1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
From 20b7bb685c5ea74c651ca1ea547ac66b0fee7035 Mon Sep 17 00:00:00 2001
From: Ilya Dryomov <idryomov@gmail.com>
Date: Fri, 6 Mar 2020 20:16:45 +0100
Subject: [PATCH] msg/async/ProtocolV2: avoid AES-GCM nonce reuse
vulnerabilities
The secure mode uses AES-128-GCM with 96-bit nonces consisting of a
32-bit counter followed by a 64-bit salt. The counter is incremented
after processing each frame, the salt is fixed for the duration of
the session. Both are initialized from the session key generated
during session negotiation, so the counter starts with essentially
a random value. It is allowed to wrap, and, after 2**32 frames, it
repeats, resulting in nonce reuse (the actual sequence numbers that
the messenger works with are 64-bit, so the session continues on).
Because of how GCM works, this completely breaks both confidentiality
and integrity aspects of the secure mode. A single nonce reuse reveals
the XOR of two plaintexts and almost completely reveals the subkey
used for producing authentication tags. After a few nonces get used
twice, all confidentiality and integrity goes out the window and the
attacker can potentially encrypt-authenticate plaintext of their
choice.
We can't easily change the nonce format to extend the counter to
64 bits (and possibly XOR it with a longer salt). Instead, just
remember the initial nonce and cut the session before it repeats,
forcing renegotiation.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Conflicts:
src/msg/async/ProtocolV2.h [ context: commit ed3ec4c01d17
("msg: Build target 'common' without using namespace in
headers") not in octopus ]
CVE: CVE-2020-1759
Upstream Status: Backport [20b7bb685c5ea74c651ca1ea547ac66b0fee7035]
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
src/msg/async/ProtocolV2.cc | 62 ++++++++++++++++++++++++----------
src/msg/async/ProtocolV2.h | 5 +--
src/msg/async/crypto_onwire.cc | 17 ++++++++--
src/msg/async/crypto_onwire.h | 5 +++
4 files changed, 67 insertions(+), 22 deletions(-)
diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc
index 8fc02db6e5..c69f2ccf79 100644
--- a/src/msg/async/ProtocolV2.cc
+++ b/src/msg/async/ProtocolV2.cc
@@ -533,7 +533,10 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) {
m->get_payload(),
m->get_middle(),
m->get_data());
- connection->outgoing_bl.append(message.get_buffer(session_stream_handlers));
+ if (!append_frame(message)) {
+ m->put();
+ return -EILSEQ;
+ }
ldout(cct, 5) << __func__ << " sending message m=" << m
<< " seq=" << m->get_seq() << " " << *m << dendl;
@@ -566,15 +569,17 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) {
return rc;
}
-void ProtocolV2::append_keepalive() {
- ldout(cct, 10) << __func__ << dendl;
- auto keepalive_frame = KeepAliveFrame::Encode();
- connection->outgoing_bl.append(keepalive_frame.get_buffer(session_stream_handlers));
-}
-
-void ProtocolV2::append_keepalive_ack(utime_t ×tamp) {
- auto keepalive_ack_frame = KeepAliveFrameAck::Encode(timestamp);
- connection->outgoing_bl.append(keepalive_ack_frame.get_buffer(session_stream_handlers));
+template <class F>
+bool ProtocolV2::append_frame(F& frame) {
+ ceph::bufferlist bl;
+ try {
+ bl = frame.get_buffer(session_stream_handlers);
+ } catch (ceph::crypto::onwire::TxHandlerError &e) {
+ ldout(cct, 1) << __func__ << " " << e.what() << dendl;
+ return false;
+ }
+ connection->outgoing_bl.append(bl);
+ return true;
}
void ProtocolV2::handle_message_ack(uint64_t seq) {
@@ -612,7 +617,15 @@ void ProtocolV2::write_event() {
connection->write_lock.lock();
if (can_write) {
if (keepalive) {
- append_keepalive();
+ ldout(cct, 10) << __func__ << " appending keepalive" << dendl;
+ auto keepalive_frame = KeepAliveFrame::Encode();
+ if (!append_frame(keepalive_frame)) {
+ connection->write_lock.unlock();
+ connection->lock.lock();
+ fault();
+ connection->lock.unlock();
+ return;
+ }
keepalive = false;
}
@@ -663,13 +676,16 @@ void ProtocolV2::write_event() {
if (r == 0) {
uint64_t left = ack_left;
if (left) {
- auto ack = AckFrame::Encode(in_seq);
- connection->outgoing_bl.append(ack.get_buffer(session_stream_handlers));
ldout(cct, 10) << __func__ << " try send msg ack, acked " << left
<< " messages" << dendl;
- ack_left -= left;
- left = ack_left;
- r = connection->_try_send(left);
+ auto ack_frame = AckFrame::Encode(in_seq);
+ if (append_frame(ack_frame)) {
+ ack_left -= left;
+ left = ack_left;
+ r = connection->_try_send(left);
+ } else {
+ r = -EILSEQ;
+ }
} else if (is_queued()) {
r = connection->_try_send();
}
@@ -769,7 +785,13 @@ template <class F>
CtPtr ProtocolV2::write(const std::string &desc,
CONTINUATION_TYPE<ProtocolV2> &next,
F &frame) {
- ceph::bufferlist bl = frame.get_buffer(session_stream_handlers);
+ ceph::bufferlist bl;
+ try {
+ bl = frame.get_buffer(session_stream_handlers);
+ } catch (ceph::crypto::onwire::TxHandlerError &e) {
+ ldout(cct, 1) << __func__ << " " << e.what() << dendl;
+ return _fault();
+ }
return write(desc, next, bl);
}
@@ -1672,7 +1694,11 @@ CtPtr ProtocolV2::handle_keepalive2(ceph::bufferlist &payload)
ldout(cct, 30) << __func__ << " got KEEPALIVE2 tag ..." << dendl;
connection->write_lock.lock();
- append_keepalive_ack(keepalive_frame.timestamp());
+ auto keepalive_ack_frame = KeepAliveFrameAck::Encode(keepalive_frame.timestamp());
+ if (!append_frame(keepalive_ack_frame)) {
+ connection->write_lock.unlock();
+ return _fault();
+ }
connection->write_lock.unlock();
ldout(cct, 20) << __func__ << " got KEEPALIVE2 "
diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h
index 2dbe647ae5..9897d18cf2 100644
--- a/src/msg/async/ProtocolV2.h
+++ b/src/msg/async/ProtocolV2.h
@@ -129,6 +129,9 @@ private:
CONTINUATION_TYPE<ProtocolV2> &next,
bufferlist &buffer);
+ template <class F>
+ bool append_frame(F& frame);
+
void requeue_sent();
uint64_t discard_requeued_up_to(uint64_t out_seq, uint64_t seq);
void reset_recv_state();
@@ -140,8 +143,6 @@ private:
void prepare_send_message(uint64_t features, Message *m);
out_queue_entry_t _get_next_outgoing();
ssize_t write_message(Message *m, bool more);
- void append_keepalive();
- void append_keepalive_ack(utime_t ×tamp);
void handle_message_ack(uint64_t seq);
CONTINUATION_DECL(ProtocolV2, _wait_for_peer_banner);
diff --git a/src/msg/async/crypto_onwire.cc b/src/msg/async/crypto_onwire.cc
index acf3f66689..07e7fe6553 100644
--- a/src/msg/async/crypto_onwire.cc
+++ b/src/msg/async/crypto_onwire.cc
@@ -22,6 +22,10 @@ static constexpr const std::size_t AESGCM_BLOCK_LEN{16};
struct nonce_t {
std::uint32_t random_seq;
std::uint64_t random_rest;
+
+ bool operator==(const nonce_t& rhs) const {
+ return !memcmp(this, &rhs, sizeof(*this));
+ }
} __attribute__((packed));
static_assert(sizeof(nonce_t) == AESGCM_IV_LEN);
@@ -35,7 +39,8 @@ class AES128GCM_OnWireTxHandler : public ceph::crypto::onwire::TxHandler {
CephContext* const cct;
std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)> ectx;
ceph::bufferlist buffer;
- nonce_t nonce;
+ nonce_t nonce, initial_nonce;
+ bool used_initial_nonce;
static_assert(sizeof(nonce) == AESGCM_IV_LEN);
public:
@@ -44,7 +49,7 @@ public:
const nonce_t& nonce)
: cct(cct),
ectx(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free),
- nonce(nonce) {
+ nonce(nonce), initial_nonce(nonce), used_initial_nonce(false) {
ceph_assert_always(ectx);
ceph_assert_always(key.size() * CHAR_BIT == 128);
@@ -61,6 +66,7 @@ public:
~AES128GCM_OnWireTxHandler() override {
::ceph::crypto::zeroize_for_security(&nonce, sizeof(nonce));
+ ::ceph::crypto::zeroize_for_security(&initial_nonce, sizeof(initial_nonce));
}
std::uint32_t calculate_segment_size(std::uint32_t size) override
@@ -78,6 +84,13 @@ public:
void AES128GCM_OnWireTxHandler::reset_tx_handler(
std::initializer_list<std::uint32_t> update_size_sequence)
{
+ if (nonce == initial_nonce) {
+ if (used_initial_nonce) {
+ throw ceph::crypto::onwire::TxHandlerError("out of nonces");
+ }
+ used_initial_nonce = true;
+ }
+
if(1 != EVP_EncryptInit_ex(ectx.get(), nullptr, nullptr, nullptr,
reinterpret_cast<const unsigned char*>(&nonce))) {
throw std::runtime_error("EVP_EncryptInit_ex failed");
diff --git a/src/msg/async/crypto_onwire.h b/src/msg/async/crypto_onwire.h
index bd682e8c71..0c544f205a 100644
--- a/src/msg/async/crypto_onwire.h
+++ b/src/msg/async/crypto_onwire.h
@@ -45,6 +45,11 @@ struct MsgAuthError : public std::runtime_error {
}
};
+struct TxHandlerError : public std::runtime_error {
+ TxHandlerError(const char* what)
+ : std::runtime_error(std::string("tx handler error: ") + what) {}
+};
+
struct TxHandler {
virtual ~TxHandler() = default;
--
2.20.1
|
