)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":14,"context_line":"record size of 2**14 (2*10 blocks) is used to calculate the number of"},{"line_number":15,"context_line":"records before a new key needs to be used."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"For a VPN OpenVPN, the same calculation would either require using a"},{"line_number":18,"context_line":"pessimistic assumption of using a MTU size of 65k which limits us to"},{"line_number":19,"context_line":"2^24 packets, which equals only 24 GB with more common MTU/MSS of 1400"},{"line_number":20,"context_line":"or requiring a dynamic calculation which includes the actual MTU that"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"6f5c1440_6ba1cc3d","line":17,"updated":"2024-11-28 10:03:54.000000000","message":"\"VPN like OpenVPN\"? 
Or just \"For OpenVPN\"?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":false,"context_lines":[{"line_number":14,"context_line":"record size of 2**14 (2*10 blocks) is used to calculate the number of"},{"line_number":15,"context_line":"records before a new key needs to be used."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"For a VPN OpenVPN, the same calculation would either require using a"},{"line_number":18,"context_line":"pessimistic assumption of using a MTU size of 65k which limits us to"},{"line_number":19,"context_line":"2^24 packets, which equals only 24 GB with more common MTU/MSS of 1400"},{"line_number":20,"context_line":"or requiring a dynamic calculation which includes the actual MTU that"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"933872f5_aebd1b85","line":17,"in_reply_to":"6f5c1440_6ba1cc3d","updated":"2024-11-28 18:40:35.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":21,"context_line":"we allow to send. 
For 1500 the calculation yields 2*29.4 which is a"},{"line_number":22,"context_line":"quite significant higher number of packets (923 GB at 1400 MSS/MTU)."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To avoid this dynamic calculation and also avoiding needing to know the"},{"line_number":25,"context_line":"MSS/MTU size in the crypto layer, this implementation foregoes the"},{"line_number":26,"context_line":"simplification of counting just packets but will count blocks and packets"},{"line_number":27,"context_line":"instead and determines the limit from that."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"e9855faf_bebc8208","line":24,"updated":"2024-11-28 10:03:54.000000000","message":"\"avoid\"","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":false,"context_lines":[{"line_number":21,"context_line":"we allow to send. 
For 1500 the calculation yields 2*29.4 which is a"},{"line_number":22,"context_line":"quite significant higher number of packets (923 GB at 1400 MSS/MTU)."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"To avoid this dynamic calculation and also avoiding needing to know the"},{"line_number":25,"context_line":"MSS/MTU size in the crypto layer, this implementation foregoes the"},{"line_number":26,"context_line":"simplification of counting just packets but will count blocks and packets"},{"line_number":27,"context_line":"instead and determines the limit from that."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"ca599a2c_8f021338","line":24,"in_reply_to":"e9855faf_bebc8208","updated":"2024-11-28 18:40:35.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":26,"context_line":"simplification of counting just packets but will count blocks and packets"},{"line_number":27,"context_line":"instead and determines the limit from that."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"This also has the side effects that connection with a lot of small packets"},{"line_number":30,"context_line":"(like TCP ACKs) mixed with large packets will be able to keep using the same"},{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"56e7feb1_cedb0de9","line":29,"updated":"2024-11-28 10:03:54.000000000","message":"\"connections\"","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne 
Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":false,"context_lines":[{"line_number":26,"context_line":"simplification of counting just packets but will count blocks and packets"},{"line_number":27,"context_line":"instead and determines the limit from that."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"This also has the side effects that connection with a lot of small packets"},{"line_number":30,"context_line":"(like TCP ACKs) mixed with large packets will be able to keep using the same"},{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"dbf4f6ff_4d8eca15","line":29,"in_reply_to":"56e7feb1_cedb0de9","updated":"2024-11-28 18:40:35.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":27,"context_line":"instead and determines the limit from that."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"This also has the side effects that connection with a lot of small packets"},{"line_number":30,"context_line":"(like TCP ACKs) mixed with large packets will be able to keep using the same"},{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"This patch will set the limit where to trigger the renegotiation at 7/8"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"374d394d_c29d4c00","line":30,"updated":"2024-11-28 10:03:54.000000000","message":"\"same 
key\"?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":false,"context_lines":[{"line_number":27,"context_line":"instead and determines the limit from that."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"This also has the side effects that connection with a lot of small packets"},{"line_number":30,"context_line":"(like TCP ACKs) mixed with large packets will be able to keep using the same"},{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"This patch will set the limit where to trigger the renegotiation at 7/8"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"2fede922_5b7df247","line":30,"in_reply_to":"374d394d_c29d4c00","updated":"2024-11-28 18:40:35.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"This patch will set the limit where to trigger the renegotiation at 7/8"},{"line_number":34,"context_line":"of the"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"[1]  https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"4815cde9_b38338fa","line":34,"updated":"2024-11-28 
10:03:54.000000000","message":"\"of the actual limit\"?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":false,"context_lines":[{"line_number":31,"context_line":"much longer until requiring a renegotiation."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"This patch will set the limit where to trigger the renegotiation at 7/8"},{"line_number":34,"context_line":"of the"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"[1]  https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html"},{"line_number":37,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"578c0f8b_24b20229","line":34,"in_reply_to":"4815cde9_b38338fa","updated":"2024-11-28 18:40:35.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0a652af407cf7d74dc11e4a8509557937939a359","unresolved":true,"context_lines":[{"line_number":47,"context_line":"Here the send limit is over the limit (1792 \u003d 2048 * 8/7)."},{"line_number":48,"context_line":"Change-Id: I0d2c763fd1dcdacdd8993731fc4979e258d1da4e"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7"},{"line_number":51,"context_line":"Signed-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"efd85c78_167db128","line":50,"updated":"2024-11-28 10:03:54.000000000","message":"Why does this have three 
Change-Ids?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Here the send limit is over the limit (1792 \u003d 2048 * 8/7)."},{"line_number":48,"context_line":"Change-Id: I0d2c763fd1dcdacdd8993731fc4979e258d1da4e"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7"},{"line_number":51,"context_line":"Signed-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"afd7f3b3_34658dc4","line":50,"in_reply_to":"75c4d609_2a233adb","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"17908acca7979992dd9601c928335dea43e192ba","unresolved":true,"context_lines":[{"line_number":47,"context_line":"Here the send limit is over the limit (1792 \u003d 2048 * 8/7)."},{"line_number":48,"context_line":"Change-Id: I0d2c763fd1dcdacdd8993731fc4979e258d1da4e"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7"},{"line_number":51,"context_line":"Signed-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"75c4d609_2a233adb","line":50,"in_reply_to":"efd85c78_167db128","updated":"2024-11-28 18:40:35.000000000","message":"That is a good question, some that post commit script did some nonsense, I will try to figure out which is the right one and remove the other 
two.","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"34957685f77983019a9c7e6395237c232ff303ba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e30614f4_76e0cc61","updated":"2024-11-11 17:59:19.000000000","message":"minor typo and a question about \u003cmath.h\u003e","commit_id":"2e245bcbbe910be83c9841195b20a3c9c9267672"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"359453f81cc339baf4cd71b5d5df0aee3a5ee1e3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"27f5a4ef_37477915","updated":"2024-11-29 14:05:53.000000000","message":"The limit matches the one in the RFC for p \u003d 2^57.\n\nI have some nitpicks about comments.\n\nAnd one question: The RFC also specifies a limit for message integrity. If v is the number of failed decryptions for the current key and L is the maximum number of blocks per message, we must make sure that v \u003c\u003d min(2^64, (p * 2^127) / (L + 1)). Are we going to check that too?","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"83b764d2b164e97d8a6519027ff68b49e41b4bdf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"74a77e37_da81a0b0","in_reply_to":"27f5a4ef_37477915","updated":"2024-11-30 12:48:30.000000000","message":"I will add that as seperate commit later in the patch (to be sent, it is not there yet). 
We will probably aim for the 2^36 limits that also TLS uses.","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"20543d92afbd4416d1dc6c55967ec0fd946d56db","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"3a2c8991_f5343e60","updated":"2024-12-03 13:48:12.000000000","message":"I\u0027ve pointed out a few more places where you could use uint. Let me know if this is excessive nitpicking.","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"05b5a9d885a5d03e70028a4e30889007aea27df5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"627e39e8_6fc93e76","updated":"2024-12-11 21:15:40.000000000","message":"Looks good in general. Math checks out. Some minor nits and one fundamental remark to consider.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"85ce9192c2649af6e02fdbe55f8d4ee290e76847","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"86d38fb9_30df4250","updated":"2024-12-12 20:02:46.000000000","message":"Looks good conceptually. 
I don\u0027t have a dev/test setup available to actually do a full review, so sticking to +1.","commit_id":"f62118bf57240d2062de70a25d3cb0f03c0c26a5"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"a361778579d8bffcd991a848a8536eaf6ec9f677","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"74f56964_5e726262","updated":"2024-12-21 15:36:46.000000000","message":"This has been extensively reviewed by people who understand math and crypto.  I have stared at the rest of the code, and it seems to make sense.  Will do a \"reduce limits, see what happens\" test before final merge.","commit_id":"9c0286b6241851ea40790fa175a70c1ac5db5b28"}],"src/openvpn/crypto.c":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"34957685f77983019a9c7e6395237c232ff303ba","unresolved":true,"context_lines":[{"line_number":37,"context_line":"#include \"platform.h\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"#include \"memdbg.h\""},{"line_number":40,"context_line":"#include \u003cmath.h\u003e"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"/*"},{"line_number":43,"context_line":" * Encryption and Compression Routines."}],"source_content_type":"text/x-csrc","patch_set":1,"id":"74449d2c_0a6e8ccd","line":40,"updated":"2024-11-11 17:59:19.000000000","message":"where\u0027s that coming from?  
I see no math-typical functions being called (round() etc) in the new code?","commit_id":"2e245bcbbe910be83c9841195b20a3c9c9267672"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"bb986e4e6da26d1e0dcf971a6cb8372ed00777cf","unresolved":false,"context_lines":[{"line_number":37,"context_line":"#include \"platform.h\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"#include \"memdbg.h\""},{"line_number":40,"context_line":"#include \u003cmath.h\u003e"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"/*"},{"line_number":43,"context_line":" * Encryption and Compression Routines."}],"source_content_type":"text/x-csrc","patch_set":1,"id":"1fd81608_087915dd","line":40,"in_reply_to":"74449d2c_0a6e8ccd","updated":"2024-11-14 13:47:10.000000000","message":"Earlier version used math to calculate those limits but then I got into all the linking problems with -lm and then decided that I would rather use int based math instead ....","commit_id":"2e245bcbbe910be83c9841195b20a3c9c9267672"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":350,"context_line":"     *"},{"line_number":351,"context_line":"     *  With p \u003d 2^-57 this becomes"},{"line_number":352,"context_line":"     *"},{"line_number":353,"context_line":"     *      q + s \u003c\u003d (p^36 - 1)"},{"line_number":354,"context_line":"     *"},{"line_number":355,"context_line":"     */"},{"line_number":356,"context_line":"    int64_t rs \u003d (1ull \u003c\u003c 36) - 1;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"884aa131_043fac76","line":353,"updated":"2024-11-28 
09:47:14.000000000","message":"`2^36`","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":350,"context_line":"     *"},{"line_number":351,"context_line":"     *  With p \u003d 2^-57 this becomes"},{"line_number":352,"context_line":"     *"},{"line_number":353,"context_line":"     *      q + s \u003c\u003d (p^36 - 1)"},{"line_number":354,"context_line":"     *"},{"line_number":355,"context_line":"     */"},{"line_number":356,"context_line":"    int64_t rs \u003d (1ull \u003c\u003c 36) - 1;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"734aa10c_22eb3343","line":353,"in_reply_to":"884aa131_043fac76","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":499,"context_line":"        CRYPT_ERROR(\"packet decryption failed\");"},{"line_number":500,"context_line":"    }"},{"line_number":501,"context_line":""},{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. 
*/"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"5487e9b6_1af10abb","line":502,"updated":"2024-11-28 09:47:14.000000000","message":"Should be `(x + (n-1))/n`. The code is correct, but comment is wrong.","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":499,"context_line":"        CRYPT_ERROR(\"packet decryption failed\");"},{"line_number":500,"context_line":"    }"},{"line_number":501,"context_line":""},{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. 
*/"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"827f411c_2ae94fdb","line":502,"in_reply_to":"5487e9b6_1af10abb","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":500,"context_line":"    }"},{"line_number":501,"context_line":""},{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. */"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"},{"line_number":506,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"38ba5a32_7a3341ec","line":503,"updated":"2024-11-28 09:47:14.000000000","message":"\"blocks\"","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":500,"context_line":"    }"},{"line_number":501,"context_line":""},{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. 
Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. */"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"},{"line_number":506,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"eaad6627_493699fa","line":503,"in_reply_to":"38ba5a32_7a3341ec","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. */"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"    ASSERT(buf_inc_len(\u0026work, outlen));"},{"line_number":508,"context_line":"    if (!cipher_ctx_final_check_tag(ctx-\u003ecipher, BPTR(\u0026work) + outlen,"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"4cbb5beb_e82ad0e6","line":505,"updated":"2024-11-28 09:47:14.000000000","message":"So we increase this number before we have done all checks on the packet. 
