On Fri, 2010-11-19 at 16:43 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > +static int datablob_format(char __user *buffer,
> > + struct encrypted_key_payload *epayload,
> > + int asciiblob_len)
>
> size_t? There are other instances where you sh
Signed-off-by: Steffen Klassert
---
include/linux/xfrm.h | 12
ip/ipxfrm.c |8 +++-
ip/xfrm_state.c | 37 +
3 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index
This patch adds a netlink based user interface to configure
esn and big anti-replay windows. The new netlink attribute
XFRMA_REPLAY_ESN_VAL is used to configure the new implementation.
If the XFRM_STATE_ESN flag is set, we use esn and support for big
anti-replay windows for the configured state. If
This patch adds support for IPsec extended sequence numbers (esn)
as defined in RFC 4303. The bits to manage the anti-replay window
are based on a patch from Alex Badea.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h |1 +
net/xfrm/xfrm_input.c |4 +
net/xfrm/xfrm_replay.c |
As it is, the anti-replay bitmap in struct xfrm_replay_state can
only accommodate 32 packets. Even though it is possible to configure
anti-replay window sizes up to 255 packets from userspace. So we
reject any packet with a sequence number within the configured window
but outside the bitmap. With th
To support multiple versions of replay detection, we move the replay
detection functions to a separate file and make them accessible
via function pointers contained in the struct xfrm_replay.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 24 ++-
net/xfrm/Makefile |2
This patch adds IPsec extended sequence numbers support to esp6.
We use the authencesn crypto algorithm to handle esp with separate
encryption/authentication algorithms.
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6.c | 103 --
1 files cha
This patch adds IPsec extended sequence numbers support to esp4.
We use the authencesn crypto algorithm to handle esp with separate
encryption/authentication algorithms.
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 98 --
1 files cha
To support IPsec extended sequence numbers, we split the
output sequence numbers of xfrm_skb_cb in low and high order 32 bits
and we add the high order 32 bits to the input sequence numbers.
All users are updated accordingly.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 10
This patch adds the struct xfrm_replay_state_esn which will be
used to support IPsec extended sequence numbers and anti replay windows
bigger than 32 packets. Also we add a function that returns the actual
size of the xfrm_replay_state_esn, a xfrm netlink attribute and a xfrm state
flag for the use
ESP with separate encryption/authentication algorithms needs a special
treatment for the associated data. This patch adds a new algorithm that
handles esp with extended sequence numbers.
Signed-off-by: Steffen Klassert
---
crypto/Makefile |2 +-
crypto/authencesn.c | 821
Use scatterwalk_crypto_chain in favor of locally defined chaining functions.
Signed-off-by: Steffen Klassert
---
crypto/authenc.c | 22 --
crypto/eseqiv.c | 18 ++
crypto/gcm.c | 19 ++-
3 files changed, 8 insertions(+), 51 deletions
A lot of crypto algorithms implement their own chaining function.
So add a generic one that can be used from all the algorithms that
need scatterlist chaining.
Signed-off-by: Steffen Klassert
---
include/crypto/scatterwalk.h | 15 +++
1 files changed, 15 insertions(+), 0 deletions(
This patchset adds support for IPsec extended (64-bit) sequence numbers for
esp as defined in RFC 4303. Also it adds support for anti-replay windows
bigger than 32 packets. To make use of big anti-replay windows and extended
sequence numbers, new userspace tools are needed. An example patch for
ipr