22 Sep, 2011

1 commit

  • When asyncronous crypto algorithms are used, there might be many
    packets that passed the xfrm replay check, but the replay advance
    function is not called yet for these packets. So the replay check
    function would accept a replay of all of these packets. Also the
    system might crash if there are more packets in async processing
    than the size of the anti replay window, because the replay advance
    function would try to update the replay window beyond the bounds.

    This pach adds a second replay check after resuming from the async
    processing to fix these issues.

    Signed-off-by: Steffen Klassert
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Steffen Klassert
     

29 Mar, 2011

1 commit


28 Mar, 2011

1 commit

  • Crypto requests might return asynchronous. In this case we leave
    the rcu protected region, so force a refcount on the skb's
    destination entry before we enter the xfrm type input/output
    handlers.

    This fixes a crash when a route is deleted whilst sending IPsec
    data that is transformed by an asynchronous algorithm.

    Signed-off-by: Steffen Klassert
    Signed-off-by: David S. Miller

    Steffen Klassert
     

14 Mar, 2011

3 commits


23 Feb, 2010

1 commit


03 Jun, 2009

1 commit

  • Define three accessors to get/set dst attached to a skb

    struct dst_entry *skb_dst(const struct sk_buff *skb)

    void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)

    void skb_dst_drop(struct sk_buff *skb)
    This one should replace occurrences of :
    dst_release(skb->dst)
    skb->dst = NULL;

    Delete skb->dst field

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

19 Dec, 2008

1 commit


05 Dec, 2008

1 commit


26 Nov, 2008

3 commits


25 Mar, 2008

1 commit


13 Feb, 2008

1 commit


01 Feb, 2008

2 commits

  • o Outbound sequence number overflow error status
    is counted as XfrmOutStateSeqError.
    o Additionaly, it changes inbound sequence number replay
    error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError
    to apply name scheme above.
    o Inbound IPv4 UDP encapsuling type mismatch error is wrongly
    mapped to XfrmInStateInvalid then this patch fiex the error
    to XfrmInStateMismatch.

    Signed-off-by: Masahide NAKAMURA
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
     
  • This patch removes the following no longer used EXPORT_SYMBOL's:
    - xfrm_input.c: xfrm_parse_spi
    - xfrm_state.c: xfrm_replay_check
    - xfrm_state.c: xfrm_replay_advance

    Signed-off-by: Adrian Bunk
    Signed-off-by: David S. Miller

    Adrian Bunk
     

29 Jan, 2008

12 commits

  • Let's nip the code duplication in the bud :)

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch adds a number of new IPsec audit events to meet the auditing
    requirements of RFC4303. This includes audit hooks for the following events:

    * Could not find a valid SA [sections 2.1, 3.4.2]
    . xfrm_audit_state_notfound()
    . xfrm_audit_state_notfound_simple()

    * Sequence number overflow [section 3.3.3]
    . xfrm_audit_state_replay_overflow()

    * Replayed packet [section 3.4.3]
    . xfrm_audit_state_replay()

    * Integrity check failure [sections 3.4.4.1, 3.4.4.2]
    . xfrm_audit_state_icvfail()

    While RFC4304 deals only with ESP most of the changes in this patch apply to
    IPsec in general, i.e. both AH and ESP. The one case, integrity check
    failure, where ESP specific code had to be modified the same was done to the
    AH code for the sake of consistency.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     
  • Signed-off-by: Masahide NAKAMURA
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
     
  • This patch adds the xfrm_input_state helper function which returns the
    current xfrm state being processed on the input path given an sk_buff.
    This is currently only used by xfrm_input but will be used by ESP upon
    asynchronous resumption.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • When merging the input paths of IPsec I accidentally left a hard-coded
    AF_INET for the state lookup call. This broke IPv6 obviously. This
    patch fixes by getting the input callers to specify the family through
    skb->cb.

    Credit goes to Kazunori Miyazawa for diagnosing this and providing an
    initial patch.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch adds support for async resumptions on input. To do so, the
    transform would return -EINPROGRESS and subsequently invoke the
    function xfrm_input_resume to resume processing.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • The nhoff field isn't actually necessary in xfrm_input. For tunnel
    mode transforms we now throw away the output IP header so it makes no
    sense to fill in the nexthdr field. For transport mode we can now let
    the function transport_finish do the setting and it knows where the
    nexthdr field is.

    The only other thing that needs the nexthdr field to be set is the
    header extraction code. However, we can simply move the protocol
    extraction out of the generic header extraction.

    We want to minimise the amount of info we have to carry around between
    transforms as this simplifies the resumption process for async crypto.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch releases the lock on the state before calling
    x->type->input. It also adds the lock to the spots where they're
    currently needed.

    Most of those places (all except mip6) are expected to disappear with
    async crypto.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • Similar to the moving out of the replay processing on the output, this
    patch moves the integrity stat collectin from x->type->input into
    xfrm_input.

    This would eventually allow transforms such as AH/ESP to be lockless.

    The error value EBADMSG (currently unused in the crypto layer) is used
    to indicate a failed integrity check. In future this error can be
    directly returned by the crypto layer once we switch to aead
    algorithms.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • As it is xfrm_input first collects a list of xfrm states on the stack
    before storing them in the packet's security path just before it
    returns. For async crypto, this construction presents an obstacle
    since we may need to leave the loop after each transform.

    In fact, it's much easier to just skip the stack completely and always
    store to the security path. This is proven by the fact that this
    patch actually shrinks the code.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • As part of the work on asynchronous cryptographic operations, we need
    to be able to resume from the spot where they occur. As such, it
    helps if we isolate them to one spot.

    This patch moves most of the remaining family-specific processing into
    the common input code.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • With inter-family transforms the inner mode differs from the outer
    mode. Attempting to handle both sides from the same function means
    that it needs to handle both IPv4 and IPv6 which creates duplication
    and confusion.

    This patch separates the two parts on the input path so that each
    function deals with one family only.

    In particular, the functions xfrm4_extract_inut/xfrm6_extract_inut
    moves the pertinent fields from the IPv4/IPv6 IP headers into a
    neutral format stored in skb->cb. This is then used by the inner mode
    input functions to modify the inner IP header. In this way the input
    function no longer has to know about the outer address family.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

18 Oct, 2007

1 commit

  • Currently xfrm_parse_spi requires there to be 16 bytes for AH and ESP.
    In contrived cases there may not actually be 16 bytes there since the
    respective header sizes are less than that (8 and 12 currently).

    This patch changes the test to use the actual header length instead of 16.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

20 Jul, 2007

1 commit

  • Slab destructors were no longer supported after Christoph's
    c59def9f222d44bb7e2f0a559f2906191a0862d7 change. They've been
    BUGs for both slab and slub, and slob never supported them
    either.

    This rips out support for the dtor pointer from kmem_cache_create()
    completely and fixes up every single callsite in the kernel (there were
    about 224, not including the slab allocator definitions themselves,
    or the documentation references).

    Signed-off-by: Paul Mundt

    Paul Mundt
     

26 Apr, 2007

1 commit


11 Feb, 2007

1 commit


08 Dec, 2006

2 commits

  • Replace all uses of kmem_cache_t with struct kmem_cache.

    The patch was generated using the following script:

    #!/bin/sh
    #
    # Replace one string by another in all the kernel sources.
    #

    set -e

    for file in `find * -name "*.c" -o -name "*.h"|xargs grep -l $1`; do
    quilt add $file
    sed -e "1,\$s/$1/$2/g" $file >/tmp/$$
    mv /tmp/$$ $file
    quilt refresh
    done

    The script was run like this

    sh replace kmem_cache_t "struct kmem_cache"

    Signed-off-by: Christoph Lameter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Christoph Lameter
     
  • SLAB_ATOMIC is an alias of GFP_ATOMIC

    Signed-off-by: Christoph Lameter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Christoph Lameter
     

29 Sep, 2006

1 commit


23 Sep, 2006

1 commit


23 May, 2006

1 commit


01 Apr, 2006

1 commit


30 Aug, 2005

1 commit