Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that susceptible to SWEET32-like
attacks. The 64 MB value has been selected with the researchers who
published the SWEET32 paper.
Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.
v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
language in warning message, and add URL to man page.
Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
---
doc/openvpn.8 | 1 +
src/openvpn/crypto.c | 5 +++--
src/openvpn/options.c | 1 +
src/openvpn/ssl.c | 29 ++++++++++++++++++++++++++++-
4 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2e58f33..0ac8184 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4101,6 +4101,7 @@ an abbreviation for Blowfish in Cipher Block Chaining
mode.
Using BF-CBC is no longer recommended, because of it's 64-bit block size. This
small block size allows attacks based on collisions, as demonstrated by
SWEET32.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
To see other ciphers that are available with OpenVPN, use the
.B \-\-show\-ciphers
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 45689f2..f600070 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -836,8 +836,9 @@ init_key_ctx (struct key_ctx *ctx, struct key *key,
cipher_kt_iv_size(kt->cipher));
if (cipher_kt_block_size(kt->cipher) < 128/8)
{
- msg (M_WARN, "WARNING: this cipher's block size is less than 128 bit "
- "(%d bit). Consider using a --cipher with a larger block size.",
+ msg (M_WARN, "WARNING: INSECURE cipher with block size less than 128"
+ " bit (%d bit). This allows attacks like SWEET32. Mitigate by "
+ "using a --cipher with a larger block size (e.g. AES-256-CBC).",
cipher_kt_block_size(kt->cipher)*8);
}
}
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 281ef0b..996c26e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -852,6 +852,7 @@ init_options (struct options *o, const bool init_gc)
#endif
o->key_method = 2;
o->tls_timeout = 2;
+ o->renegotiate_bytes = -1;
o->renegotiate_seconds = 3600;
o->handshake_window = 60;
o->transition_window = 3600;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index dfdc200..33122a3 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -283,6 +283,27 @@ tls_get_cipher_name_pair (const char * cipher_name, size_t
len) {
return NULL;
}
+/**
+ * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
+ *
+ * @param cipher The current cipher (may be NULL).
+ * @param reneg_bytes Pointer to the current reneg_bytes, updated if needed.
+ * May *not* be NULL.
+ */
+static void
+tls_limit_reneg_bytes (const cipher_kt_t *cipher, int *reneg_bytes)
+{
+ if (cipher && (cipher_kt_block_size(cipher) < 128/8))
+ {
+ if (*reneg_bytes == -1) /* Not user-specified */
+ {
+ msg (M_WARN, "WARNING: cipher with small block size in use, "
+ "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
+ *reneg_bytes = 64 * 1024 * 1024;
+ }
+ }
+}
+
/*
* Max number of bytes we will add
* for data structures common to both
@@ -1742,6 +1763,8 @@ tls_session_update_crypto_params(struct tls_session
*session,
msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
goto cleanup;
}
+ tls_limit_reneg_bytes (session->opt->key_type.cipher,
+ &session->opt->renegotiate_bytes);
ret = true;
cleanup:
CLEAR (*ks->key_src);
@@ -2126,6 +2149,8 @@ key_method_2_write (struct buffer *buf, struct
tls_session *session)
}
CLEAR (*ks->key_src);
+ tls_limit_reneg_bytes (session->opt->key_type.cipher,
+ &session->opt->renegotiate_bytes);
}
return true;
@@ -2354,6 +2379,8 @@ key_method_2_read (struct buffer *buf, struct tls_multi
*multi, struct tls_sessi
}
CLEAR (*ks->key_src);
+ tls_limit_reneg_bytes (session->opt->key_type.cipher,
+ &session->opt->renegotiate_bytes);
}
gc_free (&gc);
@@ -2410,7 +2437,7 @@ tls_process (struct tls_multi *multi,
if (ks->state >= S_ACTIVE &&
((session->opt->renegotiate_seconds
&& now >= ks->established + session->opt->renegotiate_seconds)
- || (session->opt->renegotiate_bytes
+ || (session->opt->renegotiate_bytes > 0
&& ks->n_bytes >= session->opt->renegotiate_bytes)
|| (session->opt->renegotiate_packets
&& ks->n_packets >= session->opt->renegotiate_packets)
--
2.7.4
------------------------------------------------------------------------------
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