Doesn\u0027t that open us up to potential attacks that force renegotiation by replaying packets?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":502,"context_line":"    /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick"},{"line_number":503,"context_line":"     * to round up the result to the number of blocked used. */"},{"line_number":504,"context_line":"    const int blocksize \u003d AEAD_LIMIT_BLOCKSIZE;"},{"line_number":505,"context_line":"    opt-\u003ekey_ctx_bi.decrypt.plaintext_blocks +\u003d (outlen + (blocksize - 1))/blocksize;"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"    ASSERT(buf_inc_len(\u0026work, outlen));"},{"line_number":508,"context_line":"    if (!cipher_ctx_final_check_tag(ctx-\u003ecipher, BPTR(\u0026work) + outlen,"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"c3a09ead_b2f38a1c","line":505,"in_reply_to":"4cbb5beb_e82ad0e6","updated":"2024-11-28 19:02:02.000000000","message":"thanks good catch.","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"359453f81cc339baf4cd71b5d5df0aee3a5ee1e3","unresolved":true,"context_lines":[{"line_number":344,"context_line":"    /* We focus here on the equation"},{"line_number":345,"context_line":"     *"},{"line_number":346,"context_line":"     *       q + s \u003c\u003d p^(1/2) * 2^(129/2) - 1"},{"line_number":347,"context_line":"     *       q \u003c\u003d (p^(1/2) * 2^(129/2) - 1) / (L + 1)"},{"line_number":348,"context_line":"     *"},{"line_number":349,"context_line":"     * as is the one that is limiting us."},{"line_number":350,"context_line":"     
*"}],"source_content_type":"text/x-csrc","patch_set":7,"id":"ab160cf8_a5e88f45","line":347,"range":{"start_line":347,"start_character":13,"end_line":347,"end_character":53},"updated":"2024-11-29 14:05:53.000000000","message":"We\u0027re not doing anything with this inequality. This one is for the case where we don\u0027t count the individual blocks but just have an upper bound of L on the number of blocks per message.","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"7e6e9a3653b8653e73844708fc6daedd711a2469","unresolved":false,"context_lines":[{"line_number":344,"context_line":"    /* We focus here on the equation"},{"line_number":345,"context_line":"     *"},{"line_number":346,"context_line":"     *       q + s \u003c\u003d p^(1/2) * 2^(129/2) - 1"},{"line_number":347,"context_line":"     *       q \u003c\u003d (p^(1/2) * 2^(129/2) - 1) / (L + 1)"},{"line_number":348,"context_line":"     *"},{"line_number":349,"context_line":"     * as is the one that is limiting us."},{"line_number":350,"context_line":"     *"}],"source_content_type":"text/x-csrc","patch_set":7,"id":"3b5c18b9_d1b170ca","line":347,"range":{"start_line":347,"start_character":13,"end_line":347,"end_character":53},"in_reply_to":"ab160cf8_a5e88f45","updated":"2024-11-30 12:46:35.000000000","message":"Yes, I will remove that one. 
The earlier version used L but it is easier to do the block counting than actually figuring out L.","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"20543d92afbd4416d1dc6c55967ec0fd946d56db","unresolved":true,"context_lines":[{"line_number":352,"context_line":"     *      q + s \u003c\u003d (2^36 - 1)"},{"line_number":353,"context_line":"     *"},{"line_number":354,"context_line":"     */"},{"line_number":355,"context_line":"    int64_t rs \u003d (1ull \u003c\u003c 36) - 1;"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"    return rs;"},{"line_number":358,"context_line":"}"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"56ca9914_0cae7c14","line":355,"range":{"start_line":355,"start_character":4,"end_line":355,"end_character":11},"updated":"2024-12-03 13:48:12.000000000","message":"This could be uint","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"cb52fa621e4ae6ae2f21d91200e016f02ddc2179","unresolved":false,"context_lines":[{"line_number":352,"context_line":"     *      q + s \u003c\u003d (2^36 - 1)"},{"line_number":353,"context_line":"     *"},{"line_number":354,"context_line":"     */"},{"line_number":355,"context_line":"    int64_t rs \u003d (1ull \u003c\u003c 36) - 1;"},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"    return rs;"},{"line_number":358,"context_line":"}"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"f04661f0_7a09925d","line":355,"range":{"start_line":355,"start_character":4,"end_line":355,"end_character":11},"in_reply_to":"56ca9914_0cae7c14","updated":"2024-12-03 
14:08:37.000000000","message":"Acknowledged","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"}],"src/openvpn/crypto.h":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"34957685f77983019a9c7e6395237c232ff303ba","unresolved":true,"context_lines":[{"line_number":612,"context_line":"/**"},{"line_number":613,"context_line":" * Blocksize used for the AEAD limit caluclation"},{"line_number":614,"context_line":" *"},{"line_number":615,"context_line":" * Since cipher_ctx_block_size() is reliable and will return 1 in many"},{"line_number":616,"context_line":" * cases use a hardcoded blocksize instead */"},{"line_number":617,"context_line":"#define     AEAD_LIMIT_BLOCKSIZE    16"},{"line_number":618,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":1,"id":"b2b1e089_c3b3a093","line":615,"updated":"2024-11-11 17:59:19.000000000","message":"\"is not reliable\"?","commit_id":"2e245bcbbe910be83c9841195b20a3c9c9267672"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"bb986e4e6da26d1e0dcf971a6cb8372ed00777cf","unresolved":false,"context_lines":[{"line_number":612,"context_line":"/**"},{"line_number":613,"context_line":" * Blocksize used for the AEAD limit caluclation"},{"line_number":614,"context_line":" *"},{"line_number":615,"context_line":" * Since cipher_ctx_block_size() is reliable and will return 1 in many"},{"line_number":616,"context_line":" * cases use a hardcoded blocksize instead */"},{"line_number":617,"context_line":"#define     AEAD_LIMIT_BLOCKSIZE    16"},{"line_number":618,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":1,"id":"7d70e94e_b31d44b6","line":615,"in_reply_to":"b2b1e089_c3b3a093","updated":"2024-11-14 
13:47:10.000000000","message":"Done","commit_id":"2e245bcbbe910be83c9841195b20a3c9c9267672"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":600,"context_line":""},{"line_number":601,"context_line":"/**"},{"line_number":602,"context_line":" * Check if the cipher is an AEAD cipher and needs to be limited to a certain"},{"line_number":603,"context_line":" * number of number of block + packets. Return -1 if ciphername is not an AEAD"},{"line_number":604,"context_line":" * cipher or no limit (e.g. Chacha20-Poly1305) is needed."},{"line_number":605,"context_line":" *"},{"line_number":606,"context_line":" * For reference see the OpenVPN RFC draft and"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"cd492ae9_fd17bd7c","line":603,"updated":"2024-11-28 09:47:14.000000000","message":"\"blocks\"","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":600,"context_line":""},{"line_number":601,"context_line":"/**"},{"line_number":602,"context_line":" * Check if the cipher is an AEAD cipher and needs to be limited to a certain"},{"line_number":603,"context_line":" * number of number of block + packets. Return -1 if ciphername is not an AEAD"},{"line_number":604,"context_line":" * cipher or no limit (e.g. 
