From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:24:10
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email ) Change subject: Clarify some code in epoch with better comments ...................................................................... Clarify some code in epoch with better comments Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34829.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..e43bc6c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,13 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch + */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..9424fd7 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -298,7 +298,8 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch + */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ 
@@ -309,7 +310,8 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. + */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Gerrit-Change-Number: 1190 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
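Review bot: In the src/openvpn/crypto.c hunk (@@ -97,6 +97,13 @@), the new comment justifies skipping the aead_usage_limit check with "a few extra blocks in one extra write" but gives no bound, so a reader cannot verify the claim that the overstep is "on a completely different order of magnitude than the security margin". Please state what caps the overstep (for example, the maximum number of blocks a single write can add) so the argument is checkable from the comment alone. The opening "Note this does not check" is also ambiguous because the comment sits directly under "IV starts with packet id"; naming the call, as in "packet_id_write_epoch() does not check aead_usage_limit", would remove the doubt. Minor wording: "This is not affecting" reads better as "This does not affect", and the last sentence lacks a full stop.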
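Review bot: In the first src/openvpn/crypto.h hunk (@@ -298,7 +298,8 @@), the documented invariant for epoch_key_send changes its right-hand side from "epoch_key_recv" to "key_ctx_bi.decrypt.epoch", which is a change in what is being asserted and not only a rewording, yet the commit message describes the change only as "better comments". Please say in the commit message or the comment why the invariant is now stated against the decrypt key context's epoch, and whether any relation to epoch_key_recv (described on the following context line as used for "the highest receive epoch keys") is still expected to hold. Since this is called out as an invariant, it is worth pointing to where it is enforced, or adding an assertion at the place epoch_key_send is advanced, so the comment cannot drift from the code again.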
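Review bot: In the second src/openvpn/crypto.h hunk (@@ -309,7 +310,8 @@), the aead_usage_limit description still says "Will switch to a new epoch if this limit is reached", while the comment added to crypto.c in this same change documents that the send path does not check the limit and can overstep it by one extra write before the epoch is iterated. Since these lines are being touched anyway, consider wording this as a threshold that triggers the switch on the next epoch_check_send_iterate call rather than a hard cap, so the two comments agree. The punctuation and closing-delimiter changes themselves look fine.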