| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z6PdEurGNirlnkoM@hog>
Date: Wed, 5 Feb 2025 22:50:10 +0100
From: Sabrina Dubroca <sd@...asysnail.net>
To: Antonio Quartulli <antonio@...nvpn.net>
Cc: netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Donald Hunter <donald.hunter@...il.com>,
Shuah Khan <shuah@...nel.org>, ryazanov.s.a@...il.com,
Andrew Lunn <andrew+netdev@...n.ch>,
Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, Xiao Liang <shaw.leon@...il.com>
Subject: Re: [PATCH net-next v18 09/25] ovpn: implement packet processing
Hi Antonio,
Another one I should have spotted a long time ago :(
2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:
> +int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> + struct sk_buff *skb)
> +{
> + const unsigned int tag_size = crypto_aead_authsize(ks->encrypt);
> + struct aead_request *req;
> + struct sk_buff *trailer;
> + struct scatterlist *sg;
> + u8 iv[OVPN_NONCE_SIZE];
You'll have to kmalloc this as well, it gets passed to the crypto API
and with async crypto, it'll be used after ovpn_aead_encrypt has
returned.
[...]
> + /* setup async crypto operation */
> + aead_request_set_tfm(req, ks->encrypt);
> + aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
> + aead_request_set_crypt(req, sg, sg,
> + skb->len - ovpn_aead_encap_overhead(ks), iv);
^^
passed here
> + aead_request_set_ad(req, OVPN_AAD_SIZE);
> +
> + /* encrypt it */
> + return crypto_aead_encrypt(req);
> +free_sg:
> + kfree(ovpn_skb_cb(skb)->sg);
> + ovpn_skb_cb(skb)->sg = NULL;
> + return ret;
> +}
> +
> +int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
> + struct sk_buff *skb)
> +{
> + const unsigned int tag_size = crypto_aead_authsize(ks->decrypt);
> + int ret, payload_len, nfrags;
> + unsigned int payload_offset;
> + struct aead_request *req;
> + struct sk_buff *trailer;
> + struct scatterlist *sg;
> + u8 iv[OVPN_NONCE_SIZE];
And same here.
(maybe something for the todolist: ovpn could copy the alloc trick
from esp_alloc_tmp, like I did for macsec_alloc_req -- not required,
but could be nice to avoid many small allocs and all their failure
checks)
--
Sabrina
Powered by blists - more mailing lists