[Openvpn-devel] [S] Change in openvpn[master]: Do not attempt to decrypt packets anymore after 2**36 failed decryptions

Fri, 27 Dec 2024 16:38:22 -0800 

Attention is currently required from: flichtenheld, plaisthos.

MaxF has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/843?usp=email )

Change subject: Do not attempt to decrypt packets anymore after 2**36 failed 
decryptions
......................................................................


Patch Set 2: Code-Review-1

(5 comments)

Patchset:

PS2:
I'm unsure if we should use the 2^36 limit for Chacha-poly, but for AES-GCM it 
should be ok.


File src/openvpn/crypto.h:

http://gerrit.openvpn.net/c/openvpn/+/843/comment/39d7c228_ac4d76f3 :
PS2, Line 667:  We
Incomplete


http://gerrit.openvpn.net/c/openvpn/+/843/comment/e2534d46_534f661c :
PS2, Line 672: TLS 1.3
Should be DTLS


http://gerrit.openvpn.net/c/openvpn/+/843/comment/96fbdeb5_8ce34e21 :
PS2, Line 672: 2**36
I've been looking at the integrity bounds in the AEAD limits RFC again and I'm 
not sure if 2^36 is right for us. The number of decryption failures that we can 
tolerate depends on the maximum message length that we're willing to receive (L 
in the formulas).

The DTLS RFC assumes L <= 2^10, but for us it can be larger. I don't think this 
matters for AES-GCM, the 2^36 limit leaves lots of room to spare. But for 
Chacha-poly, it's pretty tight.

If we tolerate p = 2^-57 and we have L = 2^14, then we can only have 2^32 
decryption failures.


File src/openvpn/crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/843/comment/62ea554d_ed6bec9a :
PS2, Line 426:
Extra whitespace



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/843?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I81440ac28a1ad553652e201234e5ddfe03a8c190
Gerrit-Change-Number: 843
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: MaxF <m...@max-fillinger.net>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Sat, 28 Dec 2024 00:37:01 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to