From patchwork Mon Nov 11 02:00:05 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3935
From: "plaisthos (Code Review)"
Date: Mon, 11 Nov 2024 02:00:05 +0000
To: flichtenheld
Cc: openvpn-devel
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Rename aead-tag-at-end to aead-epoch
Message-ID: <1dd11ecfdbe24eff158a3ab357bfd4ba3d22cec2-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc
X-Gerrit-Change-Number: 805
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 8d85203f621a2c04e66ef3a5dc2cd2ad46c21565

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/805?usp=email

to review the following change.

Change subject: Rename aead-tag-at-end to aead-epoch
......................................................................
Rename aead-tag-at-end to aead-epoch Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc Signed-off-by: Arne Schwabe --- M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/push.c M src/openvpn/ssl.h M tests/unit_tests/openvpn/test_ssl.c 7 files changed, 17 insertions(+), 13 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/05/805/1 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index dc23ffc..996830c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -128,7 +128,7 @@ dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", format_hex(BPTR(&work), BLEN(&work), 0, &gc)); - if (!(opt->flags & CO_AEAD_TAG_AT_THE_END)) + if (!(opt->flags & CO_EPOCH_DATA_KEY_FORMAT)) { /* Reserve space for authentication tag */ mac_out = buf_write_alloc(&work, mac_len); @@ -149,7 +149,7 @@ ASSERT(buf_inc_len(&work, outlen)); /* if the tag is at end the end, allocate it now */ - if (opt->flags & CO_AEAD_TAG_AT_THE_END) + if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT) { /* Reserve space for authentication tag */ mac_out = buf_write_alloc(&work, mac_len); @@ -475,7 +475,7 @@ uint8_t *tag_ptr = NULL; int data_len = 0; - if (opt->flags & CO_AEAD_TAG_AT_THE_END) + if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT) { data_len = BLEN(buf) - tag_size; tag_ptr = BPTR(buf) + data_len; diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index abba30c..933bc2f 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -359,9 +359,10 @@ /**< Bit-flag indicating that renegotiations are using tls-crypt * with a TLS-EKM derived key. */ -#define CO_AEAD_TAG_AT_THE_END (1<<8) - /**< Bit-flag indicating that the AEAD tag is at the end of the - * packet. +#define CO_EPOCH_DATA_KEY_FORMAT (1<<8) + /**< Bit-flag indicating that the data format using + * AEAD tag is at the end of the packet and using epoch + * keys is used. */ unsigned int flags; /**< Bit-flags determining behavior of 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9371024..2c831fe 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2390,9 +2390,9 @@ { buf_printf(&out, " dyn-tls-crypt"); } - if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END) + if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT) { - buf_printf(&out, " aead-tag-end"); + buf_printf(&out, " aead-epoch"); } } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 10ee9f6..ec27e7f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8692,9 +8692,9 @@ options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT; } #endif - else if (streq(p[j], "aead-tag-end")) + else if (streq(p[j], "aead-epoch")) { - options->imported_protocol_flags |= CO_AEAD_TAG_AT_THE_END; + options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT; } else { diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 6c06374..01d3699 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -689,9 +689,9 @@ buf_printf(&proto_flags, " dyn-tls-crypt"); } - if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END) + if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT) { - buf_printf(&proto_flags, " aead-tag-end"); + buf_printf(&proto_flags, " aead-epoch"); } if (buf_len(&proto_flags) > 0) diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index eea1323..e47a94d 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -107,6 +107,9 @@ /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key) */ #define IV_PROTO_DYN_TLS_CRYPT (1<<9) +/** Support the extended packet id and epoch format for data channel packets */ +#define IV_PROTO_DATA_EPOCH (1<<10) + /** Supports the --dns option after all the incompatible changes */ #define IV_PROTO_DNS_OPTION_V2 (1<<11) diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index caacd9e..845ca56 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c 
@@ -404,7 +404,7 @@ run_data_channel_with_cipher_end(const char *cipher) { struct crypto_options co = init_crypto_options(cipher, "none"); - co.flags |= CO_AEAD_TAG_AT_THE_END; + co.flags |= CO_EPOCH_DATA_KEY_FORMAT; do_data_channel_round_trip(&co); uninit_crypto_options(&co); }
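Review bot: the new doc comment on CO_EPOCH_DATA_KEY_FORMAT in the crypto.h hunk does not parse ("Bit-flag indicating that the data format using AEAD tag is at the end of the packet and using epoch keys is used"). Suggest: "Bit-flag indicating that the epoch data key format is used: the AEAD tag is placed at the end of the packet and epoch keys are used."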
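Review bot: in the crypto.c hunks the renamed flag now names a whole key format, but all three sites that test it (the two in the encrypt path and the one computing data_len/tag_ptr on decrypt) still only decide where the tag sits; the commit message should say that epoch key handling itself is not part of this change, otherwise the flag name promises more than these branches do. While touching the second hunk, the unchanged context comment "if the tag is at end the end, allocate it now" could lose its duplicated "end".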
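Review bot: the ssl.h hunk adds IV_PROTO_DATA_EPOCH (1<<10), which the subject ("Rename aead-tag-at-end to aead-epoch") does not mention and which no other hunk in this change references; either drop it from this rename or describe it in the commit message, since a reviewer of the rename alone will not expect a new IV_PROTO bit. The value itself fits the gap between IV_PROTO_DYN_TLS_CRYPT (1<<9) and IV_PROTO_DNS_OPTION_V2 (1<<11).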
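Review bot: the options.c, push.c and init.c hunks rename a wire keyword, not just a C identifier: "aead-tag-end" becomes "aead-epoch" in the pushed protocol flags, so a peer still sending "aead-tag-end" now falls through to the `else` branch after the streq() chain in options.c. The commit message should state whether any released build ever emitted the old keyword; also, the subject says "aead-tag-at-end" while the literal actually renamed is "aead-tag-end", so the subject should match the real keyword.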
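Review bot: the test_ssl.c hunk updates the flag but leaves the helper named run_data_channel_with_cipher_end, which still describes the old "tag at end" semantics; for consistency with the rename, consider calling it run_data_channel_with_cipher_epoch (or similar) in the same change.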