23 Apr, 2011
1 commit
-
Add const qualifiers to structs iphdr, ipv6hdr and in6_addr pointers
where possible, to make code intention more obvious.Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
14 Mar, 2011
2 commits
-
This patch adds IPsec extended sequence numbers support to esp4.
We use the authencesn crypto algorithm to handle esp with separate
encryption/authentication algorithms.Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller -
To support IPsec extended sequence numbers, we split the
output sequence numbers of xfrm_skb_cb in low and high order 32 bits
and we add the high order 32 bits to the input sequence numbers.
All users are updated accordingly.Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
11 Dec, 2010
1 commit
-
Add TFC padding to all packets smaller than the boundary configured
on the xfrm state. If the boundary is larger than the PMTU, limit
padding to the PMTU.Signed-off-by: Martin Willi
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
23 Feb, 2010
1 commit
-
pass mark to all SA lookups to prepare them for when we add code
to have them search.Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Nov, 2009
1 commit
-
Instead of using the hardcoded truncation for authentication
algorithms, use the truncation length specified on xfrm_state.Signed-off-by: Martin Willi
Signed-off-by: David S. Miller
15 Sep, 2009
1 commit
-
Remove long removed "inet_protocol_base" declaration.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
26 Nov, 2008
2 commits
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller -
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
03 Nov, 2008
1 commit
-
Signed-off-by: Jianjun Kong
Signed-off-by: David S. Miller
06 Aug, 2008
1 commit
-
Here's a revised version, based on Herbert's comments, of a fix for
the ipv6-inner, ipv4-outer interfamily ipsec beet mode. It fixes the
network header adjustment in interfamily, and doesn't reserve space
for the pseudo header anymore when we have ipv6 as the inner family.Signed-off-by: Joakim Koskela
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
ESP does not account for the IV size when calling pskb_may_pull() to
ensure everything it accesses directly is within the linear part of a
potential fragment. This results in a BUG() being triggered when the
both the IPv4 and IPv6 ESP stack is fed with an skb where the first
fragment ends between the end of the esp header and the end of the IV.This bug was found by Dirk Nehring .
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
18 Mar, 2008
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
13 Feb, 2008
1 commit
-
Al Viro spotted a bogus use of u64 on the input sequence number which
is big-endian. This patch fixes it by giving the input sequence number
its own member in the xfrm_skb_cb structure.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
01 Feb, 2008
3 commits
-
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms
is identified by its name and the ICV length.For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch converts ESP to use the crypto_aead interface and in particular
the authenc algorithm. This lays the foundations for future support of
combined mode algorithms.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
4 commits
-
Let's nip the code duplication in the bud :)
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:* Could not find a valid SA [sections 2.1, 3.4.2]
. xfrm_audit_state_notfound()
. xfrm_audit_state_notfound_simple()* Sequence number overflow [section 3.3.3]
. xfrm_audit_state_replay_overflow()* Replayed packet [section 3.4.3]
. xfrm_audit_state_replay()* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
. xfrm_audit_state_icvfail()While RFC4304 deals only with ESP most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller -
This patch releases the lock on the state before calling
x->type->input. It also adds the lock to the spots where they're
currently needed.Most of those places (all except mip6) are expected to disappear with
async crypto.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Similar to the moving out of the replay processing on the output, this
patch moves the integrity stat collectin from x->type->input into
xfrm_input.This would eventually allow transforms such as AH/ESP to be lockless.
The error value EBADMSG (currently unused in the crypto layer) is used
to indicate a failed integrity check. In future this error can be
directly returned by the crypto layer once we switch to aead
algorithms.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Dec, 2007
1 commit
-
RFC4303 introduces dummy packets with a nexthdr value of 59
to implement traffic confidentiality. Such packets need to
be dropped silently and the payload may not be attempted to
be parsed as it consists of random chunk.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
31 Oct, 2007
1 commit
-
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errorsThe issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.The first part fo the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.hSigned-off-by: David S. Miller
27 Oct, 2007
2 commits
-
This patch fixes the errors made in the users of the crypto layer during
the sg_init_table conversion. It also adds a few conversions that were
missing altogether.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch fixes the following compile errors in some configurations:
...
CC net/ipv4/esp4.o
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv4/esp4.c: In function 'esp_output':
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv4/esp4.c:113: error: implicit declaration of function 'sg_init_table'
make[3]: *** [net/ipv4/esp4.o] Error 1
...
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv6/esp6.c: In function 'esp6_output':
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv6/esp6.c:112: error: implicit declaration of function 'sg_init_table'
make[3]: *** [net/ipv6/esp6.o] Error 1Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
26 Oct, 2007
1 commit
-
Signed-off-by: David S. Miller
11 Oct, 2007
10 commits
-
This patch makes the IPv4 x->type->input functions return the next protocol
instead of setting it directly. This is identical to how we do things in
IPv6 and will help us merge common code on the input path.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch moves the setting of the IP length and checksum fields out of
the transforms and into the xfrmX_output functions. This would help future
efforts in merging the transforms themselves.It also adds an optimisation to ipcomp due to the fact that the transport
offset is guaranteed to be zero.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch removes the duplicate ipv6_{auth,esp,comp}_hdr structures since
they're identical to the IPv4 versions. Duplicating them would only create
problems for ourselves later when we need to add things like extended
sequence numbers.I've also added transport header type conversion headers for these types
which are now used by the transforms.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The IPv6 calling convention for x->mode->output is more general and could
help an eventual protocol-generic x->type->output implementation. This
patch adopts it for IPv4 as well and modifies the IPv4 type output functions
accordingly.It also rewrites the IPv6 mac/transport header calculation to be based off
the network header where practical.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch changes the calling convention so that on entry from
x->mode->output and before entry into x->type->output skb->data
will point to the payload instead of the IP header.This is essentially a redistribution of skb_push/skb_pull calls
with the aim of minimising them on the common path of tunnel +
ESP.It'll also let us use the same calling convention between IPv4
and IPv6 with the next patch.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
I pointed this out back when this patch was first proposed but it looks like
it got lost along the way.The checksum only needs to be ignored for NAT-T in transport mode where
we lose the original inner addresses due to NAT. With BEET the inner
addresses will be intact so the checksum remains valid.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch releases the lock on the state before calling x->type->output.
It also adds the lock to the spots where they're currently needed.Most of those places (all except mip6) are expected to disappear with
async crypto.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Current the x->mode->output functions store the IPv6 nh pointer in the
skb network header. This is inconvenient because the network header then
has to be fixed up before the packet can leave the IPsec stack. The mac
header field is unused on output so we can use that to store this instead.This patch does that and removes the network header fix-up in xfrm_output.
It also uses ipv6_hdr where appropriate in the x->type->output functions.
There is also a minor clean-up in esp4 to make it use the same code as
esp6 to help any subsequent effort to merge the two.Lastly it kills two redundant skb_set_* statements in BEET that were
simply copied over from transport mode.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The replay counter is one of only two remaining things in the output code
that requires a lock on the xfrm state (the other being the crypto). This
patch moves it into the generic xfrm_output so we can remove the lock from
the transforms themselves.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The keys are only used during initialisation so we don't need to carry them
in esp_data. Since we don't have to allocate them again, there is no need
to place a limit on the authentication key length anymore.This patch also kills the unused auth.icv member.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
It is clean-up for XFRM type modules and adds aliases with its
protocol:
ESP, AH, IPCOMP, IPIP and IPv6 for IPsec
ROUTING and DSTOPTS for MIPv6It is almost the same thing as XFRM mode alias, but it is added
new defines XFRM_PROTO_XXX for preprocessing since some protocols
are defined as enum.Signed-off-by: Masahide NAKAMURA
Acked-by: Ingo Oeser
Signed-off-by: David S. Miller
26 Apr, 2007
3 commits
-
esp_init_state doesn't account for the beet pseudo header in the header_len
calculation, which may result in undersized skbs hitting xfrm4_beet_output,
causing unnecessary reallocations in ip_finish_output2.The skbs should still always have enough room to avoid causing
skb_under_panic in skb_push since we have at least 16 bytes available
from LL_RESERVED_SPACE in xfrm_state_check_space.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Replace the probing based MTU estimation, which usually takes 2-3 iterations
to find a fitting value and may underestimate the MTU, by an exact calculation.Also fix underestimation of the XFRM trailer_len, which causes unnecessary
reallocations.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Fix incorrect switch of "trailer" skb by "skb" during skb_tail_pointer
conversion:- *(u8*)(trailer->tail - 1) = top_iph->protocol;
+ *(skb_tail_pointer(skb) - 1) = top_iph->protocol;- *(u8 *)(trailer->tail - 1) = *skb_network_header(skb);
+ *(skb_tail_pointer(skb) - 1) = *skb_network_header(skb);Signed-off-by: Patrick McHardy
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
