Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email
to review the following change.
Change subject: Clarify some code in epoch with better comments
......................................................................
Clarify some code in epoch with better comments
Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 5 insertions(+), 2 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/1
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 4c0f684..873fda5 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,9 @@
/* IV starts with packet id to make the IV unique for packet */
if (use_epoch_data_format)
{
+ /* Note this does not check aead_usage_limit but overstepping it
by a few
+ * extra block in by one extra write, is not affecting the
security margin,
+ * next iteration/call to epoch_check_send_iterate will iterate
the epoch */
if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch,
&iv_buffer))
{
msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
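Review bot: The wording of the new comment above packet_id_write_epoch() is hard to parse ("by a few extra block in by one extra write, is not affecting"), and this comment carries a security argument, so it should read unambiguously. Suggest something like: "Note: this does not check aead_usage_limit. Overstepping it by the few extra blocks of one additional write does not affect the security margin; the next call to epoch_check_send_iterate will move to the next epoch." It would also help to say in one clause why the margin is unaffected (for example that the limit is chosen with headroom), since the comment asserts this without a reason.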
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index efd7f60..0f0db13 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,7 @@
/** last epoch_key used for generation of the current send data keys.
* As invariant, the epoch of epoch_key_send is always kept >= the epoch of
- * epoch_key_recv */
+ * key_ctx_bi.decrypt.epoch */
struct epoch_key epoch_key_send;
/** epoch_key used for the highest receive epoch keys */
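Review bot: The invariant on epoch_key_send now names key_ctx_bi.decrypt.epoch instead of epoch_key_recv, which reads as a change to the documented invariant and not only a wording improvement, yet the commit message only says "better comments". Please state in the commit message whether the old text was simply wrong or the new one is a weaker or stronger guarantee. Since the next member is documented as "epoch_key used for the highest receive epoch keys", a half sentence on why the comparison is against the active decrypt key and not that member would save the reader a trip through the code.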
@@ -309,7 +309,7 @@
/** The limit for AEAD cipher, this is the sum of packets + blocks
* that are allowed to be used. Will switch to a new epoch if this
- * limit is reached*/
+ * limit is reached. */
uint64_t aead_usage_limit;
/** Keeps the future epoch data keys for decryption. The current one
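Review bot: Beyond the punctuation fix, the aead_usage_limit comment still says the code "Will switch to a new epoch if this limit is reached", while the comment added in crypto.c in this same change says the limit can be overstepped by one write before epoch_check_send_iterate moves on. Consider aligning the two, for example "Will switch to a new epoch once this limit is reached or exceeded", so the header does not promise a stricter behaviour than the send path documents.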
--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-MessageType: newchange