6.10 release*
   /This was released 20th of March./

 * *Closed: OpenVPN 2.5.10 release*
   /This was released 21st of March, including new Windows installers./

 * *Closed: community funding initiative*
   /ordex convinced OTF (Open Tech Fund) to let OpenVPN join the "FOSS
   sustainability funding pilot run"./
   /This allows to pay for allocated hours for mattock and cron2 to
   work on OpenVPN community tasks./
   /Some ongoing tasks are listed under 'Mattock Topics' in the meeting
   notes and have already been going on for a while./
   /This topic is therefore considered closed for now./

 * *Closed: inactive setting data counter in openvpn2 and openvpn3*
   /It looks like openvpn2 and openvpn3 handle the counting of traffic
   for this differently./
   /After some discussion it was decided illia will submit some
   suggested fixes./
   /This will now follow standard procedure for patch submission and
   review. Closing topic./

 * *Closed: tunnelblick and sophos UTM*
   /Looks like Tunnelblick implemented a fix on their end./
   /​https://github.com/OpenVPN/openvpn/issues/525
   /

 * *Updated: website release process*
   /Last week a website release was planned that would enable a new way
   for updating Community Downloads page./
   /Postponed to this week. We'll see./

 * *Updated: forums topics*
   /ecrist still working on forums. admin access issue looks resolved.
   email issue looks resolved./
   /Plan is to soon switch URLs so new forum is on forums.openvpn.net
   and old forums is on archive address./
   /- email confirmation on registration was suggested./
   /- we still need to work on having some other people with some admin
   or high mod access./
   /- mod guide, hard or soft delete (chuck board?), what to do with
   GDPR, etc. (write it down and actually make it available to mods,
   maybe a hidden topic)/
   /- access for mods to logs so one can see what others did/

 * *Updated: DCO and Linux upstreaming, API change*/
   /Upstreaming DCO to Linux is proceeding, it is in review stage at
   the moment./
   /ordex will prepare a v3 patchset soon based on feedback received./
   /There will be an API change that makes it incompatible with the
   current implementation./
   /A graceful solution to that was already discussed and in motion.
   giaan will be working on this./
   /(in a nutshell, make OpenVPN understand old and new API, DKMS and
   kernel versions both will then use new API, then we drop old API)//

 * *Updated: mattock topics*
   /Made it so --dev null tests can run arbitrary numbers of servers
   concurrently, and have arbitrary amount of clients run in parallel
   to these servers./
   /Will probably look into separating the --dev null test data (test
   cases) from the test scripts./
   /Also started on debian snapshot publishing but didn't get very far
   there yet./

As always you're welcome to join at #openvpn-meeting on Libera IRC 
network every Wednesday at 13:00 Central European Time.


Kind regards,
Johan Draaisma
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [L] Change in openvpn[master]: Implement support for larger packet counter sizes

[flichtenheld (Code Review)]

Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/507?usp=email )

Change subject: Implement support for larger packet counter sizes
..


Patch Set 4: Code-Review+1

(1 comment)

Patchset:

PS4:
Looks good to me, but probably others should also review before we go ahead 
with this



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/507?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I01e258e97351b5aa4b9e561f5b35ddc2318569e2
Gerrit-Change-Number: 507
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 27 Mar 2024 11:33:34 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: crypto_backend: fix type of enc parameter

[flichtenheld (Code Review)]

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/548?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review-1 by plaisthos


Change subject: crypto_backend: fix type of enc parameter
..

crypto_backend: fix type of enc parameter

We had parts of a abstraction, but it wasn't consistent.
GCC 13 now complains about the type mismatch with mbedtls now:

crypto_mbedtls.c:568:1: error:
conflicting types for ‘cipher_ctx_init’ due to enum/integer mismatch;
have ‘void(mbedtls_cipher_context_t *, const uint8_t *, const char *, const 
mbedtls_operation_t)’
[...] [-Werror=enum-int-mismatch]
crypto_backend.h:341:6: note:
previous declaration of ‘cipher_ctx_init’ with type
‘void(cipher_ctx_t *, const uint8_t *, const char *, int)’ [...]

Previous compiler versions did not complain.

Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Signed-off-by: Frank Lichtenheld 
---
M src/openvpn/crypto_backend.h
M src/openvpn/crypto_mbedtls.c
M src/openvpn/crypto_mbedtls.h
M src/openvpn/crypto_openssl.h
4 files changed, 8 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/48/548/2

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 8d37e64..c454c64 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -336,10 +336,10 @@
  * @param key   Buffer containing the key to use
  * @param ciphernameCiphername of the cipher to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
+ *  \c OPENVPN_OP_ENCRYPT or \c OPENVPN_OP_DECRYPT).
  */
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key,
- const char *cipername, int enc);
+ const char *cipername, crypto_operation_t enc);

 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 1a39752..91485cb 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -566,11 +566,12 @@

 void
 cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key,
-const char *ciphername, const mbedtls_operation_t operation)
+const char *ciphername, int enc)
 {
 ASSERT(NULL != ciphername && NULL != ctx);
 CLEAR(*ctx);

+const mbedtls_operation_t operation = (mbedtls_operation_t)enc;
 const mbedtls_cipher_info_t *kt = cipher_get(ciphername);
 ASSERT(kt);
 size_t key_bitlen = mbedtls_cipher_info_get_key_bitlen(kt);
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 46f76e2..48d1e20 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -63,6 +63,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMMBEDTLS_MODE_GCM

+typedef mbedtls_operation_t crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  MBEDTLS_ENCRYPT

diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index c0e95b4..4cd988a 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -85,6 +85,8 @@
 /** Cipher is in GCM mode */
 #define OPENVPN_MODE_GCMEVP_CIPH_GCM_MODE

+typedef int crypto_operation_t;
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT  1


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [L] Change in openvpn[master]: Remove openvpn_snprintf and similar functions

[ordex (Code Review)]

Attention is currently required from: flichtenheld, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/547?usp=email )

Change subject: Remove openvpn_snprintf and similar functions
..


Patch Set 2:

(5 comments)

Patchset:

PS2:
some nit picks below..


File src/openvpn/proxy.c:

http://gerrit.openvpn.net/c/openvpn/+/547/comment/d2c89116_22dbc48e :
PS2, Line 962: if (sret >= sizeof(buf))
if this can truly happen, does it mean that the buffer is undersized compared 
to the size of all variables we are putting together?

Therefore, wouldn't it make more sense to extend the size of the buffer to 
ensure that no matter what we save in those variables, we will always be able 
to create the HTTP header?

Or there is a limit with the HTTP header that we have to deal with?

My concern is that we are not preventing people from filling those variables as 
they please, but we will then fail to put them together for no good reason.

does it make sense?


File src/openvpn/socks.c:

http://gerrit.openvpn.net/c/openvpn/+/547/comment/8bdf0e3c_8356c931 :
PS2, Line 114: (int) strlen(creds.username), 
creds.username,
normally we don't put a paceb etween the cast and the variable name.
This comments applies to all other casts below


http://gerrit.openvpn.net/c/openvpn/+/547/comment/b417986e_a5f333df :
PS2, Line 116: ASSERT(sret <= sizeof(to_send));
why ASSERT here while in other cases we just go to error or cleanup?


File tests/unit_tests/openvpn/test_buffer.c:

http://gerrit.openvpn.net/c/openvpn/+/547/comment/f8c8a505_dbfb9729 :
PS2, Line 369:  * for this unit test. We know that are doing this that are 
truncated
I think there is some typ0 here.
Maybe something like: "We know that results will be truncated and we actually 
want to test that".



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/547?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I07096977e3b562bcb5d2c6f11673a4175b8e12ac
Gerrit-Change-Number: 547
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 10:48:48 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [L] Change in openvpn[master]: Implement support for larger packet counter sizes

[plaisthos (Code Review)]

Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/507?usp=email )

Change subject: Implement support for larger packet counter sizes
..


Patch Set 4:

(5 comments)

File src/openvpn/crypto.h:

http://gerrit.openvpn.net/c/openvpn/+/507/comment/f254a2ce_f57578ee :
PS3, Line 292:  * big ending number in the wire format.
> "endian"?
Acknowledged


File src/openvpn/crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/507/comment/5002c984_e4c79e7d :
PS3, Line 393: /* Combine IV from explicit part from packet and implicit 
part from context,
> End on ". […]
Done


http://gerrit.openvpn.net/c/openvpn/+/507/comment/7c48e081_1bd56f08 :
PS3, Line 394:  * the length of the implicit length is initialised when the 
implicit is
> That sentence is very unwieldy. […]
Done


File src/openvpn/dco.h:

http://gerrit.openvpn.net/c/openvpn/+/507/comment/2852f4e6_e5ca91be :
PS3, Line 253:  * Return if the dco implementation supports the new protocol 
features of
> "if" -> "whether"
Done


File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/507/comment/7d199642_142d7abf :
PS3, Line 3308: to.data_v3_features_supported = false;
> I think you mean "to. […]
Acknowledged



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/507?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I01e258e97351b5aa4b9e561f5b35ddc2318569e2
Gerrit-Change-Number: 507
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 10:40:22 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [L] Change in openvpn[master]: Implement support for larger packet counter sizes

[plaisthos (Code Review)]

Attention is currently required from: plaisthos.

Hello flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/507?usp=email

to look at the new patch set (#4).


