Very sorry, re-posting as first patch was incomplete.
The below patch allows IPsec to use CTR mode with
AES encryption algorithm. Tested this using setkey
in ipsec-tools.
regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
--
diff -urpN net-2.6.25/include/linux/pfkeyv2.h
net-2.6.25
diff -urpN net-2.6.25/include/linux/pfkeyv2.h
net-2.6.25.patch/include/linux/pfkeyv2.h
--- net-2.6.25/include/linux/pfkeyv2.h 2008-01-29 11:48:00.0 -0600
Rereading the thread it's unclear to me which solution was deemed correct.
I'm not a big fan of fiddling/forcing SA lifetimes unless we have no other
option; if someone is foolish enough to use manual keying with replay
protection and no mechanism to catch rollover then they most likely have
I am working on setting up Labeled IPsec along with iptables nat
rules. Once I insert nat related rules, the ipsec connection breaks
and the system tries to re-negotiate and creates multiple SAs. I am
using 2.6.19 kernel (with Venkat's MLSXFRM patches bugfixes). I
guess those were
On Fri, 2007-12-07 at 16:06 -0500, Paul Moore wrote:
On Friday 07 December 2007 3:52:31 pm Eric Paris wrote:
On Fri, 2007-12-07 at 14:57 -0500, Paul Moore wrote:
NOTE: This really is an RFC patch, it compiles and boots but that is
pretty much all I can promise at this point. I'm posting
On Fri, 2007-11-30 at 09:51 -0500, Paul Moore wrote:
On Thursday 29 November 2007 8:45:46 am Paul Moore wrote:
On Thursday 29 November 2007 5:34:59 am Herbert Xu wrote:
On Mon, Nov 26, 2007 at 07:55:12PM +, Paul Moore wrote:
Currently the netmask/prefix-length of an IPsec SPD entry
,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.orig/net/xfrm/xfrm_state.c
linux-2.6.spd/net/xfrm/xfrm_state.c
--- linux-2.6.orig/net/xfrm/xfrm_state.c2007-11-18 16:53:16.0
-0600
+++ linux-2.6.spd/net/xfrm/xfrm_state.c 2007-11-18 23:38:08.0 -0600
Heh I made the same mistake when I first read this piece of
code too :) The optional flag isn't saying that it doesn't need
to be protected, but rather that the SA may not be present on
input. It's only used for IPComp where we may skip the IPComp
if the data is not compressible.
In other words
for MH type...
Seems ok as is, but I could be missing something.
xfrm_user did not appear to require this change.
I tested icmp with my patched ipsec-tools.
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.24-rc1-git11/include/linux/ipsec.h
linux-2.6.24-rc1-git11.patch/include
On Wed, 2007-09-12 at 07:18 -0700, David Miller wrote:
From: Stephen Hemminger [EMAIL PROTECTED]
Date: Wed, 12 Sep 2007 16:08:33 +0200
ERROR: xfrm_audit_state_delete [net/key/af_key.ko] undefined!
ERROR: xfrm_audit_state_add [net/key/af_key.ko] undefined!
ERROR: xfrm_audit_policy_add
On Wed, 2007-09-12 at 14:56 -0400, [EMAIL PROTECTED] wrote:
On Tue, 11 Sep 2007 19:03:14 CDT, Joy Latten said:
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy.
What
they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
I compiled and tested with CONFIG_AUDITSYSCALLS on and off.
Regards,
Joy Latten
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff
On Wed, 2007-08-22 at 20:05 -0700, David Miller wrote:
I would suggest, at this point, to make purpose built situation
specific interfaces that pass specific objects (the ones being
operated upon) to the audit layer.
Let the audit layer pick out the bits it actually wants in the
format it
On Wed, 2007-08-22 at 12:51 -0700, David Miller wrote:
From: David Miller [EMAIL PROTECTED]
Date: Tue, 21 Aug 2007 00:24:05 -0700 (PDT)
Looks good, applied to net-2.6.24, thanks Joy.
Something is still buggered up in this patch, you can't add this local
audit_info variable
On Tue, 2007-08-07 at 18:32 -0700, David Miller wrote:
From: Joy Latten [EMAIL PROTECTED]
Date: Thu, 2 Aug 2007 15:56:47 -0500
@@ -426,10 +426,15 @@ struct xfrm_audit
};
#ifdef CONFIG_AUDITSYSCALL
-extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result
Although an ipsec SA was established, kernel couldn't seem to find it.
I think since we are now using x-sel.family instead of family
in the xfrm_selector_match() called in xfrm_state_find(), af_key
needs to set this field too, just as xfrm_user.
In af_key.c, x-sel.family only gets set when
Sorry for delay, here is xfrm_audit_log() modification with
recommended changes. Let me know if this looks better.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.22/include/linux/audit.h
linux-2.6.22.patch10/include/linux/audit.h
--- linux-2.6.22/include/linux
On Wed, 2007-07-25 at 17:17 -0700, David Miller wrote:
From: Joy Latten [EMAIL PROTECTED]
Date: Wed, 25 Jul 2007 14:21:43 -0500
This is 2nd revision of patch to modify xfrm_audit_log() such
that it can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry
for report parsing.
This is a small change to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.22/include/linux
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote:
+ audit_log_format(audit_buf, %s: auid=%u, buf, auid);
if (sid != 0
security_secid_to_secctx(sid, secctx, secctx_len) == 0)
The operation in buf will not be parsed by the user space tools. Let's
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote:
It also wouldn't hurt to change the text being sent to this function to have a
hyphen instead of a space, so SPD delete becomes SPD-delete. This keeps
the parser happy.
Steve, more for my education, should all entries have this sort
On Thu, 2007-07-19 at 21:45 -0400, James Morris wrote:
On Thu, 19 Jul 2007, Joy Latten wrote:
--- linux-2.6.22/include/linux/audit.h 2007-07-19 13:17:22.0
-0500
+++ linux-2.6.22.patch/include/linux/audit.h2007-07-19
13:21:29.0 -0500
@@ -108,10 +108,7
to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.22/include/linux/audit.h
linux-2.6.22.patch/include/linux
. Please let me know if ok.
I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec
without selinux. Also compiled and tested with auditing disabled.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.22/include/linux/audit.h
linux-2.6.22.patch/include/linux
to me.
Acked-by: James Morris [EMAIL PROTECTED]
I have also tested with 2.6.22-rc3-git7 and all appears to be working as
expected.
Acked-by: Joy Latten [EMAIL PROTECTED]
context
from xfrm_state to alloc skb. Following fix does that
Please let me know if this is acceptable.
Patch was built and tested against 2.6.21-rc6-git5.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.20/net/xfrm/xfrm_user.c
linux-2.6.20.patch/net/xfrm/xfrm_user.c
for testing. I strongly think this should be fixed
in userspace.
The permission check before flushing does still
need to be added to kernel.
Regards,
Joy
On Mon, 2007-03-26 at 19:04 -0600, Joy Latten wrote:
On Mon, 2007-03-26 at 14:48 -0700, David Miller wrote:
From: Eric Paris [EMAIL PROTECTED]
On Thu, 2007-03-22 at 20:56 -0400, James Morris wrote:
On Thu, 22 Mar 2007, Joy Latten wrote:
Perhaps a better semantic would be to fail the entire flush operation if
one of the security checks failed. e.g. loop through for permissions
first, then if all ok, loop through for deletion
I have made improvements based on James' and Eric's comments.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.20.orig/include/net/xfrm.h
linux-2.6.20.patch/include/net/xfrm.h
--- linux-2.6.20.orig/include/net/xfrm.h2007-03-23 11:01:48.0
-0500
Sending again since one of the email addresses was incorrect.
