aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* [NetLabel]: SELinux supportVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add NetLabel support to the SELinux LSM and modify the socket_post_create() LSM hook to return an error code. The most significant part of this patch is the addition of NetLabel hooks into the following SELinux LSM hooks: * selinux_file_permission() * selinux_socket_sendmsg() * selinux_socket_post_create() * selinux_socket_sock_rcv_skb() * selinux_socket_getpeersec_stream() * selinux_socket_getpeersec_dgram() * selinux_sock_graft() * selinux_inet_conn_request() The basic reasoning behind this patch is that outgoing packets are "NetLabel'd" by labeling their socket and the NetLabel security attributes are checked via the additional hook in selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling mechanism, similar to filesystem extended attributes, it is up to the SELinux enforcement mechanism to perform the actual access checks. In addition to the changes outlined above this patch also includes some changes to the extended bitmap (ebitmap) and multi-level security (mls) code to import and export SELinux TE/MLS attributes into and out of NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: CIPSOv4 and Unlabeled packet integrationPaul Moore2006-09-22
| | | | | | | | | | | Add CIPSO/IPv4 and unlabeled packet management to the NetLabel subsystem. The CIPSO/IPv4 changes allow the configuration of CIPSO/IPv4 within the overall NetLabel framework. The unlabeled packet changes allows NetLabel to pass unlabeled packets without error. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: core NetLabel subsystemPaul Moore2006-09-22
| | | | | | | | | | | | | | Add a new kernel subsystem, NetLabel, to provide explicit packet labeling services (CIPSO, RIPSO, etc.) to LSM developers. NetLabel is designed to work in conjunction with a LSM to intercept and decode security labels on incoming network packets as well as ensure that outgoing network packets are labeled according to the security mechanism employed by the LSM. The NetLabel subsystem is configured through a Generic NETLINK interface described in the header files included in this patch. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: CIPSOv4 enginePaul Moore2006-09-22
| | | | | | | | | | | | | | | | | | | | | Add support for the Commercial IP Security Option (CIPSO) to the IPv4 network stack. CIPSO has become a de-facto standard for trusted/labeled networking amongst existing Trusted Operating Systems such as Trusted Solaris, HP-UX CMW, etc. This implementation is designed to be used with the NetLabel subsystem to provide explicit packet labeling to LSM developers. The CIPSO/IPv4 packet labeling works by the LSM calling a NetLabel API function which attaches a CIPSO label (IPv4 option) to a given socket; this in turn attaches the CIPSO label to every packet leaving the socket without any extra processing on the outbound side. On the inbound side the individual packet's sk_buff is examined through a call to a NetLabel API function to determine if a CIPSO/IPv4 label is present and if so the security attributes of the CIPSO label are returned to the caller of the NetLabel API function. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: core network changesPaul Moore2006-09-22
| | | | | | | | Changes to the core network stack to support the NetLabel subsystem. This includes changes to the IPv4 option handling to support CIPSO labels. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NetLabel]: documentationPaul Moore2006-09-22
| | | | | | | | | | | | Documentation for the NetLabel system, this includes a basic overview of how NetLabel works, how LSM developers can integrate it into their favorite LSM, as well as documentation on the CIPSO related sysctl variables. Also, due to the difficulty of finding expired IETF drafts, I am including the IETF CIPSO draft that is the basis of the NetLabel CIPSO implementation. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Fix build with SECURITY_NETWORK_XFRM disabled.Venkat Yekkirala2006-09-22
| | | | | | | | | | | | | | The following patch will fix the build problem (encountered by Andrew Morton) when SECURITY_NETWORK_XFRM is not enabled. As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in -mm, this patch sets the return parameter sid to SECSID_NULL in selinux_xfrm_decode_session() and handles this value in the caller selinux_inet_conn_request() appropriately. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Auto-labeling of child socketsVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | This automatically labels the TCP, Unix stream, and dccp child sockets as well as openreqs to be at the same MLS level as the peer. This will result in the selection of appropriately labeled IPSec Security Associations. This also uses the sock's sid (as opposed to the isec sid) in SELinux enforcement of secmark in rcv_skb and postroute_last hooks. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Default labeling of socket specific IPSec policiesVenkat Yekkirala2006-09-22
| | | | | | | | This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add flow labelingVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | | | | | | | | | | This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add security context to acquire messages using PF_KEYVenkat Yekkirala2006-09-22
| | | | | | | | | | | This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using PF_KEY. This would allow the daemons to include the security context in the negotiation, so that the resultant association is unique to that security context. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add security context to acquire messages using netlinkSerge Hallyn2006-09-22
| | | | | | | | | | | This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using netlink/xfrm_user. This would allow the daemons to include the security context in the negotiation, so that the resultant association is unique to that security context. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Flow based matching of xfrm policy and stateVenkat Yekkirala2006-09-22
| | | | | | | | | This implements a seemless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add security sid to flowiVenkat Yekkirala2006-09-22
