neutron

Missing Diffie-Hellman-Groups

Bug #1938284 reported by Maxim Korezkij
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned
neutron
Fix Released
Wishlist
Unassigned

Bug Description

The values for the pfs (perfect forward secrecy) when creating an ike or ipsec policy are limited to the Diffie-Hellman-Groups 2,5 and 14.

Strongswan as the default provider supports more than these 3 groups, e.g. group20(ecp384).

Tags: vpnaas
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714

Changed in neutron:
status: New → In Progress
Jakub Libosvar (libosvar)
Changed in neutron:
importance: Undecided → Medium
tags: added: vpnaas
Jakub Libosvar (libosvar)
Changed in neutron:
importance: Medium → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by "Maxim Korezkij <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714
Reason: Abandon because no time. Feel free to reopen.

Revision history for this message
Enrico Kern (flyersa) wrote :

Can we finally implement this patch? Those groups are outdated since years. Clients request to support higher DH groups. Patch is also there, why not implement it?

Enrico Kern (flyersa)
information type: Public → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Note that you've changed the information type of this bug to Public Security, indicating it represents a possible security vulnerability. Since the OpenStack Vulnerability Management Team (VMT) does not officially oversee[*] the neutron-vpnaas deliverable, I'm adding a security advisory task with a Won't Fix status to indicate we're not tracking this for any future advisory publication.

[*] https://security.openstack.org/repos-overseen.html

Changed in ossa:
status: New → Won't Fix
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/898828

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/898830

Revision history for this message
Bodo Petermann (bpetermann) wrote :

The patches above add not only the DH groups 15 to 31 but also more choices for encryption algorithm (to support AES CCM and AES GCM modes) and auth algorithms (to support aes-xcbc and aes-cmac).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/898828
Committed: https://opendev.org/openstack/neutron-lib/commit/b7598dab47d3648bf1bb28eae8c8ed8006097f5a
Submitter: "Zuul (22348)"
Branch: master

commit b7598dab47d3648bf1bb28eae8c8ed8006097f5a
Author: Bodo Petermann <email address hidden>
Date: Wed Oct 18 13:50:58 2023 +0200

    vpnaas: add support for more ciphers (auth, encryption, pfs modes)

    Encryption algorithms: add AES CCM mode and AES GCM mode variants
    for 128/192/256 bit keys and 8/12/16 octet ICVs.
    Auth algorithms: add aes-xcbc and aes-cmac.
    PFS: add Diffie Hellman groups 15 to 31.

    Related-Bug: #1938284
    Change-Id: Iba86fe9a1bbf88223b57a45fb89349c6b1858015

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903551

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903552

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903971

Revision history for this message
Bodo Petermann (bpetermann) wrote :

The neutron-lib part for the API definition for most added choices has been merged already. But the neutron-vpnaas change that implements them has not. I also noticed that the neutron-lib part missed the definition for AES CTR mode, so there's a new commit to add that too.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (stable/2023.2)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903552
Reason: As commented in https://review.opendev.org/c/openstack/neutron-lib/+/903552/comment/a4b99a01_466b834a/, an API change cannot be backported

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (stable/2023.1)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903551
Reason: As commented in https://review.opendev.org/c/openstack/neutron-lib/+/903551/comments/5c42cb15_a3ec30b5, an API change cannot be backported.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/903971
Committed: https://opendev.org/openstack/neutron-lib/commit/ef72d4cd6e2e74a0452dcea916613357c3627a22
Submitter: "Zuul (22348)"
Branch: master

commit ef72d4cd6e2e74a0452dcea916613357c3627a22
Author: Bodo Petermann <email address hidden>
Date: Tue Dec 19 13:06:02 2023 +0100

    vpnaas: add support for AES CTR

    Additional choices for encryption algorithms in vpnaas policies
    for AES Counter Mode (AES-CTR).

    Related-Bug: #1938284
    Change-Id: Icda2da71135065a1192954f33943b9ee225c5cf4

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-vpnaas/+/898830
Committed: https://opendev.org/openstack/neutron-vpnaas/commit/f6033dd2ef544e1fc8b9dcd138e51a94211e61d4
Submitter: "Zuul (22348)"
Branch: master

commit f6033dd2ef544e1fc8b9dcd138e51a94211e61d4
Author: Bodo Petermann <email address hidden>
Date: Wed Oct 18 13:58:44 2023 +0200

    Add support for additional auth, encryption, PFS choices

    Encryption algorithms: add AES CCM mode and AES GCM mode variants
    for 128/192/256 bit keys and 8/12/16 octet ICVs.
    In the API that will be 9 new choices for AES CCM and 9 for AES GCM,
    e.g. aes-256-ccm-16 (aes-{keysize}-ccm-{icv-size}).
    Add encrpytion algorithms for AES CTR mode: aes-128-ctr, aes-192-ctr,
    aes-256-ctr.
    Auth algorithms: add aes-xcbc and aes-cmac.
    PFS: add Diffie Hellman groups 15 to 31.

    Closes-Bug: #1938284
    Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/903971
    Change-Id: I07f49d8e91f0f16ee4c97e636ab3b62a5692d70c

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-vpnaas 26.0.0.0rc1

This issue was fixed in the openstack/neutron-vpnaas 26.0.0.0rc1 Epoxy release candidate.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.