Hi,

On Tue, Jan 31, 2023 at 02:52:48PM +0100, Arne Schwabe wrote:
> Patch v2: fix spellings of reneg and renegotiations.
> Patch v3: expand comment to original_tlscrypt_keydata and commit message,
>           add Changes.rst
> Patch v4: improve commit message, Changes.rst
> Patch v5: fix spelling/grammar mistakes. Add more comments.
> Patch v6: consistently call this feature dynamic tls-crypt crypt. Note
>           this changes the export label and makes it incompatible with
>           previous patches.
> Patch v7: also xor tls-auth key data into the dynamic tls-crypt key like
>           tls-crypt key data

I'm a bit late to the party, apologies for this.

I did not look at the code ("Heiko has given it an ACK") but threw it
into the server test framework, where the new code "should" not have made
any difference (automated connections are not lasting long enough to hit
renegotiation at all).

Unfortunately, v7 on top of current master (commit c333a0c05f9d454ef)
fully breaks --tls-crypt-v2 connections, *if* the new code runs both
on client and server end:

...
2023-03-06 10:20:03 PUSH: Received control message: 'PUSH_REPLY,route 10.204.0.0 255.255.0.0,route-ipv6 fd00:abcd:204::/48,tun-ipv6,ping 10,ping-restart 30,route-ipv6 fd00:dead:beef::2001/128,echo,route-ipv6 fd00:dead:beef::2002/128,route-ipv6 fd00:dead:beef::1/128,ifconfig-ipv6 fd00:abcd:204:5::2/124 fd00:abcd:204:5::1,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'

(so the server wants dyn-tls-crypt)

...
2023-03-06 10:20:04 add_route_ipv6(fd00:dead:beef::1/128 -> fd00:abcd:204:5::1 metric -1) dev tun0
2023-03-06 10:20:04 /sbin/route add -inet6 fd00:dead:beef::1/128 -iface tun0
add host fd00:dead:beef::1/128: gateway tun0

(ifconfig + route installation is done)

2023-03-06 10:20:04 Assertion failed at tls_crypt.c:83 (key->n == 2 && other->n == 2)
2023-03-06 10:20:04 Exiting due to fatal error

*boom*

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
