From d9f1649d3f5f609e493e7d2aec68034665bda9d8 Mon Sep 17 00:00:00 2001
From: Lev Stipakov
Date: Mon, 8 Sep 2025 11:38:56 +0300
Subject: [PATCH] Fix wording around AD/AAD

The "authenticated data" sounds ambiguous and doesn't match definitions from either NIST standard - "additional authenticated data (AAD)" or RFC 5116 - "The associated data is authenticated but not encrypted". Moreover, specifying payload as a part of AD/AAD is plain wrong. Fix by using the term from AEAD RFC (associated data) and removing the payload from its definition.

Signed-off-by: Lev Stipakov
---
 openvpn-wire-protocol.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/openvpn-wire-protocol.xml b/openvpn-wire-protocol.xml
index 1a6afc0..3a9849f 100644
--- a/openvpn-wire-protocol.xml
+++ b/openvpn-wire-protocol.xml
@@ -1955,15 +1955,15 @@ struct aead_packet {
- For DATA_V2 packets the authenticated data includes opcode,
- key_id and peer_id. For DATA_V1 packets the authenticated data starts
+ For DATA_V2 packets the associated data includes opcode,
+ key_id and peer_id. For DATA_V1 packets the associated data starts
 on the first byte of packet_id, not including opcode and key_id.
-authenticated_data_v1 = packet_id | payload
-authenticated_data_v2 = opcode| key_id | peer_id | packet_id | payload
+associated_data_v1 = packet_id
+associated_data_v2 = opcode| key_id | peer_id | packet_id
@@ -2034,12 +2034,12 @@ struct packet_id {
 This data format is only defined for DATA_V2 packets and therefore
- the authenticated data includes opcode, key_id and peer_id.
+ the associated data includes opcode, key_id and peer_id.
-authenticated_data = opcode| key_id | peer_id | packet_id | payload
+associated_data = opcode| key_id | peer_id | packet_id
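Review bot: The new `associated_data_v1`/`associated_data_v2` lines drop the payload from the definition without saying where it now belongs, so a reader of this section could take the removal to mean the payload is no longer authenticated. Since the hunk sits under `struct aead_packet` and the commit message itself cites RFC 5116's "authenticated but not encrypted" definition, the payload is presumably the AEAD plaintext, protected by the tag through the ciphertext rather than through the associated data; I would say so right after the formulas, e.g. `The payload is not part of the associated data: it is the AEAD plaintext, so it is encrypted and still covered by the authentication tag.` The `associated_data_v2` line also keeps the uneven separator `opcode| key_id`, which I would write as `opcode | key_id | peer_id | packet_id` to match the other separators (the second hunk's `associated_data` line has the same quirk). The surrounding description of struct aead_packet starts and ends outside the hunk.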