From patchwork Wed Jul 1 15:43:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 5053 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a17:907:9721:b0:c12:c60:681d with SMTP id jg33csp1417542ejc; Wed, 1 Jul 2026 08:44:16 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ8Rb0kslhAr6ImgaTn+9uYvcgiy10Ywa0otJ3SW6aCltTk/QlLDdAAQZG24eU+omy1yIIm3C+S2/+U=@openvpn.net X-Received: by 2002:a05:6820:1512:b0:6a1:50eb:2110 with SMTP id 006d021491bc7-6a309b831e1mr1157222eaf.69.1782920656036; Wed, 01 Jul 2026 08:44:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1782920656; cv=none; d=google.com; s=arc-20260327; b=og5BBiHjf0ZO2ztAfASs7SUB2hkx+mJH6MgvK41G7rSdcOszAWdxD8Gi89aJ3mSBWz JVviJ4WuqxHo2skg6lc+JZCoMxjsx7B1KsJ89EnKRayNxhiaLpFtS+nbTn3m7McnGopW eizbXQlBwT4YRHOdQaGijmuJ9OD6Zp4doSyh3fvWuhxICSM5cURR7IPjp4V4nzblHFt2 6IsF+dq6B0FRtgiULyg90j7Nev5ubDo9+/GdEXYjIrfhui+6/WV60wj6tBF5FbmPVOzX P3Fuh1QzbK46/+SEb7qqF6cX6ZIuJOIyMsmb2hSvMUE8N8xja9VN11tAaXSref/SyI6f LkXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=jgPAGbOng96O5oMSIwOu34se4HEnKrnjNxQewvTkY1k=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=Ls3dB26pL68vwVqpAgx8gInlQdjCBtgC/ut4jOA9zn7TiIUNxr8fkNH95GqtbI+MP+ IS1VKP+Vz1xR12adhWCTS9kdjXvRsS6VA8+CSUq0VaFmiZdB55jW4Dpmx5VpnjEJg6YC 198PH6GDoWDf8h1gaaKchjXKTMKnfTjQPl+ruhhQlEy0nkc/22N+mqynXapQNVdgKKev /CMWX3PXGFtzZQxoEYRnhQk50GSb7YFwfhHUM44b+gkDui7g/AWCPHDhw2kOWZ3/Ihl0 fOEOSxHQI2/0DHtfbE0gbZNYiMYMuTze8WzMpV2G4mu3DQZqVrXCtmVrpKEdhjIEbCZX OG8w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=HAxrkTHC; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=miGa9GiZ; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=EQjDFcHE; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b="K/67fN9g"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-44cbf00534dsi10152fac.318.2026.07.01.08.44.15 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Jul 2026 08:44:16 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=HAxrkTHC; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=miGa9GiZ; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=EQjDFcHE; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b="K/67fN9g"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=jgPAGbOng96O5oMSIwOu34se4HEnKrnjNxQewvTkY1k=; b=HAxrkTHCxxO1RAFGFRG3tMhlOb fmIX0RiSPmoweg2XPvlRp99Rwt+Jfc2riJls5QGNWXnBFrSV7/amY6zKR+QnYvO8RZbOcWsgxUei7 /amw0GGJBKKRdZ/HMVVxtrlQIBOh52lbyLytgfVqBlAVxoiVol713o+EHfke1H3UbSwo=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wex6l-0003is-HI; Wed, 01 Jul 2026 15:44:13 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wex6j-0003if-Hz for openvpn-devel@lists.sourceforge.net; Wed, 01 Jul 2026 15:44:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=8eHaoThz7oG4s8Vip6GEI7g3K50ddl7vSdnAYqr+Fgw=; b=miGa9GiZXfd2HBBHDC4g9Ho9zn NVrjSF8qMCoCNh1bzRe1Bs509V58z1IqKKMo2PjzUPINPl0OJvPra9sxKruDPsuXbFo8qYN/MBFng rJu5eIDb/WTD1YwCHxyEUr+S2XnZt5tKJXnhttxgvieQnfS16eTxCyAgFJLHKoemuc+k=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=8eHaoThz7oG4s8Vip6GEI7g3K50ddl7vSdnAYqr+Fgw=; b=EQjDFcHEBt4GPPBvF4eMDq6B15 SfBBoG9DQEGGLFOE/G0C9g0JxMaUKHExvDljVRjdmJ+azeL9JpiFvXMqphDluGmVGZOLL2/DUReRQ OKtROgsN4aw70fSK5L++lg81xlSL6ruyW+8pYCotJnbBPZBa+uwcLFPXl7twXXXjYzXA=; Received: from mout-b-210.mailbox.org ([195.10.208.40]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wex6f-00029T-LE for openvpn-devel@lists.sourceforge.net; Wed, 01 Jul 2026 15:44:11 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA512) (No client certificate requested) by mout-b-210.mailbox.org (Postfix) with ESMTPS id 4gr47K2wsxzMkt4; Wed, 01 Jul 2026 17:43:57 