git.feebdaed.xyz Git - 0xmirror/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Wed, 12 Nov 2025 11:21:27 +0000 (12:21 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 12 Nov 2025 11:32:24 +0000 (12:32 +0100)
commit	5e6d478fb6246465fb81060e60348bb0061a94fa
tree	329f28870670fac6b064afdf4ac3d83706a82d63	tree \| snapshot
parent	985f4eaeccf0d3f9d833f3271d88634e237d7cd5	commit \| diff

Do not underestimate number of encrypted/decrypted AEAD blocks

Even though the current code typically counts all the encrypted/decrypted
traffic, this is only the case because of the specific implementation
of OpenSSL at the moment.

Instead of counting the length returned by one call only, count all
the encrypted/decrypted bytes.

Other implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2)
(currently) do not honour these usage limits at all. This is the reason that
I also currently do not consider the lack/improper validation in our code
to be a security vulnerability. In the current state implementations/protocol
that lack this feature altogether are not considered vulnerable.

Reported by: <stephan@srlabs.de>

Change-Id: I429d768fb33ef2c58484287d4091440ad8599053
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358
Message-Id: <20251112112133.1325-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>