[Openvpn-devel] [S] Change in openvpn[master]: Clarify some code in epoch with better comments

2025-12-04 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#3) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review-1 by ordex


Change subject: Clarify some code in epoch with better comments
..

Clarify some code in epoch with better comments

Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
Message-Id: <[email protected]>
URL: 
https://www.mail-archive.com/[email protected]/msg34829.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 11 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/3

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8049b3a..e43bc6c 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,13 @@
 /* IV starts with packet id to make the IV unique for packet */
 if (use_epoch_data_format)
 {
+/* Note this does not check aead_usage_limit but can overstep it by
+ * a few extra blocks in one extra write. This is not affecting the
+ * security margin as these extra blocks are on a completely
+ * different order of magnitude than the security margin.
+ * The next iteration/call to epoch_check_send_iterate will
+ * iterate the epoch
+ */
 if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, 
&iv_buffer))
 {
 msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
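Review bot: The new comment above the packet_id_write_epoch() call says the limit can be overstepped "by a few extra blocks in one extra write" but gives no bound, so a reader cannot check the "completely different order of magnitude" claim from the comment alone. Suggest stating the worst case concretely (for example the block count of one maximum-size packet, if that is the bound) and making clear that the comment is about aead_usage_limit accounting, not about the roll-over error handled on the lines directly below it.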
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 72c6821..9424fd7 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,8 @@

 /** last epoch_key used for generation of the current send data keys.
  * As invariant, the epoch of epoch_key_send is always kept >= the epoch of
- * epoch_key_recv */
+ * key_ctx_bi.decrypt.epoch
+ */
 struct epoch_key epoch_key_send;

 /** epoch_key used for the highest receive epoch keys */
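Review bot: In the epoch_key_send comment the invariant now refers to key_ctx_bi.decrypt.epoch, but the comment does not say why the decrypt key context is the reference point rather than the member documented next ("epoch_key used for the highest receive epoch keys"), nor where the invariant is enforced. One more sentence naming the code path that keeps the send epoch >= the decrypt epoch would let a reader verify it.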
@@ -309,7 +310,8 @@

 /** The limit for AEAD cipher, this is the sum of packets + blocks
  * that are allowed to be used. Will switch to a new epoch if this
- * limit is reached*/
+ * limit is reached.
+ */
 uint64_t aead_usage_limit;

 /** Keeps the future epoch data keys for decryption. The current one
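Review bot: The aead_usage_limit comment still reads "Will switch to a new epoch if this limit is reached", which suggests a hard cap, while the comment added to crypto.c in this same change says the send path "does not check aead_usage_limit but can overstep it by a few extra blocks". Suggest wording this one to match, for example that the epoch is switched on the next send check after the limit is reached.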

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-CC: openvpn-devel 
___
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: Clarify some code in epoch with better comments

2025-12-04 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email )

Change subject: Clarify some code in epoch with better comments
..

Clarify some code in epoch with better comments

Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
Message-Id: <[email protected]>
URL: 
https://www.mail-archive.com/[email protected]/msg34829.html
Signed-off-by: Gert Doering 
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 11 insertions(+), 2 deletions(-)




diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8049b3a..e43bc6c 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,13 @@
 /* IV starts with packet id to make the IV unique for packet */
 if (use_epoch_data_format)
 {
+/* Note this does not check aead_usage_limit but can overstep it by
+ * a few extra blocks in one extra write. This is not affecting the
+ * security margin as these extra blocks are on a completely
+ * different order of magnitude than the security margin.
+ * The next iteration/call to epoch_check_send_iterate will
+ * iterate the epoch
+ */
 if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, 
&iv_buffer))
 {
 msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
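Review bot: Wording in the added comment: "This is not affecting the security margin" reads better as "This does not affect the security margin", and the last sentence ("... will iterate the epoch") has no closing period, unlike the other sentences in the block.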
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 72c6821..9424fd7 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,8 @@

 /** last epoch_key used for generation of the current send data keys.
  * As invariant, the epoch of epoch_key_send is always kept >= the epoch of
- * epoch_key_recv */
+ * key_ctx_bi.decrypt.epoch
+ */
 struct epoch_key epoch_key_send;

 /** epoch_key used for the highest receive epoch keys */
@@ -309,7 +310,8 @@

 /** The limit for AEAD cipher, this is the sum of packets + blocks
  * that are allowed to be used. Will switch to a new epoch if this
- * limit is reached*/
+ * limit is reached.
+ */
 uint64_t aead_usage_limit;

 /** Keeps the future epoch data keys for decryption. The current one


Gerrit-MessageType: merged
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-CC: openvpn-devel 


[Openvpn-devel] [S] Change in openvpn[master]: Clarify some code in epoch with better comments

2025-12-04 Thread ordex (Code Review)
Attention is currently required from: plaisthos.

ordex has posted comments on this change by plaisthos. ( 
http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email )

Change subject: Clarify some code in epoch with better comments
..


Patch Set 2: Code-Review-1

(2 comments)

File src/openvpn/crypto.h:

http://gerrit.openvpn.net/c/openvpn/+/1190/comment/7157deb0_b889163c?usp=email :
PS2, Line 312:  * limit is reached. */
shouldn't the closing */ be on a new line like all other multiline comments?


File src/openvpn/crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/1190/comment/ccf561c6_6036bff1?usp=email :
PS2, Line 105:  * iterate the epoch */
same here




Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Thu, 04 Dec 2025 12:47:20 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes


[Openvpn-devel] [S] Change in openvpn[master]: Clarify some code in epoch with better comments

2025-12-03 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change by plaisthos. ( 
http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email )

Change subject: Clarify some code in epoch with better comments
..


Patch Set 2: Code-Review+2



Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Wed, 03 Dec 2025 11:33:11 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes


[Openvpn-devel] [S] Change in openvpn[master]: Clarify some code in epoch with better comments

2025-12-02 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

Hello flichtenheld, 

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld


Change subject: Clarify some code in epoch with better comments
..

Clarify some code in epoch with better comments

Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe 
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 8 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/2

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8049b3a..d6b8841 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,12 @@
 /* IV starts with packet id to make the IV unique for packet */
 if (use_epoch_data_format)
 {
+/* Note this does not check aead_usage_limit but can overstep it by
+ * a few extra blocks in one extra write. This is not affecting the
+ * security margin as these extra blocks are on a completely
+ * different order of magnitude than the security margin.
+ * The next iteration/call to epoch_check_send_iterate will
+ * iterate the epoch */
 if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, 
&iv_buffer))
 {
 msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
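Review bot: The last sentence of the added comment uses "iterate" in two senses, "The next iteration/call to epoch_check_send_iterate will iterate the epoch". Something like "will move to the next epoch" says what happens without leaning on the function name.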
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 72c6821..3842615 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,7 @@

 /** last epoch_key used for generation of the current send data keys.
  * As invariant, the epoch of epoch_key_send is always kept >= the epoch of
- * epoch_key_recv */
+ * key_ctx_bi.decrypt.epoch  */
 struct epoch_key epoch_key_send;

 /** epoch_key used for the highest receive epoch keys */
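Review bot: The changed line "+ * key_ctx_bi.decrypt.epoch  */" has two spaces before the closing "*/". Drop one, or put the "*/" on its own line if that is the style used for the other multi-line comments in this header.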
@@ -309,7 +309,7 @@

 /** The limit for AEAD cipher, this is the sum of packets + blocks
  * that are allowed to be used. Will switch to a new epoch if this
- * limit is reached*/
+ * limit is reached. */
 uint64_t aead_usage_limit;

 /** Keeps the future epoch data keys for decryption. The current one
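Review bot: The aead_usage_limit comment defines the limit as "the sum of packets + blocks", two different units added into one uint64_t, without saying what counts as a block or which counter is compared against it. Since this hunk already touches the comment, suggest adding that detail or a pointer to where the usage counter is updated.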


Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 