Change subject: Implement support for larger packet counter sizes
..

Implement support for larger packet counter sizes

With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more.

To illustrate the problem, some back of the envelope math here:

If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2*32 * 0.7) to work with. That translates to
about 835k packets per second.

With 1300 Byte packets that translates into 8-9 Gbit/s. That is far
from unrealistic any more. Current DCO implementations are already in
spitting distance to that or might even reach (for a single client
connection) that if you have extremely fast
single core performance CPU.

This introduces the 64bit packet counters for AEAD data channel
ciphers in TLS mode ciphers. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.

While we still keep the old --secret logic around we use the same
weird unix timestamp + packet counter format to avoid refactoring the
code now and again when we remove --secret code but DCO
implementations are free to use just a single 64 bit counter. One
other small downside of this approach is that when rollover happens
and we get reordering all the older packets are thrown away since
the distance between the packet before and after the rollover is
quite large as we probably jump forward more than 1s (or more than
2^32 packet ids). But this is an obscure edge that we can
(currently) live with.

Change-Id: I01e258e97351b5aa4b9e561f5b35ddc2318569e2
Signed-off-by: Arne Schwabe 
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/dco.h
M src/openvpn/init.c
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/packet_id.c
M src/openvpn/packet_id.h
M src/openvpn/push.c
M src/openvpn/ssl.c
M src/openvpn/ssl.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_ncp.c
M tests/unit_tests/openvpn/test_ssl.c
14 files changed, 386 insertions(+), 42 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/07/507/4

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 9758c8c..51c9eb9 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -68,6 +68,7 @@
 const struct key_ctx *ctx = >key_ctx_bi.encrypt;
 uint8_t *mac_out = NULL;
 const int mac_len = OPENVPN_AEAD_TAG_LENGTH;
+bool longiv = opt->flags & CO_64_BIT_PKT_ID;

 /* IV, packet-ID and implicit IV required for this mode. */
 ASSERT(ctx->cipher);
@@ -86,7 +87,7 @@
 buf_set_write(_buffer, iv, iv_len);

 /* IV starts with packet id to make the IV unique for packet */
-if (!packet_id_write(>packet_id.send, _buffer, false, false))
+if (!packet_id_write_flat(>packet_id.send, _buffer, longiv))
 {
 msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
 goto err;
@@ -355,6 +356,9 @@
  * Set buf->len to 0 and return false on decrypt error.
  *
  * On success, buf is set to point to plaintext, true is returned.
+ *
+ * This method assumes that everything between ad_start and BPTR(buf) is
+ * authenticated data and therefore has no ad_len parameter
  */
 static bool
 openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
@@ -384,7 +388,11 @@
 /* IV and Packet ID required for this mode */
 ASSERT(packet_id_initialized(>packet_id));

-/* Combine IV from explicit part from packet and implicit part from 
context */
+bool longiv = opt->flags & CO_64_BIT_PKT_ID;
+
+/* Combine IV from explicit part from packet and implicit part from 
context.
+ * packet_iv_len and implicit_iv are initialised in init_key_contexts
+ * when keys are initialised as well */
 {
 uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 };
 const int iv_len = cipher_ctx_iv_length(ctx->cipher);
@@ -409,7 +417,7 @@
 }

 /* Read packet ID from packet */
-if (!packet_id_read(, buf, false))
+if (!packet_id_read_flat(, buf, longiv))
 {
 CRYPT_ERROR("error reading packet-id");
 }
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 61184bc..5188c9c 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -248,8 +248,10 @@
  *   OpenVPN process startups. */

 #define CO_PACKET_ID_LONG_FORM  (1<<0)
-/**< Bit-flag indicating whether to use
-*   OpenVPN's long packet ID format. */
+/**< Bit-flag indicating whether to use OpenVPN's long packet ID format.
+ * This format puts [4 byte counter][4byte timestamp] on the wire in
+ * big endian/network endian format.
+  

[Openvpn-devel] [M] Change in openvpn[master]: Implement support for AEAD tag at the end

[plaisthos (Code Review)]

Attention is currently required from: plaisthos.

Hello flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/506?usp=email

to look at the new patch set (#4).

The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.


Change subject: Implement support for AEAD tag at the end
..

Implement support for AEAD tag at the end

Using the AEAD tag at the end is the standard way of doing AEAD. Several
APIs even only support the tag at the end (e.g. mbed TLS). Having the tag at
the front or end makes no difference for security but allows streaming HW
implementations like NICs to be much more efficient as they do not need to
buffer a whole packet content and encrypt it to finally write the tag but
instead just add the calculated tag at the end of processing.

