lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <76edb6d9-5b17-499e-ad0f-c0eee3cd547c@openvpn.net>
Date: Mon, 7 Oct 2024 12:57:54 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: Donald Hunter <donald.hunter@...il.com>
Cc: Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Shuah Khan <shuah@...nel.org>,
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 linux-kselftest@...r.kernel.org, sd@...asysnail.net, ryazanov.s.a@...il.com
Subject: Re: [PATCH net-next v8 03/24] ovpn: add basic netlink support

On 04/10/2024 18:13, Donald Hunter wrote:
> On Wed, 2 Oct 2024 at 10:03, Antonio Quartulli <antonio@...nvpn.net> wrote:
>>
>> +definitions:
>> +  -
>> +    type: const
>> +    name: nonce-tail-size
>> +    value: 8
>> +  -
>> +    type: enum
>> +    name: cipher-alg
>> +    value-start: 0
> 
> value-start defaults to 0 for enum so this is unnecessary. Same for
> the following enum definitions.

ACK

> 
>> +    entries: [ none, aes-gcm, chacha20-poly1305 ]
>> +  -
>> +    type: enum
>> +    name: del-peer-reason
>> +    value-start: 0
>> +    entries: [ teardown, userspace, expired, transport-error, transport-disconnect ]
>> +  -
>> +    type: enum
>> +    name: key-slot
>> +    value-start: 0
>> +    entries: [ primary, secondary ]
>> +  -
>> +    type: enum
>> +    name: mode
>> +    value-start: 0
>> +    entries: [ p2p, mp ]
>> +
> 
> [...]
> 
>> +operations:
>> +  list:
>> +    -
>> +      name: dev-new
>> +      attribute-set: ovpn
>> +      flags: [ admin-perm ]
>> +      doc: Create a new interface of type ovpn
>> +      do:
>> +        request:
>> +          attributes:
>> +            - ifname
>> +            - mode
>> +        reply:
>> +          attributes:
>> +            - ifname
>> +            - ifindex
>> +    -
>> +      name: dev-del
>> +      attribute-set: ovpn
>> +      flags: [ admin-perm ]
>> +      doc: Delete existing interface of type ovpn
>> +      do:
>> +        pre: ovpn-nl-pre-doit
>> +        post: ovpn-nl-post-doit
>> +        request:
>> +          attributes:
>> +            - ifindex
> 
> There's no dev-get do/dump op. I think there should be one for
> diagnostics and metrics.

I am not sure how much information it can provide (as of now we only 
have the 'mode' that is being set upon creation).

In any case, I am not against implementing the op now and extend it 
later as we see fit.

> 
>> +    -
>> +      name: key-new
>> +      attribute-set: ovpn
>> +      flags: [ admin-perm ]
>> +      doc: Add a cipher key for a specific peer
>> +      do:
>> +        pre: ovpn-nl-pre-doit
>> +        post: ovpn-nl-post-doit
>> +        request:
>> +          attributes:
>> +            - ifindex
>> +            - keyconf
>> +    -
>> +      name: key-swap
>> +      attribute-set: ovpn
>> +      flags: [ admin-perm ]
>> +      doc: Swap primary and secondary session keys for a specific peer
>> +      do:
>> +        pre: ovpn-nl-pre-doit
>> +        post: ovpn-nl-post-doit
>> +        request:
>> +          attributes:
>> +            - ifindex
>> +            - keyconf
>> +    -
>> +      name: key-swap-ntf
>> +      notify: key-new
> 
> This doesn't work because key-new doesn't have a reply. You should
> define it with an event: block instead. You can see the build errors
> here:
> 
> make -C tools/net/ynl

Oh, I wasn't aware of this subfolder.
Thanks for pointing it out!

I am thinking that it may make sense to implement a key-get op to 
extract non-sensible data about the keys (i.e. what cipher was 
configured). This may be useful for debugging as well.

At that point the key-swap-ntf can re-use the key-get as notify.


Cheers,

> 
> CC ovpn-user.o
> In file included from ovpn-user.c:8:
> ovpn-user.h:1194:33: error: field ‘obj’ has incomplete type
>   1194 |         struct ovpn_key_new_rsp obj __attribute__((aligned(8)));
>        |                                 ^~~
> ovpn-user.c:835:35: error: ‘ovpn_key_new_rsp_parse’ undeclared here
> (not in a function); did you mean ‘ovpn_dev_new_rsp_parse’?
>    835 |                 .cb             = ovpn_key_new_rsp_parse,
>        |                                   ^~~~~~~~~~~~~~~~~~~~~~
>        |                                   ovpn_dev_new_rsp_parse
> make[1]: *** [Makefile:41: ovpn-user.o] Error 1
> 
>> +      doc: |
>> +        Notification about key having exhausted its IV space and requiring
>> +        renegotiation
>> +      mcgrp: peers
>> +    -
>> +      name: key-del
>> +      attribute-set: ovpn
>> +      flags: [ admin-perm ]
>> +      doc: Delete cipher key for a specific peer
>> +      do:
>> +        pre: ovpn-nl-pre-doit
>> +        post: ovpn-nl-post-doit
>> +        request:
>> +          attributes:
>> +            - ifindex
>> +            - keyconf
>> +
>> +mcast-groups:
>> +  list:
>> +    -
>> +      name: peers

-- 
Antonio Quartulli
OpenVPN Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