Re: [PATCH net-next v18 09/25] ovpn: implement packet processing

Hi Antonio,

Another one I should have spotted a long time ago :(

2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:

+int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,

•       struct sk_buff *skb)
  

+{

• const unsigned int tag_size = crypto_aead_authsize(ks->encrypt);
• struct aead_request *req;
• struct sk_buff *trailer;
• struct scatterlist *sg;
• u8 iv[OVPN_NONCE_SIZE];

You'll have to kmalloc this as well, it gets passed to the crypto API and with async crypto, it'll be used after ovpn_aead_encrypt has returned.

[...]

• /* setup async crypto operation */
• aead_request_set_tfm(req, ks->encrypt);
• aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
• aead_request_set_crypt(req, sg, sg,

• 	       skb->len - ovpn_aead_encap_overhead(ks), iv);
  

^^ passed here

• aead_request_set_ad(req, OVPN_AAD_SIZE);
• /* encrypt it */
• return crypto_aead_encrypt(req);

+free_sg:

• kfree(ovpn_skb_cb(skb)->sg);
• ovpn_skb_cb(skb)->sg = NULL;
• return ret;

+}

+int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,

•       struct sk_buff *skb)
  

+{

• const unsigned int tag_size = crypto_aead_authsize(ks->decrypt);
• int ret, payload_len, nfrags;
• unsigned int payload_offset;
• struct aead_request *req;
• struct sk_buff *trailer;
• struct scatterlist *sg;
• u8 iv[OVPN_NONCE_SIZE];

And same here.

(maybe something for the todolist: ovpn could copy the alloc trick from esp_alloc_tmp, like I did for macsec_alloc_req -- not required, but could be nice to avoid many small allocs and all their failure checks)