Re: [PATCH net-next v18 09/25] ovpn: implement packet processing

Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> · Wed, 5 Feb 2025 22:50:10 +0100

Hi Antonio,

Another one I should have spotted a long time ago :(

2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:
> +int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> +		      struct sk_buff *skb)
> +{
> +	const unsigned int tag_size = crypto_aead_authsize(ks->encrypt);
> +	struct aead_request *req;
> +	struct sk_buff *trailer;
> +	struct scatterlist *sg;
> +	u8 iv[OVPN_NONCE_SIZE];

You'll have to kmalloc this as well, it gets passed to the crypto API
and with async crypto, it'll be used after ovpn_aead_encrypt has
returned.

[...]
> +	/* setup async crypto operation */
> +	aead_request_set_tfm(req, ks->encrypt);
> +	aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
> +	aead_request_set_crypt(req, sg, sg,
> +			       skb->len - ovpn_aead_encap_overhead(ks), iv);
                                                                        ^^
passed here

> +	aead_request_set_ad(req, OVPN_AAD_SIZE);
> +
> +	/* encrypt it */
> +	return crypto_aead_encrypt(req);
> +free_sg:
> +	kfree(ovpn_skb_cb(skb)->sg);
> +	ovpn_skb_cb(skb)->sg = NULL;
> +	return ret;
> +}
> +
> +int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> +		      struct sk_buff *skb)
> +{
> +	const unsigned int tag_size = crypto_aead_authsize(ks->decrypt);
> +	int ret, payload_len, nfrags;
> +	unsigned int payload_offset;
> +	struct aead_request *req;
> +	struct sk_buff *trailer;
> +	struct scatterlist *sg;
> +	u8 iv[OVPN_NONCE_SIZE];

And same here.

(maybe something for the todolist: ovpn could copy the alloc trick
from esp_alloc_tmp, like I did for macsec_alloc_req -- not required,
but could be nice to avoid many small allocs and all their failure
checks)

-- 
Sabrina