Chacha20-Poly1305) is needed."},{"line_number":605,"context_line":" *"},{"line_number":606,"context_line":" * For reference see the OpenVPN RFC draft and"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"424ddba6_d7884def","line":603,"in_reply_to":"cd492ae9_fd17bd7c","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"359453f81cc339baf4cd71b5d5df0aee3a5ee1e3","unresolved":true,"context_lines":[{"line_number":166,"context_line":"    uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH];"},{"line_number":167,"context_line":"    /**\u003c The implicit part of the IV */"},{"line_number":168,"context_line":"    size_t implicit_iv_len;     /**\u003c The length of implicit_iv */"},{"line_number":169,"context_line":"    /** Counter for the number of plaintext encrypted using this cipher"},{"line_number":170,"context_line":"     * in number of 128 bit blocks (only used for AEAD ciphers) */"},{"line_number":171,"context_line":"    uint64_t plaintext_blocks;"},{"line_number":172,"context_line":"};"},{"line_number":173,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":7,"id":"cb71ff95_59bc6586","line":170,"range":{"start_line":169,"start_character":0,"end_line":170,"end_character":66},"updated":"2024-11-29 14:05:53.000000000","message":"This looks a bit garbled. 
Maybe \"Counter for the number of 128-bit plaintext blocks encrypted with the current key\"?","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"7e6e9a3653b8653e73844708fc6daedd711a2469","unresolved":false,"context_lines":[{"line_number":166,"context_line":"    uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH];"},{"line_number":167,"context_line":"    /**\u003c The implicit part of the IV */"},{"line_number":168,"context_line":"    size_t implicit_iv_len;     /**\u003c The length of implicit_iv */"},{"line_number":169,"context_line":"    /** Counter for the number of plaintext encrypted using this cipher"},{"line_number":170,"context_line":"     * in number of 128 bit blocks (only used for AEAD ciphers) */"},{"line_number":171,"context_line":"    uint64_t plaintext_blocks;"},{"line_number":172,"context_line":"};"},{"line_number":173,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":7,"id":"425b7b90_d202b3d9","line":170,"range":{"start_line":169,"start_character":0,"end_line":170,"end_character":66},"in_reply_to":"cb71ff95_59bc6586","updated":"2024-11-30 12:46:35.000000000","message":"Done","commit_id":"ba3927d1925381f075bc166880aa37464e420314"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"fcc05243106c36915d96c4ed93314e5664947c4b","unresolved":true,"context_lines":[{"line_number":601,"context_line":""},{"line_number":602,"context_line":"/**"},{"line_number":603,"context_line":" * Check if the cipher is an AEAD cipher and needs to be limited to a certain"},{"line_number":604,"context_line":" * number of number of blocks + packets. Return -1 if ciphername is not an AEAD"},{"line_number":605,"context_line":" * cipher or no limit (e.g. 
Chacha20-Poly1305) is needed."},{"line_number":606,"context_line":" *"},{"line_number":607,"context_line":" * For reference see the OpenVPN RFC draft and"}],"source_content_type":"text/x-csrc","patch_set":9,"id":"a302425a_a5242f5e","line":604,"range":{"start_line":604,"start_character":41,"end_line":604,"end_character":50},"updated":"2024-12-02 14:26:21.000000000","message":"The code is returning 0.\n\nGiven that, you could also make the function return an uint which I would like because an int-uint comparison is making me feel a bit paranoid. (Though even then highest_pid is still an int.)","commit_id":"b5a0812e542f29e0ac20da38102d241be5a68ba4"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"84c96fef8b437ad355bb5e099cc7cdeaa78f290c","unresolved":false,"context_lines":[{"line_number":601,"context_line":""},{"line_number":602,"context_line":"/**"},{"line_number":603,"context_line":" * Check if the cipher is an AEAD cipher and needs to be limited to a certain"},{"line_number":604,"context_line":" * number of number of blocks + packets. Return -1 if ciphername is not an AEAD"},{"line_number":605,"context_line":" * cipher or no limit (e.g. 
