From patchwork Thu Jan 9 17:49:28 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4042
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jan 2025 18:49:28 +0100
Message-ID: <20250109174928.17862-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] Do not attempt to decrypt packets anymore after 2**36 failed decryptions

From: Arne Schwabe

To avoid attacks (especially on Chacha20-Poly1305) we do not allow
decryption anymore after 2**36 failed verifications.

Change-Id: I81440ac28a1ad553652e201234e5ddfe03a8c190
Signed-off-by: Arne Schwabe
Acked-by: MaxF
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/843
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
MaxF

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index df38cdd..ee9b0c6 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -405,7 +405,13 @@ { static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; - const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; + struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; + + if (cipher_decrypt_verify_fail_exceeded(ctx)) + { + CRYPT_DROP("Decryption failed verification limit reached."); + } + int outlen; struct gc_arena gc; @@ -511,6 +517,7 @@ if (!cipher_ctx_final_check_tag(ctx->cipher, BPTR(&work) + outlen, &outlen, tag_ptr, tag_size)) { + ctx->failed_verifications++; CRYPT_DROP("packet tag authentication failed"); } ASSERT(buf_inc_len(&work, outlen)); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 3ad31c5..fe81c7f 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -209,6 +209,8 @@ * with the current key in number of 128 bit blocks (only used for * AEAD ciphers) */ uint64_t plaintext_blocks; + /** number of failed verification using this cipher */ + uint64_t failed_verifications; }; #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */ 
@@ -661,6 +663,32 @@ cipher_get_aead_limits(const char *ciphername); /** + * Check if the number of failed decryption is over the acceptable limit. + */ +static inline bool +cipher_decrypt_verify_fail_exceeded(const struct key_ctx *ctx) +{ + /* Use 2**36, same as DTLS 1.3. Strictly speaking this only guarantees + * the security margin for packets up to 2^10 blocks (16384 bytes) + * but we accept slightly lower security bound for the edge + * of Chacha20-Poly1305 and packets over 16k as MTUs over 16k are + * extremely rarely used */ + return ctx->failed_verifications > (1ull << 36); +} + +/** + * Check if the number of failed decryption is approaching the limit and we + * should try to move to a new key + */ +static inline bool +cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx) +{ + /* Use 2**35, half the amount after which we refuse to decrypt */ + return ctx->failed_verifications > (1ull << 35); +} + + +/** * Blocksize used for the AEAD limit caluclation * * Since cipher_ctx_block_size() is not reliable and will return 1 in many diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index cf7f34f..e4a7b57 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3005,6 +3005,11 @@ return true; } + if (cipher_decrypt_verify_fail_warn(&key_ctx_bi->decrypt)) + { + return true; + } + return false; } /*
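Review bot: in src/openvpn/crypto.c, first hunk (@@ -405,7 +405,13), the new cipher_decrypt_verify_fail_exceeded() check and its CRYPT_DROP sit above the `int outlen;` and `struct gc_arena gc;` declarations, so the drop is taken before gc has been declared or initialised. If the exit path behind CRYPT_DROP frees or otherwise touches gc, that is a use of an uninitialised arena on exactly the path an attacker can force. Moving the check below the declarations and the gc setup avoids this and also stops a statement from being interleaved with the declaration block.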
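Review bot: in src/openvpn/crypto.h (@@ -661,6 +663,32), cipher_decrypt_verify_fail_exceeded() compares with `>`, so a packet is still decrypted when failed_verifications equals 2**36; because the check in crypto.c runs before the counter is incremented, refusal only starts after 2**36 + 1 failed verifications. If the bound is meant to be at most 2**36 failures, as the commit message and the comment say, use `>=` here, and likewise for the 2**35 threshold in cipher_decrypt_verify_fail_warn(). Two named constants for the thresholds would keep the "half the limit" relationship explicit, and the comment should settle on one notation instead of mixing 2**36 with 2^10.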
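Review bot: in src/openvpn/ssl.c (@@ -3005,6 +3005,11), the new branch returns true without logging anything, even though the helper is named cipher_decrypt_verify_fail_warn(). Reaching 2**35 failed tag verifications on a single key points to sustained forgery attempts or heavy corruption on the path, and an operator reading the log should be able to tell that the move to a new key was caused by this counter and not by the other conditions in this function. Consider emitting a log message with the key and the failure count before `return true;`.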