| | | | | | | | This adds security to flow key for labeling of flows as also to allow for making flow cache lookups based on the security label seemless. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add security sid to sockVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | This adds security for IP sockets at the sock level. Security at the sock level is needed to enforce the SELinux security policy for security associations even when a sock is orphaned (such as in the TCP LAST_ACK state). This will also be used to enforce SELinux controls over data arriving at or leaving a child socket while it's still waiting to be accepted. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Define new SELinux service routineVenkat Yekkirala2006-09-22
| | | | | | | | | | | This defines a routine that combines the Type Enforcement portion of one sid with the MLS portion from the other sid to arrive at a new sid. This would be used to define a sid for a security association that is to be negotiated by IKE as well as for determing the sid for open requests and connection-oriented child sockets. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Granular IPSec associations for use in MLS environmentsVenkat Yekkirala2006-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current approach to labeling Security Associations for SELinux purposes uses a one-to-one mapping between xfrm policy rules and security associations. This doesn't address the needs of real world MLS (Multi-level System, traditional Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range, classified to secret for example) might need to map to multiple Security Associations (one each for classified, secret, top secret and all the compartments applicable to these security levels). This patch set addresses the above problem by allowing for the mapping of a single xfrm policy rule to multiple security associations, with each association used in the security context it is defined for. It also includes the security context to be used in IKE negotiation in the acquire messages sent to the IKE daemon so that a unique SA can be negotiated for each unique security context. A couple of bug fixes are also included; checks to make sure the SAs used by a packet match policy (security context-wise) on the inbound and also that the bundle used for the outbound matches the security context of the flow. This patch set also makes the use of the SELinux sid in flow cache lookups seemless by including the sid in the flow key itself. Also, open requests as well as connection-oriented child sockets are labeled automatically to be at the same level as the peer to allow for use of appropriately labeled IPSec associations. Description of changes: A "sid" member has been added to the flow cache key resulting in the sid being available at all needed locations and the flow cache lookups automatically using the sid. The flow sid is derived from the socket on the outbound and the SAs (unlabeled where an SA was not used) on the inbound. Outbound case: 1. Find policy for the socket. 2. OLD: Find an SA that matches the policy. NEW: Find an SA that matches BOTH the policy and the flow/socket. This is necessary since not every SA that matches the policy can be used for the flow/socket. Consider policy range Secret-TS, and SAs each for Secret and TS. We don't want a TS socket to use the Secret SA. Hence the additional check for the SA Vs. flow/socket. 3. NEW: When looking thru bundles for a policy, make sure the flow/socket can use the bundle. If a bundle is not found, create one, calling for IKE if necessary. If using IKE, include the security context in the acquire message to the IKE daemon. Inbound case: 1. OLD: Find policy for the socket. NEW: Find policy for the incoming packet based on the sid of the SA(s) it used or the unlabeled sid if no SAs were used. (Consider a case where a socket is "authorized" for two policies (unclassified-confidential, secret-top_secret). If the packet has come in using a secret SA, we really ought to be using the latter policy (secret-top_secret).) 2. OLD: BUG: No check to see if the SAs used by the packet agree with the policy sec_ctx-wise. (It was indicated in selinux_xfrm_sock_rcv_skb() that this was being accomplished by (x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok, but it turns out tmpl->id.spi would normally be zero (unless xfrm policy rules specify one at the template level, which they usually don't). NEW: The socket is checked for access to the SAs used (based on the sid of the SAs) in selinux_xfrm_sock_rcv_skb(). Forward case: This would be Step 1 from the Inbound case, followed by Steps 2 and 3 from the Outbound case. Outstanding items/issues: - Timewait acknowledgements and such are generated in the current/upstream implementation using a NULL socket resulting in the any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed by this patch set. This patch: Add new flask definitions to SELinux Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm policy rule. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.infradead.org/~dwmw2/hdronelineLinus Torvalds2006-09-22
|\ | | | | | | | | | | | | * git://git.infradead.org/~dwmw2/hdroneline: [HEADERS] One line per header in Kbuild files to reduce conflicts Manual (trivial) conflict resolution in include/asm-s390/Kbuild
| * [HEADERS] One line per header in Kbuild files to reduce conflictsDavid Woodhouse2006-09-19
| | | | | | | | Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* | Merge branch 'upstream-linus' of ↵Linus Torvalds2006-09-22
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2 * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2: ocfs2: Remove overzealous BUG_ON() ocfs2: Don't print on unknown remote blocking call ocfs2: Remove EXPERIMENTAL dependency ocfs2: implement directory read-ahead ocfs2: properly update i_mtime on buffered write ocfs2: Fix directory link count checks in ocfs2_link() ocfs2: move nlink check in ocfs2_mknod() ocfs2: Fix heartbeat sector calculation [PATCH] fs/ocfs2/ioctl.c should #include "ioctl.h" ocfs2: add ext2 attributes configfs: Prevent duplicate subsystem names.
| * | ocfs2: Remove overzealous BUG_ON()Mark Fasheh2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | The truncate code was never supposed to BUG() on an allocator it doesn't know about, but rather to ignore it. Right now, this does nothing, but when we change our allocation paths to use all suballocator files, this will allow current versions of the fs module to work fine. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: Don't print on unknown remote blocking callMark Fasheh2006-09-20
| | | | | | | | | | | | Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: Remove EXPERIMENTAL dependencyMark Fasheh2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | Things have been working pretty well for a while now. We should've probably done this at least one kernel revision ago, but it doesn't hurt to be paranoid. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: implement directory read-aheadMark Fasheh2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Uptodate.c now knows about read-ahead buffers. Use some more aggressive logic in ocfs2_readdir(). The two functions which currently use directory read-ahead are ocfs2_find_entry() and ocfs2_readdir(). Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: properly update i_mtime on buffered writeMark Fasheh2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | We weren't always updating i_mtime on writes, so fix ocfs2_commit_write() to handle this. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com> Acked-by: Zach Brown <zach.brown@oracle.com>
| * | ocfs2: Fix directory link count checks in ocfs2_link()Tiger Yang2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | Remove the redundant "i_nlink >= OCFS2_LINK_MAX" check and adds an unlinked directory check in ocfs2_link(). Signed-off-by: Tiger Yang <tiger.yang@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: move nlink check in ocfs2_mknod()Mark Fasheh2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | The dir nlink check in ocfs2_mknod() was being done outside of the cluster lock, which means we could have been checking against a stale version of the inode. Fix this by doing the check after the cluster lock instead. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: Fix heartbeat sector calculationMathieu Avila2006-09-20
| | | | | | | | | | | | | | | | | | This fixes things for devices which set max_sectors to 8. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | [PATCH] fs/ocfs2/ioctl.c should #include "ioctl.h"Adrian Bunk2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | Every file should #include the headers containing the prototypes for its global functions. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | ocfs2: add ext2 attributesHerbert Poetzl2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | Support immutable, and other attributes. Some renaming and other minor fixes done by myself. Signed-off-by: Herbert Poetzl <herbert@13thfloor.at> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
| * | configfs: Prevent duplicate subsystem names.Joel Becker2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For all child objects, creation comes through mkdir(2), so duplicate names are prevented. Subsystems, though, are registered by client drivers at init_module()/__init time. This patch prevents duplicate subsystem names. Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
* | | Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds2006-09-22
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (64 commits) [BLOCK] dm-crypt: trivial comment improvements [CRYPTO] api: Deprecate crypto_digest_* and crypto_alg_available [CRYPTO] padlock: Convert padlock-sha to use crypto_hash [CRYPTO] users: Use crypto_comp and crypto_has_* [CRYPTO] api: Add crypto_comp and crypto_has_* [CRYPTO] users: Use crypto_hash interface instead of crypto_digest [SCSI] iscsi: Use crypto_hash interface instead of crypto_digest [CRYPTO] digest: Remove old HMAC implementation [CRYPTO] doc: Update documentation for hash and me [SCTP]: Use HMAC template and hash interface [IPSEC]: Use HMAC template and hash interface [CRYPTO] tcrypt: Use HMAC template and hash interface [CRYPTO] hmac: Add crypto template implementation [CRYPTO] digest: Added user API for new hash type [CRYPTO] api: Mark parts of cipher interface as deprecated [PATCH] scatterlist: Add const to sg_set_buf/sg_init_one pointer argument [CRYPTO] drivers: Remove obsolete block cipher operations [CRYPTO] users: Use block ciphers where applicable [SUNRPC] GSS: Use block ciphers where applicable [IPSEC] ESP: Use block ciphers where applicable ...
| * | | [BLOCK] dm-crypt: trivial comment improvementsRik Snel2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Just some minor comment nits. - little-endian is better than low-endian - and since it is called essiv everywere it should also be essiv in the comments (and not ess_iv) Signed-off-by: Rik Snel <rsnel@cube.dyndns.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] api: Deprecate crypto_digest_* and crypto_alg_availableHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch marks the crypto_digest_* functions and crypto_alg_available as deprecated. They've been replaced by crypto_hash_* and crypto_has_* respectively. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] padlock: Convert padlock-sha to use crypto_hashHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts padlock-sha to use crypto_hash for its fallback. It also changes the fallback selection to use selection by type instead of name. This is done through the new CRYPTO_ALG_NEED_FALLBACK bit, which is set if and only if an algorithm needs a fallback of the same type. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] users: Use crypto_comp and crypto_has_*Herbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts all users to use the new crypto_comp type and the crypto_has_* functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] api: Add crypto_comp and crypto_has_*Herbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the crypto_comp type to complete the compile-time checking conversion. The functions crypto_has_alg and crypto_has_cipher, etc. are also added to replace crypto_alg_available. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] users: Use crypto_hash interface instead of crypto_digestHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts all remaining crypto_digest users to use the new crypto_hash interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [SCSI] iscsi: Use crypto_hash interface instead of crypto_digestHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts ISCSI to use the new crypto_hash interface instead of crypto_digest. It's a fairly straightforward substitution. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] digest: Remove old HMAC implementationHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes the old HMAC implementation now that nobody uses it anymore. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | [CRYPTO] doc: Update documentation for hash and meHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch updates the documentation to reflect the switch from digest to hash. It also replaces notes about emailing James Morris to refer to me instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [SCTP]: Use HMAC template and hash interfaceHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts SCTP to use the new HMAC template and hash interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | [IPSEC]: Use HMAC template and hash interfaceHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts IPsec to use the new HMAC template. The names of existing simple digest algorithms may still be used to refer to their HMAC composites. The same structure can be used by other MACs such as AES-XCBC-MAC. This patch also switches from the digest interface to hash. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | [CRYPTO] tcrypt: Use HMAC template and hash interfaceHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts tcrypt to use the new HMAC template rather than the hard-coded version of HMAC. It also converts all digest users to use the new cipher interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | [CRYPTO] hmac: Add crypto template implementationHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch rewrites HMAC as a crypto template. This means that HMAC is no longer a hard-coded part of the API. It's now a template that generates standard digest algorithms like any other. The old HMAC is preserved until all current users are converted. The same structure can be used by other MACs such as AES-XCBC-MAC. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | [CRYPTO] digest: Added user API for new hash typeHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing digest user interface is inadequate for support asynchronous operations. For one it doesn't return a value to indicate success or failure, nor does it take a per-operation descriptor which is essential for the issuing of requests while other requests are still outstanding. This patch is the first in a series of steps to remodel the interface for asynchronous operations. For the ease of transition the new interface will be known as "hash" while the old one will remain as "digest". This patch also changes sg_next to allow chaining. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] api: Mark parts of cipher interface as deprecatedHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mark the parts of the cipher interface that have been replaced by block ciphers as deprecated. Thanks to Andrew Morton for suggesting doing this before removing them completely. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [PATCH] scatterlist: Add const to sg_set_buf/sg_init_one pointer argumentHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a const modifier to the buf argument of sg_set_buf and sg_init_one. This lets people call it with pointers that are const. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] drivers: Remove obsolete block cipher operationsHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes obsolete block operations of the simple cipher type from drivers. These were preserved so that existing users can make a smooth transition. Now that the transition is complete, they are no longer needed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | [CRYPTO] users: Use block ciphers where applicableHerbert Xu2006-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts all remaining users to use the new block cipher type where applicable. It also changes all simple cipher operations to use the new encrypt_one/decrypt_one interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>