git.apps.os.sepia.ceph.com Git - ceph-ci.git/commit

author	Ilya Dryomov <idryomov@gmail.com>
	Fri, 6 Mar 2020 19:16:45 +0000 (20:16 +0100)
committer	Abhishek Lekshmanan <abhishek@suse.com>
	Wed, 6 May 2020 07:54:50 +0000 (09:54 +0200)
commit	bb61e6a5adc328ebdc78ae6c275a2f470778a3a8
tree	6dc68667f0516132ab9ecd1ab7ce977d6fb02dea	tree \| snapshot
parent	7eaa0da8649019bd1f9696d7425849477048d766	commit \| diff

msg/async/ProtocolV2: avoid AES-GCM nonce reuse vulnerabilities

The secure mode uses AES-128-GCM with 96-bit nonces consisting of a
32-bit counter followed by a 64-bit salt.  The counter is incremented
after processing each frame, the salt is fixed for the duration of
the session.  Both are initialized from the session key generated
during session negotiation, so the counter starts with essentially
a random value.  It is allowed to wrap, and, after 2**32 frames, it
repeats, resulting in nonce reuse (the actual sequence numbers that
the messenger works with are 64-bit, so the session continues on).

Because of how GCM works, this completely breaks both confidentiality
and integrity aspects of the secure mode.  A single nonce reuse reveals
the XOR of two plaintexts and almost completely reveals the subkey
used for producing authentication tags.  After a few nonces get used
twice, all confidentiality and integrity goes out the window and the
attacker can potentially encrypt-authenticate plaintext of their
choice.

We can't easily change the nonce format to extend the counter to
64 bits (and possibly XOR it with a longer salt).  Instead, just
remember the initial nonce and cut the session before it repeats,
forcing renegotiation.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>

src/msg/async/ProtocolV2.cc		diff \| blob \| history
src/msg/async/ProtocolV2.h		diff \| blob \| history
src/msg/async/crypto_onwire.cc		diff \| blob \| history
src/msg/async/crypto_onwire.h		diff \| blob \| history