)]}'
{"id":"openvpn~1358","triplet_id":"openvpn~master~I429d768fb33ef2c58484287d4091440ad8599053","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-11-12 13:03:05.000000000","reason":"Change was submitted"},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2025-11-12 13:03:05.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I429d768fb33ef2c58484287d4091440ad8599053","subject":"Do not underestimate number of encrypted/decrypted AEAD blocks","status":"MERGED","created":"2025-11-07 12:44:37.000000000","updated":"2025-11-12 13:03:05.000000000","submitted":"2025-11-12 13:03:05.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":12,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"1358","meta_rev_id":"867319a2c4c4d9047084685783047307fdb92616","_number":1358,"virtual_id_number":1358,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"value":0,"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, 
approved"},"default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-11-07 12:44:38.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-11-07 12:44:38.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"},{"updated":"2025-11-12 11:21:17.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"state":"REVIEWER"}],"messages":[{"id":"6c3988bf176a66bd18f4640e410dfed8966aec58","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-07 12:44:37.000000000","message":"Uploaded patch set 
1.","accounts_in_message":[],"_revision_number":1},{"id":"343a991bfe7c79def960136ffc919990fd3b6eac","author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"date":"2025-11-07 12:59:15.000000000","message":"Patch Set 1: Code-Review-1\n\n(3 comments)","accounts_in_message":[],"_revision_number":1},{"id":"af67acf739eb09627486052a4944cc4865bbb085","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-07 14:30:14.000000000","message":"Uploaded patch set 2: Commit message was updated.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":2},{"id":"642fa1c06e4c1cd7d16836d198940318bbb48530","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-07 14:30:22.000000000","message":"Patch Set 1:\n\n(3 comments)","accounts_in_message":[],"_revision_number":1},{"id":"d5b5a55b4764c4cb2a8c069cc74011156fb1f192","author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"date":"2025-11-07 14:34:19.000000000","message":"Patch Set 2: Code-Review-1\n\n(3 comments)","accounts_in_message":[],"_revision_number":2},{"id":"d1eb269b5258990474850ba250dc14601e2c8ba0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-10 11:10:50.000000000","message":"Uploaded patch set 3: Patch Set 2 was rebased. 
Commit message was updated.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":3},{"id":"70d68a939cee14fa7600f62c148b6af5bc07d8e5","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-10 11:11:14.000000000","message":"Patch Set 2:\n\n(3 comments)","accounts_in_message":[],"_revision_number":2},{"id":"330e121b1a8cb9450886c062c417acfc1bf4e951","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-11-12 11:21:17.000000000","message":"Patch Set 3: Code-Review+2","accounts_in_message":[],"_revision_number":3},{"id":"867319a2c4c4d9047084685783047307fdb92616","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-11-12 13:03:05.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":4}],"current_revision_number":4,"current_revision":"5e6d478fb6246465fb81060e60348bb0061a94fa","revisions":{"9a3134b9b3bd6b5bbe84169de58b5d0b8c3e4286":{"kind":"REWORK","_number":1,"created":"2025-11-07 12:44:37.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/58/1358/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/58/1358/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1 \u0026\u0026 git checkout -b change-1358 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1 
\u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"8545a3db4e83d0294d823ad6489a3040de10984e","subject":"init: make some functions static"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-07 12:37:14.000000000","tz":60},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-07 12:44:32.000000000","tz":60},"subject":"Do not underestimate number of encrypted/decrypted  AEAD blocks","message":"Do not underestimate number of encrypted/decrypted  AEAD blocks\n\nEven thought the current code typically counts all the encrypted/decrypted\ntraffic, this is only the case because of the specific implementation\nof OpenSSL at the moment.\n\nInstead of counting the length returned by one call only, count all\nthe encrypted/decrypted bytes.\n\nOther implementations that AES-GCM (like IPSec, MacSEC, TLS 1.2) currently\ndo not honour these usage limits at all. 
