Limit --reneg-bytes to 64MB when using small block ciphers

Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that susceptible to SWEET32-like
attacks.  The 64 MB value has been selected with the researchers who
published the SWEET32 paper.

Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.

Furthermore, in contrast with the patch for master, this will not limit
--reneg-bytes on the client side.  This allows server administrators to
revert to the old behaviour, or increase --reneg-bytes to something they
believe is workable, without having to change client configs.  (The master
branch provides cipher negotiation as a real solution, so we can be
stricter there.)

v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
    language in warning message, add URL to man page, and only limit at the
    server side.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477656607-7440-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12799.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 70573dacb1abdc9db80f664023ee6e6b147e98b9..7be30ec0bc72908a5d9c796f3c181b4e1463e116 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3913,6 +3913,7 @@ an abbreviation for Blowfish in Cipher Block Chaining mode.
 
 Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
 small block size allows attacks based on collisions, as demonstrated by SWEET32.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
 
 To see other ciphers that are available with OpenVPN, use the
 .B \-\-show\-ciphers

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 552e33323a65e07794a91567ecb57771d9e1f435..ca4af27ebe6e5adfd2ff705418894bdc1ed4f2b6 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -496,8 +496,9 @@ init_key_ctx (struct key_ctx *ctx, struct key *key,
          cipher_kt_iv_size(kt->cipher));
       if (cipher_kt_block_size(kt->cipher) < 128/8)
        {
-         msg (M_WARN, "WARNING: this cipher's block size is less than 128 bit "
-             "(%d bit).  Consider using a --cipher with a larger block size.",
+         msg (M_WARN, "WARNING: INSECURE cipher with block size less than 128"
+             " bit (%d bit).  This allows attacks like SWEET32.  Mitigate by "
+             "using a --cipher with a larger block size (e.g. AES-256-CBC).",
              cipher_kt_block_size(kt->cipher)*8);
        }
     }

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ef02993cc2f179188d06029ade580f6357c4d3b..19cd815d1e5ae111b71907c0b8583fa789c204de 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -849,6 +849,7 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_SSL
   o->key_method = 2;
   o->tls_timeout = 2;
+  o->renegotiate_bytes = -1;
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;
   o->transition_window = 3600;

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 33fd9dd6b7ad7c59f00bd17e0eb77ca1065a1789..bfad2911f4807cbb6d91bdf89f205af8b26f20c7 100644 (file)
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -271,6 +271,27 @@ tls_get_cipher_name_pair (const char * cipher_name, size_t len) {
   return NULL;
 }
 
+/**
+ * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
+ *
+ * @param cipher       The current cipher (may be NULL).
+ * @param reneg_bytes  Pointer to the current reneg_bytes, updated if needed.
+ *                     May *not* be NULL.
+ */
+static void
+tls_limit_reneg_bytes (const cipher_kt_t *cipher, int *reneg_bytes)
+{
+  if (cipher && (cipher_kt_block_size(cipher) < 128/8))
+    {
+      if (*reneg_bytes == -1) /* Not user-specified */
+       {
+         msg (M_WARN, "WARNING: cipher with small block size in use, "
+              "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
+         *reneg_bytes = 64 * 1024 * 1024;
+       }
+    }
+}
+
 /*
  * Max number of bytes we will add
  * for data structures common to both
@@ -1956,6 +1977,8 @@ key_method_2_write (struct buffer *buf, struct tls_session *session)
        }
                      
       CLEAR (*ks->key_src);
+      tls_limit_reneg_bytes (session->opt->key_type.cipher,
+                            &session->opt->renegotiate_bytes);
     }
 
   return true;
@@ -2222,7 +2245,7 @@ tls_process (struct tls_multi *multi,
   if (ks->state >= S_ACTIVE &&
       ((session->opt->renegotiate_seconds
        && now >= ks->established + session->opt->renegotiate_seconds)
-       || (session->opt->renegotiate_bytes
+       || (session->opt->renegotiate_bytes > 0
           && ks->n_bytes >= session->opt->renegotiate_bytes)
        || (session->opt->renegotiate_packets
           && ks->n_packets >= session->opt->renegotiate_packets)