11 Oct, 2007
8 commits
-
This patch makes the IPv4 x->type->input functions return the next protocol
instead of setting it directly. This is identical to how we do things in
IPv6 and will help us merge common code on the input path.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch moves the setting of the IP length and checksum fields out of
the transforms and into the xfrmX_output functions. This would help future
efforts in merging the transforms themselves.It also adds an optimisation to ipcomp due to the fact that the transport
offset is guaranteed to be zero.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch removes the duplicate ipv6_{auth,esp,comp}_hdr structures since
they're identical to the IPv4 versions. Duplicating them would only create
problems for ourselves later when we need to add things like extended
sequence numbers.I've also added transport header type conversion headers for these types
which are now used by the transforms.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The IPv6 calling convention for x->mode->output is more general and could
help an eventual protocol-generic x->type->output implementation. This
patch adopts it for IPv4 as well and modifies the IPv4 type output functions
accordingly.It also rewrites the IPv6 mac/transport header calculation to be based off
the network header where practical.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch changes the calling convention so that on entry from
x->mode->output and before entry into x->type->output skb->data
will point to the payload instead of the IP header.This is essentially a redistribution of skb_push/skb_pull calls
with the aim of minimising them on the common path of tunnel +
ESP.It'll also let us use the same calling convention between IPv4
and IPv6 with the next patch.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch releases the lock on the state before calling x->type->output.
It also adds the lock to the spots where they're currently needed.Most of those places (all except mip6) are expected to disappear with
async crypto.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The replay counter is one of only two remaining things in the output code
that requires a lock on the xfrm state (the other being the crypto). This
patch moves it into the generic xfrm_output so we can remove the lock from
the transforms themselves.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The keys are only used during initialisation so we don't need to carry them
in esp_data. Since we don't have to allocate them again, there is no need
to place a limit on the authentication key length anymore.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
27 Aug, 2007
1 commit
-
In testing our ESP/AH offload hardware, I discovered an issue with how
AH handles mutable fields in IPv4. RFC 4302 (AH) states the following
on the subject:For IPv4, the entire option is viewed as a unit; so even
though the type and length fields within most options are immutable
in transit, if an option is classified as mutable, the entire option
is zeroed for ICV computation purposes.The current implementation does not zero the type and length fields,
resulting in authentication failures when communicating with hosts
that do (i.e. FreeBSD).I have tested record route and timestamp options (ping -R and ping -T)
on a small network involving Windows XP, FreeBSD 6.2, and Linux hosts,
with one router. In the presence of these options, the FreeBSD and
Linux hosts (with the patch or with the hardware) can communicate.
The Windows XP host simply fails to accept these packets with or
without the patch.I have also been trying to test source routing options (using
traceroute -g), but haven't had much luck getting this option to work
*without* AH, let alone with.Signed-off-by: Nick Bowler
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
It is clean-up for XFRM type modules and adds aliases with its
protocol:
ESP, AH, IPCOMP, IPIP and IPv6 for IPsec
ROUTING and DSTOPTS for MIPv6It is almost the same thing as XFRM mode alias, but it is added
new defines XFRM_PROTO_XXX for preprocessing since some protocols
are defined as enum.Signed-off-by: Masahide NAKAMURA
Acked-by: Ingo Oeser
Signed-off-by: David S. Miller
26 Apr, 2007
5 commits
-
Renaming skb->h to skb->transport_header, skb->nh to skb->network_header and
skb->mac to skb->mac_header, to match the names of the associated helpers
(skb[_[re]set]_{transport,network,mac}_header).Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
For the common, open coded 'skb->h.raw = skb->data' operation, so that we can
later turn skb->h.raw into a offset, reducing the size of struct sk_buff in
64bit land while possibly keeping it as a pointer on 32bit.This one touches just the most simple cases:
skb->h.raw = skb->data;
skb->h.raw = {skb_push|[__]skb_pull}()The next ones will handle the slightly more "complex" cases.
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
For the places where we need a pointer to the network header, it is still legal
to touch skb->nh.raw directly if just adding to, subtracting from or setting it
to another layer header.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
11 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
03 Dec, 2006
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
23 Sep, 2006
2 commits
-
Transformation mode is used as either IPsec transport or tunnel.
It is required to add two more items, route optimization and inbound trigger
for Mobile IPv6.
Based on MIPL2 kernel patch.This patch was also written by: Ville Nuorvala
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Changes to the core network stack to support the NetLabel subsystem. This
includes changes to the IPv4 option handling to support CIPSO labels.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
21 Sep, 2006
1 commit
-
This patch converts IPsec to use the new HMAC template. The names of
existing simple digest algorithms may still be used to refer to their
HMAC composites.The same structure can be used by other MACs such as AES-XCBC-MAC.
This patch also switches from the digest interface to hash.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
22 Jul, 2006
1 commit
-
Signed-off-by: Panagiotis Issaris
Signed-off-by: David S. Miller
01 Jul, 2006
1 commit
-
Signed-off-by: Jörn Engel
Signed-off-by: Adrian Bunk
18 Jun, 2006
1 commit
-
Now that we have xfrm_mode objects we can move the transport mode specific
input decapsulation code into xfrm_mode_transport. This removes duplicate
code as well as unnecessary header movement in case of tunnel mode SAs
since we will discard the original IP header immediately.This also fixes a minor bug for transport-mode ESP where the IP payload
length is set to the correct value minus the header length (with extension
headers for IPv6).Of course the other neat thing is that we no longer have to allocate
temporary buffers to hold the IP headers for ESP and IPComp.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
01 Apr, 2006
1 commit
-
This patch removes the decap_state argument from the xfrm input hook.
Previously this function allowed the input hook to share state with
the post_input hook. The latter has since been removed.The only purpose for it now is to check the encap type. However, it
is easier and better to move the encap type check to the generic
xfrm_rcv function. This allows us to get rid of the decap state
argument altogether.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
21 Mar, 2006
1 commit
-
Fast path sequence updates that will generate ipsec async
eventsSigned-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
04 Jan, 2006
1 commit
-
To help in reducing the number of include dependencies, several files were
touched as they were getting needed headers indirectly for stuff they use.Thanks also to Alan Menegotto for pointing out that net/dccp/proto.c had
linux/dccp.h include twice.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
02 Sep, 2005
1 commit
-
Since the patch to add a NULL short-circuit to crypto_free_tfm() went in,
there's no longer any need for callers of that function to check for NULL.
This patch removes the redundant NULL checks and also a few similar checks
for NULL before calls to kfree() that I ran into while doing the
crypto_free_tfm bits.I've succesfuly compile tested this patch, and a kernel with the patch
applied boots and runs just fine.When I posted the patch to LKML (and other lists/people on Cc) it drew the
following comments :J. Bruce Fields commented
"I've no problem with the auth_gss or nfsv4 bits.--b."Sridhar Samudrala said
"sctp change looks fine."Herbert Xu signed off on the patch.
So, I guess this is ready to be dropped into -mm and eventually mainline.
Signed-off-by: Jesper Juhl
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
21 Jun, 2005
1 commit
-
This patch adds xfrm_init_state which is simply a wrapper that calls
xfrm_get_type and subsequently x->type->init_state. It also gets rid
of the unused args argument.Abstracting it out allows us to add common initialisation code, e.g.,
to set family-specific flags.The add_time setting in xfrm_user.c was deleted because it's already
set by xfrm_state_alloc.Signed-off-by: Herbert Xu
Acked-by: James Morris
Signed-off-by: David S. Miller
17 Apr, 2005
1 commit
-
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.Let it rip!
