I agree with SR-Labs that this is a bug - thanks for fixing.
I also do agree with Arne that this is not CVE worthy, as this is a new
safety margin added to 2.7, which is only really relevant if you are
talking about "sustained utilization of >> 10 Gbit/s to the same peer,
exceeding sane AEAD block limits, and not going into tls-renegotiation due
to any other trigger (reneg-sec etc)" - so the chance to actually have
a setup that would hit this is very close to zero, and then you're no
worse than with 2.6 - or any of the other TLS/AEAD implementations.
Stared at code ("make sense"), fed into the t_server testbed ("just to
be sure"). BB and GHA agree that it compiles and tests fine everywhere.
Your patch has been applied to the master branch.
commit 5e6d478fb6246465fb81060e60348bb0061a94fa
Author: Arne Schwabe
Date: Wed Nov 12 12:21:27 2025 +0100
Do not underestimate number of encrypted/decrypted AEAD blocks
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358
Message-Id: <[email protected]>
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
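As an added illustration of the accounting the commit title refers to (this is example code, not OpenVPN's implementation, and it does not reproduce the specific defect that was fixed): a per-packet AEAD block counter that rounds up instead of truncating, beside the undercounting variant, with an assumed block model and constructed packet sizes.

```python
"""Added illustration (not OpenVPN's code): per-packet AEAD block accounting
that never undercounts. The block model below is an assumption."""
import math

AES_BLOCK_BYTES = 16


def aead_blocks_exact(payload_len: int, aad_len: int = 0) -> int:
    """Blocks consumed by one AES-GCM packet under the assumed model: a
    partial trailing block of payload or AAD counts as a whole block, plus
    one block for the initial counter/tag computation."""
    return (math.ceil(payload_len / AES_BLOCK_BYTES)
            + math.ceil(aad_len / AES_BLOCK_BYTES) + 1)


def aead_blocks_truncating(payload_len: int, aad_len: int = 0) -> int:
    """Undercounting variant: integer division drops the partial trailing
    block (and the counter block), so over many packets the tally lags
    behind the number of blocks the key was really used for."""
    return payload_len // AES_BLOCK_BYTES + aad_len // AES_BLOCK_BYTES


class AeadUsageCounter:
    """Tracks blocks processed under one data-channel key and reports when
    the configured limit is reached so the caller can renegotiate."""

    def __init__(self, block_limit: int):
        self.block_limit = block_limit
        self.blocks = 0

    def record(self, payload_len: int, aad_len: int = 0) -> bool:
        """Account for one packet; True means 'renegotiate now'."""
        self.blocks += aead_blocks_exact(payload_len, aad_len)
        return self.blocks >= self.block_limit


def undercount(packets) -> int:
    """Blocks the truncating counter misses for a (payload, aad) packet mix."""
    exact = sum(aead_blocks_exact(p, a) for p, a in packets)
    lazy = sum(aead_blocks_truncating(p, a) for p, a in packets)
    return exact - lazy


# Constructed packet mix: (payload bytes, AAD bytes); sizes are illustrative.
SAMPLE_PACKETS = [(1400, 8), (100, 8), (17, 8), (1, 8)]

if __name__ == "__main__":
    print("exact per packet:", [aead_blocks_exact(p, a) for p, a in SAMPLE_PACKETS])
    print("blocks missed by truncation:", undercount(SAMPLE_PACKETS))
```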
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel