mirror/openvpn3
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Code
79013381dc
openvpn3/openvpn/server
History
James Yonan 662bf7833e ovpn3 core : Added automatic data limits for Blowfish, 
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329).  Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted.  While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.

This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.

This capability is advertised to servers via the a
peer info setting:

  IV_BS64DL=1

meaning "Block-Size 64-bit Data Limit".  The "1" indicates
the implementation version.

The implementation currently has some limitations:

* Keys are renegotiated at a maximum rate of once per
  5 seconds to reduce the likelihood of loss of
  synchronization between peers.

* The maximum renegotiation rate may be further extended
  if the peer delays rollover from the old to new key
  after renegotiation.

Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.

Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".

Prevously, the TLS ack/retransmit timeout was hardcoded to
2 seconds.  Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.

Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter.  become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission.  become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.

Incremented core version to 3.0.20.
2016-09-01 15:19:00 -06:00
..
listenlist.hpp class Protocol : add enum for client/server suffix. 2016-05-05 00:13:43 -06:00
manage.hpp server APIs : added set_acl_id(), set_fwmark(), and changed 2016-08-17 11:36:34 -07:00
peeraddr.hpp Renamed boost::intrusive_ptr<T> usage to RCPtr<T>. 2015-05-17 21:26:53 -06:00
peerstats.hpp C++11 update: mass replace of boost::uint/int to std::uint/int. 2015-04-23 17:55:07 -06:00
servhalt.hpp HaltRestart : added new RAW type for OMI. 2016-05-05 00:36:00 -06:00
servproto.hpp ovpn3 core : Added automatic data limits for Blowfish, 2016-09-01 15:19:00 -06:00
vpnservnetblock.hpp vpnservpool : major refactor for OMI. 2016-05-05 00:37:10 -06:00
vpnservpool.hpp route : removed mark as a route-specific property. 2016-08-17 11:31:11 -07:00