[Openvpn-devel,2/9] Directly use hardcoded OPENVPN_TAG_LENGTH instead of lookup

Message ID 20211201180727.2496903-2-arne@rfc2549.org
State Accepted
  • [Openvpn-devel,1/9] Implement optional cipher in --data-ciphers prefixed with ?

Commit Message

Arne Schwabe Dec. 1, 2021, 6:07 p.m.
We always use the same tag size for all AEAD ciphers, so instead
of doing a lookup, always use the same tag size.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
 src/openvpn/crypto.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)


Gert Doering Dec. 5, 2021, 5:26 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Verified that these changes are only done within "aead" encrypt/decrypt
crypto functions, and we already know it's an AEAD cipher.  Changed the 
commit subject to actually name it "AEAD" TAG_LENGTH :-)

(I wondered why the patch does not remove cipher_kt_tag_size() right
away, but that's our beloved crypto_adjust_frame_parameters()... so
I assume that will come as part of the frame cleanup later on)

Lightly tested client side, with BF-CBC and AEAD connections.

Your patch has been applied to the master branch.

commit e82e3382384846456881eec97d626b2d4cfb2df6
Author: Arne Schwabe
Date:   Wed Dec 1 19:07:20 2021 +0100

     Directly use hardcoed OPENVPN_AEAD_TAG_LENGTH instead lookup

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20211201180727.2496903-2-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23273.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 251decdc5..270d83c56 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -69,7 +69,7 @@  openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
     const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
     uint8_t *mac_out = NULL;
     const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
-    const int mac_len = cipher_kt_tag_size(cipher_kt);
+    const int mac_len = OPENVPN_AEAD_TAG_LENGTH;
     /* IV, packet-ID and implicit IV required for this mode. */
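
Review bot: In openvpn_encrypt_aead, mac_len no longer depends on cipher_kt, yet the line directly above it still fetches cipher_kt with cipher_ctx_get_cipher_kt(ctx->cipher). If nothing else in the function reads cipher_kt, that line can be dropped too. If it stays, a short comment next to `const int mac_len = OPENVPN_AEAD_TAG_LENGTH;` stating that every AEAD cipher uses this tag size would record the assumption from the commit message at the place the constant is relied on.
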
@@ -362,7 +362,6 @@  openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
     const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
     const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
     uint8_t *tag_ptr = NULL;
-    int tag_size = 0;
     int outlen;
     struct gc_arena gc;
@@ -415,7 +414,7 @@  openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
     /* keep the tag value to feed in later */
-    tag_size = cipher_kt_tag_size(cipher_kt);
+    const int tag_size = OPENVPN_AEAD_TAG_LENGTH;
     if (buf->len < tag_size)
         CRYPT_ERROR("missing tag");
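
Review bot: The new `const int tag_size = OPENVPN_AEAD_TAG_LENGTH;` is declared in the middle of openvpn_decrypt_aead, after the previous hunk removed `int tag_size = 0;` from the declarations at the top, while the encrypt path keeps `mac_len` among its top-of-function declarations. Consider changing the removed line in place to `const int tag_size = OPENVPN_AEAD_TAG_LENGTH;` so both functions follow the same pattern; the `buf->len < tag_size` check behaves the same either way. Using one name for the value in both functions (mac_len or tag_size) would also make the two paths easier to compare.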