Ticket #865: openvpn-2.4.1-reneg-sec_random.patch

File openvpn-2.4.1-reneg-sec_random.patch, 5.5 KB (added by Simon Matter, 7 years ago)
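--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -34,7 +34,7 @@
 .\" .ft -- normal face
 .\" .in +|-{n} -- indent
 .\"
-.TH openvpn 8 "25 August 2016"
+.TH openvpn 8 "28 March 2017"
 .\"*********************************************************
 .SH NAME
 openvpn \- secure IP tunnel daemon.
@@ -4919,11 +4919,19 @@
 packets sent and received (disabled by default).
 .\"*********************************************************
 .TP
-.B \-\-reneg\-sec n
+.B \-\-reneg\-sec n [random]
 Renegotiate data channel key after
 .B n
 seconds (default=3600).
 
+If the optional
+.B random
+parameter is specified, a per session pseudo-random component in the range of
+.B 1 ... random
+is added to the
+.B n
+seconds above (default=0).
+
 When using dual-factor authentication, note that this default value may
 cause the end user to be challenged to reauthorize once per hour.
 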
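--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2592,6 +2592,10 @@
     to.renegotiate_bytes = options->renegotiate_bytes;
     to.renegotiate_packets = options->renegotiate_packets;
     to.renegotiate_seconds = options->renegotiate_seconds;
+    if (options->renegotiate_seconds_random)
+    {
+        to.renegotiate_seconds += max_int((int)(get_random() % options->renegotiate_seconds_random) + 1, 1);
+    }
     to.single_session = options->single_session;
     to.mode = options->mode;
     to.pull = options->pull;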
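Review bot: The offset computed at the line `max_int((int)(get_random() % options->renegotiate_seconds_random) + 1, 1)` is only spread over the documented 1 ... random range if `get_random()` never returns a negative value; the `max_int(…, 1)` clamp suggests it can, and in that case every negative remainder collapses to 1, so a large share of sessions get the minimum offset rather than a random one, which defeats the purpose of the jitter. Taking the remainder on an unsigned value removes the need for the clamp and keeps the full range: `to.renegotiate_seconds += (int)((unsigned long)get_random() % (unsigned long)options->renegotiate_seconds_random) + 1;`. The sum is not bounded, so a very large `--reneg-sec` base plus the offset could exceed INT_MAX; a range check on both values at parse time would close that. The enclosing function starts and ends outside the hunk.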
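--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -603,7 +603,9 @@
     "                  if no ACK from remote within n seconds (default=%d).\n"
     "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
     "--reneg-pkts n  : Renegotiate data chan. key after n packets sent and recvd.\n"
-    "--reneg-sec n   : Renegotiate data chan. key after n seconds (default=%d).\n"
+    "--reneg-sec n [r] : Renegotiate data chan. key after n seconds (default=%d)\n"
+    "                  and if r is specified, add a per session pseudo-random\n"
+    "                  component in the range of 1 ... r to n (default=%d).\n"
     "--hand-window n : Data channel key exchange must finalize within n seconds\n"
     "                  of handshake initiation by any peer (default=%d).\n"
     "--tran-window n : Transition window -- old key can live this many seconds\n"
@@ -1773,6 +1775,7 @@
     SHOW_INT(renegotiate_bytes);
     SHOW_INT(renegotiate_packets);
     SHOW_INT(renegotiate_seconds);
+    SHOW_INT(renegotiate_seconds_random);
 
     SHOW_INT(handshake_window);
     SHOW_INT(transition_window);
@@ -2741,6 +2744,7 @@
         MUST_BE_UNDEF(renegotiate_bytes);
         MUST_BE_UNDEF(renegotiate_packets);
         MUST_BE_UNDEF(renegotiate_seconds);
+        MUST_BE_UNDEF(renegotiate_seconds_random);
         MUST_BE_UNDEF(handshake_window);
         MUST_BE_UNDEF(transition_window);
         MUST_BE_UNDEF(tls_auth_file);
@@ -4091,6 +4095,7 @@
             o.authname, o.ciphername,
             o.replay_window, o.replay_time,
             o.tls_timeout, o.renegotiate_seconds,
+            o.renegotiate_seconds_random,
             o.handshake_window, o.transition_window);
 #else  /* ifdef ENABLE_CRYPTO */
     fprintf(fp, usage_message,
@@ -7983,10 +7988,14 @@
         VERIFY_PERMISSION(OPT_P_TLS_PARMS);
         options->renegotiate_packets = positive_atoi(p[1]);
     }
-    else if (streq(p[0], "reneg-sec") && p[1] && !p[2])
+    else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
     {
         VERIFY_PERMISSION(OPT_P_TLS_PARMS);
         options->renegotiate_seconds = positive_atoi(p[1]);
+        if (p[2])
+        {
+            options->renegotiate_seconds_random = positive_atoi(p[2]);
+        }
     }
     else if (streq(p[0], "hand-window") && p[1] && !p[2])
     {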
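Review bot: The optional second argument stored in the `if (p[2])` branch of the "reneg-sec" hunk is taken from `positive_atoi` with no validation, so a mistyped or non-numeric token is accepted silently and, if `positive_atoi` maps such input to 0 as its name suggests, quietly disables the jitter the user asked for; an explicit 0 is likewise indistinguishable from the argument being absent, since init.c only acts on a non-zero value. Rejecting a non-positive result through the parser's existing error path (the `msg(msglevel, …); goto err;` pattern, assuming it is in scope in this function as in the other option branches) makes the misconfiguration visible at startup instead of at the first renegotiation. The enclosing option-parsing function starts and ends outside the hunk.
```c
        if (p[2])
        {
            options->renegotiate_seconds_random = positive_atoi(p[2]);
            if (options->renegotiate_seconds_random <= 0)
            {
                msg(msglevel, "--reneg-sec: the optional random component must be a positive integer");
                goto err;
            }
        }
```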
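--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -545,6 +545,7 @@
     int renegotiate_bytes;
     int renegotiate_packets;
     int renegotiate_seconds;
+    int renegotiate_seconds_random;
 
     /* Data channel key handshake must finalize
      * within n seconds of handshake initiation. */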
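Review bot: The new `renegotiate_seconds_random` field at line 548 carries no comment, while the neighbouring handshake_window field is documented; what the value means (an upper bound for a per-session random offset, with 0 meaning no offset) is only discoverable by reading init.c. Suggest placing `/* Upper bound of the per-session random offset added to renegotiate_seconds (0 = no offset). */` above the field. The enclosing struct starts and ends outside the hunk.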
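--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2719,8 +2719,8 @@
             || (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))))
     {
         msg(D_TLS_DEBUG_LOW,
-            "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
-            (int)(ks->established + session->opt->renegotiate_seconds - now),
+            "TLS: soft reset sec=%d/%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
+            (int)(now - ks->established), (int)session->opt->renegotiate_seconds,
             ks->n_bytes, session->opt->renegotiate_bytes,
             ks->n_packets, session->opt->renegotiate_packets);
         key_state_soft_reset(session);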