提交 · 5c04c819a20af40adb7d282199f4e34e14fa05c5 · openeuler / Kernel

29 3月, 2011 1 次提交

xfrm: Assign esn pointers when cloning a state · af2f464e

由 Steffen Klassert 提交于 3月 28, 2011

When we clone a xfrm state we have to assign the replay_esn
and the preplay_esn pointers to the state if we use the
new replay detection method. To this end, we add a
xfrm_replay_clone() function that allocates memory for
the replay detection and takes over the necessary values
from the original state.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

af2f464e

22 3月, 2011 1 次提交

xfrm: Fix initialize repl field of struct xfrm_state · a454f0cc

由 Wei Yongjun 提交于 3月 21, 2011

Commit 'xfrm: Move IPsec replay detection functions to a separate file'
  (9fdc4883)
introduce repl field to struct xfrm_state, and only initialize it
under SA's netlink create path, the other path, such as pf_key,
ipcomp/ipcomp6 etc, the repl field remaining uninitialize. So if
the SA is created by pf_key, any input packet with SA's encryption
algorithm will cause panic.

    int xfrm_input()
    {
        ...
        x->repl->advance(x, seq);
        ...
    }

This patch fixed it by introduce new function __xfrm_init_state().

Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs
EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0
EIP is at xfrm_input+0x31c/0x4cc
EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000
ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000)
Stack:
 00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0
 00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000
 dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32
Call Trace:
 [<c0786848>] xfrm4_rcv_encap+0x22/0x27
 [<c0786868>] xfrm4_rcv+0x1b/0x1d
 [<c074ee56>] ip_local_deliver_finish+0x112/0x1b1
 [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
 [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
 [<c074ef77>] ip_local_deliver+0x3e/0x44
 [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
 [<c074ec03>] ip_rcv_finish+0x30a/0x332
 [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
 [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
 [<c074f188>] ip_rcv+0x20b/0x247
 [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
 [<c072797d>] __netif_receive_skb+0x373/0x399
 [<c0727bc1>] netif_receive_skb+0x4b/0x51
 [<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp]
 [<c072818f>] net_rx_action+0x9a/0x17d
 [<c0445b5c>] __do_softirq+0xa1/0x149
 [<c0445abb>] ? __do_softirq+0x0/0x149
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

a454f0cc

14 3月, 2011 4 次提交

xfrm: Add support for IPsec extended sequence numbers · 2cd08467

由 Steffen Klassert 提交于 3月 08, 2011

This patch adds support for IPsec extended sequence numbers (esn)
as defined in RFC 4303. The bits to manage the anti-replay window
are based on a patch from Alex Badea.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

2cd08467

xfrm: Move IPsec replay detection functions to a separate file · 9fdc4883

由 Steffen Klassert 提交于 3月 08, 2011

To support multiple versions of replay detection, we move the replay
detection functions to a separate file and make them accessible
via function pointers contained in the struct xfrm_replay.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

9fdc4883

xfrm: Use separate low and high order bits of the sequence numbers in xfrm_skb_cb · 1ce3644a

由 Steffen Klassert 提交于 3月 08, 2011

To support IPsec extended sequence numbers, we split the
output sequence numbers of xfrm_skb_cb in low and high order 32 bits
and we add the high order 32 bits to the input sequence numbers.
All users are updated accordingly.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

1ce3644a

xfrm: Add basic infrastructure to support IPsec extended sequence numbers · 9736acf3

由 Steffen Klassert 提交于 3月 08, 2011

This patch adds the struct xfrm_replay_state_esn which will be
used to support IPsec extended sequence numbers and anti replay windows
bigger than 32 packets. Also we add a function that returns the actual
size of the xfrm_replay_state_esn, a xfrm netlink atribute and a xfrm state
flag for the use of extended sequence numbers.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

9736acf3

13 3月, 2011 3 次提交

D
net: Use flowi4 and flowi6 in xfrm layer. · 7e1dc7b6
由 David S. Miller 提交于 3月 12, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
7e1dc7b6

net: Make flowi ports AF dependent. · 6281dcc9

由 David S. Miller 提交于 3月 12, 2011

Create two sets of port member accessors, one set prefixed by fl4_*
and the other prefixed by fl6_*

This will let us to create AF optimal flow instances.

It will work because every context in which we access the ports,
we have to be fully aware of which AF the flowi is anyways.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

6281dcc9

net: Put flowi_* prefix on AF independent members of struct flowi · 1d28f42c

由 David S. Miller 提交于 3月 12, 2011

I intend to turn struct flowi into a union of AF specific flowi
structs.  There will be a common structure that each variant includes
first, much like struct sock_common.

This is the first step to move in that direction.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

1d28f42c

02 3月, 2011 1 次提交

xfrm: Handle blackhole route creation via afinfo. · 2774c131

由 David S. Miller 提交于 3月 01, 2011

That way we don't have to potentially do this in every xfrm_lookup()
caller.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

2774c131

28 2月, 2011 4 次提交
- D
  xfrm: Pass const xfrm_mark to xfrm_mark_put(). · e3dfa389
  由 David S. Miller 提交于 2月 27, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  e3dfa389
- D
  xfrm: Pass const xfrm_address_t objects to xfrm_state_lookup* and xfrm_find_acq. · a70486f0
  由 David S. Miller 提交于 2月 27, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  a70486f0
- D
  xfrm: Pass const arg to xfrm_alg_len and xfrm_alg_auth_len. · 85158621
  由 David S. Miller 提交于 2月 27, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  85158621
- D
  xfrm: Pass name as const to xfrm_*_get_byname(). · 6f2f19ed
  由 David S. Miller 提交于 2月 27, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  6f2f19ed
24 2月, 2011 12 次提交
- D
  xfrm: Const'ify xfrm_address_t args to xfrm_state_find. · 33765d06
  由 David S. Miller 提交于 2月 24, 2011
```
This required a const'ification in xfrm_init_tempstate() too.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  33765d06
- D
  xfrm: Const'ify ptr args to xfrm_state_*_check and xfrm_state_kern. · f8848067
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  f8848067
- D
  xfrm: Const'ify xfrm_tmpl and xfrm_state args to xfrm_state_addr_cmp. · 21eddb5c
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  21eddb5c
- D
  xfrm: Const'ify policy arg to xp_net. · 63eb23f5
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  63eb23f5
- D
  xfrm: Const'ify selector args in xfrm_migrate paths. · b4b7c0b3
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  b4b7c0b3
- D
  xfrm: Const'ify pointer args to km_migrate() and implementations. · 183cad12
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  183cad12
- D
  xfrm: Const'ify address argument to xfrm_addr_any() · 6cc32961
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  6cc32961
- D
  xfrm: Const'ify address arguments to xfrm_addr_cmp() · ff6acd16
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  ff6acd16
- D
  xfrm: Const'ify address arguments to ->dst_lookup() · 5e6b930f
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  5e6b930f
- D
  xfrm: Const'ify selector argument to xfrm_selector_match() · 200ce96e
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  200ce96e
- D
  xfrm: Const'ify tmpl and address arguments to ->init_temprop() · 19bd6244
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  19bd6244
- D
  xfrm: Pass km_event pointers around as const when possible. · 214e005b
  由 David S. Miller 提交于 2月 24, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  214e005b
23 2月, 2011 8 次提交
- D
  xfrm: Mark flowi arg to xfrm_state_find() const. · b520e9f6
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  b520e9f6
- D
  xfrm: Mark flowi arg to xfrm_selector_match() const. · e1ad2ab2
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  e1ad2ab2
- D
  xfrm: Mark token args to addr_match() const. · 1744a8fe
  由 David S. Miller 提交于 2月 22, 2011
```
Also, make it return a real bool.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  1744a8fe
- D
  xfrm: Mark flowi arg to xfrm_type->reject() const. · 8f029de2
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  8f029de2
- D
  xfrm: Mark flowi arg to ->init_tempsel() const. · 73e5ebb2
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  73e5ebb2
- D
  xfrm: Mark flowi arg to ->fill_dst() const. · 0c7b3eef
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  0c7b3eef
- D
  xfrm: Mark flowi arg to ->get_tos() const. · 05d84025
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  05d84025
- D
  xfrm: Mark flowi arg const in key extraction helpers. · e8a4e377
  由 David S. Miller 提交于 2月 22, 2011
```
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  e8a4e377
09 2月, 2011 1 次提交

ipsec: allow to align IPv4 AH on 32 bits · fa9921e4

由 Nicolas Dichtel 提交于 2月 02, 2011

The Linux IPv4 AH stack aligns the AH header on a 64 bit boundary
(like in IPv6). This is not RFC compliant (see RFC4302, Section
3.3.3.2.1), it should be aligned on 32 bits.

For most of the authentication algorithms, the ICV size is 96 bits.
The AH header alignment on 32 or 64 bits gives the same results.

However for SHA-256-128 for instance, the wrong 64 bit alignment results
in adding useless padding in IPv4 AH, which is forbidden by the RFC.

To avoid breaking backward compatibility, we use a new flag
(XFRM_STATE_ALIGN4) do change original behavior.

Initial patch from Dang Hongwu <hongwu.dang@6wind.com> and
Christophe Gouault <christophe.gouault@6wind.com>.
Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

fa9921e4

11 12月, 2010 1 次提交

xfrm: Add Traffic Flow Confidentiality padding XFRM attribute · 35d2856b

由 Martin Willi 提交于 12月 08, 2010

The XFRMA_TFCPAD attribute for XFRM state installation configures
Traffic Flow Confidentiality by padding ESP packets to a specified
length.
Signed-off-by: NMartin Willi <martin@strongswan.org>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

35d2856b

29 11月, 2010 1 次提交

xfrm: fix gre key endianess · aa285b17

由 Timo Teräs 提交于 11月 23, 2010

fl->fl_gre_key is network byte order contrary to fl->fl_icmp_*.
Make xfrm_flowi_{s|d}port return network byte order values for gre
key too.
Signed-off-by: NTimo Teräs <timo.teras@iki.fi>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

aa285b17

16 11月, 2010 1 次提交

xfrm: use gre key as flow upper protocol info · cc9ff19d

由 Timo Teräs 提交于 11月 03, 2010

The GRE Key field is intended to be used for identifying an individual
traffic flow within a tunnel. It is useful to be able to have XFRM
policy selector matches to have different policies for different
GRE tunnels.
Signed-off-by: NTimo Teräs <timo.teras@iki.fi>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

cc9ff19d

28 10月, 2010 1 次提交

tunnels: add __rcu annotations · b33eab08

由 Eric Dumazet 提交于 10月 25, 2010

Add __rcu annotations to :
        (struct ip_tunnel)->prl
        (struct ip_tunnel_prl_entry)->next
        (struct xfrm_tunnel)->next
	struct xfrm_tunnel *tunnel4_handlers
	struct xfrm_tunnel *tunnel64_handlers

And use appropriate rcu primitives to reduce sparse warnings if
CONFIG_SPARSE_RCU_POINTER=y
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

b33eab08

26 10月, 2010 1 次提交

tunnels: add _rcu annotations · 6f0bcf15

由 Eric Dumazet 提交于 10月 24, 2010

(struct ip6_tnl)->next is rcu protected :
(struct ip_tunnel)->next is rcu protected :
(struct xfrm6_tunnel)->next is rcu protected :

add __rcu annotation and proper rcu primitives.
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

6f0bcf15

openeuler / Kernel 接近 2 年 前同步成功

openeuler / Kernel
接近 2 年前同步成功