tech-net archive


Re: IPsec: stack problems



On 01/03/2018 at 15:07, Joerg Sonnenberger wrote:
> On Thu, Mar 01, 2018 at 10:25:54AM +0100, Maxime Villard wrote:
>> In fact, the crypto code was written with the assumption that when
>> crypto_dispatch returns, there is no further crypto processing.
>>
>> If the packet is repushed, this assumption does not hold anymore, and I'm not
>> sure whether it wouldn't break things.
>>
>> But otherwise yes, it would be nice to repush the packet.
>
> I don't understand that. The lower layers already expect the decrypted
> data, so crypto processing has to be done at this point anyway?

I meant to say that I'm not sure that there aren't many design changes needed
in order to repush the packet.

My main concern is that I don't understand why the authors of the IPsec code
did not repush the packet like the rest of the encapsulation protocols. There
must have been some reason - like zeroing out secret structures once the
packet has gone through the network stack entirely, I don't know.

Also, crypto_dispatch already has a batching mechanism (CRYPTO_F_BATCH) - but
it appears to be unused, so I'm not sure what we intended to do there either.

Maxime