Change-Id: I00821d75342daf3f813b829812d648fe298bea81
Signed-off-by: Arne Schwabe 
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/push.c
M tests/unit_tests/openvpn/test_ssl.c
6 files changed, 80 insertions(+), 26 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/506/4

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5d05cc4..9758c8c 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -104,14 +104,10 @@
 ASSERT(cipher_ctx_reset(ctx->cipher, iv));
 }

-/* Reserve space for authentication tag */
-mac_out = buf_write_alloc(, mac_len);
-ASSERT(mac_out);
-
 dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), 
BLEN(buf), 80, ));

 /* Buffer overflow check */
-if (!buf_safe(, buf->len + cipher_ctx_block_size(ctx->cipher)))
+if (!buf_safe(, buf->len + mac_len + 
cipher_ctx_block_size(ctx->cipher)))
 {
 msg(D_CRYPT_ERRORS,
 "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
@@ -121,9 +117,16 @@
 }

 /* For AEAD ciphers, authenticate Additional Data, including opcode */
-ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(), BLEN() - 
mac_len));
+ASSERT(cipher_ctx_update_ad(ctx->cipher, BPTR(), BLEN()));
 dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s",
- format_hex(BPTR(), BLEN() - mac_len, 0, ));
+ format_hex(BPTR(), BLEN(), 0, ));
+
+if (!(opt->flags & CO_AEAD_TAG_AT_THE_END))
+{
+/* Reserve space for authentication tag */
+mac_out = buf_write_alloc(, mac_len);
+ASSERT(mac_out);
+}

 /* Encrypt packet ID, payload */
 ASSERT(cipher_ctx_update(ctx->cipher, BEND(), , BPTR(buf), 
BLEN(buf)));
@@ -133,6 +136,14 @@
 ASSERT(cipher_ctx_final(ctx->cipher, BEND(), ));
 ASSERT(buf_inc_len(, outlen));

+/* if the tag is at end the end, allocate it now */
+if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+{
+/* Reserve space for authentication tag */
+mac_out = buf_write_alloc(, mac_len);
+ASSERT(mac_out);
+}
+
 /* Write authentication tag */
 ASSERT(cipher_ctx_get_tag(ctx->cipher, mac_out, mac_len));

@@ -353,7 +364,6 @@
 static const char error_prefix[] = "AEAD Decrypt error";
 struct packet_id_net pin = { 0 };
 const struct key_ctx *ctx = >key_ctx_bi.decrypt;
-uint8_t *tag_ptr = NULL;
 int outlen;
 struct gc_arena gc;
 
@@ -406,19 +416,29 @@

 /* keep the tag value to feed in later */
 const int tag_size = OPENVPN_AEAD_TAG_LENGTH;
-if (buf->len < tag_size)
+if (buf->len < tag_size + 1)
 {
-CRYPT_ERROR("missing tag");
+CRYPT_ERROR("missing tag or no payload");
 }
-tag_ptr = BPTR(buf);
-ASSERT(buf_advance(buf, tag_size));
+
+const int ad_size = BPTR(buf) - ad_start;
+
+uint8_t *tag_ptr = NULL;
+int data_len = 0;
+
+if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+{
+data_len = BLEN(buf) - tag_size;
+tag_ptr = BPTR(buf) + data_len;
+}
+else
+{
+tag_ptr = BPTR(buf);
+ASSERT(buf_advance(buf, tag_size));
+data_len = BLEN(buf);
+}
+
 dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, 
));
-
-if (buf->len < 1)
-{
-CRYPT_ERROR("missing payload");
-}
-
 dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), 
BLEN(buf), 0, ));

 /* Buffer overflow check (should never fail) */
@@ -427,20 +447,19 @@
 CRYPT_ERROR("potential buffer overflow");
 }

-{
-/* feed in tag and the authenticated data */
-const int ad_size = BPTR(buf) - ad_start - tag_size;
-ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size));
-dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s",
- format_hex(BPTR(buf) - ad_size - tag_size, ad_size, 0, ));
-}
+
+/* feed in tag and the authenticated data */
+ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size));
+dmsg(D_PACKET_CONTENT, 

[Openvpn-devel] [XS] Change in openvpn[master]: mbedtls: avoid warning with GCC 13+

[plaisthos (Code Review)]

Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/548?usp=email )

Change subject: mbedtls: avoid warning with GCC 13+
..


Patch Set 1: Code-Review-1

(1 comment)

Patchset:

PS1:
I would rather have a typedef in crypto_mbedtls.h and crypto_openssl.h that 
does something like

typedef mbedtls_operation_t encryption_operation_t;

and then use that type consistently in the API. Do you want to take a stab at 
that or should I take over?



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/548?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If0dcdde30879fd6185efb2ad31399c1629c04d22
Gerrit-Change-Number: 548
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Wed, 27 Mar 2024 09:30:02 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel