Do not underestimate number of encrypted/decrypted AEAD blocks

schwabe · cron2 · commit 5e6d478fb624 · 2025-11-12T12:32:24.000+01:00
Even though the current code typically counts all the encrypted/decrypted traffic, this is only the case because of the specific implementation of OpenSSL at the moment. Instead of counting the length returned by one call only, count all the encrypted/decrypted bytes. Other implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2) (currently) do not honour these usage limits at all. This is the reason that I also currently do not consider the lack/improper validation in our code to be a security vulnerability. In the current state implementations/protocol that lack this feature altogether are not considered vulnerable. Reported by: <stephan@srlabs.de> Change-Id: I429d768fb33ef2c58484287d4091440ad8599053 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358 Message-Id: <20251112112133.1325-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
@@ -152,15 +152,15 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, struct crypto_optio
     ASSERT(cipher_ctx_update(ctx->cipher, BEND(&work), &outlen, BPTR(buf), BLEN(buf)));
     ASSERT(buf_inc_len(&work, outlen));
 
-    /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick
-     * to round up the result to the number of blocks used */
-    const int blocksize = AEAD_LIMIT_BLOCKSIZE;
-    opt->key_ctx_bi.encrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize;
-
     /* Flush the encryption buffer */
     ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
     ASSERT(buf_inc_len(&work, outlen));
 
+    /* update number of plaintext blocks encrypted. Use the (x + (n-1))/n trick
+     * to round up the result to the number of blocks used */
+    const int blocksize = AEAD_LIMIT_BLOCKSIZE;
+    opt->key_ctx_bi.encrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize;
+
     /* if the tag is at end the end, allocate it now */
     if (use_epoch_data_format)
     {
@@ -580,11 +580,10 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, struct crypto_optio
         goto error_exit;
     }
 
-
     /* update number of plaintext blocks decrypted. Use the (x + (n-1))/n trick
      * to round up the result to the number of blocks used. */
     const int blocksize = AEAD_LIMIT_BLOCKSIZE;
-    opt->key_ctx_bi.decrypt.plaintext_blocks += (outlen + (blocksize - 1)) / blocksize;
+    opt->key_ctx_bi.decrypt.plaintext_blocks += (BLEN(&work) + (blocksize - 1)) / blocksize;
 
     *buf = work;
 
