From: Arne Schwabe Date: Wed, 12 Nov 2025 11:21:27 +0000 (+0100) Subject: Do not underestimate number of encrypted/decrypted AEAD blocks X-Git-Tag: v2.7_rc2~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e6d478fb6246465fb81060e60348bb0061a94fa;p=thirdparty%2Fopenvpn.git Do not underestimate number of encrypted/decrypted AEAD blocks Even though the current code typically counts all the encrypted/decrypted traffic, this is only the case because of the specific implementation of OpenSSL at the moment. Instead of counting the length returned by one call only, count all the encrypted/decrypted bytes. Other implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2) (currently) do not honour these usage limits at all. This is the reason that I also currently do not consider the lack/improper validation in our code to be a security vulnerability. In the current state implementations/protocol that lack this feature altogether are not considered vulnerable. Reported by: Change-Id: I429d768fb33ef2c58484287d4091440ad8599053 Signed-off-by: Arne Schwabe Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358 Message-Id: <20251112112133.1325-1-gert@greenie.muc.de> Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 307d1ee6c..8049b3a56 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -152,15 +152,15 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, struct crypto_optio ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf))); ASSERT(buf_inc_len(&work, outlen)); - /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick - * to round up the result to the number of blocks used */ - const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; - /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); ASSERT(buf_inc_len(&work, outlen)); + /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick + * to round up the result to the number of blocks used */ + const int blocksize = AEAD_LIMIT_BLOCKSIZE; + opt->key_ctx_bi.encrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize; + /* if the tag is at end the end, allocate it now */ if (use_epoch_data_format) { @@ -580,11 +580,10 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, struct crypto_optio goto error_exit; } - /* update number of plaintext blocks decrypted. Use the (x + (n-1))/n trick * to round up the result to the number of blocks used. */ const int blocksize = AEAD_LIMIT_BLOCKSIZE; - opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize; + opt->key_ctx_bi.decrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize; *buf = work;