This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The added IV_CIPHER string that we send, brought the Frame used in
the proto test client over the 256 byte limit. Change the proto test
to use a larger test frame of 378 byte.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The metadata that may be possibly be contained in the WKc has to be
verified by means of a user implemented behaviour.
Implement an abstract class that exports a verify() method to be
used for this purpose.
Users can extend this class and override the verify() method with
their own.
A basic implementation is also provided: it will just ignore the
metadata (if any) and report success to the core.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
By default tls-crypt is now enabled instead of tls-auth.
It can be easily changed by editing the define at the top
of test/ssl/proto.hpp
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Not really important, but worth fixing to avoid polluting
any memchecker output with unreleased (leaked) resources.
Release process resources before exiting the main function.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329). Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted. While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.
This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.
This capability is advertised to servers via the a
peer info setting:
IV_BS64DL=1
meaning "Block-Size 64-bit Data Limit". The "1" indicates
the implementation version.
The implementation currently has some limitations:
* Keys are renegotiated at a maximum rate of once per
5 seconds to reduce the likelihood of loss of
synchronization between peers.
* The maximum renegotiation rate may be further extended
if the peer delays rollover from the old to new key
after renegotiation.
Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.
Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".
Prevously, the TLS ack/retransmit timeout was hardcoded to
2 seconds. Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.
Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter. become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission. become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.
Incremented core version to 3.0.20.
receive path to reassemble messages fragmented by the
SSL layer up to a max message size of 64 KB.
Ramifications:
* Peer info data and pushed options can be significantly
larger (i.e. approaching 64 KB).
* Less need for the options continuation feature.
Limitations:
* While this patch doesn't change the underlying OpenVPN
protocol, it can result in messages being sent that are
fragmented by the receiving SSL implementation into
multiple buffers. Implementations that lack reassembly
capabilities (such as OpenVPN 2.x at this point in time)
would see each buffer fragment as a separate message.
* This patch running on the server will break negotiation
with pre-peer-info clients. Basically this means it will
interoperate with any OpenVPN 3 version or OpenVPN 2.x
version that includes the June 2010 commit "Implemented a
key/value auth channel from client to server.
Version 2.1.1i".
allowing backtracks of up to 2048 (previous limit was 64).
In addition, we now maintain the packet ID window as a bit
array (previously a byte array was used).
1. work with latest proto.hpp API changes.
2. NOERR -- if defined, turn off simulated errors
3. FORCE_AES_CBC -- set force_aes_cbc_ciphersuites SSL flag
4. if VERBOSE, enable SSL debugging output
* Performance degradation from recent commit was occurring
in PRNG.
* Allow RNG to be used in place of PRNG. For PolarSSL
at least, this change completely reverses the
polymorphic ProtoContext performance degradation
and turns it into a net performance gain.
* Added bool prng to RNG constructors to allow
the implementation to optimize for PRNG
(only PolarSSL currently supports this).
Documented different use-cases for RNG vs. PRNG
in ProtoContext:
RNG -- Random number generator.
Use-cases demand highest cryptographic strength
such as key generation.
PRNG -- Pseudo-random number generator.
Use-cases demand cryptographic strength
combined with high performance. Used for
IV and ProtoSessionID generation.
three-level factory model:
CryptoDCFactory -- builds CryptoDCContext objects for a given
cipher/digest
CryptoDCContext -- builds CryptoDCBase objects for a given key ID
CryptoDCBase -- encrypt/decrypt data channel
These scripts
scripts/mac/build-minicrypto
scripts/mac/build-polarssl
will now build PolarSSL (on OSX) with libminicrypto linkage.
Currently, only SHA1/256/512 implementations from OpenSSL are
built in libminicrypto. We leave the current PolarSSL AES
implementation as-is since it now implements AES-NI.
Also added portable openssl/build-openssl script.
* Fixed compile issue due to need to replace cc.enable_debug()
with cc.ssl_debug_level = 1.
* Added RENEG var to control number of "virtual seconds" between
SSL renegotiations.
* Doc changes in README.txt.
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.