[Openvpn-devel,v2] Clarify some code in epoch with better comments

Message ID 20251203125741.29239-1-gert@greenie.muc.de
State New

Commit Message

Gert Doering Dec. 3, 2025, 12:57 p.m. UTC
From: Arne Schwabe <arne@rfc2549.org>

Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering Dec. 4, 2025, 1:23 p.m. UTC | #1
Improved documentation is always welcome :-)

I have taken Antonio's last-minute complaint into account and adjusted
the end-of-comment '*/' bits to live on their own line.  I did not touch
other comments in these files, just those that were touched in Arne's
patch.

Since this is just comments, I've only done a sanity check compile to
ensure I didn't fat-finger one of my changes.

Your patch has been applied to the master branch.

commit c282b62f9072b513c0fa8eef49fd8fc7c47afd15
Author: Arne Schwabe
Date:   Wed Dec 3 13:57:34 2025 +0100

     Clarify some code in epoch with better comments

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
     Message-Id: <20251203125741.29239-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34829.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8049b3a..d6b8841 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -97,6 +97,12 @@ 
         /* IV starts with packet id to make the IV unique for packet */
         if (use_epoch_data_format)
         {
+            /* Note this does not check aead_usage_limit but can overstep it by
+             * a few extra blocks in one extra write. This is not affecting the
+             * security margin as these extra blocks are on a completely
+             * different order of magnitude than the security margin.
+             * The next iteration/call to epoch_check_send_iterate will
+             * iterate the epoch */
             if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer))
             {
                 msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
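Review bot: The added comment above the packet_id_write_epoch() call gives the overshoot only as "a few extra blocks" and the margin only as "a completely different order of magnitude", neither of which a reader can check against aead_usage_limit. Since the overshoot is confined to "one extra write", state it as bounded by the size of that single write, and say where epoch_check_send_iterate runs relative to this call so it is clear that the next send cannot overstep again. Wording: "This is not affecting" reads better as "This does not affect", and the closing '*/' should sit on its own line, as raised in the reply above.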
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 72c6821..3842615 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -298,7 +298,7 @@ 
 
     /** last epoch_key used for generation of the current send data keys.
      * As invariant, the epoch of epoch_key_send is always kept >= the epoch of
-     * epoch_key_recv */
+     * key_ctx_bi.decrypt.epoch  */
     struct epoch_key epoch_key_send;
 
     /** epoch_key used for the highest receive epoch keys */
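Review bot: The rewritten invariant on epoch_key_send leaves two spaces before the closing '*/' in "key_ctx_bi.decrypt.epoch  */", and it now compares against key_ctx_bi.decrypt.epoch while the member documented right below is still described as the epoch_key "used for the highest receive epoch keys". Add a short clause saying why the invariant is tied to the decrypt context's epoch rather than to epoch_key_recv, so readers do not assume the two always hold the same value.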
@@ -309,7 +309,7 @@ 
 
     /** The limit for AEAD cipher, this is the sum of packets + blocks
      * that are allowed to be used. Will switch to a new epoch if this
-     * limit is reached*/
+     * limit is reached. */
     uint64_t aead_usage_limit;
 
     /** Keeps the future epoch data keys for decryption. The current one
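Review bot: The aead_usage_limit comment still reads "Will switch to a new epoch if this limit is reached", while the comment added to crypto.c in this same patch says the write path does not check the limit and can overstep it in one extra write. Reword so the two agree, for example "Will switch to a new epoch on the next check after this limit is reached", and consider stating what "packets + blocks" is counted over, since the limit is the basis of the security margin argued in crypto.c.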