1 Apr
2025
1 Apr
'25
9:59 a.m.
2025-03-18, 02:40:44 +0100, Antonio Quartulli wrote:
+/* this swap is not atomic, but there will be a very short time frame where the
- old_secondary key won't be available. This should not be a big deal as most
- likely both peers are already using the new primary at this point.
- */
This is not the case anymore.
+void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs) +{
- const struct ovpn_crypto_key_slot *old_primary, *old_secondary;
- u8 idx;
- spin_lock_bh(&cs->lock);
- idx = cs->primary_idx;
- old_primary = rcu_dereference_protected(cs->slots[idx],
lockdep_is_held(&cs->lock));- old_secondary = rcu_dereference_protected(cs->slots[!idx],
lockdep_is_held(&cs->lock));- /* perform real swap by switching the index of the primary key */
- WRITE_ONCE(cs->primary_idx, !cs->primary_idx);
- pr_debug("key swapped: (old primary) %d <-> (new primary) %d\n",
old_primary ? old_primary->key_id : -1,old_secondary ? old_secondary->key_id : -1);- spin_unlock_bh(&cs->lock);
+}
[...]
+int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
struct sk_buff *skb)+{
[...]
- /* encrypt it */
- return crypto_aead_encrypt(req);
+free_iv:
- kfree(ovpn_skb_cb(skb)->iv);
- ovpn_skb_cb(skb)->iv = NULL;
+free_sg:
- kfree(ovpn_skb_cb(skb)->sg);
- ovpn_skb_cb(skb)->sg = NULL;
nit: Those shouldn't really be needed, since we'll call ovpn_encrypt_post that will take care of iv/sg/req. But it's fine if you leave them.
(same thing on the decrypt side)
- return ret;
+}
[...]
+/**
- ovpn_key_id_from_skb - extract key ID from the skb head
- @skb: the packet to extract the key ID code from
- Note: this function assumes that the skb head was pulled enough
- to access the first byte.
nit: another "first byte" that I missed previously :(
- Return: the key ID
- */
+static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb) +{
- u32 opcode = be32_to_cpu(*(__be32 *)skb->data);
- return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode);
+}
--
Sabrina