Chacha20-Poly1305) is needed."},{"line_number":606,"context_line":" *"},{"line_number":607,"context_line":" * For reference see the OpenVPN RFC draft and"}],"source_content_type":"text/x-csrc","patch_set":9,"id":"42d71047_818ce5cc","line":604,"range":{"start_line":604,"start_character":41,"end_line":604,"end_character":50},"in_reply_to":"a302425a_a5242f5e","updated":"2024-12-03 11:06:26.000000000","message":"I fixed the description and made it an unsigned int.","commit_id":"b5a0812e542f29e0ac20da38102d241be5a68ba4"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation has can succeeds before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"dc63e5a8_82d0b335","line":144,"updated":"2024-11-28 09:47:14.000000000","message":"\"renegotiation can succeed\" ?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation has can succeeds before"},{"line_number":145,"context_line":"  
   * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"e2fcb49b_de363156","line":144,"in_reply_to":"dc63e5a8_82d0b335","updated":"2024-11-28 19:02:02.000000000","message":"Acknowledged","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"20543d92afbd4416d1dc6c55967ec0fd946d56db","unresolved":true,"context_lines":[{"line_number":131,"context_line":"    }"},{"line_number":132,"context_line":"}"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"static int64_t"},{"line_number":135,"context_line":"tls_get_limit_aead(const char *ciphername)"},{"line_number":136,"context_line":"{"},{"line_number":137,"context_line":"    int64_t limit \u003d cipher_get_aead_limits(ciphername);"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"    if (limit \u003d\u003d 0)"},{"line_number":140,"context_line":"    {"},{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","},{"line_number":150,"context_line":"        ciphername, limit);"},{"line_number":151,"context_line":"    return 
limit;"},{"line_number":152,"context_line":"}"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"void"},{"line_number":155,"context_line":"tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"ca8aab0e_b7f91c98","line":152,"range":{"start_line":134,"start_character":0,"end_line":152,"end_character":1},"updated":"2024-12-03 13:48:12.000000000","message":"This function could return uint","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c1212fe01ba31fca5580feda0d30f59492302ef3","unresolved":false,"context_lines":[{"line_number":131,"context_line":"    }"},{"line_number":132,"context_line":"}"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"static int64_t"},{"line_number":135,"context_line":"tls_get_limit_aead(const char *ciphername)"},{"line_number":136,"context_line":"{"},{"line_number":137,"context_line":"    int64_t limit \u003d cipher_get_aead_limits(ciphername);"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"    if (limit \u003d\u003d 0)"},{"line_number":140,"context_line":"    {"},{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","},{"line_number":150,"context_line":"  
      ciphername, limit);"},{"line_number":151,"context_line":"    return limit;"},{"line_number":152,"context_line":"}"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"void"},{"line_number":155,"context_line":"tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"c237d8e4_41a211f7","line":152,"range":{"start_line":134,"start_character":0,"end_line":152,"end_character":1},"in_reply_to":"ca8aab0e_b7f91c98","updated":"2024-12-12 15:49:22.000000000","message":"Done","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"05b5a9d885a5d03e70028a4e30889007aea27df5","unresolved":true,"context_lines":[{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":12,"id":"2fd3c45a_2a4cdbb4","line":144,"updated":"2024-12-11 21:15:40.000000000","message":"renegotiation","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c1212fe01ba31fca5580feda0d30f59492302ef3","unresolved":false,"context_lines":[{"line_number":141,"context_line":"        return 0;"},{"line_number":142,"context_line":"    }"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 
7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":12,"id":"9c45c755_8086e09c","line":144,"in_reply_to":"2fd3c45a_2a4cdbb4","updated":"2024-12-12 15:49:22.000000000","message":"Done","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"05b5a9d885a5d03e70028a4e30889007aea27df5","unresolved":true,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","}],"source_content_type":"text/x-csrc","patch_set":12,"id":"a6fc21b4_8bd28a4d","line":146,"updated":"2024-12-11 21:15:40.000000000","message":"Consider adding overflow checks. 