Ok, I have made improvements based on James' and Eric's comments.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.20.orig/include/net/xfrm.h
linux-2.6.20.patch/include/net/xfrm.h
On Mon, 2007-03-26 at 17:34 -0400, Eric Paris wrote:
On Fri, 2007-03-23 at 16:58 -0600, Joy Latten wrote:
@@ -710,11 +713,20 @@ static struct xfrm_state *__find_acq_cor
switch (family) {
case AF_INET:
+ if (x-id.daddr.a4 == saddr-a4
On Mon, 2007-03-26 at 14:48 -0700, David Miller wrote:
From: Eric Paris [EMAIL PROTECTED]
Date: Mon, 26 Mar 2007 17:34:59 -0400
I'm not at all able to speak on the correctness or validity of the solution,
Neither am I yet :)
but shouldn't the ipv6 case be a not an || like the ipv4
On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote:
In either case though proper auditing needs to be addressed. I see that
the first patch from Joy wouldn't audit deletion failures. It appears
to me if the check is done per policy then the security hook return code
needs to be recorded
On Fri, 2007-03-23 at 12:59 -0400, Eric Paris wrote:
On Fri, 2007-03-23 at 10:33 -0600, Joy Latten wrote:
On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote:
In either case though proper auditing needs to be addressed. I see that
the first patch from Joy wouldn't audit deletion
, larval SAs
should expire. They also should be removed when we do the
xfrm_state_add() and xfrm_state_update() to add the new SAs.
Joy
This patch is against linux-2.6.21-rc4-git5
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.20.orig/net/xfrm/xfrm_state.c
linux-2.6.20/net
if this patch is ok.
It was built against linux-2.6.21-rc4-git5. I have also tested it.
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
diff -urpN linux-2.6.20.orig/net/xfrm/xfrm_policy.c
linux-2.6.20/net/xfrm/xfrm_policy.c
--- linux-2.6.20.orig/net/xfrm/xfrm_policy.c2007-03-21 14:25:51.0
On Thu, 2007-03-22 at 12:01 -0700, David Miller wrote:
From: Joy Latten [EMAIL PROTECTED]
Date: Thu, 22 Mar 2007 12:35:39 -0600
Within selinux we check for authorization before deleting entries from
SAD and SPD.
We are not checking for authorization when flushing the SPD
A while back I reported that I sometimes saw double and triple
SAs being created. The patch to check for protocol when deleting
larval SA removed one obstacle in that I no longer see triple SAs.
Now, once in a while double SAs. I think I have figured out the
second obstacle.
The initiator
ipsecv6 audit record is much better.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
Patch is against linux-2.6.20-rc4.
diff -urpN linux-2.6.20.orig/net/xfrm/xfrm_policy.c
linux-2.6.20.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.20.orig/net/xfrm/xfrm_policy.c2007-03-16 17:21:27.0
On Tue, 2007-03-06 at 14:40 -0500, James Morris wrote:
On Tue, 6 Mar 2007, Joy Latten wrote:
I saw something similar to this some time ago when testing various
failure modes, and discussed it with Herbert.
IIRC, there's a larval SA which is not torn down properly by Racoon once
On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote:
From: Joy Latten [EMAIL PROTECTED]
Date: Fri, 9 Mar 2007 17:14:54 -0600
I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol match. So when using both
AH and ESP, whichever one
On Fri, 2007-03-09 at 19:54 -0500, Eric Paris wrote:
On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote:
From: Joy Latten [EMAIL PROTECTED]
Date: Fri, 9 Mar 2007 17:14:54 -0600
I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol
On Mon, 2007-03-05 at 22:21 -0500, James Morris wrote:
On Mon, 5 Mar 2007, Joy Latten wrote:
5. Around the time the set of SAs for OUT direction are to be
inserted into SAD, I see another ACQUIRE happening.
I have not yet figured out where this second ACQUIRE comes from
From: Joy Latten [EMAIL PROTECTED]
Date: Mon, 05 Feb 2007 14:53:39 -0600
I can run some tests with this patch and report any results...
