git.ipfire.org Git - thirdparty/openvpn.git/commit
Do not attempt to decrypt packets anymore after 2**36 failed decryptions
author Arne Schwabe <arne@rfc2549.org>
Thu, 9 Jan 2025 17:49:28 +0000 (18:49 +0100)
committer Gert Doering <gert@greenie.muc.de>
Thu, 9 Jan 2025 21:20:56 +0000 (22:20 +0100)
commit ffe0ad41985d7d5f67ae6fc7d58ffa327243f76b
tree 86e9cdd3170b25d6491e6fb3f359cfa094e55521
parent 6a7931a4a89cb35be7b799942e7fa03fde2cdc63
Do not attempt to decrypt packets anymore after 2**36 failed decryptions

To avoid attacks (especially on ChaCha20-Poly1305) we do not allow
decryption anymore after 2**36 failed verifications.

After 2**35, we trigger a renegotiation (to avoid that situation).

For the theoretical background, see

   - https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/
   - RFC 9147 (DTLS 1.3) section 4.5.3 "AEAD limits"
   - https://eprint.iacr.org/2024/051.pdf

Change-Id: I81440ac28a1ad553652e201234e5ddfe03a8c190
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250109174928.17862-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30387.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/crypto.c
src/openvpn/crypto.h
src/openvpn/ssl.c
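
The counting scheme the commit message describes, sketched as an added example; this is not the code from this commit or from OpenVPN. All names (key_state, rx_packet, forged_packet) are hypothetical, the AEAD tag check is a constructed stub, and the exact boundary comparisons (>=) are an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits from the commit message; every name below is hypothetical. */
#define FAIL_SOFT_LIMIT (UINT64_C(1) << 35) /* ask for renegotiation */
#define FAIL_HARD_LIMIT (UINT64_C(1) << 36) /* stop decrypting (>= is assumed) */

struct key_state {
    uint64_t failed_decrypts; /* tag verification failures under this key */
    bool reneg_requested;     /* soft limit already acted on */
};
enum rx_result { RX_OK, RX_AUTH_FAILED, RX_KEY_EXHAUSTED };
typedef bool (*aead_open_fn)(const uint8_t *pkt, size_t len);
static unsigned open_calls; /* counts calls into the constructed AEAD stub */
static bool forged_packet(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    open_calls++;
    return false; /* tag never verifies */
}

/* Process one packet; *start_reneg is set once, when the soft limit is hit. */
static enum rx_result rx_packet(struct key_state *ks, aead_open_fn aead_open,
                                const uint8_t *pkt, size_t len, bool *start_reneg)
{
    *start_reneg = false;
    if (ks->failed_decrypts >= FAIL_HARD_LIMIT)
        return RX_KEY_EXHAUSTED; /* dropped before the cipher is touched */
    if (aead_open(pkt, len))
        return RX_OK;
    ks->failed_decrypts++;
    if (ks->failed_decrypts >= FAIL_SOFT_LIMIT && !ks->reneg_requested) {
        ks->reneg_requested = true;
        *start_reneg = true;
    }
    return RX_AUTH_FAILED;
}

int main(void)
{
    struct key_state ks = { FAIL_HARD_LIMIT - 1, true }; /* constructed state */
    uint8_t pkt[4] = { 0 };
    bool reneg;
    printf("%d ", rx_packet(&ks, forged_packet, pkt, sizeof pkt, &reneg));
    printf("%d\n", rx_packet(&ks, forged_packet, pkt, sizeof pkt, &reneg));
    return 0;
}
```

A fresh key would start from a zeroed key_state, which is why the renegotiation requested at the soft limit keeps a session from reaching the hard limit.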