Re: [PATCH net-next v24 09/23] ovpn: implement packet processing

[Antonio Quartulli]

On 01/04/2025 11:59, Sabrina Dubroca wrote:
2025-03-18, 02:40:44 +0100, Antonio Quartulli wrote:
+/* this swap is not atomic, but there will be a very short time frame where the
+ * old_secondary key won't be available. This should not be a big deal as most
+ * likely both peers are already using the new primary at this point.
+ */

This is not the case anymore.

Oh right - this comment can go.


+void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs)
+{
+       const struct ovpn_crypto_key_slot *old_primary, *old_secondary;
+       u8 idx;
+
+       spin_lock_bh(&cs->lock);
+       idx = cs->primary_idx;
+       old_primary = rcu_dereference_protected(cs->slots[idx],
+                                               lockdep_is_held(&cs->lock));
+       old_secondary = rcu_dereference_protected(cs->slots[!idx],
+                                                 lockdep_is_held(&cs->lock));
+       /* perform real swap by switching the index of the primary key */
+       WRITE_ONCE(cs->primary_idx, !cs->primary_idx);
+
+       pr_debug("key swapped: (old primary) %d <-> (new primary) %d\n",
+                old_primary ? old_primary->key_id : -1,
+                old_secondary ? old_secondary->key_id : -1);
+
+       spin_unlock_bh(&cs->lock);
+}

[...]
+int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
+                     struct sk_buff *skb)
+{
[...]
+       /* encrypt it */
+       return crypto_aead_encrypt(req);
+free_iv:
+       kfree(ovpn_skb_cb(skb)->iv);
+       ovpn_skb_cb(skb)->iv = NULL;
+free_sg:
+       kfree(ovpn_skb_cb(skb)->sg);
+       ovpn_skb_cb(skb)->sg = NULL;

nit: Those shouldn't really be needed, since we'll call
ovpn_encrypt_post that will take care of iv/sg/req. But it's fine if
you leave them.

Right!
This code flow was re-arranged a couple of times, and I have missed that 
we now always hit those free()s in post().

I prefer to drop them and put a comment indicating that cleanup happens 
in post().


(same thing on the decrypt side)

Yep


+       return ret;
+}


[...]
+/**
+ * ovpn_key_id_from_skb - extract key ID from the skb head
+ * @skb: the packet to extract the key ID code from
+ *
+ * Note: this function assumes that the skb head was pulled enough
+ * to access the first byte.

nit: another "first byte" that I missed previously :(

ACK!


+ *
+ * Return: the key ID
+ */
+static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb)
+{
+       u32 opcode = be32_to_cpu(*(__be32 *)skb->data);
+
+       return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode);
+}


Regards,

--
Antonio Quartulli
OpenVPN Inc.