Please check out the two most recent patches I posted:
1) Updated core patch with ipv6 side added.
2) Fix for thinko noticed by Venkat.
I have been testing
Just a quick update
On Thu, 2007-02-01 at 18:44 -0500, James Morris wrote:
On Thu, 1 Feb 2007, Joy Latten wrote:
IPsec returns EAGAIN when it needs to acquire an SA.
There have been a thread or two about this...
Has there been any info or progress in how best to fix this?
James Morris presented some
I can run some tests with this patch and report any results...
Regards,
Joy
On Sun, 2007-02-04 at 20:53 -0800, David Miller wrote:
From: James Morris [EMAIL PROTECTED]
Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST)
A quick dirty solution, which is what I think the BSD kernels do, is to
IPsec returns EAGAIN when it needs to acquire an SA.
There have been a thread or two about this...
Has there been any info or progress in how best to fix this?
James Morris presented some work/ideas,
http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf
When using labeled xfrms
know if everything works ok
for you. I have built and test in my environment, but not tested as
you are using it.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
--
diff -urpN linux-2.6.19.orig/net/xfrm
Sorry! Sign off included this time.
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is
disabled in the kernel.
This patch also includes a bug fix for xfrm_state.c as a result of
original ipsec audit patch.
regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
On Wed, 2006-11-29 at 19:32 -0500, James Morris wrote:
On Wed, 29 Nov 2006, James Morris wrote:
On Wed, 29 Nov 2006, Joy Latten wrote:
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is
disabled in the kernel.
This patch also includes a bug fix for xfrm_state.c
This patch adds auditing to ipsec.
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.
Patch was built against linux kernel 2.6.19-rc6.
Please let me know if this is acceptable.
Regards,
Joy
Signed-off-by: Joy Latten [EMAIL PROTECTED]
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is
disabled in the kernel.
This patch also includes a bug fix for xfrm_state.c as a result of
original ipsec audit patch.
Let me know if it looks ok.
My mail gateway has been acting crazy so I apologize for any
replicas being sent
such as if (policy-security) may
come back as true such that security context is included in
my acquire message although I believe it should not be.
Hopefully, the below patch is acceptable. I have compiled and
tested it.
Regards,
Joy Latten
diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_policy.c
linux-2.6.17
It works! I applied the patch to
linux-2.6.17 + patch-2.6.17-rc1
and tried icmp, tcp and udp as well as sftp with
ipsec and they all worked.
Thanks
Regards,
Joy
Herbert Xu writes:
Interesting. We were previously off by 28 bytes, now we're off by 8 :)
You missed a couple of 'beqlr'
I can try patch-2.6.18-rc1, etc... to see which one it stops
working on to narrow it down.
If you could do this in the meanwhile, it would help us out
a lot.
It stops working in patch-2.6.18-rc1.
Regards,
Joy
Joy Latten [EMAIL PROTECTED] wrote:
I installed 2.6.17 + patch-2.6.18-rc4 + 2.6.18-rc4-mm2
onto two pSeries power 5 (ppc64 lpars) machines. I configured
IPSec using the configuration listed below.
Could you try straight 2.6.17? If that crashes too, then at least we
can be sure that it isn't
out ipsec
esp/transport//require;
Same config on both machines, except for spdadd entry. The in and out
are swapped on the other machine.
Regards,
Joy Latten
On 2/10/06, Joy Latten [EMAIL PROTECTED] wrote:
Catherine,
I am just wondering about something...
Should a peer_sid of 0 or SECSID_NULL be an error here if
the connection doesn't have a transform? I understand we only get
peer's context if a xfrm is involved, but I am thinking
most
Catherine,
My mailer may have been acting up, but the from header of your email had
[EMAIL PROTECTED] instead of [EMAIL PROTECTED] :-)
diff -puN security/selinux/hooks.c~lsm-secpeer security/selinux/hooks.c
--- linux-2.6.16-rc1/security/selinux/hooks.c~lsm-secpeer 2006-02-01