)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"12d81c817634cc1b76e6f4bcb9a94abbf4ba5982","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"cb4eb36a_0a5b039c","updated":"2025-01-10 08:08:59.000000000","message":"light review, spotted a few minor things","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"bff47481f37879f527c5024873efbf16240b2510","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"4c049e24_2a361d81","updated":"2025-02-04 08:32:41.000000000","message":"Getting there, so it survives \"no AEAD ciphers\" now :-)\n\nThe next nastiness is \"client requests a cipher that the server does not support\" - this test is labeled \"expect failure\", but with v17 it hits an assertion...\n\n```\npeer info: IV_CIPHERS\u003dIDEA-CBC\npeer info: IV_PROTO\u003d3998\n(auth succeeds, client-connect runs, ...)\nAssertion failed at crypto_openssl.c:612 (ciphername)\nExiting due to fatal error\n```","commit_id":"55972246ccba388d16de72c4950dc319a59de980"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"313dbfac16e96bcdf856bb820872ece5b775bc6f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"b60fc42c_eed7eb90","updated":"2025-02-03 15:40:48.000000000","message":"This ASSERT()s when an epoch-enabled client connects to an epoch-enabled server, but presents non-AEAD ciphers\n\n```\npeer info: IV_CIPHERS\u003dnone\npeer info: IV_PROTO\u003d3998\n...\nAEAD cipher (currently [null-cipher]) required for epoch data format.\nExiting due to fatal error\n```\n\n(BF-CBC works just as 
well)","commit_id":"55972246ccba388d16de72c4950dc319a59de980"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"68c46db42af9a0d86b00e404639e043987895560","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"e029c8f0_87f59243","updated":"2025-02-04 10:56:34.000000000","message":"Client- and Server-side tests pass now, including NCP maliciousness (\"none\", \"ARIA-CBC\").\n\nI do not feel comfortable giving a +2 for the crypto bits, but the rest of the changes look good to me.","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"64140210568e6b9f564873c937266cbe6b1fd19c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"b2b21039_d2d23f06","updated":"2025-02-05 17:01:22.000000000","message":"Some minor comments.\n\nAlso, I\u0027ll read the tests again later. I don\u0027t think I fully got them yet.","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"}],"Changes.rst":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"12d81c817634cc1b76e6f4bcb9a94abbf4ba5982","unresolved":true,"context_lines":[{"line_number":35,"context_line":"    replaced by the default ciphers used by OpenVPN, making it easier to"},{"line_number":36,"context_line":"    add an allowed cipher without having to spell out the default ciphers."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Epoch data keys"},{"line_number":39,"context_line":"    This introduces the epoch data format for AEAD data channel"},{"line_number":40,"context_line":"    ciphers in TLS mode ciphers. 
This new data format has a number of\u003d"},{"line_number":41,"context_line":"    improvements over the standard \"DATA_V2\" format."}],"source_content_type":"text/x-rst","patch_set":12,"id":"28a72564_50bb6c50","line":38,"updated":"2025-01-10 08:08:59.000000000","message":"maybe make that header \"epoch data keys \u0026 packet format\" or so?  The text describes keys and format...","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"bc96346f78a7a3b10fe3c5f83f07368612321045","unresolved":false,"context_lines":[{"line_number":35,"context_line":"    replaced by the default ciphers used by OpenVPN, making it easier to"},{"line_number":36,"context_line":"    add an allowed cipher without having to spell out the default ciphers."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Epoch data keys"},{"line_number":39,"context_line":"    This introduces the epoch data format for AEAD data channel"},{"line_number":40,"context_line":"    ciphers in TLS mode ciphers. 
This new data format has a number of\u003d"},{"line_number":41,"context_line":"    improvements over the standard \"DATA_V2\" format."}],"source_content_type":"text/x-rst","patch_set":12,"id":"7cb2c8ce_a1734688","line":38,"in_reply_to":"28a72564_50bb6c50","updated":"2025-01-10 09:49:02.000000000","message":"Acknowledged","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"12d81c817634cc1b76e6f4bcb9a94abbf4ba5982","unresolved":true,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Epoch data keys"},{"line_number":39,"context_line":"    This introduces the epoch data format for AEAD data channel"},{"line_number":40,"context_line":"    ciphers in TLS mode ciphers. This new data format has a number of\u003d"},{"line_number":41,"context_line":"    improvements over the standard \"DATA_V2\" format."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"    - AEAD tag at the end of packet which is more hardware implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"a96b47e7_f7937579","line":40,"updated":"2025-01-10 08:08:59.000000000","message":"stray `\u003d`","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"bc96346f78a7a3b10fe3c5f83f07368612321045","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Epoch data keys"},{"line_number":39,"context_line":"    This introduces the epoch data format for AEAD data channel"},{"line_number":40,"context_line":"    ciphers in TLS mode ciphers. 
