lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240917010734.1905-1-antonio@openvpn.net>
Date: Tue, 17 Sep 2024 03:07:09 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: netdev@...r.kernel.org
Cc: kuba@...nel.org,
	pabeni@...hat.com,
	ryazanov.s.a@...il.com,
	edumazet@...gle.com,
	andrew@...n.ch,
	sd@...asysnail.net,
	Antonio Quartulli <antonio@...nvpn.net>
Subject: [PATCH net-next v7 00/25] Introducing OpenVPN Data Channel Offload

Hi all,

This is the 7th version of the ovpn patchset.

Thanks a lot to all those who have dedicated any amount of time to
review, report errors and send suggestions. Code quality (and even
performance!) has increased enormously compared to v1.

Notable changes from v6 are:
* converted NETIF_F_LLTX to dev->lltx
* added STREAM_PARSER to Kconfig
* regenerated netlink policies
* dropped skbs consistently in xmit() and ovpn_send() (drop only
  single skb instead of list)
* stored skb->len before calling ovpn_udp_output()
* stored pkt->len before calling gro_cells_receive()
* added drop_noovpn label in udp_encap_recv()
* removed sk_user_data bogus initialization
* removed call to rcu_barrier() from ovpn_struct_free()
* reworked encrypt/decrypt_post() to properly release CB and clear
  ctx member
* got rid of wrong kfree(sg)
* moved gro_cells_init() right before if (err) in ndo_init()
* added missing gro_cells_destroy() in error path in ndo_init()
* used call_rcu() to release peer and avoid deadlock
* moved hlist_add() after family check and rcu protected access
  in peer_add_mp()
* went back to single lock only for peer hashtables
* skipped keepalive interval computation when tmp_next_run is 0
* switched crypto_state->mutex to spinlock
* converted slots to array[2]
* skipped rehashing upon float in P2P mode
* avoided double free of skb in case of skb_share_check() failure
  (reported by smatch)
* turned ovpn_struct_init() into void as it always returns 0
  (reported by cppcheck)
* turned ovpn_tcp_to_userspace() into void as it always returns 0
  (reported by cppcheck)
* fixed typ0s reported by checkpatch --codespell

Moreover, I have smatch reporting the following:
drivers/net/ovpn/pktid.c:81 ovpn_pktid_recv() warn: potential spectre issue 'pr->history' [w]
drivers/net/ovpn/pktid.c:110 ovpn_pktid_recv() warn: possible spectre second half.  '*p'

I don't think it's code that we should worry about, but I thought it
would make sense to hear your opinion.


Please note that patches previously reviewed by Andrew Lunn have
retained the Reviewed-by tag as they have been simply rebased without
any modification.

The latest code can also be found at:

https://github.com/OpenVPN/linux-kernel-ovpn

Thanks a lot!
Best Regards,

Antonio Quartulli
OpenVPN Inc.

======================

Antonio Quartulli (25):
  netlink: add NLA_POLICY_MAX_LEN macro
  rtnetlink: don't crash on unregister if no dellink exists
  net: introduce OpenVPN Data Channel Offload (ovpn)
  ovpn: add basic netlink support
  ovpn: add basic interface creation/destruction/management routines
  ovpn: implement interface creation/destruction via netlink
  ovpn: keep carrier always on
  ovpn: introduce the ovpn_peer object
  ovpn: introduce the ovpn_socket object
  ovpn: implement basic TX path (UDP)
  ovpn: implement basic RX path (UDP)
  ovpn: implement packet processing
  ovpn: store tunnel and transport statistics
  ovpn: implement TCP transport
  ovpn: implement multi-peer support
  ovpn: implement peer lookup logic
  ovpn: implement keepalive mechanism
  ovpn: add support for updating local UDP endpoint
  ovpn: add support for peer floating
  ovpn: implement peer add/dump/delete via netlink
  ovpn: implement key add/del/swap via netlink
  ovpn: kill key and notify userspace in case of IV exhaustion
  ovpn: notify userspace when a peer is deleted
  ovpn: add basic ethtool support
  testing/selftest: add test tool and scripts for ovpn module

