Attention is currently required from: cron2, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/796?usp=email )
Change subject: Trigger renegotiation of data key if getting close to the AEAD usage limit ...................................................................... Patch Set 6: Code-Review-1 (8 comments) File src/openvpn/crypto.h: http://gerrit.openvpn.net/c/openvpn/+/796/comment/cd492ae9_fd17bd7c : PS6, Line 603: * number of number of block + packets. Return -1 if ciphername is not an AEAD "blocks" File src/openvpn/crypto.c: http://gerrit.openvpn.net/c/openvpn/+/796/comment/884aa131_043fac76 : PS6, Line 353: * q + s <= (p^36 - 1) `2^36` http://gerrit.openvpn.net/c/openvpn/+/796/comment/5487e9b6_1af10abb : PS6, Line 502: /* update number of plaintext blocks decrypted. Use the x + (n-1)/n trick Should be `(x + (n-1))/n`. The code is correct, but comment is wrong. http://gerrit.openvpn.net/c/openvpn/+/796/comment/38ba5a32_7a3341ec : PS6, Line 503: * to round up the result to the number of blocked used. */ "blocks" http://gerrit.openvpn.net/c/openvpn/+/796/comment/4cbb5beb_e82ad0e6 : PS6, Line 505: opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1))/blocksize; So we increase this number before we have done all checks on the packet. Doesn't that open us up to potential attacks that force renegotiation by replaying packets? File src/openvpn/ssl.c: http://gerrit.openvpn.net/c/openvpn/+/796/comment/dc63e5a8_82d0b335 : PS6, Line 144: /* set limit to 7/8 of the limit so the renogiation has can succeeds before "renegotiation can succeed" ? File src/openvpn/ssl_common.h: http://gerrit.openvpn.net/c/openvpn/+/796/comment/728ac18b_aa309cd4 : PS6, Line 336: /** This limit for AEAD cipher, this is the sum of packets + blocks "This" -> "The"? Or maybe just remove it? File tests/unit_tests/openvpn/test_crypto.c: http://gerrit.openvpn.net/c/openvpn/+/796/comment/fd854db2_f454d881 : PS6, Line 463: int64_t L = 101; Please mention or use AEAD_LIMIT_BLOCKSIZE -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/796?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I057f007577f10c6ac917ee4620ee3d2559187dc7 Gerrit-Change-Number: 796 Gerrit-PatchSet: 6 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-CC: cron2 <g...@greenie.muc.de> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: cron2 <g...@greenie.muc.de> Gerrit-Comment-Date: Thu, 28 Nov 2024 09:47:14 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
