Differential D39570

if_ovpn: notify userspace when we've used half of the sequence numbers
ClosedPublic
Actions

Authored by kp on Apr 14 2023, 9:41 AM.

Details

Reviewers

None

Group Reviewers

pfsense

Commits

rGf7ee28e75582: if_ovpn: notify userspace when we've used half of the sequence numbers

Summary

OpenVPN uses the sequence number (as well as a userspace supplied nonce)
to build the IV. This means we should avoid re-using sequence numbers.
However, userspace doesn't know how many packets we've sent (and thus
what sequence number we're up to).

Notify userspace when we've used half of the available sequence numbers
to tell it that it's time for a key renegotiaton.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Apr 14 2023, 9:41 AM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptApr 14 2023, 9:41 AM

kp requested review of this revision.Apr 14 2023, 9:41 AM

Harbormaster completed remote builds in B50907: Diff 120299.Apr 14 2023, 9:41 AM

This is a first draft for discussion with the OpenVPN project.

This revision was not accepted when it landed; it landed in state Needs Review.May 8 2023, 4:14 PM

Closed by commit rGf7ee28e75582: if_ovpn: notify userspace when we've used half of the sequence numbers (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rGf7ee28e75582: if_ovpn: notify userspace when we've used half of the sequence numbers.

Revision Contents
Changeset List

Path

Size

sys/

net/

if_ovpn.h

1 line

if_ovpn.c

33 lines

Diff 121688

View Options

sys/net/if_ovpn.h