On Fri, Nov 21, 2025 at 03:05:48PM +1100, Martin Thomson wrote:
>
> I would not worry about the size adjustments in the AEAD limits.
> Those 256 bytes don't change things at all and I think that the limits
> apply to plaintext sizes anyway (which can be up to 2^14.

IIRC, the limits apply to number of blocks used.

With (full-tag) AES-GCM there is a trick to calculating how many bytes of the ~362GB limit have been used: Take size of each record payload in bytes, round up to multiple of 16 bytes and sum the results. E.g., records of 1221, 989, 738 and 800 bytes use up 1232+992+752+800=3776 bytes from the 362GB limit.

This trick is not correct for ChaCha20, but rekeying every ~360GB is acceptable (the actual limit is effectively infinite).

-Ilari
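
The accounting described in the message above, as an added example that is not part of the original thread or of any TLS implementation: a per-key tracker that charges each AES-GCM record at its block-rounded size and rekeys before a record would exceed the budget. The names `gcm_cost` and `KeyUsage` are hypothetical, and the budget constant reads the message's "~362GB" as 362 GiB, which is an assumption.

```python
BLOCK = 16  # AES block size in bytes

# Assumption: the message's "~362GB" figure, read here as 362 GiB.
AES_GCM_BUDGET = 362 * 2**30


def gcm_cost(record_len: int) -> int:
    """Bytes charged to the budget: payload rounded up to whole 16-byte blocks."""
    if record_len < 0:
        raise ValueError("record length must be non-negative")
    return -(-record_len // BLOCK) * BLOCK  # ceiling division, then scale back


class KeyUsage:
    """Tracks how much of one AES-GCM traffic key's budget is consumed.

    Hypothetical helper; not valid for ChaCha20, where this rounding
    rule does not apply.
    """

    def __init__(self, budget: int = AES_GCM_BUDGET):
        self.budget = budget
        self.used = 0
        self.rekeys = 0

    def needs_rekey(self, record_len: int) -> bool:
        """True if protecting this record under the current key would exceed the budget."""
        return self.used + gcm_cost(record_len) > self.budget

    def protect(self, record_len: int) -> bool:
        """Account for one record, rekeying first if needed. Returns True if rekeyed."""
        rekeyed = self.needs_rekey(record_len)
        if rekeyed:
            # A real stack would perform its key update here; we only reset the counter.
            self.used = 0
            self.rekeys += 1
        self.used += gcm_cost(record_len)
        return rekeyed


def usage_for(records, budget: int = AES_GCM_BUDGET) -> KeyUsage:
    """Run a sequence of record payload sizes through a fresh tracker."""
    usage = KeyUsage(budget)
    for n in records:
        usage.protect(n)
    return usage


if __name__ == "__main__":
    # The record sizes from the message's worked example.
    print(usage_for([1221, 989, 738, 800]).used)
```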
