git: f7ee28e75582 - main - if_ovpn: notify userspace when we've used half of the sequence numbers
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 08 May 2023 16:13:54 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=f7ee28e755820375d5f441e19c1f1376a200e834 commit f7ee28e755820375d5f441e19c1f1376a200e834 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-05-08 14:41:48 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-05-08 14:43:25 +0000 if_ovpn: notify userspace when we've used half of the sequence numbers OpenVPN uses the sequence number (as well as a userspace supplied nonce) to build the IV. This means we should avoid re-using sequence numbers. However, userspace doesn't know how many packets we've sent (and thus what sequence number we're up to). Notify userspace when we've used half of the available sequence numbers to tell it that it's time for a key renegotiaton. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D39570 --- sys/net/if_ovpn.c | 33 ++++++++++++++++++++++++++++++--- sys/net/if_ovpn.h | 1 + 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index bf07d23f0235..22723bfc34bb 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -93,6 +93,8 @@ struct ovpn_kkey_dir { * strictly higher than this. */ uint32_t rx_seq; + uint32_t tx_seq; + /* Seen packets, relative to rx_seq. bit(0) will always be 0. */ uint64_t rx_window; }; @@ -147,7 +149,6 @@ struct ovpn_kpeer { struct in6_addr vpn6; struct ovpn_kkey keys[2]; - uint32_t tx_seq; enum ovpn_del_reason del_reason; struct ovpn_keepalive keepalive; @@ -215,6 +216,7 @@ static RB_GENERATE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare); #define OVPN_OP_DATA_V2 0x09 #define OVPN_OP_SHIFT 3 +#define OVPN_SEQ_ROTATE 0x80000000 VNET_DEFINE_STATIC(struct if_clone *, ovpn_cloner); #define V_ovpn_cloner VNET(ovpn_cloner) @@ -428,6 +430,28 @@ ovpn_notify_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer) } } +static void +ovpn_notify_key_rotation(struct ovpn_softc *sc, struct ovpn_kpeer *peer) +{ + struct ovpn_notification *n; + + n = malloc(sizeof(*n), M_OVPN, M_NOWAIT | M_ZERO); + if (n == NULL) + return; + + n->peerid = peer->peerid; + n->type = OVPN_NOTIF_ROTATE_KEY; + + if (buf_ring_enqueue(sc->notifring, n) != 0) { + free(n, M_OVPN); + } else if (sc->so != NULL) { + /* Wake up userspace */ + sc->so->so_error = EAGAIN; + sorwakeup(sc->so); + sowwakeup(sc->so); + } +} + static void ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) { @@ -523,7 +547,6 @@ ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl) peer = malloc(sizeof(*peer), M_OVPN, M_WAITOK | M_ZERO); peer->peerid = peerid; peer->sc = sc; - peer->tx_seq = 1; peer->refcount = 1; peer->last_active = uma_zalloc_pcpu(pcpu_zone_4, M_WAITOK | M_ZERO); COUNTER_ARRAY_ALLOC(peer->counters, OVPN_PEER_COUNTER_SIZE, M_WAITOK); @@ -738,6 +761,7 @@ ovpn_create_kkey_dir(struct ovpn_kkey_dir **kdirp, kdir->cipher = cipher; kdir->keylen = keylen; + kdir->tx_seq = 1; memcpy(kdir->key, key, keylen); kdir->noncelen = ivlen; memcpy(kdir->nonce, iv, ivlen); @@ -1849,7 +1873,10 @@ ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m, ohdr->opcode |= key->peerid; ohdr->opcode = htonl(ohdr->opcode); - seq = atomic_fetchadd_32(&peer->tx_seq, 1); + seq = atomic_fetchadd_32(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, 1); + if (seq == OVPN_SEQ_ROTATE) + ovpn_notify_key_rotation(sc, peer); + seq = htonl(seq); ohdr->seq = seq; diff --git a/sys/net/if_ovpn.h b/sys/net/if_ovpn.h index 1c0299940c3e..45fd0696a4ed 100644 --- a/sys/net/if_ovpn.h +++ b/sys/net/if_ovpn.h @@ -36,6 +36,7 @@ enum ovpn_notif_type { OVPN_NOTIF_DEL_PEER, + OVPN_NOTIF_ROTATE_KEY, }; enum ovpn_del_reason {