1. 26 11月, 2008 9 次提交
  2. 07 11月, 2008 1 次提交
  3. 01 11月, 2008 1 次提交
    • A
      key: fix setkey(8) policy set breakage · 920da692
      Alexey Dobriyan 提交于
      Steps to reproduce:
      
      	#/usr/sbin/setkey -f
      	flush;
      	spdflush;
      
      	add 192.168.0.42 192.168.0.1 ah 24500 -A hmac-md5 "1234567890123456";
      	add 192.168.0.42 192.168.0.1 esp 24501 -E 3des-cbc "123456789012123456789012";
      
      	spdadd 192.168.0.42 192.168.0.1 any -P out ipsec
      		esp/transport//require
      		ah/transport//require;
      
      setkey: invalid keymsg length
      
      Policy dump will bail out with the same message after that.
      
      -recv(4, "\2\16\0\0\32\0\3\0\0\0\0\0\37\r\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\0*\0"..., 32768, 0) = 208
      +recv(4, "\2\16\0\0\36\0\3\0\0\0\0\0H\t\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\0*\0"..., 32768, 0) = 208
      Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      920da692
  4. 11 10月, 2008 1 次提交
  5. 06 10月, 2008 1 次提交
  6. 01 10月, 2008 2 次提交
  7. 26 7月, 2008 1 次提交
  8. 12 6月, 2008 4 次提交
  9. 11 6月, 2008 1 次提交
  10. 22 5月, 2008 1 次提交
  11. 28 4月, 2008 1 次提交
  12. 25 4月, 2008 1 次提交
  13. 22 4月, 2008 1 次提交
    • H
      [IPSEC]: Fix catch-22 with algorithm IDs above 31 · c5d18e98
      Herbert Xu 提交于
      As it stands it's impossible to use any authentication algorithms
      with an ID above 31 portably.  It just happens to work on x86 but
      fails miserably on ppc64.
      
      The reason is that we're using a bit mask to check the algorithm
      ID but the mask is only 32 bits wide.
      
      After looking at how this is used in the field, I have concluded
      that in the long term we should phase out state matching by IDs
      because this is made superfluous by the reqid feature.  For current
      applications, the best solution IMHO is to allow all algorithms when
      the bit masks are all ~0.
      
      The following patch does exactly that.
      
      This bug was identified by IBM when testing on the ppc64 platform
      using the NULL authentication algorithm which has an ID of 251.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5d18e98
  14. 13 4月, 2008 1 次提交
  15. 25 3月, 2008 1 次提交
  16. 04 3月, 2008 1 次提交
  17. 29 2月, 2008 1 次提交
    • T
      [XFRM]: Speed up xfrm_policy and xfrm_state walking · 4c563f76
      Timo Teras 提交于
      Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
      This is achieved adding the entries to one more list which is used
      solely for walking the entries.
      
      This also fixes some races where the dump can have duplicate or missing
      entries when the SPD/SADB is modified during an ongoing dump.
      
      Dumping SADB with 20000 entries using "time ip xfrm state" the sys
      time dropped from 1.012s to 0.080s.
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c563f76
  18. 27 2月, 2008 1 次提交
  19. 15 2月, 2008 1 次提交
  20. 10 2月, 2008 2 次提交
  21. 02 2月, 2008 1 次提交
  22. 29 1月, 2008 1 次提交
  23. 21 1月, 2008 1 次提交
  24. 20 12月, 2007 1 次提交
    • H
      [IPSEC]: Avoid undefined shift operation when testing algorithm ID · f398035f
      Herbert Xu 提交于
      The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
      to test them with the expression 1 << id where id can be as large as
      253.  This produces different behaviour on different architectures.
      
      The following patch explicitly checks whether ID is greater than 31
      and fails the check if that's the case.
      
      We cannot easily extend the mask to be longer than 32 bits due to
      exposure to user-space.  Besides, this whole interface is obsolete
      anyway in favour of the xfrm_user interface which doesn't use this
      bit mask in templates (well not within the kernel anyway).
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f398035f
  25. 26 11月, 2007 1 次提交
    • H
      [IPSEC]: Temporarily remove locks around copying of non-atomic fields · 8053fc3d
      Herbert Xu 提交于
      The change 050f009e
      
      	[IPSEC]: Lock state when copying non-atomic fields to user-space
      
      caused a regression.
      
      Ingo Molnar reports that it causes a potential dead-lock found by the
      lock validator as it tries to take x->lock within xfrm_state_lock while
      numerous other sites take the locks in opposite order.
      
      For 2.6.24, the best fix is to simply remove the added locks as that puts
      us back in the same state as we've been in for years.  For later kernels
      a proper fix would be to reverse the locking order for every xfrm state
      user such that if x->lock is taken together with xfrm_state_lock then
      it is to be taken within it.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      8053fc3d
  26. 22 11月, 2007 1 次提交
  27. 01 11月, 2007 1 次提交