From patchwork Wed Dec 3 12:57:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4653 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:6c3:b0:7b1:439f:bdf with SMTP id j3csp8533253maw; Wed, 3 Dec 2025 04:58:05 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVQkGvgP7m0H5B39RKZWP6xBCx216edzfQcAuLyzgPiek1zJtrEyYOI5tJOLUFCmEDxAHNlY3FehFY=@openvpn.net X-Google-Smtp-Source: AGHT+IFKLyZ9H05bqiema0RBP3YGdmZHrH2xlmObHOFYyH7yqNWAE/TdsnxyKaJ5DjMEYQrA8K7h X-Received: by 2002:a05:687c:20c1:b0:3ec:3685:34a1 with SMTP id 586e51a60fabf-3f1693c9c11mr1196554fac.25.1764766685262; Wed, 03 Dec 2025 04:58:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1764766685; cv=none; d=google.com; s=arc-20240605; b=g3DENNDLmdnxKDmNC7iQfi51gBN/nIMCPQJktzeX24JV5xdVwqnxrUf2xhawSW1BEQ DMFAi2KXz2pFob3J4hYbg+rF5ukbKv9CHAtpfecsqzPp3vrH7S01Y50NqCVsRSRCS1/Q xkSzxAmNgHRSfGKW6LBDtlBVbyOWqILfPF7V2rLQ+AX+KlXC4CiUYryzyq5Bz6cFz5fX TbpbcYWxj843OA1vmSvbob3JCigUx+1+a+kiB/Ca5ve42oUA3SBPl8XTxyKIQ70R1oeL 3E6gBEFfIFVcf6ppoKRxYsJ9uLwUUcczXe6oJJJBBIV9jFCQ6F6QJiJK+5sXfH5gLxXH m92w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=ifzl50eJ0neUphNspOijqkO+JZu2ijKgWNENQRacd80=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=H56c0nv27WLM1l9rBTdqul66CRJNmr1+33QoQnPAvizfAsFgk6AxH6pRaRWUeUJ26d Rmegxi9A2QPbd2Nb+8yW8Vf5OHX+iQFUPfVnnvTdxJJv8MGvPeAtR98qnWF0/NKvSNfU Snra8zxbt4u17OjNVsssfMqzV9O1d3FAUNBhmcPM1YpYBVUDQcEnFAqMtWsQSiI7E0bH hxjQPjhVzomVFUZ62Buxt/KloZjt+1pEj9Ypq3QTfw3Zvhv9c1Vc4+BfkVjLPMTUD3sw a8JXtBBcBLEc53W6HlUtQqVkdWE5a9viM9nmJ6FIx94qX7xbqEvYqvgm3u2gaHY4Fmcx M57w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="BBfTQk/7"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EHncMbVm; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=mJDEn+nG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-3f0dcfbbff9si4120227fac.430.2025.12.03.04.58.04 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Dec 2025 04:58:04 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="BBfTQk/7"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EHncMbVm; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=mJDEn+nG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=ifzl50eJ0neUphNspOijqkO+JZu2ijKgWNENQRacd80=; b=BBfTQk/7fKumbiuQIKi2AfC6jg slx5RE1x7ejQo22QAhUq3WxnNfOtkhCla2l3uWvzkXd3OOa8+PuAjf72MH9htZopHzSQOu7DlQoNV lkUvOfhalv5JYpGIRjayS0P86GsuyLK0FMt9dbbIQ+RD18WjuqVl3pOGMfWV3qSHHqtg=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vQmQg-0002lB-8j; Wed, 03 Dec 2025 12:57:59 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vQmQX-0002kt-J3 for openvpn-devel@lists.sourceforge.net; Wed, 03 Dec 2025 12:57:50 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=PyZl9sPNhsoleBenC/Nn6SI7VgnCp9JavdLmH0uFPHc=; b=EHncMbVmESAc3kSs15B8ocnHJO E7KHrF+5IsJMs61Mn+tzvNizhFc08NzYaxZt8CUDQpsYn6b0sLbi7+OS3BDZzkkWLzZhYmzPGv9a1 uCZtyuXfZkyl6f4e0QFrzx6HXi6aCcNTZN9TH0x7ZRus2U4T3bhT97LqSPLxH6r3ef4s=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=PyZl9sPNhsoleBenC/Nn6SI7VgnCp9JavdLmH0uFPHc=; b=mJDEn+nGunHJkcSGaRW1bXclnA z2nR8+8GUGs9Yi+WZ9F+YRDW6Pkmf1xB8yqDfv2ryQDmuRvVIhp11P8xNu606ZI+RaGVTkxN3SDBZ ZTjiJyYc4/4FzAV372P09ga7I5ehwPgA/ItLkUgWfFF7Di8SjsbMsrcSCQqDlIRTkJ7I=; Received: from [193.149.48.134] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vQmQW-00039w-UN for openvpn-devel@lists.sourceforge.net; Wed, 03 Dec 2025 12:57:50 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 5B3Cvf2N029261 for ; Wed, 3 Dec 2025 13:57:41 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 5B3CvfSo029260 for openvpn-devel@lists.sourceforge.net; Wed, 3 Dec 2025 13:57:41 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Wed, 3 Dec 2025 13:57:34 +0100 Message-ID: <20251203125741.29239-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.51.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn [...] Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1vQmQW-00039w-UN Subject: [Openvpn-devel] [PATCH v2] Clarify some code in epoch with better comments X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1850491992074097868?= X-GMAIL-MSGID: =?utf-8?q?1850491992074097868?= From: Arne Schwabe Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..d6b8841 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,12 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..3842615 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -298,7 +298,7 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ @@ -309,7 +309,7 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one