On 05/02/2025 22:50, Sabrina Dubroca wrote:
Hi Antonio,
Another one I should have spotted a long time ago :(
better late than never (I think..)
2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:
+int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
+ struct sk_buff *skb)
+{
+ const unsigned int tag_size = crypto_aead_authsize(ks->encrypt);
+ struct aead_request *req;
+ struct sk_buff *trailer;
+ struct scatterlist *sg;
+ u8 iv[OVPN_NONCE_SIZE];
You'll have to kmalloc this as well, it gets passed to the crypto API
and with async crypto, it'll be used after ovpn_aead_encrypt has
returned.
[...]
+ /* setup async crypto operation */
+ aead_request_set_tfm(req, ks->encrypt);
+ aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
+ aead_request_set_crypt(req, sg, sg,
+ skb->len - ovpn_aead_encap_overhead(ks), iv);
^^
passed here
+ aead_request_set_ad(req, OVPN_AAD_SIZE);
+
+ /* encrypt it */
+ return crypto_aead_encrypt(req);
+free_sg:
+ kfree(ovpn_skb_cb(skb)->sg);
+ ovpn_skb_cb(skb)->sg = NULL;
+ return ret;
+}
+
+int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
+ struct sk_buff *skb)
+{
+ const unsigned int tag_size = crypto_aead_authsize(ks->decrypt);
+ int ret, payload_len, nfrags;
+ unsigned int payload_offset;
+ struct aead_request *req;
+ struct sk_buff *trailer;
+ struct scatterlist *sg;
+ u8 iv[OVPN_NONCE_SIZE];
And same here.
(maybe something for the todolist: ovpn could copy the alloc trick
from esp_alloc_tmp, like I did for macsec_alloc_req -- not required,
but could be nice to avoid many small allocs and all their failure
checks)
Ouch, you're right. I will pre-allocate iv as well, like I do for sg.
And thanks for the hints, I'll add that to my todo.
Cheers,
--
Antonio Quartulli
OpenVPN Inc.