 Documentation/netlink/specs/ovpn.yaml         |  328 +++
 MAINTAINERS                                   |    8 +
 drivers/net/Kconfig                           |   15 +
 drivers/net/Makefile                          |    1 +
 drivers/net/ovpn/Makefile                     |   22 +
 drivers/net/ovpn/bind.c                       |   54 +
 drivers/net/ovpn/bind.h                       |  117 ++
 drivers/net/ovpn/crypto.c                     |  172 ++
 drivers/net/ovpn/crypto.h                     |  138 ++
 drivers/net/ovpn/crypto_aead.c                |  356 ++++
 drivers/net/ovpn/crypto_aead.h                |   31 +
 drivers/net/ovpn/io.c                         |  459 +++++
 drivers/net/ovpn/io.h                         |   25 +
 drivers/net/ovpn/main.c                       |  364 ++++
 drivers/net/ovpn/main.h                       |   29 +
 drivers/net/ovpn/netlink-gen.c                |  206 ++
 drivers/net/ovpn/netlink-gen.h                |   41 +
 drivers/net/ovpn/netlink.c                    | 1052 ++++++++++
 drivers/net/ovpn/netlink.h                    |   18 +
 drivers/net/ovpn/ovpnstruct.h                 |   59 +
 drivers/net/ovpn/packet.h                     |   40 +
 drivers/net/ovpn/peer.c                       | 1192 +++++++++++
 drivers/net/ovpn/peer.h                       |  171 ++
 drivers/net/ovpn/pktid.c                      |  130 ++
 drivers/net/ovpn/pktid.h                      |   87 +
 drivers/net/ovpn/proto.h                      |  104 +
 drivers/net/ovpn/skb.h                        |   61 +
 drivers/net/ovpn/socket.c                     |  165 ++
 drivers/net/ovpn/socket.h                     |   53 +
 drivers/net/ovpn/stats.c                      |   21 +
 drivers/net/ovpn/stats.h                      |   47 +
 drivers/net/ovpn/tcp.c                        |  506 +++++
 drivers/net/ovpn/tcp.h                        |   43 +
 drivers/net/ovpn/udp.c                        |  406 ++++
 drivers/net/ovpn/udp.h                        |   26 +
 include/net/netlink.h                         |    1 +
 include/uapi/linux/ovpn.h                     |  108 +
 include/uapi/linux/udp.h                      |    1 +
 net/core/rtnetlink.c                          |    8 +-
 tools/net/ynl/ynl-gen-c.py                    |    2 +
 tools/testing/selftests/Makefile              |    1 +
 tools/testing/selftests/net/ovpn/.gitignore   |    2 +
 tools/testing/selftests/net/ovpn/Makefile     |   17 +
 tools/testing/selftests/net/ovpn/config       |    8 +
 .../selftests/net/ovpn/data-test-tcp.sh       |    9 +
 tools/testing/selftests/net/ovpn/data-test.sh |  150 ++
 tools/testing/selftests/net/ovpn/data64.key   |    5 +
 .../testing/selftests/net/ovpn/float-test.sh  |  115 ++
 tools/testing/selftests/net/ovpn/ovpn-cli.c   | 1820 +++++++++++++++++
 .../testing/selftests/net/ovpn/tcp_peers.txt  |    5 +
 .../testing/selftests/net/ovpn/udp_peers.txt  |    5 +
 51 files changed, 8802 insertions(+), 2 deletions(-)
 create mode 100644 Documentation/netlink/specs/ovpn.yaml
 create mode 100644 drivers/net/ovpn/Makefile
 create mode 100644 drivers/net/ovpn/bind.c
 create mode 100644 drivers/net/ovpn/bind.h
 create mode 100644 drivers/net/ovpn/crypto.c
 create mode 100644 drivers/net/ovpn/crypto.h
 create mode 100644 drivers/net/ovpn/crypto_aead.c
 create mode 100644 drivers/net/ovpn/crypto_aead.h
 create mode 100644 drivers/net/ovpn/io.c
 create mode 100644 drivers/net/ovpn/io.h
 create mode 100644 drivers/net/ovpn/main.c
 create mode 100644 drivers/net/ovpn/main.h
 create mode 100644 drivers/net/ovpn/netlink-gen.c
 create mode 100644 drivers/net/ovpn/netlink-gen.h
 create mode 100644 drivers/net/ovpn/netlink.c
 create mode 100644 drivers/net/ovpn/netlink.h
 create mode 100644 drivers/net/ovpn/ovpnstruct.h
 create mode 100644 drivers/net/ovpn/packet.h
 create mode 100644 drivers/net/ovpn/peer.c
 create mode 100644 drivers/net/ovpn/peer.h
 create mode 100644 drivers/net/ovpn/pktid.c
 create mode 100644 drivers/net/ovpn/pktid.h
 create mode 100644 drivers/net/ovpn/proto.h
 create mode 100644 drivers/net/ovpn/skb.h
 create mode 100644 drivers/net/ovpn/socket.c
 create mode 100644 drivers/net/ovpn/socket.h
 create mode 100644 drivers/net/ovpn/stats.c
 create mode 100644 drivers/net/ovpn/stats.h
 create mode 100644 drivers/net/ovpn/tcp.c
 create mode 100644 drivers/net/ovpn/tcp.h
 create mode 100644 drivers/net/ovpn/udp.c
 create mode 100644 drivers/net/ovpn/udp.h
 create mode 100644 include/uapi/linux/ovpn.h
 create mode 100644 tools/testing/selftests/net/ovpn/.gitignore
 create mode 100644 tools/testing/selftests/net/ovpn/Makefile
 create mode 100644 tools/testing/selftests/net/ovpn/config
 create mode 100755 tools/testing/selftests/net/ovpn/data-test-tcp.sh
 create mode 100755 tools/testing/selftests/net/ovpn/data-test.sh
 create mode 100644 tools/testing/selftests/net/ovpn/data64.key
 create mode 100755 tools/testing/selftests/net/ovpn/float-test.sh
 create mode 100644 tools/testing/selftests/net/ovpn/ovpn-cli.c
 create mode 100644 tools/testing/selftests/net/ovpn/tcp_peers.txt
 create mode 100644 tools/testing/selftests/net/ovpn/udp_peers.txt

-- 
2.44.2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