This new data format has a number of\u003d"},{"line_number":41,"context_line":"    improvements over the standard \"DATA_V2\" format."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"    - AEAD tag at the end of packet which is more hardware implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"c262c810_6074d03e","line":40,"in_reply_to":"a96b47e7_f7937579","updated":"2025-01-10 09:49:02.000000000","message":"Acknowledged","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"}],"src/openvpn/crypto.c":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"12d81c817634cc1b76e6f4bcb9a94abbf4ba5982","unresolved":true,"context_lines":[{"line_number":452,"context_line":"    if (!use_epoch_data_format \u0026\u0026 cipher_decrypt_verify_fail_exceeded(ctx))"},{"line_number":453,"context_line":"    {"},{"line_number":454,"context_line":"        CRYPT_DROP(\"Decryption failed verification limit reached.\");"},{"line_number":455,"context_line":"        goto error_exit;"},{"line_number":456,"context_line":"    }"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"    const int tag_size \u003d OPENVPN_AEAD_TAG_LENGTH;"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"f3bd08f7_4e5efc26","line":455,"updated":"2025-01-10 08:08:59.000000000","message":"that `goto` should not be needed?  
CRYPT_DROP() expands to CRYPT_ERROR_EXIT() which has the goto","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"bc96346f78a7a3b10fe3c5f83f07368612321045","unresolved":false,"context_lines":[{"line_number":452,"context_line":"    if (!use_epoch_data_format \u0026\u0026 cipher_decrypt_verify_fail_exceeded(ctx))"},{"line_number":453,"context_line":"    {"},{"line_number":454,"context_line":"        CRYPT_DROP(\"Decryption failed verification limit reached.\");"},{"line_number":455,"context_line":"        goto error_exit;"},{"line_number":456,"context_line":"    }"},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"    const int tag_size \u003d OPENVPN_AEAD_TAG_LENGTH;"}],"source_content_type":"text/x-csrc","patch_set":12,"id":"54b550d3_c3929922","line":455,"in_reply_to":"f3bd08f7_4e5efc26","updated":"2025-01-10 09:49:02.000000000","message":"Acknowledged","commit_id":"28d8b5ee153d9a8acaed01e085a2a393b5d7e29f"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"68c46db42af9a0d86b00e404639e043987895560","unresolved":true,"context_lines":[{"line_number":3037,"context_line":"        return true;"},{"line_number":3038,"context_line":"    }"},{"line_number":3039,"context_line":""},{"line_number":3040,"context_line":"    if (ks-\u003ecrypto_options.flags \u0026 CO_EPOCH_DATA_KEY_FORMAT)"},{"line_number":3041,"context_line":"    {"},{"line_number":3042,"context_line":"        /* We only need to check the send key as we always keep send"},{"line_number":3043,"context_line":"         * key epoch \u003e\u003d recv key epoch in \\c epoch_replace_update_recv_key 
*/"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"6feaf7c3_3bc9619b","line":3040,"updated":"2025-02-04 10:56:34.000000000","message":"if we need to do another round of this patch, it would be nice to be consistent with all the other checks and have a comment above the `if()`\n\n```\n/* epoch approaching the 16 bit limit */\n```\n\nor so.","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"b5425082df8feebc996428b2f5f63a8eb5a8a198","unresolved":false,"context_lines":[{"line_number":3037,"context_line":"        return true;"},{"line_number":3038,"context_line":"    }"},{"line_number":3039,"context_line":""},{"line_number":3040,"context_line":"    if (ks-\u003ecrypto_options.flags \u0026 CO_EPOCH_DATA_KEY_FORMAT)"},{"line_number":3041,"context_line":"    {"},{"line_number":3042,"context_line":"        /* We only need to check the send key as we always keep send"},{"line_number":3043,"context_line":"         * key epoch \u003e\u003d recv key epoch in \\c epoch_replace_update_recv_key */"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"38db66c9_2bc36ec9","line":3040,"in_reply_to":"6feaf7c3_3bc9619b","updated":"2025-02-09 15:27:21.000000000","message":"Done","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"}],"tests/unit_tests/openvpn/test_crypto.c":[{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"64140210568e6b9f564873c937266cbe6b1fd19c","unresolved":true,"context_lines":[{"line_number":874,"context_line":"    struct crypto_options *co \u003d \u0026data-\u003eco;"},{"line_number":875,"context_line":""},{"line_number":876,"context_line":"    /* Modify the receive epoch and keys to have a very high epoch to test"},{"line_number":877,"context_line":"     * the end of array. 
Iterating through all 65k keys takes a 2-3s, so we"},{"line_number":878,"context_line":"     * avoid this for the unit test */"},{"line_number":879,"context_line":"    co-\u003ekey_ctx_bi.decrypt.epoch \u003d 65500;"},{"line_number":880,"context_line":"    co-\u003ekey_ctx_bi.encrypt.epoch \u003d 65500;"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"42fb5434_e8016878","line":877,"updated":"2025-02-05 17:01:22.000000000","message":"Why is this number changed?","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"55a954a867fa00f81b02f908bb53c54385177142","unresolved":false,"context_lines":[{"line_number":874,"context_line":"    struct crypto_options *co \u003d \u0026data-\u003eco;"},{"line_number":875,"context_line":""},{"line_number":876,"context_line":"    /* Modify the receive epoch and keys to have a very high epoch to test"},{"line_number":877,"context_line":"     * the end of array. 
