1. 25 9月, 2013 1 次提交
    • T
      xfrm: Fix aevent generation for each received packet · cd808fc9
      Thomas Egerer 提交于
      If asynchronous events are enabled for a particular netlink socket,
      the notify function is called by the advance function. The notify
      function creates and dispatches a km_event if a replay timeout occurred,
      or at least replay_maxdiff packets have been received since the last
      asynchronous event has been sent. The function is supposed to return if
      neither of the two events were detected for a state, or replay_maxdiff
      is equal to zero.
      Replay_maxdiff is initialized in xfrm_state_construct to the value of
      the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
      if the netlink attribute XFRMA_REPLAY_THRESH is set.
      If, however, replay_maxdiff is set to zero, then all of the three notify
      implementations perform a break from the switch statement instead of
      checking whether a timeout occurred, and -- if not -- return.  As a
      result an asynchronous event is generated for every replay update of a
      state that has a zero replay_maxdiff value.
      This patch modifies the notify functions such that they immediately
      return if replay_maxdiff has the value zero, unless a timeout occurred.
      Signed-off-by: NThomas Egerer <thomas.egerer@secunet.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      cd808fc9
  2. 17 9月, 2013 1 次提交
    • F
      xfrm: Guard IPsec anti replay window against replay bitmap · 33fce60d
      Fan Du 提交于
      For legacy IPsec anti replay mechanism:
      
      bitmap in struct xfrm_replay_state could only provide a 32 bits
      window size limit in current design, thus user level parameter
      sadb_sa_replay should honor this limit, otherwise misleading
      outputs("replay=244") by setkey -D will be:
      
      192.168.25.2 192.168.22.2
      	esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
      	E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
      	A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
      	seq=0x00000000 replay=244 flags=0x00000000 state=mature
      	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
      	diff: 22(s)	hard: 30(s)	soft: 26(s)
      	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
      	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
      	allocated: 22	hard: 0	soft: 0
      	sadb_seq=1 pid=4854 refcnt=0
      192.168.22.2 192.168.25.2
      	esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
      	E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
      	A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
      	seq=0x00000000 replay=244 flags=0x00000000 state=mature
      	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
      	diff: 22(s)	hard: 30(s)	soft: 26(s)
      	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
      	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
      	allocated: 22	hard: 0	soft: 0
      	sadb_seq=0 pid=4854 refcnt=0
      
      And also, optimizing xfrm_replay_check window checking by setting the
      desirable x->props.replay_window with only doing the comparison once
      for all when xfrm_state is first born.
      Signed-off-by: NFan Du <fan.du@windriver.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      33fce60d
  3. 25 3月, 2013 1 次提交
  4. 20 3月, 2013 1 次提交
  5. 18 1月, 2013 1 次提交
    • N
      net/xfrm/xfrm_replay: avoid division by zero · e2f67259
      Nickolai Zeldovich 提交于
      All of the xfrm_replay->advance functions in xfrm_replay.c check if
      x->replay_esn->replay_window is zero (and return if so).  However,
      one of them, xfrm_replay_advance_bmp(), divides by that value (in the
      '%' operator) before doing the check, which can potentially trigger
      a divide-by-zero exception.  Some compilers will also assume that the
      earlier division means the value cannot be zero later, and thus will
      eliminate the subsequent zero check as dead code.
      
      This patch moves the division to after the check.
      Signed-off-by: NNickolai Zeldovich <nickolai@csail.mit.edu>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      e2f67259
  6. 08 11月, 2012 1 次提交
  7. 05 9月, 2012 1 次提交
  8. 23 3月, 2012 1 次提交
  9. 01 11月, 2011 1 次提交
  10. 19 10月, 2011 1 次提交
  11. 08 6月, 2011 1 次提交
  12. 11 5月, 2011 1 次提交
    • S
      xfrm: Don't allow esn with disabled anti replay detection · 6fa5ddcc
      Steffen Klassert 提交于
      Unlike the standard case, disabled anti replay detection needs some
      nontrivial extra treatment on ESN. RFC 4303 states:
      
      Note: If a receiver chooses to not enable anti-replay for an SA, then
      the receiver SHOULD NOT negotiate ESN in an SA management protocol.
      Use of ESN creates a need for the receiver to manage the anti-replay
      window (in order to determine the correct value for the high-order
      bits of the ESN, which are employed in the ICV computation), which is
      generally contrary to the notion of disabling anti-replay for an SA.
      
      So return an error if an ESN state with disabled anti replay detection
      is inserted for now and add the extra treatment later if we need it.
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6fa5ddcc
  13. 27 4月, 2011 1 次提交
  14. 29 3月, 2011 1 次提交
  15. 14 3月, 2011 3 次提交