I know, unlikely, and doesn\u0027t result in an unsafe situation, but if cipher_get_aead_limits at some point could return values close to 2**64, this calculation could result in very low limit values.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c1212fe01ba31fca5580feda0d30f59492302ef3","unresolved":false,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    /* set limit to 7/8 of the limit so the renogiation can succeed before"},{"line_number":145,"context_line":"     * we go over the limit */"},{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","}],"source_content_type":"text/x-csrc","patch_set":12,"id":"ee3d97c9_67c4d1c6","line":146,"in_reply_to":"a6fc21b4_8bd28a4d","updated":"2024-12-12 15:49:22.000000000","message":"I changed the order to /8 * 7 which does not have the overflow problem and I think if we are now off by a few packets because of the lower precision that is not doing much in the grand scheme.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"05b5a9d885a5d03e70028a4e30889007aea27df5","unresolved":true,"context_lines":[{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of 
%\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","},{"line_number":150,"context_line":"        ciphername, limit);"},{"line_number":151,"context_line":"    return limit;"},{"line_number":152,"context_line":"}"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"7971040c_bac1d94b","line":149,"updated":"2024-12-11 21:15:40.000000000","message":"This suggests a hard limit, but it\u0027s a soft limit we can (and typically will) exceed. Without the 64-bit pid, we had a hard limit at 2**32-1. To be able to claim we never exceed the real limit (the \"8/8\" value), we should consider adding a hard limit enforcement.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"85ce9192c2649af6e02fdbe55f8d4ee290e76847","unresolved":false,"context_lines":[{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","},{"line_number":150,"context_line":"        ciphername, limit);"},{"line_number":151,"context_line":"    return limit;"},{"line_number":152,"context_line":"}"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"5601c42a_7ba38f22","line":149,"in_reply_to":"2ddba798_2401cb2d","updated":"2024-12-12 20:02:46.000000000","message":"Ahh, I didn\u0027t realize the hard limit arrived with the epoch patches. 
That\u0027s perfect.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c1212fe01ba31fca5580feda0d30f59492302ef3","unresolved":false,"context_lines":[{"line_number":146,"context_line":"    limit \u003d limit * 7/8;"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"    msg(D_SHOW_KEYS, \"Note: AEAD cipher %s will be limited to a sum of %\""},{"line_number":149,"context_line":"        PRIi64 \" for block and packets before renegotiation\","},{"line_number":150,"context_line":"        ciphername, limit);"},{"line_number":151,"context_line":"    return limit;"},{"line_number":152,"context_line":"}"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"2ddba798_2401cb2d","line":149,"in_reply_to":"7971040c_bac1d94b","updated":"2024-12-12 15:49:22.000000000","message":"The hard limit of 2**32-1 is still there. 
The higher pid limit only comes with the epoch patches and those actually have this as a hard limit.\n\nI think implementing a hard limit for this feature is not so important, so I changed the message to indicate that there will be a renegotiation.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000035,"name":"syzzer","display_name":"Steffan Karger","email":"steffan@karger.me","username":"syzzer","status":"Commits and comments are my own views, not those of my employer."},"change_message_id":"05b5a9d885a5d03e70028a4e30889007aea27df5","unresolved":true,"context_lines":[{"line_number":3024,"context_line":""},{"line_number":3025,"context_line":"    if (aead_usage_limit_reached(usage_limit, \u0026key_ctx_bi-\u003eencrypt,"},{"line_number":3026,"context_line":"                                 ks-\u003ecrypto_options.packet_id.send.id)"},{"line_number":3027,"context_line":"        || aead_usage_limit_reached(usage_limit, \u0026key_ctx_bi-\u003edecrypt,"},{"line_number":3028,"context_line":"                                    ks-\u003ecrypto_options.packet_id.rec.id))"},{"line_number":3029,"context_line":"    {"},{"line_number":3030,"context_line":"        return true;"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"502879b2_3c1a0f24","line":3027,"updated":"2024-12-11 21:15:40.000000000","message":"This is a safety precaution? The sending party is ultimately responsible for not exceeding the limit of course. 
(But I admit, in practice this would likely prevent buggy peers from exceeding the limit.)","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c1212fe01ba31fca5580feda0d30f59492302ef3","unresolved":false,"context_lines":[{"line_number":3024,"context_line":""},{"line_number":3025,"context_line":"    if (aead_usage_limit_reached(usage_limit, \u0026key_ctx_bi-\u003eencrypt,"},{"line_number":3026,"context_line":"                                 ks-\u003ecrypto_options.packet_id.send.id)"},{"line_number":3027,"context_line":"        || aead_usage_limit_reached(usage_limit, \u0026key_ctx_bi-\u003edecrypt,"},{"line_number":3028,"context_line":"                                    ks-\u003ecrypto_options.packet_id.rec.id))"},{"line_number":3029,"context_line":"    {"},{"line_number":3030,"context_line":"        return true;"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"55c0c5e2_32a406f5","line":3027,"in_reply_to":"502879b2_3c1a0f24","updated":"2024-12-12 15:49:22.000000000","message":"My thinking was that this code will most certainly only be in use when only one side is aware of the limitation. 
