

Change subject: Rename aead-tag-at-end to aead-epoch
......................................................................

Rename aead-tag-at-end to aead-epoch

Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
M doc/man-sections/client-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/push.c
M src/openvpn/ssl.h
M tests/unit_tests/openvpn/test_ssl.c
8 files changed, 18 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/05/805/3

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index 5ca85e0..0aee9e2 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -367,6 +367,7 @@
     - bit 7: The client is capable of sending exit notification via control 
channel using ``EXIT`` message. Also, the client is accepting the 
protocol-flags pushed option for the EKM capability
     - bit 8: The client is capable of accepting ``AUTH_FAILED,TEMP`` messages
     - bit 9: The client is capable of dynamic tls-crypt
+    - bit 10: The client is capable of data epoch keys

   :code:`IV_NCP=2`
         Negotiable ciphers, client supports ``--cipher`` pushed by
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index c04ef4f..d3f479f 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -128,7 +128,7 @@
     dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s",
          format_hex(BPTR(&work), BLEN(&work), 0, &gc));

-    if (!(opt->flags & CO_AEAD_TAG_AT_THE_END))
+    if (!(opt->flags & CO_EPOCH_DATA_KEY_FORMAT))
     {
         /* Reserve space for authentication tag */
         mac_out = buf_write_alloc(&work, mac_len);
@@ -149,7 +149,7 @@
     ASSERT(buf_inc_len(&work, outlen));

     /* if the tag is at end the end, allocate it now */
-    if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+    if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT)
     {
         /* Reserve space for authentication tag */
         mac_out = buf_write_alloc(&work, mac_len);
@@ -475,7 +475,7 @@
     uint8_t *tag_ptr = NULL;
     int data_len = 0;

-    if (opt->flags & CO_AEAD_TAG_AT_THE_END)
+    if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT)
     {
         data_len = BLEN(buf) - tag_size;
         tag_ptr = BPTR(buf) + data_len;
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 1c41443..de94ef1 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -362,9 +362,10 @@
     /**< Bit-flag indicating that renegotiations are using tls-crypt
      *   with a TLS-EKM derived key.
      */
-#define CO_AEAD_TAG_AT_THE_END  (1<<8)
-    /**< Bit-flag indicating that the AEAD tag is at the end of the
-     *   packet.
+#define CO_EPOCH_DATA_KEY_FORMAT  (1<<8)
+    /**< Bit-flag indicating that the data format using
+     * AEAD tag is at the end of the  packet and using epoch
+     * keys is used.
      */

     unsigned int flags;         /**< Bit-flags determining behavior of
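Review bot: The replacement doc comment on CO_EPOCH_DATA_KEY_FORMAT does not read as a sentence ("the data format using AEAD tag is at the end of the packet and using epoch keys is used") and carries a doubled space in "the  packet". Since the macro name no longer states where the tag sits, while the crypto.c hunks still branch on this flag purely to decide tag placement, this comment is the only place a reader learns that layout. Suggest `/**< Bit-flag indicating that the epoch data key format is in use: the AEAD tag is placed at the end of the packet and epoch keys are used. */`.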
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9371024..2c831fe 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2390,9 +2390,9 @@
         {
             buf_printf(&out, " dyn-tls-crypt");
         }
-        if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END)
+        if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
         {
-            buf_printf(&out, " aead-tag-end");
+            buf_printf(&out, " aead-epoch");
         }
     }

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 10ee9f6..ec27e7f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8692,9 +8692,9 @@
                 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
             }
 #endif
-            else if (streq(p[j], "aead-tag-end"))
+            else if (streq(p[j], "aead-epoch"))
             {
-                options->imported_protocol_flags |= CO_AEAD_TAG_AT_THE_END;
+                options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
             }
             else
             {
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 6c06374..01d3699 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -689,9 +689,9 @@
         buf_printf(&proto_flags, " dyn-tls-crypt");
     }

-    if (o->imported_protocol_flags & CO_AEAD_TAG_AT_THE_END)
+    if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
     {
-        buf_printf(&proto_flags, " aead-tag-end");
+        buf_printf(&proto_flags, " aead-epoch");
     }

     if (buf_len(&proto_flags) > 0)
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index eea1323..e47a94d 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -107,6 +107,9 @@
 /** Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt 
key) */
 #define IV_PROTO_DYN_TLS_CRYPT   (1<<9)

+/** Support the extended packet id and epoch format for data channel packets */
+#define IV_PROTO_DATA_EPOCH      (1<<10)
+
 /** Supports the --dns option after all the incompatible changes */
 #define IV_PROTO_DNS_OPTION_V2   (1<<11)

diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index caacd9e..845ca56 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -404,7 +404,7 @@
 run_data_channel_with_cipher_end(const char *cipher)
 {
     struct crypto_options co = init_crypto_options(cipher, "none");
-    co.flags |= CO_AEAD_TAG_AT_THE_END;
+    co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
     do_data_channel_round_trip(&co);
     uninit_crypto_options(&co);
 }

--

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc
Gerrit-Change-Number: 805
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newpatchset