Attention is currently required from: cron2, flichtenheld, ordex.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/797?usp=email )

Change subject: Use XOR instead of concatenation for calculation of IV from implicit IV
......................................................................

Patch Set 2:

(9 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/59bcb58e_1dd37b5e :
PS2, Line 12: IV generation code later.
> Question: what is the advantage of XOR'ing the IV with the packet ID? And why
> is the implicit IV gro […]
The implicit IV is growing from 64 bits to 96 bits. The whole IV is 96 bits and with Data v2 we use 32 bit packet id || implicit_iv to form the IV.

File src/openvpn/crypto.h:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/141bbf3c_5381bd8d :
PS2, Line 168: size_t implicit_iv_len; /**< The length of implicit_iv */
> why is the len being removed? What is the underlying assumption allowing us
> to drop the len? […]
The underlying assumption is that the implicit IV is always XORed to generate the IV. So the implicit IV len is always the same length as the length of the IV.

http://gerrit.openvpn.net/c/openvpn/+/797/comment/cc89468e_4b046e53 :
PS2, Line 173: uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH];
> I believe I understand the comment above, but I have trouble combining it
> with OPENVPN_MAX_IV_LENGT […]
Yes, we only fill as many bytes as the size of the IV of the cipher we are using.

File src/openvpn/crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/d33cecd7_d179dad1 :
PS2, Line 102: * XOR of packet and implicit IV */
> This comment doesn't fully compile. […]
Done

http://gerrit.openvpn.net/c/openvpn/+/797/comment/23e39761_6d3a4ea0 :
PS2, Line 445: * XOR of packet counter and implicit IV */
> same comment as before
Done

File src/openvpn/dco_freebsd.c:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/dc522f44_9fe63698 :
PS2, Line 398: /* FreeBSD uses the contact operation, need to skip the first 4 null
> concat?
Acknowledged

File src/openvpn/dco_linux.c:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/e2a5f44c_31248b37 :
PS2, Line 588: /* First 4 zero bytes as the kernel does concat instead of XOR */
> "skip" first 4 zero bytes?
Done

http://gerrit.openvpn.net/c/openvpn/+/797/comment/a7e16baf_72713641 :
PS2, Line 599: /* First 4 zero bytes as the kernel does concat instead of XOR */
> as above
Done

File src/openvpn/dco_win.c:

http://gerrit.openvpn.net/c/openvpn/+/797/comment/9c728a26_c4af20b0 :
PS2, Line 317: /* First 4 zero bytes as ovpn-dco-win does concat instead of XOR */
> same comment as for Linux DCO, but no +4 here? confusing
Yeah, looks like I only tested Windows. Since all of them directly get the keys from the key2 structure, the patch does not interact with that. Will remove it from all platforms in the fixed version.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/797?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I74216d776d3e0a8dc987ec7b1671c8e8dcccdbd6
Gerrit-Change-Number: 797
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: cron2 <g...@greenie.muc.de>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-CC: ordex <a...@unstable.cc>
Gerrit-Attention: cron2 <g...@greenie.muc.de>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Attention: ordex <a...@unstable.cc>
Gerrit-Comment-Date: Wed, 13 Nov 2024 12:49:21 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 <g...@greenie.muc.de>
Comment-In-Reply-To: ordex <a...@unstable.cc>
Gerrit-MessageType: comment
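
Added illustration, not part of the original message and not OpenVPN's code: the two IV constructions discussed in this thread side by side, showing why a 96-bit implicit IV whose first 4 bytes are zero makes XOR produce the same IV as "packet id || implicit_iv". The function names, the network byte order and the placement of the packet ID in the leading bytes for the XOR case are assumptions; the key bytes are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IV_LEN  12  /* 96-bit IV, as stated in the thread */
#define PID_LEN 4   /* 32-bit packet ID */

/* Assumption: the packet ID occupies the leading bytes in network order. */
static void put_pid(uint8_t *dst, uint32_t pid)
{
    dst[0] = (uint8_t)(pid >> 24);
    dst[1] = (uint8_t)(pid >> 16);
    dst[2] = (uint8_t)(pid >> 8);
    dst[3] = (uint8_t)pid;
}

/* Concatenation: IV = packet_id || 64-bit implicit IV. */
void iv_concat(uint8_t iv[IV_LEN], uint32_t pid, const uint8_t imp64[IV_LEN - PID_LEN])
{
    put_pid(iv, pid);
    memcpy(iv + PID_LEN, imp64, IV_LEN - PID_LEN);
}

/* XOR: IV = (packet_id zero-padded to IV_LEN) XOR 96-bit implicit IV. */
void iv_xor(uint8_t iv[IV_LEN], uint32_t pid, const uint8_t imp96[IV_LEN])
{
    memset(iv, 0, IV_LEN);
    put_pid(iv, pid);
    for (size_t i = 0; i < IV_LEN; i++)
        iv[i] ^= imp96[i];
}

/* Returns 1 when XOR with imp96 gives the same IV as concat with its last 8 bytes. */
int xor_equals_concat(uint32_t pid, const uint8_t imp96[IV_LEN])
{
    uint8_t a[IV_LEN], b[IV_LEN];
    iv_xor(a, pid, imp96);
    iv_concat(b, pid, imp96 + PID_LEN);
    return memcmp(a, b, IV_LEN) == 0;
}

/* Constructed sample values, not real key material. */
const uint8_t ZERO_PREFIX[IV_LEN] = {0, 0, 0, 0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8};
const uint8_t FULL_96[IV_LEN] = {0x11, 0x22, 0x33, 0x44, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8};

int main(void)
{
    printf("zero prefix: %d, full 96-bit: %d\n", xor_equals_concat(7, ZERO_PREFIX), xor_equals_concat(7, FULL_96));
    return 0;
}
```

With a full 96-bit implicit IV the two constructions diverge, so a peer that concatenates and a peer that XORs only agree on the IV when the leading 4 bytes of the implicit IV are zero.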