So this currently not something\nthat I consider to be security vulnerability since currently this something\nthat enhances security but is not yet required so to say.\n\nReported by: \u003cstephan@srlabs.de\u003e\n\nChange-Id: I429d768fb33ef2c58484287d4091440ad8599053\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"8e6836bce91d97731d9827084578a2bf8842f9aa":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2025-11-07 14:30:14.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/58/1358/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/58/1358/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2 \u0026\u0026 git checkout -b change-1358 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"8545a3db4e83d0294d823ad6489a3040de10984e","subject":"init: make some functions static"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-07 12:37:14.000000000","tz":60},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-07 14:28:51.000000000","tz":60},"subject":"Do not underestimate number of encrypted/decrypted  AEAD blocks","message":"Do not underestimate number of encrypted/decrypted  AEAD blocks\n\nEven though the current code 
typically counts all the encrypted/decrypted\ntraffic, this is only the case because of the specific implementation\nof OpenSSL at the moment.\n\nInstead of counting the length returned by one call only, count all\nthe encrypted/decrypted bytes.\n\nOther implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2) currently\ndo not honour these usage limits at all. So this currently not something\nthat I consider to be security vulnerability. In the current state\nimplementations/protocol that lack this feature all together are also\nnot considered vulnerable.\n\nReported by: \u003cstephan@srlabs.de\u003e\n\nChange-Id: I429d768fb33ef2c58484287d4091440ad8599053\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"5784dabbe6ce96e1106495e4838503fad7cec3f8":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":3,"created":"2025-11-10 11:10:50.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/58/1358/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/58/1358/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3 \u0026\u0026 git checkout -b change-1358 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"7e0b68aeeaebeed71b902299c436371ebc83170e","subject":"dco_freebsd.c: fix 
integer warnings"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-07 12:37:14.000000000","tz":60},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-10 11:10:37.000000000","tz":60},"subject":"Do not underestimate number of encrypted/decrypted  AEAD blocks","message":"Do not underestimate number of encrypted/decrypted  AEAD blocks\n\nEven though the current code typically counts all the encrypted/decrypted\ntraffic, this is only the case because of the specific implementation\nof OpenSSL at the moment.\n\nInstead of counting the length returned by one call only, count all\nthe encrypted/decrypted bytes.\n\nOther implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2)\n(currently) do not honour these usage limits at all. This is the reason that\nI also currently do not consider the lack/improper validation in our code\nto be a security vulnerability. In the current state implementations/protocol\nthat lack this feature altogether are not considered vulnerable.\n\nReported by: \u003cstephan@srlabs.de\u003e\n\nChange-Id: I429d768fb33ef2c58484287d4091440ad8599053\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"5e6d478fb6246465fb81060e60348bb0061a94fa":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":4,"created":"2025-11-12 13:03:05.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/58/1358/4","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/58/1358/4","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4 \u0026\u0026 git checkout -b change-1358 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4 \u0026\u0026 git 
cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/58/1358/4 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"985f4eaeccf0d3f9d833f3271d88634e237d7cd5","subject":"iservice: make sure directories have trailing backslash"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-12 11:21:27.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-11-12 11:32:24.000000000","tz":60},"subject":"Do not underestimate number of encrypted/decrypted AEAD blocks","message":"Do not underestimate number of encrypted/decrypted AEAD blocks\n\nEven though the current code typically counts all the encrypted/decrypted\ntraffic, this is only the case because of the specific implementation\nof OpenSSL at the moment.\n\nInstead of counting the length returned by one call only, count all\nthe encrypted/decrypted bytes.\n\nOther implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2)\n(currently) do not honour these usage limits at all. This is the reason that\nI also currently do not consider the lack/improper validation in our code\nto be a security vulnerability. 
In the current state, implementations/protocols\nthat lack this feature altogether are not considered vulnerable.\n\nReported by: \u003cstephan@srlabs.de\u003e\n\nChange-Id: I429d768fb33ef2c58484287d4091440ad8599053\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: Gert Doering \u003cgert@greenie.muc.de\u003e\nGerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358\nMessage-Id: \u003c20251112112133.1325-1-gert@greenie.muc.de\u003e\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
