15 Apr, 2008
1 commit
-
When CONFIG_SECURITY_NETWORK_XFRM is undefined the following warnings appear:
net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire':
net/xfrm/xfrm_user.c:1576: warning: 'ctx' may be used uninitialized in this function
net/xfrm/xfrm_user.c: In function 'xfrm_get_policy':
net/xfrm/xfrm_user.c:1340: warning: 'ctx' may be used uninitialized in this function
(security_xfrm_policy_alloc is a noop for the case). It seems that they are the result of commit
03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b ("LSM: Make the Labeled IPsec
hooks more stack friendly").
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
14 Apr, 2008
1 commit
-
Conflicts:
drivers/net/ehea/ehea_main.c
drivers/net/wireless/iwlwifi/Kconfig
drivers/net/wireless/rt2x00/rt61pci.c
net/ipv4/inet_timewait_sock.c
net/ipv6/raw.c
net/mac80211/ieee80211_sta.c
13 Apr, 2008
1 commit
-
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs
on the stack to work around the LSM API. This patch attempts to fix that
problem by changing the LSM API to require only the relevant "security"
pointers instead of the entire SPD entry; we do this for all of the
security_xfrm_policy*() functions to keep things consistent.
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
10 Apr, 2008
1 commit
-
Commit df9dcb45 ([IPSEC]: Fix inter address family IPsec tunnel handling)
broke openswan by removing the selector initialization for tunnel mode
in case it is uninitialized.
This patch restores the initialization, fixing openswan, but probably
breaking inter-family tunnels again (unknown since the patch author
disappeared). The correct thing for inter-family tunnels is probably
to simply initialize the selector family explicitly.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
Conflicts:
drivers/net/usb/rndis_host.c
drivers/net/wireless/b43/dma.c
net/ipv6/ndisc.c
26 Mar, 2008
1 commit
-
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.
Signed-off-by: YOSHIFUJI Hideaki
25 Mar, 2008
2 commits
-
Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source
address to be mangled in the IPv6 header (that is "CoA").
On Inter-MN communication after both nodes bind each other,
they use route optimized traffic with two MIPv6 states applied, and
both source and destination address in the IPv6 header
are replaced by the states respectively.
The packet format is correct, however, the next-hop routing search
is not.
This patch fixes it by remembering address pairs for later states.
Based on a patch from Masahide NAKAMURA.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
-
Signed-off-by: Kazunori MIYAZAWA
Signed-off-by: David S. Miller
29 Feb, 2008
1 commit
-
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
This is achieved by adding the entries to one more list which is used
solely for walking the entries.
This also fixes some races where the dump can have duplicate or missing
entries when the SPD/SADB is modified during an ongoing dump.
Dumping SADB with 20000 entries using "time ip xfrm state" the sys
time dropped from 1.012s to 0.080s.
Signed-off-by: Timo Teras
Signed-off-by: David S. Miller
18 Feb, 2008
1 commit
-
Keep ordering of policy entries with same selector in
xfrm_dst_hash_transfer().
The issue should not appear in usual cases because multiple policy entries
with the same selector are basically not allowed so far. The bug was pointed
out by Sebastien Decugis.
We could convert bydst from hlist to list and use list_add_tail()
instead.
Signed-off-by: YOSHIFUJI Hideaki
Acked-by: Sebastien Decugis
Signed-off-by: David S. Miller
15 Feb, 2008
2 commits
-
From: YOSHIFUJI Hideaki
When we destroy a new policy entry, we need to tell
xfrm_policy_destroy() explicitly that the entry is not
alive yet.
Signed-off-by: David S. Miller
-
net/built-in.o: In function `xfrm_policy_init':
/home/pmundt/devel/git/sh-2.6.25/net/xfrm/xfrm_policy.c:2338: undefined reference to `snmp_mib_init'
snmp_mib_init() is only built in if CONFIG_INET is set.
Signed-off-by: Paul Mundt
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
13 Feb, 2008
1 commit
-
Al Viro spotted a bogus use of u64 on the input sequence number which
is big-endian. This patch fixes it by giving the input sequence number
its own member in the xfrm_skb_cb structure.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
08 Feb, 2008
1 commit
-
The below patch allows IPsec to use CTR mode with AES encryption
algorithm. Tested this using setkey in ipsec-tools.
Signed-off-by: Joy Latten
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
02 Feb, 2008
1 commit
-
all callers pass something->audit_context
Signed-off-by: Al Viro
01 Feb, 2008
5 commits
-
o Outbound sequence number overflow error status
is counted as XfrmOutStateSeqError.
o Additionally, it changes inbound sequence number replay
error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError
to apply name scheme above.
o Inbound IPv4 UDP encapsulating type mismatch error is wrongly
mapped to XfrmInStateInvalid then this patch fixes the error
to XfrmInStateMismatch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
This patch removes the following no longer used EXPORT_SYMBOL's:
- xfrm_input.c: xfrm_parse_spi
- xfrm_state.c: xfrm_replay_check
- xfrm_state.c: xfrm_replay_advance
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
-
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.
Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithm
is identified by its name and the ICV length.
For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Now that ESP uses authenc we can turn on the support for async
algorithms in IPsec.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
20 commits
-
Create a specific helper for netlink kernel socket disposal. This just
lets the code look better and provides a ground for proper disposal
inside a namespace.
Signed-off-by: Denis V. Lunev
Tested-by: Alexey Dobriyan
Signed-off-by: David S. Miller
-
net/xfrm/xfrm_policy.c:
xfrm_audit_policy_delete | -692
xfrm_audit_policy_add | -692
2 functions changed, 1384 bytes removed, diff: -1384
net/xfrm/xfrm_policy.c:
xfrm_audit_common_policyinfo | +704
1 function changed, 704 bytes added, diff: +704
net/xfrm/xfrm_policy.o:
3 functions changed, 704 bytes added, 1384 bytes removed, diff: -680
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
-
and select the crypto subsystem if necessary
Signed-off-by: Sebastian Siewior
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
xfrm_state_clone() is not used outside of net/xfrm/xfrm_state.c
There is no need to export it.
Spotted by sparse checker.
CHECK net/xfrm/xfrm_state.c
net/xfrm/xfrm_state.c:1103:19: warning: symbol 'xfrm_state_clone' was not
declared. Should it be static?
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
Since __xfrm_policy_destroy is used to destroy the resources
allocated by xfrm_policy_alloc, using the name
__xfrm_policy_destroy does not correspond with xfrm_policy_alloc.
Rename it to xfrm_policy_destroy.
And along with some instances that call xfrm_policy_alloc
but do not use xfrm_policy_destroy to destroy the resource,
fix them.
Signed-off-by: WANG Cong
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
o Increment PolError counter when flow_cache_lookup() returns
errored pointer.
o Increment NoStates counter at larval-drop.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
net/xfrm/xfrm_state.c:
xfrm_audit_state_delete | -589
xfrm_replay_check | -542
xfrm_audit_state_icvfail | -520
xfrm_audit_state_add | -589
xfrm_audit_state_replay_overflow | -523
xfrm_audit_state_notfound_simple | -509
xfrm_audit_state_notfound | -521
7 functions changed, 3793 bytes removed, diff: -3793
net/xfrm/xfrm_state.c:
xfrm_audit_helper_pktinfo | +522
xfrm_audit_helper_sainfo | +598
2 functions changed, 1120 bytes added, diff: +1120
net/xfrm/xfrm_state.o:
9 functions changed, 1120 bytes added, 3793 bytes removed, diff: -2673
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
-
Previously we made it an error on the output path if the sequence number
overflowed. However we did not set the err variable accordingly. This
patch sets err to -EOVERFLOW in that case.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Add __acquires() and __releases() annotations to suppress some sparse
warnings.
Example of warnings:
net/ipv4/udp.c:1555:14: warning: context imbalance in 'udp_seq_start' - wrong
count at exit
net/ipv4/udp.c:1571:13: warning: context imbalance in 'udp_seq_stop' -
unexpected unlock
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
Let's nip the code duplication in the bud :)
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
When the output transform returns EINPROGRESS due to async operation we'll
free the skb straight away as if it were an error. This patch fixes
that so that the skb is freed when the async operation completes.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
According to RFC4303, section 3.3.3 we need to drop outgoing packets which
cause the replay counter to overflow:
3.3.3. Sequence Number Generation
The sender's counter is initialized to 0 when an SA is established.
The sender increments the sequence number (or ESN) counter for this
SA and inserts the low-order 32 bits of the value into the Sequence
Number field. Thus, the first packet sent using a given SA will
contain a sequence number of 1.
If anti-replay is enabled (the default), the sender checks to ensure
that the counter has not cycled before inserting the new value in the
Sequence Number field. In other words, the sender MUST NOT send a
packet on an SA if doing so would cause the sequence number to cycle.
An attempt to transmit a packet that would result in sequence number
overflow is an auditable event. The audit log entry for this event
SHOULD include the SPI value, current date/time, Source Address,
Destination Address, and (in IPv6) the cleartext Flow ID.
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
-
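The sender-side rule quoted from RFC 4303 section 3.3.3 above (refuse to send when the next sequence number would cycle, and audit the attempt) is small enough to show in full. The following is an added example written for this log, not kernel xfrm code; the esp_sa record, esp_next_seq(), esp_audit_overflow() and demo() are hypothetical names, and the SPI and addresses are constructed sample values. It handles both plain 32-bit sequence numbers and Extended Sequence Numbers, which the quoted text mentions but the commit does not spell out.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Return codes for esp_next_seq(). */
#define ESP_SEQ_OK        0
#define ESP_SEQ_OVERFLOW (-1)   /* sending would cycle the counter: drop and audit */

/* Hypothetical outbound SA record (constructed for this example, not xfrm_state). */
struct esp_sa {
    uint32_t spi;
    uint64_t seq;                  /* counter; only the low-order 32 bits go on the wire */
    int use_esn;                   /* 1 if Extended Sequence Numbers were negotiated */
    int anti_replay;               /* 1 (the RFC default): never let the counter cycle */
    const char *src;               /* textual addresses for the audit record */
    const char *dst;
    unsigned long overflow_events; /* number of refused, audited send attempts */
};

/* Assign the sequence number for the next packet on this SA.
 * On success stores the 32-bit Sequence Number field value in *wire_seq.
 * With anti-replay enabled, refuses (ESP_SEQ_OVERFLOW) when the counter
 * would cycle: at 2^32 - 1 for plain sequence numbers, 2^64 - 1 with ESN. */
int esp_next_seq(struct esp_sa *sa, uint32_t *wire_seq)
{
    uint64_t limit = sa->use_esn ? UINT64_MAX : (uint64_t)UINT32_MAX;

    if (sa->anti_replay && sa->seq >= limit) {
        sa->overflow_events++;         /* auditable event per RFC 4303 3.3.3 */
        return ESP_SEQ_OVERFLOW;
    }
    sa->seq++;                         /* the first packet on a fresh SA carries 1 */
    *wire_seq = (uint32_t)sa->seq;     /* low-order 32 bits only */
    return ESP_SEQ_OK;
}

/* Format the audit record the RFC says SHOULD accompany an overflow attempt:
 * SPI, time, source and destination address. Returns the record length. */
int esp_audit_overflow(const struct esp_sa *sa, time_t now, char *buf, size_t len)
{
    return snprintf(buf, len,
                    "op=seq-overflow spi=0x%08" PRIx32 " time=%lld src=%s dst=%s",
                    sa->spi, (long long)now, sa->src, sa->dst);
}

/* Drive a constructed SA to the edge of its 32-bit counter and show both
 * outcomes. Returns the number of packets refused. */
int demo(void)
{
    struct esp_sa sa = { .spi = 0xdeadbeef, .seq = UINT32_MAX - 1, .use_esn = 0,
                         .anti_replay = 1, .src = "192.0.2.1", .dst = "198.51.100.7",
                         .overflow_events = 0 };   /* constructed sample SA */
    uint32_t seq;
    int refused = 0;
    char rec[160];

    if (esp_next_seq(&sa, &seq) == ESP_SEQ_OK)
        printf("sent seq=%" PRIu32 "\n", seq);     /* last legal value, 4294967295 */
    if (esp_next_seq(&sa, &seq) == ESP_SEQ_OVERFLOW) {
        refused++;
        esp_audit_overflow(&sa, (time_t)0, rec, sizeof rec);
        printf("dropped: %s\n", rec);
    }
    return refused;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The refusal happens before the counter is incremented, so a rejected send leaves the SA unchanged and a later rekey (new SA, counter back to 0) is the only way forward; with anti-replay disabled the counter simply wraps, which is what the RFC permits but does not recommend.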
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:
* Could not find a valid SA [sections 2.1, 3.4.2]
  . xfrm_audit_state_notfound()
  . xfrm_audit_state_notfound_simple()
* Sequence number overflow [section 3.3.3]
  . xfrm_audit_state_replay_overflow()
* Replayed packet [section 3.4.3]
  . xfrm_audit_state_replay()
* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
  . xfrm_audit_state_icvfail()
While RFC4304 deals only with ESP most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
-
This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:
* Use the 'audit_enabled' variable already in include/linux/audit.h
  Removed the need for extern declarations local to each XFRM audit function
* Convert 'sid' to 'secid' everywhere we can
  The 'sid' name is specific to SELinux, 'secid' is the common naming
  convention used by the kernel when referring to tokenized LSM labels,
  unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
  we risk breaking userspace
* Convert address display to use standard NIP* macros
  Similar to what was recently done with the SPD audit code, this also
  includes the removal of some unnecessary memcpy() calls
* Move common code to xfrm_audit_common_stateinfo()
  Code consolidation from the "less is more" book on software development
* Proper spacing around commas in function arguments
  Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
-
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
This statistic shows the factor dropped by transformation
at /proc/net/xfrm_stat for developers.
It is a counter designed from the current transformation source code
and defined as a Linux private MIB.
See Documentation/networking/xfrm_proc.txt for the details.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
An IPv6 specific thing was wrongly removed from transformation at net-2.6.25.
This patch recovers it with the current design.
o Update "path" of xfrm_dst since IPv6 transformation should
care about routing changes. It is required by MIPv6 and
off-link destined IPsec.
o Rename nfheader_len which is for non-fragment transformation used by
MIPv6 to rt6i_nfheader_len as IPv6 name space.
Signed-off-by: Masahide NAKAMURA
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
While merging the IPsec output path I moved the encapsulation output
operation to the top of the loop so that it sits outside of the locked
section. Unfortunately in doing so it now sits in front of the space
check as well which could be a fatal error.
This patch rearranges the calls so that the space check happens as
the thing on the output path.
This patch also fixes an incorrect goto should the encapsulation output
fail.
Thanks to Kazunori MIYAZAWA for finding this bug.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller