[PATCH net-next v3 21/24] ovpn: kill key and notify userspace in case of IV exhaustion
From: Antonio Quartulli <antonio@openvpn.net>
Date: 2024-05-06 01:16:01
Subsystem:
networking drivers, openvpn data channel offload, the rest · Maintainers:
Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Antonio Quartulli, Linus Torvalds
IV wrap-around is cryptographically dangerous for a number of ciphers, therefore kill the key and inform userspace (via netlink) should the IV space go exhausted. Signed-off-by: Antonio Quartulli <antonio@openvpn.net> --- drivers/net/ovpn/io.c | 16 +++++++++++++++ drivers/net/ovpn/netlink.c | 42 ++++++++++++++++++++++++++++++++++++++ drivers/net/ovpn/netlink.h | 8 ++++++++ 3 files changed, 66 insertions(+)
diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 19ebc0fbe2be..8806479ccae5 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c@@ -336,6 +336,22 @@ static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb) /* encrypt */ ret = ovpn_aead_encrypt(ks, skb, peer->id); if (unlikely(ret < 0)) { + /* if we ran out of IVs we must kill the key as it can't be used + * anymore + */ + if (ret == -ERANGE) { + netdev_warn(peer->ovpn->dev, + "killing primary key as we ran out of IVs for peer %u\n", + peer->id); + ovpn_crypto_kill_primary(&peer->crypto); + ret = ovpn_nl_notify_swap_keys(peer); + if (ret < 0) + netdev_warn(peer->ovpn->dev, + "couldn't send key killing notification to userspace for peer %u\n", + peer->id); + goto err; + } + net_err_ratelimited("%s: error during encryption for peer %u, key-id %u: %d\n", peer->ovpn->dev->name, peer->id, ks->key_id, ret);
diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c
index df14988c1f43..dc80004eadbb 100644
--- a/drivers/net/ovpn/netlink.c
+++ b/drivers/net/ovpn/netlink.c@@ -862,6 +862,48 @@ int ovpn_nl_del_key_doit(struct sk_buff *skb, struct genl_info *info) return 0; } +int ovpn_nl_notify_swap_keys(struct ovpn_peer *peer) +{ + struct sk_buff *msg; + void *hdr; + int ret; + + netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n", + peer->id); + + msg = nlmsg_new(100, GFP_KERNEL); + if (!msg) + return -ENOMEM; + + hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, + OVPN_CMD_SWAP_KEYS); + if (!hdr) { + ret = -ENOBUFS; + goto err_free_msg; + } + + if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) { + ret = -EMSGSIZE; + goto err_free_msg; + } + + if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) { + ret = -EMSGSIZE; + goto err_free_msg; + } + + genlmsg_end(msg, hdr); + + genlmsg_multicast_netns(&ovpn_nl_family, dev_net(peer->ovpn->dev), + msg, 0, OVPN_NLGRP_PEERS, GFP_KERNEL); + + return 0; + +err_free_msg: + nlmsg_free(msg); + return ret; +} + /** * ovpn_nl_init - perform any ovpn specific netlink initialization * @ovpn: the openvpn instance object
diff --git a/drivers/net/ovpn/netlink.h b/drivers/net/ovpn/netlink.h
index d79f3ca604b0..ccc49130a150 100644
--- a/drivers/net/ovpn/netlink.h
+++ b/drivers/net/ovpn/netlink.h@@ -27,4 +27,12 @@ int ovpn_nl_register(void); */ void ovpn_nl_unregister(void); +/** + * ovpn_nl_notify_swap_keys - notify userspace peer's key must be renewed + * @peer: the peer whose key needs to be renewed + * + * Return: 0 on success or a negative error code otherwise + */ +int ovpn_nl_notify_swap_keys(struct ovpn_peer *peer); + #endif /* _NET_OVPN_NETLINK_H_ */
--
2.43.2