Re: [PATCH net-next v18 09/25] ovpn: implement packet processing

Antonio Quartulli <antonio@xxxxxxxxxxx> · Fri, 17 Jan 2025 13:28:33 +0100




On 17/01/2025 13:16, Sabrina Dubroca wrote:
2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:
  static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb)
  {
-	ovpn_skb_cb(skb)->peer = peer;
+	struct ovpn_crypto_key_slot *ks;
+
+	if (unlikely(skb->ip_summed == CHECKSUM_PARTIAL &&
+		     skb_checksum_help(skb))) {
+		net_warn_ratelimited("%s: cannot compute checksum for outgoing packet for peer %u\n",
+				     netdev_name(peer->ovpn->dev), peer->id);
+		return false;
+	}
+
+	/* get primary key to be used for encrypting data */
+	ks = ovpn_crypto_key_slot_primary(&peer->crypto);
+	if (unlikely(!ks))
+		return false;
  
  	/* take a reference to the peer because the crypto code may run async.
  	 * ovpn_encrypt_post() will release it upon completion
@@ -118,7 +244,8 @@ static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb)

Adding in the few lines that got snipped:

	/* take a reference to the peer because the crypto code may run async.
	 * ovpn_encrypt_post() will release it upon completion
	 */
	if (unlikely(!ovpn_peer_hold(peer))) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return false;
	}

This should never happen, but just in case, we'd want
ovpn_crypto_key_slot_put() here.

ACK


  		return false;
  	}


--
Antonio Quartulli
OpenVPN Inc.








