I have not actually tested this (hard to get 2^35 correctly-bad packets out into reasonable time...) but stared at the code, and ran the full client/server test suite "just to be sure". MaxF understands crypto and has ACKed it in Gerrit.
As discussed on IRC, I have added a few references to the commit message so people with a less deep crypto background can inform themselves what this is all about.

Your patch has been applied to the master branch.

commit ffe0ad41985d7d5f67ae6fc7d58ffa327243f76b
Author: Arne Schwabe
Date:   Thu Jan 9 18:49:28 2025 +0100

     Do not attempt to decrypt packets anymore after 2**36 failed decryptions

     Signed-off-by: Arne Schwabe <a...@rfc2549.org>
     Acked-by: MaxF <m...@max-fillinger.net>
     Message-Id: <20250109174928.17862-1-g...@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30387.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering