cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1358?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Do not underestimate number of encrypted/decrypted AEAD blocks ...................................................................... Do not underestimate number of encrypted/decrypted AEAD blocks Even though the current code typically counts all the encrypted/decrypted traffic, this is only the case because of the specific implementation of OpenSSL at the moment. Instead of counting the length returned by one call only, count all the encrypted/decrypted bytes. Other implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2) (currently) do not honour these usage limits at all. This is the reason that I also currently do not consider the lack/improper validation in our code to be a security vulnerability. In the current state implementations/protocol that lack this feature altogether are not considered vulnerable. Reported by: <[email protected]> Change-Id: I429d768fb33ef2c58484287d4091440ad8599053 Signed-off-by: Arne Schwabe <[email protected]> Acked-by: Gert Doering <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358 Message-Id: <[email protected]> Signed-off-by: Gert Doering <[email protected]> --- M src/openvpn/crypto.c 1 file changed, 6 insertions(+), 7 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/58/1358/4 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 307d1ee..8049b3a 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -152,15 +152,15 @@ ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); ASSERT(buf_inc_len(&work, outlen)); - /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick - * to round up the result to the number of blocks used */ - const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; - /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); + /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick + * to round up the result to the number of blocks used */ + const int blocksize = AEAD_LIMIT_BLOCKSIZE; + opt->key_ctx_bi.encrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize; + /* if the tag is at end the end, allocate it now */ if (use_epoch_data_format) { @@ -580,11 +580,10 @@ goto error_exit; } - /* update number of plaintext blocks decrypted. Use the (x + (n-1))/n trick * to round up the result to the number of blocks used. */ const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; + opt->key_ctx_bi.decrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize; *buf = work; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1358?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I429d768fb33ef2c58484287d4091440ad8599053 Gerrit-Change-Number: 1358 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <[email protected]> Gerrit-Reviewer: cron2 <[email protected]> Gerrit-Reviewer: flichtenheld <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