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1782920637; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8eHaoThz7oG4s8Vip6GEI7g3K50ddl7vSdnAYqr+Fgw=; b=K/67fN9gtoAstyxzjl35CpKh9krAGaF9Us3J5RY3vU06NKzTNKbSXpjQHdKPbov9knl7Xh bX67VUYK98AJV2Gv38CbE7GHmrh3zHJ7f/Z8w5d8z68eSDCXIumYWRAPS63ucaxKNgQ1xo Awv7qg1b/uBTISEXwWntbY0dMQIHNxUA7gRurUrcy4JcimHYssAY9tmBJB0mrx/8JnGnkw ftotMJzhkwiHPydGPZKaWZph4rwiUCQqSlP6PbcANi1fHacmXG7iiNY3+1IfHHf7ZLeh/N JDg0gxt7lDvHTu7Jjm3vPJSGKK3P0lgdtzIANSRVCTjyIKEj12ITiEbL+yJchg== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::202 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Wed, 1 Jul 2026 17:43:22 +0200 Message-ID: <4ae05d37fc69c2c29d83f824616b1aee6315ab6b.1782919654.git.ralf@mandelbit.com> In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gr47K2wsxzMkt4 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Epoch key rotation needs to replace encrypt and decrypt key contexts while packets may still hold references from the async AEAD path. Publish key contexts through RCU, add a per-context kref, and let encrypt and decrypt requests hold a context until their completion callback runs. Direct-key behavior is otherwise unchanged. Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-Headers-End: 1wex6f-00029T-LE Subject: [Openvpn-devel] [RFC ovpn net-next 07/14] ovpn: make key contexts refcounted X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1869527809887715264 X-GMAIL-MSGID: 1869527809887715264 Epoch key rotation needs to replace encrypt and decrypt key contexts while packets may still hold references from the async AEAD path. Publish key contexts through RCU, add a per-context kref, and let encrypt and decrypt requests hold a context until their completion callback runs. Direct-key behavior is otherwise unchanged. Signed-off-by: Ralf Lici --- drivers/net/ovpn/crypto.h | 34 ++++++++++++++++++++-- drivers/net/ovpn/crypto_aead.c | 20 ++++++++++--- drivers/net/ovpn/crypto_key.c | 53 +++++++++++++++++++--------------- drivers/net/ovpn/io.c | 8 +++-- drivers/net/ovpn/skb.h | 2 ++ 5 files changed, 86 insertions(+), 31 deletions(-) diff --git a/drivers/net/ovpn/crypto.h b/drivers/net/ovpn/crypto.h index c36cd8299afd..1d62f2be23c9 100644 --- a/drivers/net/ovpn/crypto.h +++ b/drivers/net/ovpn/crypto.h @@ -10,6 +10,9 @@ #ifndef _NET_OVPN_OVPNCRYPTO_H_ #define _NET_OVPN_OVPNCRYPTO_H_ +#include +#include + #include "crypto_limits.h" #include "pktid.h" #include "proto.h" @@ -47,6 +50,8 @@ struct ovpn_key_ctx { struct ovpn_key_usage usage; atomic64_t decrypt_failures; unsigned long decrypt_failure_flags; + struct kref refcount; + struct rcu_head rcu; }; struct ovpn_crypto_key_slot { @@ -54,8 +59,8 @@ struct ovpn_crypto_key_slot { enum ovpn_cipher_alg cipher_alg; struct ovpn_limit usage_limit; - struct ovpn_key_ctx *encrypt; - struct ovpn_key_ctx *decrypt; + struct ovpn_key_ctx __rcu *encrypt; + struct ovpn_key_ctx __rcu *decrypt; struct kref refcount; struct rcu_head rcu; }; @@ -137,6 +142,31 @@ static inline void ovpn_crypto_key_slot_put(struct ovpn_crypto_key_slot *ks) kref_put(&ks->refcount, ovpn_crypto_key_slot_release); } +void ovpn_key_ctx_release(struct kref *kref); + +static inline void ovpn_key_ctx_put(struct ovpn_key_ctx *key) +{ + if (key) + kref_put(&key->refcount, ovpn_key_ctx_release); +} + +static inline int ovpn_key_ctx_get(struct ovpn_key_ctx **out, + struct ovpn_key_ctx __rcu **rcu_ptr) +{ + struct ovpn_key_ctx *key; + + rcu_read_lock(); + key = rcu_dereference(*rcu_ptr); + if (unlikely(!key || !kref_get_unless_zero(&key->refcount))) { + rcu_read_unlock(); + return -ENOKEY; + } + rcu_read_unlock(); + + *out = key; + return 0; +} + int ovpn_crypto_state_reset(struct ovpn_crypto_state *cs, const struct ovpn_peer_key_reset *pkr); diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c index ae4b87a2faec..a869545cd145 100644 --- a/drivers/net/ovpn/crypto_aead.c +++ b/drivers/net/ovpn/crypto_aead.c @@ -150,7 +150,7 @@ static struct scatterlist *ovpn_aead_crypto_req_sg(struct crypto_aead *aead, int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, struct sk_buff *skb) { - struct ovpn_key_ctx *key = ks->encrypt; + struct ovpn_key_ctx *key = NULL; unsigned int plaintext_len; struct aead_request *req; struct sk_buff *trailer; @@ -165,6 +165,12 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, ovpn_skb_cb(skb)->peer = peer; ovpn_skb_cb(skb)->ks = ks; plaintext_len = skb->len; + + ret = ovpn_key_ctx_get(&key, &ks->encrypt); + if (unlikely(ret)) + return ret; + ovpn_skb_cb(skb)->key = key; + tag_size = crypto_aead_authsize(key->tfm); /* Sample AEAD header format: @@ -264,7 +270,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, struct sk_buff *skb) { - struct ovpn_key_ctx *key = ks->decrypt; + struct ovpn_key_ctx *key = NULL; unsigned int payload_offset; int ret, payload_len, nfrags; struct aead_request *req; @@ -274,13 +280,19 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, void *tmp; u8 *iv; + ovpn_skb_cb(skb)->peer = peer; + ovpn_skb_cb(skb)->ks = ks; + + ret = ovpn_key_ctx_get(&key, &ks->decrypt); + if (unlikely(ret)) + return ret; + ovpn_skb_cb(skb)->key = key; + tag_size = crypto_aead_authsize(key->tfm); payload_offset = ovpn_aead_direct_payload_offset(tag_size); payload_len = skb->len - payload_offset; ovpn_skb_cb(skb)->payload_offset = payload_offset; - ovpn_skb_cb(skb)->peer = peer; - ovpn_skb_cb(skb)->ks = ks; /* sanity check on packet size, payload size must be >= 0 */ if (unlikely(payload_len < 0)) diff --git a/drivers/net/ovpn/crypto_key.c b/drivers/net/ovpn/crypto_key.c index cdf35e2b241c..44110a0b38eb 100644 --- a/drivers/net/ovpn/crypto_key.c +++ b/drivers/net/ovpn/crypto_key.c @@ -82,6 +82,22 @@ static void ovpn_key_ctx_free(struct ovpn_key_ctx *key) kfree(key); } +static void ovpn_key_ctx_free_rcu(struct rcu_head *head) +{ + struct ovpn_key_ctx *key; + + key = container_of(head, struct ovpn_key_ctx, rcu); + ovpn_key_ctx_free(key); +} + +void ovpn_key_ctx_release(struct kref *kref) +{ + struct ovpn_key_ctx *key; + + key = container_of(kref, struct ovpn_key_ctx, refcount); + call_rcu(&key->rcu, ovpn_key_ctx_free_rcu); +} + static struct ovpn_key_ctx * ovpn_key_ctx_new(const char *title, const char *alg_name, const struct ovpn_key_direction *dir, bool encrypt) @@ -113,6 +129,7 @@ ovpn_key_ctx_new(const char *title, const char *alg_name, ovpn_key_usage_init(&key->usage); atomic64_set(&key->decrypt_failures, 0); key->decrypt_failure_flags = 0; + kref_init(&key->refcount); /* initialize only the packet ID direction this context owns */ if (encrypt) @@ -128,8 +145,8 @@ void ovpn_crypto_key_slot_destroy(struct ovpn_crypto_key_slot *ks) if (!ks) return; - ovpn_key_ctx_free(ks->encrypt); - ovpn_key_ctx_free(ks->decrypt); + ovpn_key_ctx_put(rcu_access_pointer(ks->encrypt)); + ovpn_key_ctx_put(rcu_access_pointer(ks->decrypt)); kfree(ks); } @@ -137,6 +154,7 @@ struct ovpn_crypto_key_slot * ovpn_crypto_key_slot_new(const struct ovpn_key_config *kc) { struct ovpn_crypto_key_slot *ks = NULL; + struct ovpn_key_ctx *key; const char *alg_name; int ret; @@ -168,21 +186,19 @@ ovpn_crypto_key_slot_new(const struct ovpn_key_config *kc) ks->cipher_alg = kc->cipher_alg; ovpn_key_usage_limit_init(&ks->usage_limit, kc->cipher_alg); - ks->encrypt = ovpn_key_ctx_new("encrypt", alg_name, &kc->encrypt, - true); - if (IS_ERR(ks->encrypt)) { - ret = PTR_ERR(ks->encrypt); - ks->encrypt = NULL; + key = ovpn_key_ctx_new("encrypt", alg_name, &kc->encrypt, true); + if (IS_ERR(key)) { + ret = PTR_ERR(key); goto destroy_ks; } + RCU_INIT_POINTER(ks->encrypt, key); - ks->decrypt = ovpn_key_ctx_new("decrypt", alg_name, &kc->decrypt, - false); - if (IS_ERR(ks->decrypt)) { - ret = PTR_ERR(ks->decrypt); - ks->decrypt = NULL; + key = ovpn_key_ctx_new("decrypt", alg_name, &kc->decrypt, false); + if (IS_ERR(key)) { + ret = PTR_ERR(key); goto destroy_ks; } + RCU_INIT_POINTER(ks->decrypt, key); return ks; @@ -193,17 +209,8 @@ ovpn_crypto_key_slot_new(const struct ovpn_key_config *kc) enum ovpn_cipher_alg ovpn_crypto_key_slot_alg(struct ovpn_crypto_key_slot *ks) { - const char *alg_name; - - if (!ks->encrypt || !ks->encrypt->tfm) + if (!ks) return OVPN_CIPHER_ALG_NONE; - alg_name = crypto_tfm_alg_name(crypto_aead_tfm(ks->encrypt->tfm)); - - if (!strcmp(alg_name, ALG_NAME_AES)) - return OVPN_CIPHER_ALG_AES_GCM; - else if (!strcmp(alg_name, ALG_NAME_CHACHAPOLY)) - return OVPN_CIPHER_ALG_CHACHA20_POLY1305; - else - return OVPN_CIPHER_ALG_NONE; + return ks->cipher_alg; } diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index d3633cb4e2a9..2b57964679c7 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -125,14 +125,14 @@ void ovpn_decrypt_post(void *data, int ret) payload_offset = ovpn_skb_cb(skb)->payload_offset; ks = ovpn_skb_cb(skb)->ks; - key = ks->decrypt; + key = ovpn_skb_cb(skb)->key; peer = ovpn_skb_cb(skb)->peer; /* crypto is done, cleanup skb CB and its members */ kfree(ovpn_skb_cb(skb)->crypto_tmp); if (unlikely(ret == -EBADMSG)) { - if (unlikely(ovpn_aead_decrypt_failure_record(key))) + if (key && unlikely(ovpn_aead_decrypt_failure_record(key))) ovpn_nl_key_swap_notify(peer, ks->key_id); goto drop; } @@ -224,6 +224,7 @@ void ovpn_decrypt_post(void *data, int ret) ovpn_peer_put(peer); if (likely(ks)) ovpn_crypto_key_slot_put(ks); + ovpn_key_ctx_put(key); } /* RX path entry point: decrypt packet and forward it to the device */ @@ -256,6 +257,7 @@ void ovpn_encrypt_post(void *data, int ret) struct ovpn_crypto_key_slot *ks; struct sk_buff *skb = data; struct ovpn_socket *sock; + struct ovpn_key_ctx *key; struct ovpn_peer *peer; unsigned int orig_len; @@ -267,6 +269,7 @@ void ovpn_encrypt_post(void *data, int ret) ks = ovpn_skb_cb(skb)->ks; peer = ovpn_skb_cb(skb)->peer; + key = ovpn_skb_cb(skb)->key; /* crypto is done, cleanup skb CB and its members */ kfree(ovpn_skb_cb(skb)->crypto_tmp); @@ -322,6 +325,7 @@ void ovpn_encrypt_post(void *data, int ret) ovpn_peer_put(peer); if (likely(ks)) ovpn_crypto_key_slot_put(ks); + ovpn_key_ctx_put(key); kfree_skb(skb); } diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h index 4fb7ea025426..75d64161d774 100644 --- a/drivers/net/ovpn/skb.h +++ b/drivers/net/ovpn/skb.h @@ -22,6 +22,7 @@ * struct ovpn_cb - ovpn skb control block * @peer: the peer this skb was received from/sent to * @ks: the crypto key slot used to encrypt/decrypt this skb + * @key: the key context used to encrypt/decrypt this skb * @crypto_tmp: pointer to temporary memory used for crypto operations * containing the IV, the scatter gather list and the aead request * @payload_offset: offset in the skb where the payload starts @@ -30,6 +31,7 @@ struct ovpn_cb { struct ovpn_peer *peer; struct ovpn_crypto_key_slot *ks; + struct ovpn_key_ctx *key; void *crypto_tmp; unsigned int payload_offset; bool nosignal;