Re: [PATCH net-next v18 09/25] ovpn: implement packet processing
From: Sabrina Dubroca
Date: Wed Feb 05 2025 - 16:50:30 EST
Hi Antonio,
Another one I should have spotted a long time ago :(
2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:
> +int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> + struct sk_buff *skb)
> +{
> + const unsigned int tag_size = crypto_aead_authsize(ks->encrypt);
> + struct aead_request *req;
> + struct sk_buff *trailer;
> + struct scatterlist *sg;
> + u8 iv[OVPN_NONCE_SIZE];
You'll have to kmalloc this as well, it gets passed to the crypto API
and with async crypto, it'll be used after ovpn_aead_encrypt has
returned.
[...]
> + /* setup async crypto operation */
> + aead_request_set_tfm(req, ks->encrypt);
> + aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
> + aead_request_set_crypt(req, sg, sg,
> + skb->len - ovpn_aead_encap_overhead(ks), iv);
^^
passed here
> + aead_request_set_ad(req, OVPN_AAD_SIZE);
> +
> + /* encrypt it */
> + return crypto_aead_encrypt(req);
> +free_sg:
> + kfree(ovpn_skb_cb(skb)->sg);
> + ovpn_skb_cb(skb)->sg = NULL;
> + return ret;
> +}
> +
> +int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> + struct sk_buff *skb)
> +{
> + const unsigned int tag_size = crypto_aead_authsize(ks->decrypt);
> + int ret, payload_len, nfrags;
> + unsigned int payload_offset;
> + struct aead_request *req;
> + struct sk_buff *trailer;
> + struct scatterlist *sg;
> + u8 iv[OVPN_NONCE_SIZE];
And same here.
(maybe something for the todolist: ovpn could copy the alloc trick
from esp_alloc_tmp, like I did for macsec_alloc_req -- not required,
but could be nice to avoid many small allocs and all their failure
checks)
--
Sabrina