git.monstr.eu Git - linux-2.6-microblaze.git/commit

author	Antonio Quartulli <antonio@openvpn.net>
	Tue, 15 Apr 2025 11:17:37 +0000 (13:17 +0200)
committer	Paolo Abeni <pabeni@redhat.com>
	Thu, 17 Apr 2025 10:30:03 +0000 (12:30 +0200)
commit	89d3c0e4612afa1c6429ed68d298e35592fbe208
tree	2ac3e9e54daac4358e1c2fa97724cf522149ef8e	tree
parent	203e2bf55990c96a7efa928b4407368a548dde97	commit \| diff

ovpn: kill key and notify userspace in case of IV exhaustion

IV wrap-around is cryptographically dangerous for a number of ciphers,
therefore kill the key and inform userspace (via netlink) should the
IV space go exhausted.

Userspace has two ways of deciding when the key has to be renewed before
exhausting the IV space:
1) time based approach:
   after X seconds/minutes userspace generates a new key and sends it
   to the kernel. This is based on guestimate and normally default
   timer value works well.

2) packet count based approach:
   after X packets/bytes userspace generates a new key and sends it to
   the kernel. Userspace keeps track of the amount of traffic by
   periodically polling GET_PEER and fetching the VPN/LINK stats.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Link: https://patch.msgid.link/20250415-b4-ovpn-v26-20-577f6097b964@openvpn.net
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

drivers/net/ovpn/crypto.c		diff \| blob \| history
drivers/net/ovpn/crypto.h		diff \| blob \| history
drivers/net/ovpn/io.c		diff \| blob \| history
drivers/net/ovpn/netlink.c		diff \| blob \| history
drivers/net/ovpn/netlink.h		diff \| blob \| history