From patchwork Thu Nov 13 12:16:31 2025
X-Patchwork-Submitter: Ralf Lici
X-Patchwork-Id: 4593
From: Ralf Lici
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 13 Nov 2025 13:16:31 +0100
Message-ID: <20251113121631.351053-1-ralf@mandelbit.com>
Subject: [Openvpn-devel] [PATCH ovpn v2] ovpn: consolidate crypto allocations in one chunk
Cc: Antonio Quartulli, Sabrina Dubroca

Currently ovpn uses three separate dynamically allocated structures to set up cryptographic operations for both encryption and decryption.
This adds overhead to performance-critical paths and contributes to memory fragmentation.

This commit consolidates those allocations into a single temporary blob, similar to what esp_alloc_tmp() does.

The resulting performance gain is +7.7% and +4.3% for UDP when using AES and ChaChaPoly respectively, and +4.3% for TCP.

Signed-off-by: Ralf Lici
Signed-off-by: Antonio Quartulli
---
Changes since v1:
- Fixed typo in commit message
- Adjusted ovpn_aead_crypto_tmp_size comment to follow kdoc style
- Stored allocated blob in the skb control block immediately after allocation to prevent leakage on failure

 drivers/net/ovpn/crypto_aead.c | 155 +++++++++++++++++++++++++--------
 drivers/net/ovpn/io.c          |   8 +-
 drivers/net/ovpn/skb.h         |  13 ++-
 3 files changed, 131 insertions(+), 45 deletions(-)

diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c
index cb6cdf8ec317..6b55d2e715bc 100644
--- a/drivers/net/ovpn/crypto_aead.c
+++ b/drivers/net/ovpn/crypto_aead.c
@@ -36,6 +36,105 @@ static int ovpn_aead_encap_overhead(const struct ovpn_crypto_key_slot *ks) crypto_aead_authsize(ks->encrypt); /* Auth Tag */ } +/** + * ovpn_aead_crypto_tmp_size - compute the size of a temporary object containing + * an AEAD request structure with extra space for SG + * and IV. + * @tfm: the AEAD cipher handle + * @nfrags: the number of fragments in the skb + * + * This function calculates the size of a contiguous memory block that includes + * the initialization vector (IV), the AEAD request, and an array of scatterlist + * entries. For alignment considerations, the IV is placed first, followed by + * the request, and then the scatterlist. + * Additional alignment is applied according to the requirements of the + * underlying structures. + * + * Return: the size of the temporary memory that needs to be allocated + */ +static unsigned int ovpn_aead_crypto_tmp_size(struct crypto_aead *tfm, + const unsigned int nfrags) +{ + unsigned int len = crypto_aead_ivsize(tfm); + + if (likely(len)) { + /* min size for a buffer of ivsize, aligned to alignmask */ + len += crypto_aead_alignmask(tfm) & + ~(crypto_tfm_ctx_alignment() - 1); + /* round up to the next multiple of the crypto ctx alignment */ + len = ALIGN(len, crypto_tfm_ctx_alignment()); + } + + /* reserve space for the AEAD request */ + len += sizeof(struct aead_request) + crypto_aead_reqsize(tfm); + /* round up to the next multiple of the scatterlist alignment */ + len = ALIGN(len, __alignof__(struct scatterlist)); + + /* add enough space for nfrags + 2 scatterlist entries */ + len += sizeof(struct scatterlist) * (nfrags + 2); + return len; +} + +/** + * ovpn_aead_crypto_tmp_iv - retrieve the pointer to the IV within a temporary + * buffer allocated using ovpn_aead_crypto_tmp_size + * @aead: the AEAD cipher handle + * @tmp: a pointer to the beginning of the temporary buffer + * + * This function retrieves a pointer to the initialization vector (IV) in the + * temporary buffer. 
If the AEAD cipher specifies an IV size, the pointer is + * adjusted using the AEAD's alignment mask to ensure proper alignment. + * + * Returns: a pointer to the IV within the temporary buffer + */ +static u8 *ovpn_aead_crypto_tmp_iv(struct crypto_aead *aead, void *tmp) +{ + return likely(crypto_aead_ivsize(aead)) ? + PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) : + tmp; +} + +/** + * ovpn_aead_crypto_tmp_req - retrieve the pointer to the AEAD request structure + * within a temporary buffer allocated using + * ovpn_aead_crypto_tmp_size + * @aead: the AEAD cipher handle + * @iv: a pointer to the initialization vector in the temporary buffer + * + * This function computes the location of the AEAD request structure that + * immediately follows the IV in the temporary buffer and it ensures the request + * is aligned to the crypto transform context alignment. + * + * Returns: a pointer to the AEAD request structure + */ +static struct aead_request *ovpn_aead_crypto_tmp_req(struct crypto_aead *aead, + const u8 *iv) +{ + return (void *)PTR_ALIGN(iv + crypto_aead_ivsize(aead), + crypto_tfm_ctx_alignment()); +} + +/** + * ovpn_aead_crypto_req_sg - locate the scatterlist following the AEAD request + * within a temporary buffer allocated using + * ovpn_aead_crypto_tmp_size + * @aead: the AEAD cipher handle + * @req: a pointer to the AEAD request structure in the temporary buffer + * + * This function computes the starting address of the scatterlist that is + * allocated immediately after the AEAD request structure. It aligns the pointer + * based on the alignment requirements of the scatterlist structure. 
+ * + * Returns: a pointer to the scatterlist + */ +static struct scatterlist *ovpn_aead_crypto_req_sg(struct crypto_aead *aead, + struct aead_request *req) +{ + return (void *)ALIGN((unsigned long)(req + 1) + + crypto_aead_reqsize(aead), + __alignof__(struct scatterlist)); +} + int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, struct sk_buff *skb) { @@ -45,6 +144,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, struct scatterlist *sg; int nfrags, ret; u32 pktid, op; + void *tmp; u8 *iv; ovpn_skb_cb(skb)->peer = peer; @@ -71,13 +171,17 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2))) return -ENOSPC; - /* sg may be required by async crypto */ - ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) * - (nfrags + 2), GFP_ATOMIC); - if (unlikely(!ovpn_skb_cb(skb)->sg)) + /* allocate temporary memory for iv, sg and req */ + tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->encrypt, nfrags), + GFP_ATOMIC); + if (unlikely(!tmp)) return -ENOMEM; - sg = ovpn_skb_cb(skb)->sg; + ovpn_skb_cb(skb)->crypto_tmp = tmp; + + iv = ovpn_aead_crypto_tmp_iv(ks->encrypt, tmp); + req = ovpn_aead_crypto_tmp_req(ks->encrypt, iv); + sg = ovpn_aead_crypto_req_sg(ks->encrypt, req); /* sg table: * 0: op, wire nonce (AD, len=OVPN_OP_SIZE_V2+OVPN_NONCE_WIRE_SIZE), @@ -105,13 +209,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, if (unlikely(ret < 0)) return ret; - /* iv may be required by async crypto */ - ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC); - if (unlikely(!ovpn_skb_cb(skb)->iv)) - return -ENOMEM; - - iv = ovpn_skb_cb(skb)->iv; - /* concat 4 bytes packet id and 8 bytes nonce tail into 12 bytes * nonce */ 
@@ -130,12 +227,6 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, /* AEAD Additional data */ sg_set_buf(sg, skb->data, OVPN_AAD_SIZE); - req = aead_request_alloc(ks->encrypt, GFP_ATOMIC); - if (unlikely(!req)) - return -ENOMEM; - - ovpn_skb_cb(skb)->req = req; - /* setup async crypto operation */ aead_request_set_tfm(req, ks->encrypt); aead_request_set_callback(req, 0, ovpn_encrypt_post, skb); @@ -156,6 +247,7 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, struct aead_request *req; struct sk_buff *trailer; struct scatterlist *sg; + void *tmp; u8 *iv; payload_offset = OVPN_AAD_SIZE + tag_size; @@ -184,13 +276,17 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2))) return -ENOSPC; - /* sg may be required by async crypto */ - ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) * - (nfrags + 2), GFP_ATOMIC); - if (unlikely(!ovpn_skb_cb(skb)->sg)) + /* allocate temporary memory for iv, sg and req */ + tmp = kmalloc(ovpn_aead_crypto_tmp_size(ks->decrypt, nfrags), + GFP_ATOMIC); + if (unlikely(!tmp)) return -ENOMEM; - sg = ovpn_skb_cb(skb)->sg; + ovpn_skb_cb(skb)->crypto_tmp = tmp; + + iv = ovpn_aead_crypto_tmp_iv(ks->decrypt, tmp); + req = ovpn_aead_crypto_tmp_req(ks->decrypt, iv); + sg = ovpn_aead_crypto_req_sg(ks->decrypt, req); /* sg table: * 0: op, wire nonce (AD, len=OVPN_OPCODE_SIZE+OVPN_NONCE_WIRE_SIZE), 
@@ -213,24 +309,11 @@ int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, /* append auth_tag onto scatterlist */ sg_set_buf(sg + ret + 1, skb->data + OVPN_AAD_SIZE, tag_size); - /* iv may be required by async crypto */ - ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC); - if (unlikely(!ovpn_skb_cb(skb)->iv)) - return -ENOMEM; - - iv = ovpn_skb_cb(skb)->iv; - /* copy nonce into IV buffer */ memcpy(iv, skb->data + OVPN_OPCODE_SIZE, OVPN_NONCE_WIRE_SIZE); memcpy(iv + OVPN_NONCE_WIRE_SIZE, ks->nonce_tail_recv, OVPN_NONCE_TAIL_SIZE); - req = aead_request_alloc(ks->decrypt, GFP_ATOMIC); - if (unlikely(!req)) - return -ENOMEM; - - ovpn_skb_cb(skb)->req = req; - /* setup async crypto operation */ aead_request_set_tfm(req, ks->decrypt); aead_request_set_callback(req, 0, ovpn_decrypt_post, skb); diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index 3e9e7f8444b3..2721ee8268b2 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -119,9 +119,7 @@ void ovpn_decrypt_post(void *data, int ret) peer = ovpn_skb_cb(skb)->peer; /* crypto is done, cleanup skb CB and its members */ - kfree(ovpn_skb_cb(skb)->iv); - kfree(ovpn_skb_cb(skb)->sg); - aead_request_free(ovpn_skb_cb(skb)->req); + kfree(ovpn_skb_cb(skb)->crypto_tmp); if (unlikely(ret < 0)) goto drop; @@ -248,9 +246,7 @@ void ovpn_encrypt_post(void *data, int ret) peer = ovpn_skb_cb(skb)->peer; /* crypto is done, cleanup skb CB and its members */ - kfree(ovpn_skb_cb(skb)->iv); - kfree(ovpn_skb_cb(skb)->sg); - aead_request_free(ovpn_skb_cb(skb)->req); + kfree(ovpn_skb_cb(skb)->crypto_tmp); if (unlikely(ret == -ERANGE)) { /* we ran out of IVs and we must kill the key as it can't be diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h index 64430880f1da..4fb7ea025426 100644 --- a/drivers/net/ovpn/skb.h +++ b/drivers/net/ovpn/skb.h 
@@ -18,12 +18,19 @@ #include #include +/** + * struct ovpn_cb - ovpn skb control block + * @peer: the peer this skb was received from/sent to + * @ks: the crypto key slot used to encrypt/decrypt this skb + * @crypto_tmp: pointer to temporary memory used for crypto operations + * containing the IV, the scatter gather list and the aead request + * @payload_offset: offset in the skb where the payload starts + * @nosignal: whether this skb should be sent with the MSG_NOSIGNAL flag (TCP) + */ struct ovpn_cb { struct ovpn_peer *peer; struct ovpn_crypto_key_slot *ks; - struct aead_request *req; - struct scatterlist *sg; - u8 *iv; + void *crypto_tmp; unsigned int payload_offset; bool nosignal; };
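Review bot: In the first crypto_aead.c hunk (the new helpers), the kernel-doc for ovpn_aead_crypto_tmp_iv, ovpn_aead_crypto_tmp_req and ovpn_aead_crypto_req_sg uses a `Returns:` section while ovpn_aead_crypto_tmp_size, which the v2 changelog says was adjusted to kdoc style, uses `Return:`; kernel-doc's documented section name is `Return:`, so the three other comments should use the same form. Minor: ovpn_aead_crypto_tmp_req takes `const u8 *iv` and then casts the aligned pointer to `(void *)`, which silently drops the qualifier; declaring the parameter as `u8 *iv` makes the cast honest, since the returned request is written to.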
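Review bot: In the ovpn_aead_encrypt hunk that replaces the sg kmalloc (and the matching ovpn_aead_decrypt hunk), `return -ENOSPC` before the allocation and `return -ENOMEM` on kmalloc failure are reached without ovpn_skb_cb(skb)->crypto_tmp ever being assigned, while the io.c hunks make ovpn_encrypt_post/ovpn_decrypt_post call `kfree(ovpn_skb_cb(skb)->crypto_tmp)` unconditionally. That is only safe if the control block is zeroed before these functions run (the removed iv/sg/req pointers had the same requirement); please confirm that is the case, or set `ovpn_skb_cb(skb)->crypto_tmp = NULL` ahead of the nfrags check so a stale pointer can never reach kfree. Storing `tmp` in the cb right after kmalloc, as the changelog describes, does close the leak on the later `return ret` paths, provided the post callback is what runs for those errors.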
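Review bot: In the ovpn_aead_decrypt hunk that removes the OVPN_NONCE_SIZE kmalloc, the two memcpy calls still write OVPN_NONCE_WIRE_SIZE + OVPN_NONCE_TAIL_SIZE bytes into `iv`, but the slot they land in is now sized by crypto_aead_ivsize(ks->decrypt) in ovpn_aead_crypto_tmp_size, and the aead_request follows it in the same blob. Before this change an ivsize smaller than the nonce was harmless because the buffer was always OVPN_NONCE_SIZE bytes; after it, the copy would overwrite the request. The AES-GCM and ChaCha20-Poly1305 AEADs named in the commit message both report a 12-byte ivsize, so this holds today, but the dependency deserves an explicit guard, e.g. `if (WARN_ON_ONCE(crypto_aead_ivsize(ks->decrypt) < OVPN_NONCE_SIZE)) return -EINVAL;` when the key slot is set up (or before the copy), with the same check on the encrypt side.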
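Review bot: In the skb.h hunk, the @crypto_tmp description lists the contents as "the IV, the scatter gather list and the aead request", but the layout produced by ovpn_aead_crypto_tmp_size is IV, then request, then scatterlist; listing them in layout order avoids pointing a reader at the wrong offset. The ovpn_aead_crypto_tmp_size comment also says "scatterlist" where this one says "scatter gather list"; one term throughout would be cleaner.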
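As an added illustration that is not code from the patch or from the ovpn driver, the following user-space C model reproduces the single-blob sizing and pointer-carving scheme the patch introduces and adds the layout check a reviewer would want: that each carved region is aligned, does not overlap the next, ends inside the allocation, and that the 12-byte nonce fits the IV slot. `MODEL_CTX_ALIGN`, `struct model_tfm`, `struct model_req`, `struct model_sg` and the sample transform parameters are assumptions standing in for `crypto_tfm_ctx_alignment()`, the tfm queries, `struct aead_request` and `struct scatterlist`; they are not the kernel's values.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not the ovpn driver's code) of the blob layout:
 *   [IV, aligned to alignmask + 1] [request, aligned to the ctx alignment]
 *   [nfrags + 2 scatterlist entries, aligned to the scatterlist type]
 * All types and constants below are stand-ins for the kernel's. */

#define MODEL_CTX_ALIGN  8u   /* stand-in for crypto_tfm_ctx_alignment() */
#define MODEL_NONCE_SIZE 12u  /* 4-byte packet id + 8-byte nonce tail, as in the patch */

struct model_sg  { uint64_t page_link; unsigned int offset; unsigned int length; };
struct model_req { void *tfm; void (*complete)(void *, int); unsigned int cryptlen; };

/* Per-transform parameters the kernel reads from the tfm handle. */
struct model_tfm {
	unsigned int ivsize;    /* crypto_aead_ivsize() */
	unsigned int alignmask; /* crypto_aead_alignmask(): required alignment - 1 */
	unsigned int reqsize;   /* crypto_aead_reqsize(): driver-private tail of the request */
};

struct model_carved { uint8_t *iv; struct model_req *req; struct model_sg *sg; };

/* Constructed sample transforms (values are made up, not measured from any cipher). */
static const struct model_tfm MODEL_AES      = { 12, 15, 104 }; /* 12-byte IV, 16-byte alignment */
static const struct model_tfm MODEL_AES_NOAL = { 12,  0, 104 }; /* same IV, alignmask 0 */
static const struct model_tfm MODEL_NO_IV    = {  0,  0,  64 }; /* AEAD without an IV */
static const struct model_tfm MODEL_SHORT_IV = {  8,  0, 104 }; /* IV slot shorter than the nonce */

static uintptr_t align_up(uintptr_t x, uintptr_t a)
{
	return (x + a - 1) & ~(a - 1);
}

/* Mirrors the size computation: IV plus alignment slack, then request, then sg array. */
static unsigned int model_tmp_size(const struct model_tfm *tfm, unsigned int nfrags)
{
	unsigned int len = tfm->ivsize;

	if (len) {
		/* slack so the IV can be realigned to alignmask + 1 inside a ctx-aligned blob */
		len += tfm->alignmask & ~(MODEL_CTX_ALIGN - 1);
		len = (unsigned int)align_up(len, MODEL_CTX_ALIGN);
	}
	len += sizeof(struct model_req) + tfm->reqsize;
	len = (unsigned int)align_up(len, alignof(struct model_sg));
	len += sizeof(struct model_sg) * (nfrags + 2);
	return len;
}

/* Mirrors the three pointer-carving helpers applied to one allocated blob. */
static struct model_carved model_carve(const struct model_tfm *tfm, void *tmp)
{
	struct model_carved c;

	c.iv = tfm->ivsize ? (uint8_t *)align_up((uintptr_t)tmp, tfm->alignmask + 1)
			   : (uint8_t *)tmp;
	c.req = (struct model_req *)align_up((uintptr_t)c.iv + tfm->ivsize, MODEL_CTX_ALIGN);
	c.sg = (struct model_sg *)align_up((uintptr_t)(c.req + 1) + tfm->reqsize,
					   alignof(struct model_sg));
	return c;
}

/* Returns 1 when every carved region is aligned, non-overlapping and inside the
 * allocation, and a nonce of nonce_len bytes fits in the IV slot; 0 otherwise.
 * Assumes malloc() returns memory aligned to at least MODEL_CTX_ALIGN. */
static int model_layout_fits(const struct model_tfm *tfm, unsigned int nfrags,
			     unsigned int nonce_len)
{
	unsigned int size = model_tmp_size(tfm, nfrags);
	void *tmp = malloc(size);
	struct model_carved c;
	uintptr_t base, end, iv_end, req_end, sg_end;
	int ok;

	if (!tmp)
		return 0;
	c = model_carve(tfm, tmp);
	base = (uintptr_t)tmp;
	end = base + size;
	iv_end = (uintptr_t)c.iv + tfm->ivsize;
	req_end = (uintptr_t)(c.req + 1) + tfm->reqsize;
	sg_end = (uintptr_t)(c.sg + nfrags + 2);

	ok = ((uintptr_t)c.iv % (tfm->alignmask + 1) == 0) &&
	     ((uintptr_t)c.req % MODEL_CTX_ALIGN == 0) &&
	     ((uintptr_t)c.sg % alignof(struct model_sg) == 0) &&
	     (uintptr_t)c.iv >= base && iv_end <= (uintptr_t)c.req &&
	     req_end <= (uintptr_t)c.sg && sg_end <= end &&
	     nonce_len <= tfm->ivsize;
	free(tmp);
	return ok;
}

int main(void)
{
	printf("blob size for 3 frags: %u bytes, layout fits: %d\n",
	       model_tmp_size(&MODEL_AES, 3),
	       model_layout_fits(&MODEL_AES, 3, MODEL_NONCE_SIZE));
	printf("8-byte IV slot rejects the 12-byte nonce: %d\n",
	       !model_layout_fits(&MODEL_SHORT_IV, 3, MODEL_NONCE_SIZE));
	return 0;
}
```

The `MODEL_SHORT_IV` case is the one the patch's own code does not guard against: with a separate `OVPN_NONCE_SIZE` buffer the nonce copy could never spill, whereas in the combined blob the request structure sits immediately after the IV slot, so the check on `nonce_len <= ivsize` is what keeps the copy inside its region.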