Since if both sides are aware, then both sides will probably also switch to use epoch data channel instead, which only the sender checks.\n\nI will add a comment to indicate this as well.","commit_id":"2a7112358b3dbe141bdce844e2edc2e3f0168388"}],"src/openvpn/ssl_common.h":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":333,"context_line":"    interval_t packet_timeout;"},{"line_number":334,"context_line":"    int64_t renegotiate_bytes;"},{"line_number":335,"context_line":"    int64_t renegotiate_packets;"},{"line_number":336,"context_line":"    /** This limit for AEAD cipher, this is the sum of packets + blocks"},{"line_number":337,"context_line":"     * that are allowed to be used */"},{"line_number":338,"context_line":"    int64_t aead_usage_limit;"},{"line_number":339,"context_line":"    interval_t renegotiate_seconds;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"728ac18b_aa309cd4","line":336,"updated":"2024-11-28 09:47:14.000000000","message":"\"This\" -\u003e \"The\"? 
Or maybe just remove it?","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":333,"context_line":"    interval_t packet_timeout;"},{"line_number":334,"context_line":"    int64_t renegotiate_bytes;"},{"line_number":335,"context_line":"    int64_t renegotiate_packets;"},{"line_number":336,"context_line":"    /** This limit for AEAD cipher, this is the sum of packets + blocks"},{"line_number":337,"context_line":"     * that are allowed to be used */"},{"line_number":338,"context_line":"    int64_t aead_usage_limit;"},{"line_number":339,"context_line":"    interval_t renegotiate_seconds;"}],"source_content_type":"text/x-csrc","patch_set":6,"id":"c98780b7_0c3c5759","line":336,"in_reply_to":"728ac18b_aa309cd4","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"20543d92afbd4416d1dc6c55967ec0fd946d56db","unresolved":true,"context_lines":[{"line_number":335,"context_line":"    int64_t renegotiate_packets;"},{"line_number":336,"context_line":"    /** limit for AEAD cipher, this is the sum of packets + blocks"},{"line_number":337,"context_line":"     * that are allowed to be used */"},{"line_number":338,"context_line":"    int64_t aead_usage_limit;"},{"line_number":339,"context_line":"    interval_t renegotiate_seconds;"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"    /* cert verification parms */"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"166427ee_9749af9d","line":338,"updated":"2024-12-03 13:48:12.000000000","message":"This could be 
uint","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"cb52fa621e4ae6ae2f21d91200e016f02ddc2179","unresolved":false,"context_lines":[{"line_number":335,"context_line":"    int64_t renegotiate_packets;"},{"line_number":336,"context_line":"    /** limit for AEAD cipher, this is the sum of packets + blocks"},{"line_number":337,"context_line":"     * that are allowed to be used */"},{"line_number":338,"context_line":"    int64_t aead_usage_limit;"},{"line_number":339,"context_line":"    interval_t renegotiate_seconds;"},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"    /* cert verification parms */"}],"source_content_type":"text/x-csrc","patch_set":10,"id":"ceef0504_77360f1e","line":338,"in_reply_to":"166427ee_9749af9d","updated":"2024-12-03 14:08:37.000000000","message":"Acknowledged","commit_id":"a297a37ee53ae1c0ed4899b4c0dd5b46002d9ca6"}],"tests/unit_tests/openvpn/test_crypto.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"150e6e5a29cda7db0f8eca901804b8db34ae787e","unresolved":true,"context_lines":[{"line_number":460,"context_line":"    assert_int_equal(aeslimit, (1ull \u003c\u003c 36) - 1);"},{"line_number":461,"context_line":""},{"line_number":462,"context_line":"    /* Check if this matches our exception for 1600 size packets */"},{"line_number":463,"context_line":"    int64_t L \u003d 101;"},{"line_number":464,"context_line":"    /* 2 ^ 29.34, using the result here to avoid linking to libm */"},{"line_number":465,"context_line":"    assert_int_equal(aeslimit / L, 680390858);"},{"line_number":466,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"fd854db2_f454d881","line":463,"updated":"2024-11-28 
09:47:14.000000000","message":"Please mention or use AEAD_LIMIT_BLOCKSIZE","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f575e36cf636e398490162ce6a48436f3e6b1d18","unresolved":false,"context_lines":[{"line_number":460,"context_line":"    assert_int_equal(aeslimit, (1ull \u003c\u003c 36) - 1);"},{"line_number":461,"context_line":""},{"line_number":462,"context_line":"    /* Check if this matches our exception for 1600 size packets */"},{"line_number":463,"context_line":"    int64_t L \u003d 101;"},{"line_number":464,"context_line":"    /* 2 ^ 29.34, using the result here to avoid linking to libm */"},{"line_number":465,"context_line":"    assert_int_equal(aeslimit / L, 680390858);"},{"line_number":466,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":6,"id":"918d7aea_2d1e7962","line":463,"in_reply_to":"fd854db2_f454d881","updated":"2024-11-28 19:02:02.000000000","message":"Done","commit_id":"aa59708e7e302b28096fa77280b8a705ce1680a0"}]}
