On 01/03/2018 at 15:07, Joerg Sonnenberger wrote:
> On Thu, Mar 01, 2018 at 10:25:54AM +0100, Maxime Villard wrote:
>> In fact, the crypto code was written with the assumption that when crypto_dispatch returns, there is no further crypto processing. If the packet is repushed, this assumption does not hold anymore, and I'm not sure whether it wouldn't break things. But otherwise yes, it would be nice to repush the packet.
>
> I don't understand that. The lower layers already expect the decrypted data, so crypto processing has to be done at this point anyway?
I meant to say that I'm not sure that there aren't many design changes needed in order to repush the packet. My main concern is that I don't understand why the authors of the IPsec code did not repush the packet like the rest of the encapsulation protocols. There must have been some reason - like zeroing out secret structures once the packet has gone through the network stack entirely, I don't know.

Also, crypto_dispatch already has a batching mechanism (CRYPTO_F_BATCH) - but it appears to be unused, so I'm not sure what we intended to do there either.

Maxime