aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2006-09-22 18:17:35 -0400
committerDavid S. Miller <davem@davemloft.net>2006-09-22 18:17:35 -0400
commite4bec827feda76d5e7417a2696a75424834d564f (patch)
treebd899e0c2fbf7f6dd1d33ce0610d88fc4a8864ee /net
parent44e36b42a8378be1dcf7e6f8a1cb2710a8903387 (diff)
[IPSEC] esp: Defer output IV initialization to first use.
First of all, if the xfrm_state only gets used for input packets this entropy is a complete waste. Secondly, it is often the case that a configuration loads many rules (perhaps even dynamically) and they don't all necessarily ever get used. This get_random_bytes() call was showing up in the profiles for xfrm_state inserts which is how I noticed this. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/esp4.c9
-rw-r--r--net/ipv6/esp6.c9
2 files changed, 14 insertions, 4 deletions
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index e87377e1d6b6..13b29360d102 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -95,8 +95,13 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
95 esph->seq_no = htonl(++x->replay.oseq); 95 esph->seq_no = htonl(++x->replay.oseq);
96 xfrm_aevent_doreplay(x); 96 xfrm_aevent_doreplay(x);
97 97
98 if (esp->conf.ivlen) 98 if (esp->conf.ivlen) {
99 if (unlikely(!esp->conf.ivinitted)) {
100 get_random_bytes(esp->conf.ivec, esp->conf.ivlen);
101 esp->conf.ivinitted = 1;
102 }
99 crypto_blkcipher_set_iv(tfm, esp->conf.ivec, esp->conf.ivlen); 103 crypto_blkcipher_set_iv(tfm, esp->conf.ivec, esp->conf.ivlen);
104 }
100 105
101 do { 106 do {
102 struct scatterlist *sg = &esp->sgbuf[0]; 107 struct scatterlist *sg = &esp->sgbuf[0];
@@ -378,7 +383,7 @@ static int esp_init_state(struct xfrm_state *x)
378 esp->conf.ivec = kmalloc(esp->conf.ivlen, GFP_KERNEL); 383 esp->conf.ivec = kmalloc(esp->conf.ivlen, GFP_KERNEL);
379 if (unlikely(esp->conf.ivec == NULL)) 384 if (unlikely(esp->conf.ivec == NULL))
380 goto error; 385 goto error;
381 get_random_bytes(esp->conf.ivec, esp->conf.ivlen); 386 esp->conf.ivinitted = 0;
382 } 387 }
383 if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len)) 388 if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len))
384 goto error; 389 goto error;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index ae50b9511151..e78680a9985b 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -99,8 +99,13 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
99 esph->seq_no = htonl(++x->replay.oseq); 99 esph->seq_no = htonl(++x->replay.oseq);
100 xfrm_aevent_doreplay(x); 100 xfrm_aevent_doreplay(x);
101 101
102 if (esp->conf.ivlen) 102 if (esp->conf.ivlen) {
103 if (unlikely(!esp->conf.ivinitted)) {
104 get_random_bytes(esp->conf.ivec, esp->conf.ivlen);
105 esp->conf.ivinitted = 1;
106 }
103 crypto_blkcipher_set_iv(tfm, esp->conf.ivec, esp->conf.ivlen); 107 crypto_blkcipher_set_iv(tfm, esp->conf.ivec, esp->conf.ivlen);
108 }
104 109
105 do { 110 do {
106 struct scatterlist *sg = &esp->sgbuf[0]; 111 struct scatterlist *sg = &esp->sgbuf[0];
@@ -353,7 +358,7 @@ static int esp6_init_state(struct xfrm_state *x)
353 esp->conf.ivec = kmalloc(esp->conf.ivlen, GFP_KERNEL); 358 esp->conf.ivec = kmalloc(esp->conf.ivlen, GFP_KERNEL);
354 if (unlikely(esp->conf.ivec == NULL)) 359 if (unlikely(esp->conf.ivec == NULL))
355 goto error; 360 goto error;
356 get_random_bytes(esp->conf.ivec, esp->conf.ivlen); 361 esp->conf.ivinitted = 0;
357 } 362 }
358 if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len)) 363 if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len))
359 goto error; 364 goto error;
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-28 18:24:55 -0400