06 May, 2011
1 commit
-
Conflicts:
drivers/net/tg3.c
27 Apr, 2011
1 commit
-
When we use IPsec extended sequence numbers, we may overwrite
the last scatterlist of the associated data by the scatterlist
for the skb. This patch fixes this by placing the scatterlist
for the skb right behind the last scatterlist of the associated
data. esp4 does it already like that.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
23 Apr, 2011
1 commit
-
Add const qualifiers to structs iphdr, ipv6hdr and in6_addr pointers
where possible, to make code intention more obvious.

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
14 Mar, 2011
2 commits
-
This patch adds IPsec extended sequence numbers support to esp6.
We use the authencesn crypto algorithm to handle esp with separate
encryption/authentication algorithms.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
To support IPsec extended sequence numbers, we split the
output sequence numbers of xfrm_skb_cb in low and high order 32 bits
and we add the high order 32 bits to the input sequence numbers.
All users are updated accordingly.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
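As an added worked example (not kernel code from this history), the receive-side counterpart of the split described above: recovering the high-order 32 bits that the ESN commit adds to the input sequence number, then running the anti-replay window on the full 64-bit value, following RFC 4303 Appendix A. Assumed: a fixed 64-packet window and a state holding the highest accepted 64-bit sequence number.

```c
/* Added example (not kernel code): a receiver recovering the high-order half of an
 * ESP extended sequence number (ESN) and running anti-replay on the full 64-bit
 * value, after RFC 4303 Appendix A.  Assumed: a 64-packet window. */
#include <stdbool.h>
#include <stdint.h>

#define ESN_WINDOW 64
struct esn_replay {
    uint64_t top;     /* highest 64-bit sequence number accepted so far */
    uint64_t bitmap;  /* bit i set: sequence number top - i was seen */
};

/* Only seq_lo is on the wire; infer the high half from where the window sits.
 * Returns 0 (never a valid ESN) when no valid high half exists. */
uint64_t esn_reconstruct(const struct esn_replay *r, uint32_t seq_lo)
{
    uint32_t top_lo = (uint32_t)r->top, top_hi = (uint32_t)(r->top >> 32);
    uint32_t bottom = top_lo - (ESN_WINDOW - 1);  /* wraps mod 2^32 on purpose */
    uint32_t seq_hi;
    if (top_lo >= ESN_WINDOW - 1)        /* window inside one 2^32 subspace */
        seq_hi = (seq_lo >= bottom) ? top_hi : top_hi + 1;  /* below: wrapped */
    else if (seq_lo < bottom)            /* window straddles a subspace boundary */
        seq_hi = top_hi;
    else if (top_hi == 0)
        return 0;                        /* nothing precedes subspace 0 */
    else
        seq_hi = top_hi - 1;             /* high value: previous subspace */
    return ((uint64_t)seq_hi << 32) | seq_lo;
}

/* Anti-replay on the reconstructed value; records accepted packets.  A real stack
 * also feeds the inferred high half into the ICV, so a wrong guess fails there. */
bool esn_check(struct esn_replay *r, uint32_t seq_lo)
{
    uint64_t seq = esn_reconstruct(r, seq_lo), back;
    if (seq == 0)
        return false;
    if (seq > r->top) {                  /* ahead of the window: slide it */
        uint64_t shift = seq - r->top;
        r->bitmap = (shift >= ESN_WINDOW) ? 1 : (r->bitmap << shift) | 1;
        r->top = seq;
        return true;
    }
    back = r->top - seq;
    if (back >= ESN_WINDOW || (r->bitmap & ((uint64_t)1 << back)))
        return false;                    /* older than the window, or a replay */
    r->bitmap |= (uint64_t)1 << back;
    return true;
}
```

A low half below the window's lower bound is read as a wrap into the next 2^32 subspace, which is why the inferred high half must also be covered by the ICV: a stale packet mis-inferred as "far ahead" fails integrity instead of sliding the window.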
11 Dec, 2010
1 commit
-
Add TFC padding to all packets smaller than the boundary configured
on the xfrm state. If the boundary is larger than the PMTU, limit
padding to the PMTU.

Signed-off-by: Martin Willi
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
23 Feb, 2010
1 commit
-
Pass mark to all SA lookups to prepare them for when we add code
to have them search.

Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Nov, 2009
1 commit
-
Instead of using the hardcoded truncation for authentication
algorithms, use the truncation length specified on xfrm_state.

Signed-off-by: Martin Willi
Signed-off-by: David S. Miller
15 Sep, 2009
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
23 Jun, 2009
1 commit
-
Change all the code that deals directly with ICMPv6 type and code
values to use u8 instead of a signed int as that's the actual data
type.

Signed-off-by: Brian Haley
Signed-off-by: David S. Miller
26 Nov, 2008
2 commits
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
30 Oct, 2008
1 commit
-
Signed-off-by: Harvey Harrison
Signed-off-by: David S. Miller
29 Oct, 2008
1 commit
-
Signed-off-by: Harvey Harrison
Signed-off-by: David S. Miller
06 Aug, 2008
1 commit
-
Here's a revised version, based on Herbert's comments, of a fix for
the ipv4-inner, ipv6-outer interfamily ipsec beet mode. It fixes the
network header adjustment during interfamily, as well as makes sure
that we reserve enough room for the new ipv6 header if we might have
something else as the inner family. Also, the ipv4 pseudo header
construction was added.Signed-off-by: Joakim Koskela
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
ESP does not account for the IV size when calling pskb_may_pull() to
ensure everything it accesses directly is within the linear part of a
potential fragment. This results in a BUG() being triggered when the
both the IPv4 and IPv6 ESP stack is fed with an skb where the first
fragment ends between the end of the esp header and the end of the IV.

This bug was found by Dirk Nehring.
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
13 Feb, 2008
1 commit
-
Al Viro spotted a bogus use of u64 on the input sequence number which
is big-endian. This patch fixes it by giving the input sequence number
its own member in the xfrm_skb_cb structure.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
01 Feb, 2008
3 commits
-
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.

Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithm
is identified by its name and the ICV length.

For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch converts ESP to use the crypto_aead interface and in particular
the authenc algorithm. This lays the foundations for future support of
combined mode algorithms.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
4 commits
-
Let's nip the code duplication in the bud :)
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:

* Could not find a valid SA [sections 2.1, 3.4.2]
  . xfrm_audit_state_notfound()
  . xfrm_audit_state_notfound_simple()
* Sequence number overflow [section 3.3.3]
  . xfrm_audit_state_replay_overflow()
* Replayed packet [section 3.4.3]
  . xfrm_audit_state_replay()
* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
  . xfrm_audit_state_icvfail()

While RFC4304 deals only with ESP most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.

Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
-
This patch releases the lock on the state before calling
x->type->input. It also adds the lock to the spots where they're
currently needed.

Most of those places (all except mip6) are expected to disappear with
async crypto.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Similar to the moving out of the replay processing on the output, this
patch moves the integrity stat collection from x->type->input into
xfrm_input.

This would eventually allow transforms such as AH/ESP to be lockless.
The error value EBADMSG (currently unused in the crypto layer) is used
to indicate a failed integrity check. In future this error can be
directly returned by the crypto layer once we switch to aead
algorithms.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Dec, 2007
1 commit
-
RFC4303 introduces dummy packets with a nexthdr value of 59
to implement traffic confidentiality. Such packets need to
be dropped silently and the payload may not be attempted to
be parsed as it consists of random chunk.

Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
31 Oct, 2007
1 commit
-
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errors

The issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.

The first part of the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.

I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().

Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.

Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.

The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.h

Signed-off-by: David S. Miller
27 Oct, 2007
2 commits
-
This patch fixes the errors made in the users of the crypto layer during
the sg_init_table conversion. It also adds a few conversions that were
missing altogether.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch fixes the following compile errors in some configurations:
...
CC net/ipv4/esp4.o
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv4/esp4.c: In function 'esp_output':
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv4/esp4.c:113: error: implicit declaration of function 'sg_init_table'
make[3]: *** [net/ipv4/esp4.o] Error 1
...
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv6/esp6.c: In function 'esp6_output':
/home/bunk/linux/kernel-2.6/git/linux-2.6/net/ipv6/esp6.c:112: error: implicit declaration of function 'sg_init_table'
make[3]: *** [net/ipv6/esp6.o] Error 1

Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
26 Oct, 2007
1 commit
-
Signed-off-by: David S. Miller
22 Oct, 2007
1 commit
-
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
18 Oct, 2007
1 commit
-
Combining RO and AH/ESP/IPCOMP does not make sense. So this patch adds a
check in the state initialisation function to prevent this.

This allows us to safely remove the mode input function of RO since it
can never be called anymore. Indeed, if somehow it does get called we'll
know about it through an OOPS instead of it slipping past silently.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Oct, 2007
7 commits
-
This patch moves the setting of the IP length and checksum fields out of
the transforms and into the xfrmX_output functions. This would help future
efforts in merging the transforms themselves.

It also adds an optimisation to ipcomp due to the fact that the transport
offset is guaranteed to be zero.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch removes the duplicate ipv6_{auth,esp,comp}_hdr structures since
they're identical to the IPv4 versions. Duplicating them would only create
problems for ourselves later when we need to add things like extended
sequence numbers.

I've also added transport header type conversion headers for these types
which are now used by the transforms.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch changes the calling convention so that on entry from
x->mode->output and before entry into x->type->output skb->data
will point to the payload instead of the IP header.

This is essentially a redistribution of skb_push/skb_pull calls
with the aim of minimising them on the common path of tunnel +
ESP.

It'll also let us use the same calling convention between IPv4
and IPv6 with the next patch.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
This patch releases the lock on the state before calling x->type->output.
It also adds the lock to the spots where they're currently needed.

Most of those places (all except mip6) are expected to disappear with
async crypto.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Current the x->mode->output functions store the IPv6 nh pointer in the
skb network header. This is inconvenient because the network header then
has to be fixed up before the packet can leave the IPsec stack. The mac
header field is unused on output so we can use that to store this instead.

This patch does that and removes the network header fix-up in xfrm_output.
It also uses ipv6_hdr where appropriate in the x->type->output functions.
There is also a minor clean-up in esp4 to make it use the same code as
esp6 to help any subsequent effort to merge the two.

Lastly it kills two redundant skb_set_* statements in BEET that were
simply copied over from transport mode.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
The replay counter is one of only two remaining things in the output code
that requires a lock on the xfrm state (the other being the crypto). This
patch moves it into the generic xfrm_output so we can remove the lock from
the transforms themselves.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
The keys are only used during initialisation so we don't need to carry them
in esp_data. Since we don't have to allocate them again, there is no need
to place a limit on the authentication key length anymore.

This patch also kills the unused auth.icv member.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
It is clean-up for XFRM type modules and adds aliases with its
protocol:
ESP, AH, IPCOMP, IPIP and IPv6 for IPsec
ROUTING and DSTOPTS for MIPv6

It is almost the same thing as XFRM mode alias, but it adds
new defines XFRM_PROTO_XXX for preprocessing since some protocols
are defined as enum.

Signed-off-by: Masahide NAKAMURA
Acked-by: Ingo Oeser
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
Replace the probing based MTU estimation, which usually takes 2-3 iterations
to find a fitting value and may underestimate the MTU, by an exact calculation.

Also fix underestimation of the XFRM trailer_len, which causes unnecessary
reallocations.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller