20 Jul, 2008
1 commit
-
Without CONFIG_NET_NS, namespace is always &init_net.
Compiler will be able to omit namespace comparisons with this patch.
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
11 Jul, 2008
1 commit
-
Add a XFRM_STATE_AF_UNSPEC flag to handle the AF_UNSPEC behavior for
the selector family. Userspace applications can set this flag to leave
the selector family of the xfrm_state unspecified. This can be used
to handle inter family tunnels if the selector is not set from
userspace.
Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
05 Jun, 2008
1 commit
-
This patch fixes the usage of RIPEMD-160 in xfrm_algo which in turn
allows hmac(rmd160) to be used as authentication mechanism in IPsec
ESP and AH (see RFC 2857).
Signed-off-by: Adrian-Ken Rueegsegger
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
22 May, 2008
1 commit
-
The crypto layer will determine whether that is valid
or not.
Suggested by Herbert Xu, based upon a report and patch
by Martin Willi.
Signed-off-by: David S. Miller
Acked-by: Herbert Xu
13 May, 2008
1 commit
-
This patch adds needed_headroom/needed_tailroom members to struct
net_device and updates many places that allocate skbs to use them. Not
all of them can be converted though, and I'm sure I missed some (I
mostly grepped for LL_RESERVED_SPACE).
Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
30 Apr, 2008
1 commit
-
* 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] new predicate - AUDIT_FILETYPE
[patch 2/2] Use find_task_by_vpid in audit code
[patch 1/2] audit: let userspace fully control TTY input auditing
[PATCH 2/2] audit: fix sparse shadowed variable warnings
[PATCH 1/2] audit: move extern declarations to audit.h
Audit: MAINTAINERS update
Audit: increase the maximum length of the key field
Audit: standardize string audit interfaces
Audit: stop deadlock from signals under load
Audit: save audit_backlog_limit audit messages in case auditd comes back
Audit: collect sessionid in netlink messages
Audit: end printk with newline
29 Apr, 2008
1 commit
-
Some drivers have duplicated unlikely() macros. IS_ERR() already has
unlikely() in itself.
This patch cleans up such pointless code.
Signed-off-by: Hirofumi Nakagawa
Acked-by: David S. Miller
Acked-by: Jeff Garzik
Cc: Paul Clements
Cc: Richard Purdie
Cc: Alessandro Zummo
Cc: David Brownell
Cc: James Bottomley
Cc: Michael Halcrow
Cc: Anton Altaparmakov
Cc: Al Viro
Cc: Carsten Otte
Cc: Patrick McHardy
Cc: Paul Mundt
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Acked-by: Mike Frysinger
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
28 Apr, 2008
3 commits
-
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages. This patch adds that information to netlink messages
so we can audit who sent netlink messages.
Signed-off-by: Eric Paris
Signed-off-by: Al Viro
-
Previously digest_null had no setkey function which meant that
we used hmac(digest_null) for IPsec since IPsec always calls
setkey. Now that digest_null has a setkey we no longer need to
do that.
In fact when only confidentiality is specified for ESP we already
use digest_null directly. However, when the null algorithm is
explicitly specified by the user we still opt for hmac(digest_null).
This patch removes this discrepancy. I have not added a new compat
name for it because by chance it wasn't actually possible for the user
to specify the name hmac(digest_null) due to a key length check in
xfrm_user (which I found out when testing that compat name :)
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Flowlabel text format was not correct and thus ambiguous.
For example, 0x00123 or 0x01203 are formatted as 0x123.
This is not what audit tools want.
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
22 Apr, 2008
1 commit
-
As it stands it's impossible to use any authentication algorithms
with an ID above 31 portably. It just happens to work on x86 but
fails miserably on ppc64.
The reason is that we're using a bit mask to check the algorithm
ID but the mask is only 32 bits wide.
After looking at how this is used in the field, I have concluded
that in the long term we should phase out state matching by IDs
because this is made superfluous by the reqid feature. For current
applications, the best solution IMHO is to allow all algorithms when
the bit masks are all ~0.
The following patch does exactly that.
This bug was identified by IBM when testing on the ppc64 platform
using the NULL authentication algorithm which has an ID of 251.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
15 Apr, 2008
1 commit
-
When CONFIG_SECURITY_NETWORK_XFRM is undefined the following warnings appear:
net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire':
net/xfrm/xfrm_user.c:1576: warning: 'ctx' may be used uninitialized in this function
net/xfrm/xfrm_user.c: In function 'xfrm_get_policy':
net/xfrm/xfrm_user.c:1340: warning: 'ctx' may be used uninitialized in this function
(security_xfrm_policy_alloc is noop for the case).
It seems that they are result of the commit
03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b ("LSM: Make the Labeled IPsec
hooks more stack friendly")
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
14 Apr, 2008
1 commit
-
Conflicts:
drivers/net/ehea/ehea_main.c
drivers/net/wireless/iwlwifi/Kconfig
drivers/net/wireless/rt2x00/rt61pci.c
net/ipv4/inet_timewait_sock.c
net/ipv6/raw.c
net/mac80211/ieee80211_sta.c
13 Apr, 2008
1 commit
-
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs
on the stack to work around the LSM API. This patch attempts to fix that
problem by changing the LSM API to require only the relevant "security"
pointers instead of the entire SPD entry; we do this for all of the
security_xfrm_policy*() functions to keep things consistent.
Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
10 Apr, 2008
1 commit
-
Commit df9dcb45 ([IPSEC]: Fix inter address family IPsec tunnel handling)
broke openswan by removing the selector initialization for tunnel mode
in case it is uninitialized.
This patch restores the initialization, fixing openswan, but probably
breaking inter-family tunnels again (unknown since the patch author
disappeared). The correct thing for inter-family tunnels is probably
to simply initialize the selector family explicitly.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
Conflicts:
drivers/net/usb/rndis_host.c
drivers/net/wireless/b43/dma.c
net/ipv6/ndisc.c
26 Mar, 2008
1 commit
-
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.
Signed-off-by: YOSHIFUJI Hideaki
25 Mar, 2008
2 commits
-
Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source
address to be mangled in the IPv6 header (that is "CoA").
On Inter-MN communication after both nodes bind each other,
they use route optimized traffic with two MIPv6 states applied, and
both source and destination address in the IPv6 header
are replaced by the states respectively.
The packet format is correct, however, next-hop routing search
is not.
This patch fixes it by remembering address pairs for later states.
Based on patch from Masahide NAKAMURA.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
-
Signed-off-by: Kazunori MIYAZAWA
Signed-off-by: David S. Miller
29 Feb, 2008
1 commit
-
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
This is achieved adding the entries to one more list which is used
solely for walking the entries.
This also fixes some races where the dump can have duplicate or missing
entries when the SPD/SADB is modified during an ongoing dump.
Dumping SADB with 20000 entries using "time ip xfrm state" the sys
time dropped from 1.012s to 0.080s.
Signed-off-by: Timo Teras
Signed-off-by: David S. Miller
18 Feb, 2008
1 commit
-
Keep ordering of policy entries with same selector in
xfrm_dst_hash_transfer().
Issue should not appear in usual cases because multiple policy entries
with same selector are basically not allowed so far. Bug was pointed
out by Sebastien Decugis.
We could convert bydst from hlist to list and use list_add_tail()
instead.
Signed-off-by: YOSHIFUJI Hideaki
Acked-by: Sebastien Decugis
Signed-off-by: David S. Miller
15 Feb, 2008
2 commits
-
From: YOSHIFUJI Hideaki
When we destroy a new policy entry, we need to tell
xfrm_policy_destroy() explicitly that the entry is not
alive yet.
Signed-off-by: David S. Miller
-
net/built-in.o: In function `xfrm_policy_init':
/home/pmundt/devel/git/sh-2.6.25/net/xfrm/xfrm_policy.c:2338: undefined reference to `snmp_mib_init'
snmp_mib_init() is only built in if CONFIG_INET is set.
Signed-off-by: Paul Mundt
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
13 Feb, 2008
1 commit
-
Al Viro spotted a bogus use of u64 on the input sequence number which
is big-endian. This patch fixes it by giving the input sequence number
its own member in the xfrm_skb_cb structure.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
08 Feb, 2008
1 commit
-
The below patch allows IPsec to use CTR mode with AES encryption
algorithm. Tested this using setkey in ipsec-tools.
Signed-off-by: Joy Latten
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
02 Feb, 2008
1 commit
-
all callers pass something->audit_context
Signed-off-by: Al Viro
01 Feb, 2008
5 commits
-
o Outbound sequence number overflow error status
is counted as XfrmOutStateSeqError.
o Additionally, it changes inbound sequence number replay
error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError
to apply name scheme above.
o Inbound IPv4 UDP encapsulation type mismatch error is wrongly
mapped to XfrmInStateInvalid, so this patch fixes the error
to XfrmInStateMismatch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
This patch removes the following no longer used EXPORT_SYMBOL's:
- xfrm_input.c: xfrm_parse_spi
- xfrm_state.c: xfrm_replay_check
- xfrm_state.c: xfrm_replay_advance
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
-
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.
Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithm
is identified by its name and the ICV length.
For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Now that ESP uses authenc we can turn on the support for async
algorithms in IPsec.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
9 commits
-
Create a specific helper for netlink kernel socket disposal. This just
let the code look better and provides a ground for proper disposal
inside a namespace.
Signed-off-by: Denis V. Lunev
Tested-by: Alexey Dobriyan
Signed-off-by: David S. Miller
-
net/xfrm/xfrm_policy.c:
xfrm_audit_policy_delete | -692
xfrm_audit_policy_add | -692
2 functions changed, 1384 bytes removed, diff: -1384
net/xfrm/xfrm_policy.c:
xfrm_audit_common_policyinfo | +704
1 function changed, 704 bytes added, diff: +704
net/xfrm/xfrm_policy.o:
3 functions changed, 704 bytes added, 1384 bytes removed, diff: -680
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
-
and select the crypto subsystem if necessary
Signed-off-by: Sebastian Siewior
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
xfrm_state_clone() is not used outside of net/xfrm/xfrm_state.c
There is no need to export it.
Spotted by sparse checker.
CHECK net/xfrm/xfrm_state.c
net/xfrm/xfrm_state.c:1103:19: warning: symbol 'xfrm_state_clone' was not
declared. Should it be static?
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
Since __xfrm_policy_destroy is used to destroy the resources
allocated by xfrm_policy_alloc, the name
__xfrm_policy_destroy does not correspond with xfrm_policy_alloc.
Rename it to xfrm_policy_destroy.
Also fix some instances that call xfrm_policy_alloc
but do not use xfrm_policy_destroy to destroy the resource.
Signed-off-by: WANG Cong
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
-
o Increment PolError counter when flow_cache_lookup() returns
errored pointer.
o Increment NoStates counter at larval-drop.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
net/xfrm/xfrm_state.c:
xfrm_audit_state_delete | -589
xfrm_replay_check | -542
xfrm_audit_state_icvfail | -520
xfrm_audit_state_add | -589
xfrm_audit_state_replay_overflow | -523
xfrm_audit_state_notfound_simple | -509
xfrm_audit_state_notfound | -521
7 functions changed, 3793 bytes removed, diff: -3793
net/xfrm/xfrm_state.c:
xfrm_audit_helper_pktinfo | +522
xfrm_audit_helper_sainfo | +598
2 functions changed, 1120 bytes added, diff: +1120
net/xfrm/xfrm_state.o:
9 functions changed, 1120 bytes added, 3793 bytes removed, diff: -2673
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
-
Previously we made it an error on the output path if the sequence number
overflowed. However we did not set the err variable accordingly. This
patch sets err to -EOVERFLOW in that case.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Add __acquires() and __releases() annotations to suppress some sparse
warnings.
Example of warnings:
net/ipv4/udp.c:1555:14: warning: context imbalance in 'udp_seq_start' - wrong
count at exit
net/ipv4/udp.c:1571:13: warning: context imbalance in 'udp_seq_stop' -
unexpected unlock
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller