aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
Commit message (Collapse)AuthorAge
* xfrm: Restrict extended sequence numbers to espSteffen Klassert2011-03-29
| | | | | | | | | | The IPsec extended sequence numbers are fully implemented just for esp. So restrict the usage to esp until other protocols have support too. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Check for esn buffer len in xfrm_new_aeSteffen Klassert2011-03-29
| | | | | | | | | | In xfrm_new_ae() we may overwrite the allocated esn replay state buffer with a wrong size. So check that the new size matches the original allocated size and return an error if this is not the case. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Assign esn pointers when cloning a stateSteffen Klassert2011-03-29
| | | | | | | | | | | | | When we clone a xfrm state we have to assign the replay_esn and the preplay_esn pointers to the state if we use the new replay detection method. To this end, we add a xfrm_replay_clone() function that allocates memory for the replay detection and takes over the necessary values from the original state. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Move the test on replay window size into the replay check functionsSteffen Klassert2011-03-29
| | | | | | | | | | | As it is, the replay check is just performed if the replay window of the legacy implementation is nonzero. So we move the test on a nonzero replay window inside the replay check functions to be sure we are testing for the right implementation. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* dst: Clone child entry in skb_dst_popSteffen Klassert2011-03-27
| | | | | | | | | We clone the child entry in skb_dst_pop before we call skb_dst_drop(). Otherwise we might kill the child right before we return it to the caller. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Force a dst refcount before entering the xfrm type handlersSteffen Klassert2011-03-27
| | | | | | | | | | | | | Crypto requests might return asynchronous. In this case we leave the rcu protected region, so force a refcount on the skb's destination entry before we enter the xfrm type input/output handlers. This fixes a crash when a route is deleted whilst sending IPsec data that is transformed by an asynchronous algorithm. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Fix initialize repl field of struct xfrm_stateWei Yongjun2011-03-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 'xfrm: Move IPsec replay detection functions to a separate file' (9fdc4883d92d20842c5acea77a4a21bb1574b495) introduce repl field to struct xfrm_state, and only initialize it under SA's netlink create path, the other path, such as pf_key, ipcomp/ipcomp6 etc, the repl field remaining uninitialize. So if the SA is created by pf_key, any input packet with SA's encryption algorithm will cause panic. int xfrm_input() { ... x->repl->advance(x, seq); ... } This patch fixed it by introduce new function __xfrm_init_state(). Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0 EIP is at xfrm_input+0x31c/0x4cc EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000 ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000) Stack: 00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0 00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000 dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32 Call Trace: [<c0786848>] xfrm4_rcv_encap+0x22/0x27 [<c0786868>] xfrm4_rcv+0x1b/0x1d [<c074ee56>] ip_local_deliver_finish+0x112/0x1b1 [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1 [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44 [<c074ef77>] ip_local_deliver+0x3e/0x44 [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1 [<c074ec03>] ip_rcv_finish+0x30a/0x332 [<c074e8f9>] ? ip_rcv_finish+0x0/0x332 [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44 [<c074f188>] ip_rcv+0x20b/0x247 [<c074e8f9>] ? ip_rcv_finish+0x0/0x332 [<c072797d>] __netif_receive_skb+0x373/0x399 [<c0727bc1>] netif_receive_skb+0x4b/0x51 [<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp] [<c072818f>] net_rx_action+0x9a/0x17d [<c0445b5c>] __do_softirq+0xa1/0x149 [<c0445abb>] ? __do_softirq+0x0/0x149 Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Refcount destination entry on xfrm_lookupSteffen Klassert2011-03-16
| | | | | | | | | | | | | | We return a destination entry without refcount if a socket policy is found in xfrm_lookup. This triggers a warning on a negative refcount when freeeing this dst entry. So take a refcount in this case to fix it. This refcount was forgotten when xfrm changed to cache bundles instead of policies for outgoing flows. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: fix __xfrm_route_forward()Eric Dumazet2011-03-15
| | | | | | | | | | This function should return 0 in case of error, 1 if OK commit 452edd598f60522 (xfrm: Return dst directly from xfrm_lookup()) got it wrong. Reported-and-bisected-by: Michael Smith <msmith@cbnco.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Add user interface for esn and big anti-replay windowsSteffen Klassert2011-03-13
| | | | | | | | | | | | | | This patch adds a netlink based user interface to configure esn and big anti-replay windows. The new netlink attribute XFRMA_REPLAY_ESN_VAL is used to configure the new implementation. If the XFRM_STATE_ESN flag is set, we use esn and support for big anti-replay windows for the configured state. If this flag is not set we use the new implementation with 32 bit sequence numbers. A big anti-replay window can be configured in this case anyway. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Add support for IPsec extended sequence numbersSteffen Klassert2011-03-13
| | | | | | | | | | This patch adds support for IPsec extended sequence numbers (esn) as defined in RFC 4303. The bits to manage the anti-replay window are based on a patch from Alex Badea. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Support anti-replay window size bigger than 32 packetsSteffen Klassert2011-03-13
| | | | | | | | | | | | | | | | | As it is, the anti-replay bitmap in struct xfrm_replay_state can only accomodate 32 packets. Even though it is possible to configure anti-replay window sizes up to 255 packets from userspace. So we reject any packet with a sequence number within the configured window but outside the bitmap. With this patch, we represent the anti-replay window as a bitmap of variable length that can be accessed via the new struct xfrm_replay_state_esn. Thus, we have no limit on the window size anymore. To use the new anti-replay window implementantion, new userspace tools are required. We leave the old implementation untouched to stay in sync with old userspace tools. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Move IPsec replay detection functions to a separate fileSteffen Klassert2011-03-13
| | | | | | | | | | To support multiple versions of replay detection, we move the replay detection functions to a separate file and make them accessible via function pointers contained in the struct xfrm_replay. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Use separate low and high order bits of the sequence numbers in ↵Steffen Klassert2011-03-13
| | | | | | | | | | | | | xfrm_skb_cb To support IPsec extended sequence numbers, we split the output sequence numbers of xfrm_skb_cb in low and high order 32 bits and we add the high order 32 bits to the input sequence numbers. All users are updated accordingly. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Use flowi4 and flowi6 in xfrm layer.David S. Miller2011-03-12
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Break struct flowi out into AF specific instances.David S. Miller2011-03-12
| | | | | | | | | | | Now we have struct flowi4, flowi6, and flowidn for each address family. And struct flowi is just a union of them all. It might have been troublesome to convert flow_cache_uli_match() but as it turns out this function is completely unused and therefore can be simply removed. Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make flowi ports AF dependent.David S. Miller2011-03-12
| | | | | | | | | | | | Create two sets of port member accessors, one set prefixed by fl4_* and the other prefixed by fl6_* This will let us to create AF optimal flow instances. It will work because every context in which we access the ports, we have to be fully aware of which AF the flowi is anyways. Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Put flowi_* prefix on AF independent members of struct flowiDavid S. Miller2011-03-12
| | | | | | | | | | I intend to turn struct flowi into a union of AF specific flowi structs. There will be a common structure that each variant includes first, much like struct sock_common. This is the first step to move in that direction. Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Eliminate "fl" and "pol" args to xfrm_bundle_ok().David S. Miller2011-03-12
| | | | | | | There is only one caller of xfrm_bundle_ok(), and that always passes these parameters as NULL. Signed-off-by: David S. Miller <davem@davemloft.net>
* netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parmsPatrick McHardy2011-03-03
| | | | | | | | Netlink message processing in the kernel is synchronous these days, the session information can be collected when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Return dst directly from xfrm_lookup()David S. Miller2011-03-02
| | | | | | Instead of on the stack. Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Handle blackhole route creation via afinfo.David S. Miller2011-03-01
| | | | | | | That way we don't have to potentially do this in every xfrm_lookup() caller. Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Kill XFRM_LOOKUP_WAIT flag.David S. Miller2011-03-01
| | | | | | This can be determined from the flow flags instead. Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Pass const xfrm_address_t objects to xfrm_state_lookup* and xfrm_find_acq.David S. Miller2011-02-28
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Pass name as const to xfrm_*_get_byname().David S. Miller2011-02-28
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify xfrm_address_t args to xfrm_state_find.David S. Miller2011-02-24
| | | | | | This required a const'ification in xfrm_init_tempstate() too. Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Remove unused 'saddr' and 'daddr' args to xfrm_state_look_at.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify xfrm_address_t args to __xfrm_state_lookup{,_byaddr}.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify xfrm_tmpl arg to xfrm_init_tempstate.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify xfrm_address_t args to xfrm_*_hash.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify sec_path arg to secpath_has_nontransport.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify ptr args to xfrm_policy_ok.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify ptr args to xfrm_state_ok.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector arg to xfrm_dst_update_parent.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify policy arg to clone_policy.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify policy arg and local selector in xfrm_policy_match.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify local xfrm_address_t pointers in xfrm_policy_lookup_bytype.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector args in xfrm_migrate paths.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify address args to hash helpers.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify pointer args to km_migrate() and implementations.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify pointer args to migrate_tmpl_match and xfrm_migrate_checkDavid S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify address arguments to __xfrm_dst_lookup()David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector argument to xfrm_selector_match()David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Pass km_event pointers around as const when possible.David S. Miller2011-02-24
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make flow cache paths use a const struct flowi.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_resolve_and_create_bundle() const.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_dst_{alloc_copy,update_origin}() const.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_bundle_create() const.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_tmpl_resolve{,_one}() const.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_expand_policies() const.David S. Miller2011-02-22
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>