mirror/openvpn3
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Code
79013381dc
openvpn3/openvpn/ssl
History
James Yonan 662bf7833e ovpn3 core : Added automatic data limits for Blowfish, 
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329).  Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted.  While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.

This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.

This capability is advertised to servers via the a
peer info setting:

  IV_BS64DL=1

meaning "Block-Size 64-bit Data Limit".  The "1" indicates
the implementation version.

The implementation currently has some limitations:

* Keys are renegotiated at a maximum rate of once per
  5 seconds to reduce the likelihood of loss of
  synchronization between peers.

* The maximum renegotiation rate may be further extended
  if the peer delays rollover from the old to new key
  after renegotiation.

Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.

Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".

Prevously, the TLS ack/retransmit timeout was hardcoded to
2 seconds.  Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.

Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter.  become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission.  become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.

Incremented core version to 3.0.20.
2016-09-01 15:19:00 -06:00
..
datalimit.hpp ovpn3 core : Added automatic data limits for Blowfish, 2016-09-01 15:19:00 -06:00
is_openvpn_protocol.hpp Added is_openvpn_protocol() method, for peeking at the first 2016-04-12 22:00:12 -06:00
kuparse.hpp options/hexstr : refactored parse_hex_number() to allow 2016-05-12 13:45:14 -06:00
mssparms.hpp Added mssfix-ctrl directive to set control channel 2015-06-06 21:52:12 -06:00
nscert.hpp SSL core : fixed some benign cases where the std::string 2016-05-01 21:56:46 -06:00
peerinfo.hpp client : support push-peer-info directive. 2016-04-14 00:30:42 -06:00
proto_context_options.hpp Renamed boost::intrusive_ptr<T> usage to RCPtr<T>. 2015-05-17 21:26:53 -06:00
proto.hpp ovpn3 core : Added automatic data limits for Blowfish, 2016-09-01 15:19:00 -06:00
protostack.hpp ovpn3 core : Added automatic data limits for Blowfish, 2016-09-01 15:19:00 -06:00
psid.hpp Updated copyright to 2015. 2015-01-06 12:56:21 -07:00
sslapi.hpp AuthCert/SSL : support x509-track. Initially, only OpenSSL 2016-05-05 00:18:42 -06:00
sslchoose.hpp In sslchoose.hpp, include <polarssl/debug.h> for PolarSSL builds. 2015-04-18 23:56:54 -06:00
sslconsts.hpp OpenSSL, AuthCert : implemented DEFERRED_CERT_VERIFY SSL 2016-07-30 15:17:57 -07:00
tls_remote.hpp Boost dependency elimination -- change boost::algorithm 2015-06-04 19:22:59 -06:00
tlsprf.hpp OpenVPN protocol core : added logic to control channel 2016-05-09 21:39:04 -06:00
tlsver.hpp SSL core : fixed some benign cases where the std::string 2016-05-01 21:56:46 -06:00