Opened 6 years ago

Closed 5 years ago

#1121 closed Feature Wish (fixed)

tls-crypt-v2: client-specific tls-crypt keys

Reported by: Antonio Quartulli Owned by: Antonio Quartulli
Priority: blocker Milestone: release 2.5
Component: Crypto Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

OpenVPN 2.4 currently support a control channel encryption mechanism which hides the content of control packets from malicious observers.

The main downside of this mechanism is that it currently uses one shared key among the entire VPN infrastructure (i.e. shared among all the clients and the server).

This ticket is about a new version of this feature, where each client gets provided with its own key.

Change History (4)

comment:1 Changed 6 years ago by Antonio Quartulli

The patchset is out on the mailing list since a while.
Antonio is currently reviewing it.

comment:2 Changed 6 years ago by Antonio Quartulli

Milestone: release 2.5
Version: OpenVPN 2.5.0 (Community Ed)

comment:3 Changed 6 years ago by Antonio Quartulli

Patches have been reviewed once again and they need to be resent to the ml. They can probably be ACK'd right after.

comment:4 Changed 5 years ago by David Sommerseth

Resolution: fixed
Status: assignedclosed

This feature has been added to git master, to be part of the coming release/2.5.

commit ff931c5e99a808e762bc0203d70f19bf3767e216
Author: Steffan Karger
Date:   Mon Oct 22 13:45:15 2018 +0200

    tls-crypt-v2: add script hook to verify metadata
    
    To allow rejecting incoming connections very early in the handshake,
    add a --tls-crypt-v2-verify option that allows administators to
    run an external command to verify the metadata from the client key.
    See doc/tls-crypt-v2.txt for more details.
    
    Because of the extra dependencies, this requires adding a mock
    parse_line() to the tls-crypt unit tests.  Also, this turns tls_wrap_free
    into a static inline function, so that we don't need to compile in ssl.c
    (and all of it's dependencies) with the unit tests.
    
    Signed-off-by: Antonio Quartulli
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-6-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17789.html
    Signed-off-by: David Sommerseth

commit 19dffdbde08f6b1ea5d32d429a255218d4304c66
Author: Steffan Karger
Date:   Mon Oct 22 13:45:14 2018 +0200

    tls-crypt-v2: implement tls-crypt-v2 handshake
    
    This makes clients send-and-use, and servers receive-unwrap-and-use
    tls-crypt-v2 client keys, which completes the on-the-wire work.
    
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-5-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17787.html
    Signed-off-by: David Sommerseth

commit 283290bf77dbc6c1c23deddd6145e74576bf79f1
Author: Steffan Karger
Date:   Mon Oct 22 13:45:13 2018 +0200

    tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode
    
    Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
    messages.
    
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-4-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17790.html
    Signed-off-by: David Sommerseth

commit a98a56768fdb652664dd10e09037a05f96494b23
Author: Steffan Karger
Date:   Mon Oct 22 13:45:12 2018 +0200

    tls-crypt-v2: add unwrap_client_key
    
    Add helper functions to unwrap tls-crypt-v2 client keys.
    
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-3-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17791.html
    Signed-off-by: David Sommerseth

commit 9d59029a088b26b8dd50dc2523f87e2b38e4ab53
Author: Steffan Karger
Date:   Mon Oct 22 13:45:11 2018 +0200

    tls-crypt-v2: generate tls-crypt-v2 keys
    
    As a first step towards a full tls-crypt-v2 implementation, add
    functionality to generate tls-crypt-v2 client and server keys.
    
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-2-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17792.html
    Signed-off-by: David Sommerseth

commit 6394cba7b5b11974b0159891f2bf65164775c6c0
Author: Steffan Karger
Date:   Mon Oct 22 13:45:10 2018 +0200

    tls-crypt-v2: add specification to doc/
    
    This is a preliminary description of tls-crypt-v2.  It should give a good
    impression about the reasoning and design behind tls-crypt-v2, but might
    need some polishing and updating.
    
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-1-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17788.html
    Signed-off-by: David Sommerseth
Note: See TracTickets for help on using tickets.