mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Commit Graph

121 Commits

Author SHA1 Message Date
David Sommerseth
3fbe0a2701
Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
Arne Schwabe
a1250b9bed Announce Chacha20-poly1305 in IV_CIPHER if supported
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-02-18 18:50:27 +01:00
Arne Schwabe
80399075d4 Implement CHACHA20-Poly1305 support for data channel
This also changes the mbed TLS implementation from using the AES GCM
specific API to the generic AEAD API in mbed TLS. As a result we can
refactor the commonly used parts of AEAD and normal cipher into a
common class.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-02-18 18:50:27 +01:00
Arne Schwabe
424d9b34af Rename GCM classes and files to AEAD
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-02-18 18:50:27 +01:00
David Sommerseth
29e060ffb3
CryptoAlgs: Don't report any digests for ciphers not using them
The CryptoDCSettings::digest() method returns SHA1 digest when the
cipher is an AEAD cipher.  This is incorrect, as AEAD ciphers do not
use digests for authentication at all; the authentication is an
integral part of the AEAD cipher itself.

To solve this, the CryptoAlgs::AlgFlags has been extended with a new
F_NO_CIPHER_DIGEST flag which is expected to be set on ciphers not
depending on any digests for authentication, like AES-GCM/AEAD
ciphers.  A new method, use_cipher_digest(), will return True if
the cipher depends on a digest for authentication.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2019-10-24 14:48:22 +02:00
Arne Schwabe
8c79c06d94 Make tls-crypt/tls-cryptv2 compile with multiple compilation units
This changes the non constexpr expressions to constexpr so that
they can be used in multiple compilation units
2019-08-29 16:59:33 +02:00
Antonio Quartulli
9814079944
tls-crypt-v2: implement abstract metadata parser
The metadata that may possibly be contained in the WKc has to be
verified by means of a user implemented behaviour.

Implement an abstract class that exports a verify() method to be
used for this purpose.

Users can extend this class and override the verify() method with
their own.

A basic implementation is also provided: it will just ignore the
metadata (if any) and report success to the core.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-12-06 09:19:22 +10:00
Antonio Quartulli
60fcf374fb
tls-crypt-v2: implement WKc appending/unwrapping logic
The client reads the WKc from the key file and appends it to
the HARD_RESET_CLIENT_V3 packet when starting a connection.

The server reads the WKc from the received HARD_RESET_CLIENT_V3 packet,
decrypts and authenticates it (it is encrypted and signed with the
server keys upon generation) and finally extracts the client key.

The client key is then used to initialize the server tls-crypt.
At this point every packet is treated as a standard tls-crypt framed
message (HARD_RESET_CLIENT_V3 included).

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-12-06 09:19:22 +10:00
Antonio Quartulli
156a6e58ba
tls-crypt-v2: implement client key parser and renderer
The client key used for tls-crypt-v2 is stored in PEM format
and it is made up by the actual client key (Kc) and the
wrapped client key (WKc). The latter is an envelope containing
Kc (and some optional metadata) encrypted by the server with
its own key. It is sent upon connection to allow the server to
extract the actual Kc to be used for the tls-crypt session.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-12-06 09:19:21 +10:00
Antonio Quartulli
f090fcda4a
tls-crypt: make HMAC API more generic
In order to make the HMAC API in the TLCrypt class
re-usable by tls-crypt-v2, avoid using the hard-coded
header size of the standard tls-crypt packet.

Instead, let the caller specify the header size via
argument.

Note that the header size is also expected to be the offset
where it is possible to find the Authentication tag to be
used during the packet authentication.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-12-06 09:19:21 +10:00
James Yonan
f9fc2f54e6
BufferAllocated: improve movability
Added BufferAllocated move constructor for foreign
BufferAllocated template classes.

In order to make this work, we need to:

(a) generally friend BufferType and BufferAllocatedType
    to all BufferAllocatedType template classes, and

(b) require typename R (thread_unsafe_refcount or
    thread_safe_refcount) to be specified for
    BufferAllocatedType (previously it was optional
    and defaulted to thread_unsafe_refcount).

Signed-off-by: James Yonan <james@openvpn.net>
2018-03-10 02:28:31 +08:00
David Sommerseth
16b10559f2 [OVPN3-140] Update company names in copyrights
OpenVPN Technologies, Inc. changed their name to OpenVPN Inc. during the
autumn of 2017.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
David Sommerseth
6caca2c313 [OVPN3-140] Relicense back to AGPLv3
This is essentially a revert of commit 04b2a3c9b7 and commit
ef42e59e05.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
James Yonan
8379b0a319 CryptoDCInstance: added new RekeyType PRIMARY_SECONDARY_SWAP
and use it in ProtoContext::promote_secondary_to_primary()
since it more accurately reflects the underlying
implementation.

Note that this only affects DCO (data channel offload)
implementations.

Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
James Yonan
4e11a6c89c StaticKey: added render_to_base64() and init_from_rng()
methods.

Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
James Yonan
190ece92d4 CryptoAlgs: added mode() method.
Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
James Yonan
76e65cf4c9 CryptoAlgs: added AEAD_NONCE_TAIL_SIZE constant (set to 8
bytes) to represent the size in bytes of AEAD "nonce tail"
normally taken from the HMAC key material.

Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
Antonio Quartulli
74c5f4f38f [OVPN3-5] tls-crypt: introduce tls-crypt support
backported from OpenVPN 2.4.x

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-09-27 16:16:18 +08:00
Antonio Quartulli
56a831f92a [OVPN3-5] crypto/ssl: add support for AES-256-CTR
Add support for AES-256-CTR (used by tls-crypt) in the crypto
layer and make sure that each SSL library plugin is aware of it.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-09-27 16:16:18 +08:00
James Yonan
faf8f8fd51 StaticKey: added parse_from_base64() method
Signed-off-by: James Yonan <james@openvpn.net>
2017-09-27 16:16:17 +08:00
James Yonan
d11f250e76 HashString: added final_base64() method
Signed-off-by: James Yonan <james@openvpn.net>
2017-09-27 16:16:17 +08:00
James Yonan
691a641a43 Added i/o abstraction layer.
Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.

The basic approach is to rename all references to asio::xxx
types to openvpn_io::xxx and then make openvpn_io a
preprocessor variable that points to the top-level namespace
of the i/o reactor implementation.

All of the source files that currently include <asio.hpp> now
include <openvpn/io/io.hpp> instead:

This gives us a lightweight abstraction layer that allows us
to define openvpn_io to be something other than asio.

Other changes:

* Inclusion of asio by scripts/build is now optional, and is
  enabled by passing ASIO=1 or ASIO_DIR=<dir>.

* Refactored openvpn/common/socktypes.hpp to no longer
  require asio.

* Refactored openvpn/log/logthread.hpp to no longer require
  asio.

* Added openvpn::get_hostname() method as alternative to
  calling asio directly.

* openvpn/openssl/util/init.hpp will now #error
  if USE_ASIO is undefined.

Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 15:48:14 -06:00
James Yonan
b2cd82a5bf copyright: updated to 2017.
Signed-off-by: James Yonan <james@openvpn.net>
2017-03-18 13:11:09 -06:00
James Yonan
f9af3c7910 crypto: in class CryptoDCInstance, added new virtual
method init_remote_peer_id().  This allows the DCO
layer (Data Channel Offload) to have access to the
remote peer ID.
2017-03-18 12:24:54 -06:00
James Yonan
050e8717f1 mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (symbol renames)
This patch renames internal OpenVPN 3 symbols
from polarssl -> mbedtls.

Signed-off-by: James Yonan <james@openvpn.net>
2017-03-18 12:24:54 -06:00
James Yonan
1fd81ebf96 random : because the RandomAPI interface now supports
both cryptographic and non-cryptographic algorithms, as
a failsafe, add a new virtual method assert_crypto()
that will throw an exception if the algorithm is not
crypto strength.  assert_crypto() should now be called
before any RNG is used for crypto purposes.
2017-03-18 12:24:54 -06:00
James Yonan
1deedbaef7 HashString : added void final(Buffer& output) method. 2017-03-18 12:24:54 -06:00
James Yonan
0b662bc284 C++ coding : for consistency, const strings should be passed as
const std::string&, not const std::string
2017-03-18 12:24:54 -06:00
Samuli Seppänen
04b2a3c9b7 Switch from AGPLv3 to GPLv3
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
2017-03-16 14:43:55 +02:00
James Yonan
07d37b0016 DCO : added explicit_exit_notify() client hook. 2016-09-06 11:31:57 -06:00
James Yonan
971abda88f copyright : updated to 2016 2016-09-03 23:29:23 -06:00
James Yonan
662bf7833e ovpn3 core : Added automatic data limits for Blowfish,
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329).  Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted.  While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.

This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.

This capability is advertised to servers via a
peer info setting:

  IV_BS64DL=1

meaning "Block-Size 64-bit Data Limit".  The "1" indicates
the implementation version.

The implementation currently has some limitations:

* Keys are renegotiated at a maximum rate of once per
  5 seconds to reduce the likelihood of loss of
  synchronization between peers.

* The maximum renegotiation rate may be further extended
  if the peer delays rollover from the old to new key
  after renegotiation.

Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.

Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".

Previously, the TLS ack/retransmit timeout was hardcoded to
2 seconds.  Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.

Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter.  become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission.  become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.

Incremented core version to 3.0.20.
2016-09-01 15:19:00 -06:00
James Yonan
636cd863ed ovpn3 SSL core: added rekey(CryptoDCInstance::NEW_SECONDARY)
method/type for initializing secondary key after a soft
renegotiation.
2016-08-23 19:36:24 -07:00
James Yonan
e3e903c3b6 Separated out class HashString from HTTPProxy::Digest, making
it standalone for use by other code.
2016-03-08 13:16:52 -07:00
James Yonan
134ba710f2 ovpn3 core globals cleanup:
1. move all const globals into anonymous namespace
2. make sure that all non-class functions are inline
3. refactor class static data members
2015-11-25 11:34:41 -07:00
James Yonan
0bac5d8990 Core: revamped packet ID code to use a much larger window size,
allowing backtracks of up to 2048 (previous limit was 64).
In addition, we now maintain the packet ID window as a bit
array (previously a byte array was used).
2015-06-18 01:55:52 -06:00
James Yonan
c6a21c827b Boost dependency elimination -- final removal of Boost
dependency.  Asio is now included as a standalone,
header-only dependency.
2015-06-06 10:59:18 -06:00
James Yonan
88518335c4 Boost dependency elimination -- change boost::algorithm
usage (for string algorithms) to use methods of our own
implementation in openvpn/common/string.hpp.
2015-06-04 19:22:59 -06:00
James Yonan
b75c780cab Renamed boost::intrusive_ptr<T> usage to RCPtr<T>. 2015-05-17 21:26:53 -06:00
James Yonan
35ac9f6229 Renamed types.hpp to size.hpp since it now only defines
size_t and ssize_t.
2015-05-17 13:27:34 -06:00
James Yonan
5d1bc1c952 Moved array_size() function to its own header file. 2015-05-17 12:57:23 -06:00
James Yonan
0fde33173a C++11 update: mass replace of boost::uint/int to std::uint/int. 2015-04-23 17:55:07 -06:00
James Yonan
36550cd35e Update to C++11 noncopyable semantics.
Instead of inheriting from boost::noncopyable,
use the C++11 delete qualifier:

    Class(const Class&) = delete;
    Class& operator=(const Class&) = delete;
2015-04-23 15:10:43 -06:00
James Yonan
664b276716 render_hex() methods now take an optional caps argument to
control whether hex chars a-f are rendered as lowercase or
uppercase.

Renamed the template form of render_hex() to render_hex_generic(),
to avoid ambiguity from new caps parameter.
2015-04-21 00:42:15 -06:00
James Yonan
e2c90bf030 ServerProto::Session::stop() should reset the DC (data channel) factory. 2015-01-15 17:05:50 -07:00
James Yonan
c2c7292a70 Updated copyright to 2015. 2015-01-06 12:56:21 -07:00
James Yonan
3fe1a359c0 Added OpenSSL GCM support. 2014-12-31 00:24:54 -07:00
James Yonan
8482f7f76d Misc changes to dynamically support OpenVPN protocols V1 and V2:
1. force_aes_cbc_ciphersuites flag will disable V2.

2. Added class CryptoDCSettings to manage cipher/digest settings,
   DC factory, and DC context.  A CryptoDCSettings instance is
   now declared as a member of ProtoContext::Config and is used
   to define the cipher/digest pair of the config.

3. ProtoContext::Config::load now parses the "tun-mtu" directive.

Server-side changes:

1. Parse "keepalive" directive, using the same logic
   as OpenVPN 2.x.

2. Added ProtoContext::init_data_channel() method for initializing
   the data channel after IV_x peer info received from client.
2014-12-29 22:20:50 -07:00
James Yonan
7e1d159cee Major protocol upgrades:
* peer_id/DATA_V2/op32
  client -> server:
    IV_PROTO=2
  server -> client :
    push "peer-id 1234"
    push "peer-id -1"

* AEAD/GCM support
  client -> server:
    IV_NCP=2
  server -> client:
    push "cipher AES-256-GCM"

* Compression V2
  client -> server:
    IV_LZ4v2=1
    IV_COMP_STUBv2=1
  server -> client:
    push "compress stub-v2"
    push "compress lz4-v2"

* TCP non-linear packet ID
  client -> server:
    IV_TCPNL=1
  server -> client:
    [always enabled]
2014-12-21 10:32:37 -07:00
James Yonan
eb25f37d11 Route:
* Make class Route standalone, moving it out of namespace
  CIDRMap.

CryptoAlgs:

* Added comments

* For type-safety, mode() now returns a Mode rather than an
  int.

CryptoDC:

* Added CRYPTO_DEFINED flag to indicate when encrypt() and
  decrypt() methods are implemented by a data channel
  provider.

Manage:

* Implemented skeleton management API for server-side client
  authentication and managing client-instance properties.

Proto:

* Added Config::update_dc_factory() method.

* Support new CryptoDCInstance::CRYPTO_DEFINED flag.

* Updated server_auth() method to support SafeString transit
  of client-provided auth-user-pass password to management
  layer.

* control_send now does a reset() on the provided
  Ptr reference before returning to reflect the
  transfer-of-ownership of the underlying buffer.

* Implemented disable_keepalive() and override_dc_factory
  methods.

Transbase (server) new methods:

  // disable keepalive for rest of session
  virtual void disable_keepalive() = 0;

  // override the data channel factory
  virtual void override_dc_factory(const CryptoDCFactory::Ptr& dc_factory) = 0;

  // override the tun provider
  virtual TunClientInstanceRecv* override_tun(TunClientInstanceSend* tun) = 0;

ServProto:

* Added abstract base classes for Tun factories and client instance
  sender/receivers.

* Added Tun and Management linkages.

* Added new receiver methods for overriding the data channel
  factory, Tun factory, and keepalive config.

* Added AuthCreds support.
2014-10-30 10:41:53 -06:00