Iterating through all 65k keys takes a 2-3s, so we"},{"line_number":878,"context_line":"     * avoid this for the unit test */"},{"line_number":879,"context_line":"    co-\u003ekey_ctx_bi.decrypt.epoch \u003d 65500;"},{"line_number":880,"context_line":"    co-\u003ekey_ctx_bi.encrypt.epoch \u003d 65500;"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"b2f3e131_4cc9910e","line":877,"in_reply_to":"2fea2111_397e3eef","updated":"2025-02-12 16:11:24.000000000","message":"Done","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"76aa699f790f589d88d5ba994b2dfa139e0098c6","unresolved":true,"context_lines":[{"line_number":874,"context_line":"    struct crypto_options *co \u003d \u0026data-\u003eco;"},{"line_number":875,"context_line":""},{"line_number":876,"context_line":"    /* Modify the receive epoch and keys to have a very high epoch to test"},{"line_number":877,"context_line":"     * the end of array. Iterating through all 65k keys takes a 2-3s, so we"},{"line_number":878,"context_line":"     * avoid this for the unit test */"},{"line_number":879,"context_line":"    co-\u003ekey_ctx_bi.decrypt.epoch \u003d 65500;"},{"line_number":880,"context_line":"    co-\u003ekey_ctx_bi.encrypt.epoch \u003d 65500;"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"2fea2111_397e3eef","line":877,"in_reply_to":"42fb5434_e8016878","updated":"2025-02-05 17:07:25.000000000","message":"Because I am stupid and thought that for some reason that maximum epoch of 16bit is 16k when it is actually 65k. 
The unit test still works because it just iterated through all the remaining 48k keys, but it didn\u0027t avoid the 2-3s delay ....","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"}],"tests/unit_tests/openvpn/test_ssl.c":[{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"64140210568e6b9f564873c937266cbe6b1fd19c","unresolved":true,"context_lines":[{"line_number":639,"context_line":"    else"},{"line_number":640,"context_line":"    {"},{"line_number":641,"context_line":"        uint8_t *tag_location \u003d BPTR(\u0026buf) + 4;"},{"line_number":642,"context_line":"        const uint8_t exp_tag_short[16] \u003d"},{"line_number":643,"context_line":"        {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f};"},{"line_number":644,"context_line":"        assert_memory_equal(tag_location, exp_tag_short, OPENVPN_AEAD_TAG_LENGTH);"},{"line_number":645,"context_line":"    }"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"47bafe95_4b39c681","line":642,"range":{"start_line":642,"start_character":0,"end_line":642,"end_character":41},"updated":"2025-02-05 17:01:22.000000000","message":"What makes this short? 
It\u0027s exactly as long as the other.","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"76aa699f790f589d88d5ba994b2dfa139e0098c6","unresolved":true,"context_lines":[{"line_number":639,"context_line":"    else"},{"line_number":640,"context_line":"    {"},{"line_number":641,"context_line":"        uint8_t *tag_location \u003d BPTR(\u0026buf) + 4;"},{"line_number":642,"context_line":"        const uint8_t exp_tag_short[16] \u003d"},{"line_number":643,"context_line":"        {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f};"},{"line_number":644,"context_line":"        assert_memory_equal(tag_location, exp_tag_short, OPENVPN_AEAD_TAG_LENGTH);"},{"line_number":645,"context_line":"    }"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"854f6f60_4167ef0b","line":642,"range":{"start_line":642,"start_character":0,"end_line":642,"end_character":41},"in_reply_to":"47bafe95_4b39c681","updated":"2025-02-05 17:07:25.000000000","message":"tag for the short packet id. The name could have been chosen a bit better. 
It is a leftover from when there was a short and a long packet id instead of a short packet id vs. an epoch packet id.","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"55a954a867fa00f81b02f908bb53c54385177142","unresolved":false,"context_lines":[{"line_number":639,"context_line":"    else"},{"line_number":640,"context_line":"    {"},{"line_number":641,"context_line":"        uint8_t *tag_location \u003d BPTR(\u0026buf) + 4;"},{"line_number":642,"context_line":"        const uint8_t exp_tag_short[16] \u003d"},{"line_number":643,"context_line":"        {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f};"},{"line_number":644,"context_line":"        assert_memory_equal(tag_location, exp_tag_short, OPENVPN_AEAD_TAG_LENGTH);"},{"line_number":645,"context_line":"    }"}],"source_content_type":"text/x-csrc","patch_set":18,"id":"501376f6_d5a27e2a","line":642,"range":{"start_line":642,"start_character":0,"end_line":642,"end_character":41},"in_reply_to":"854f6f60_4167ef0b","updated":"2025-02-12 16:11:24.000000000","message":"Done","commit_id":"4d7aa213f984614d97673c13a7a2ee57688d925b"}]}
