mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
6a05768a71
Currently we have only one slot for renegotiation of the session/keys.
If a replayed/faked packet is inserted by a malicous attacker, the
legimate peer cannot renegotiate anymore.
This commit introduces dynamic tls-crypt. When both peer support this
feature, both peer create a dynamic tls-crypt key using TLS EKM (export
key material) and will enforce using that key and tls-crypt for all
renegotiations. This also add an additional protection layer for
renegotiations to be taken over by an illegimate client, binding the
renegotiations tightly to the original session. Especially when 2FA,
webauth or similar authentication is used, many third party setup ignore
the need to secure renegotiation with an auth-token.
Since one of tls-crypt/tls-crypt-v2 purposes is to provide poor man's post
quantum crypto guarantees, we have to ensure that the dynamic key tls-crypt
key that replace the original tls-crypt key is as strong as the orginal key
to avoid problems if there is a weak RNG or TLS EKM produces weak keys. We
ensure this but XORing the original key with the key from TLS EKM. If
tls-crypt/tls-cryptv2 is not active, we use just the key generated by
TLS EKM. We also do not use hashing or anything else on the original key
before XOR to avoid any potential of a structure in the key or something
else that might weaken post-quantum use cases.
OpenVPN 2.x reserves the TM_ACTIVE session for renegotiations. When a
SOFT_RESET_V1 packet is received, the active TLS session is moved from
KS_PRIMARY to KS_SECONDARY. Here an attacker could theorectically send a
faked/replayed SOFT_RESET_V1 and first packet containing the TLS client
hello. If this happens, the session is blocked until the TLS
renegotiation attempt times out, blocking the legimitate client.
Using a dynamic tls-crypt key here blocks any SOFT_RESET_V1 (and following
packets) as replay and fake packets will not have a matching
authentication/encryption and will be discarded.
HARD_RESET packets that are from a reconnecting peer are instead put in the
TM_UNTRUSTED/KS_PRIMARY slot until they are sufficiently verified, so the
dynamic tls-crypt key is not used here. Replay/fake packets also do not
block the legimitate client.
This commit delays the purging of the original tls-crypt key data from
directly after passing it to crypto library to tls_wrap_free. We do this
to allow us mixing the new exported key with the original key.
To be able to generate the dynamic tls-cryptn key, we need the original
key, so deleting the key is not an option if we need it later again to
generate another key. Even when the client does not support secure
renegotiation, deleting the key is not an option since when the
reconnecting client or (especially in p2p mode with float) another client
does the reconnect, we might need to generate a dynamic tls-crypt key
again. Delaying the deletion of the key has also little effect as the
key is still present in the OpenSSL/mbed TLS structures in the tls_wrap
structure, so only the number of times the keys is in memory would be
reduced.
Patch v2: fix spellings of reneg and renegotiations.
Patch v3: expand comment to original_tlscrypt_keydata and commit message,
add Changes.rst
Patch v4: improve commit message, Changes.rst
Patch v5: fix spelling/grammar mistakes. Add more comments.
Patch v6: consistently calld this feature dynamic tls-crypt crypt. Note
this changes the export label and makes it incompatible with
previous patches.
Patch v7: also xor tls-auth key data into the dynamic tls-crypt key like
tls-crypt key data
Patch v8: Avoid triggering ASSERT added in v7 by properly setting keys.n = 2
when loading tls crypt v2 client keys. Add dyn-tls-crypt to
protocol options printout.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20230307150233.3551436-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26341.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||
|---|---|---|
| .. | ||
| engine-key | ||
| example_test | ||
| openvpn | ||
| plugins | ||
| Makefile.am | ||
| README.md | ||
Unit Tests
This directory contains unit tests for openvpn. New features/bugfixes should be written in a test friendly way and come with corresponding tests.
Run tests
Tests are run by make check. A failed tests stops test execution. To run all
tests regardless of errors call make -k check.
Add new tests to existing test suite
Test suites are organized in directories. example_test/ is an example for a test suite with two test executables. Feel free to use it as a template for new tests.
Test suites
Test suites live inside a subdirectory of $ROOT/tests/unit_tests, e.g. $ROOT/tests/unit_tests/my_feature.
Test suites are configured by a Makefile.am. Tests are executed by testdrivers. One testsuite can contain more than one testdriver.
Hints
- Name suites & testdrivers in a way that the name of the driver says something about which component/feature is tested
- Name the testdriver executable
*_testdriver. This way it gets picked up by the default.gitignore- If this is not feasible: Add all output to a
.gitignore* Use descriptive test names:coffee_brewing__with_no_beans__failsvs.test34
- If this is not feasible: Add all output to a
- Testing a configurable feature? Wrap test execution with a conditional (see auth_pam for an example)
- Add multiple test-drivers when one testdriver looks crowded with tests
New Test Suites
- Organize tests in folders for features.
- Add the new test directory to
SUBDIRSinMakefile.am - Edit
configure.acand add the newMakefiletoAC_CONFIG_FILES - Run
./configure, and enable the feature you'd like to test - Make sure that
make checkruns your tests - Check: Would a stranger be able to easily find your tests by you looking at the test output?
- Run
./configure, and disable the feature you'd like to test - Make sure that
make checkdoes not run your tests