1. 02 Aug, 2004 28 commits
  2. 01 Aug, 2004 6 commits
  3. 31 Jul, 2004 6 commits
    • [CRYPTO]: Add i586 optimized AES · 817bbc47
      James Morris authored
      Below is an updated version of the patch from Fruhwirth which integrates the
      Gladman AES code into the crypto API.
      
      I've tried to ensure that this is done as simply as possible: the user 
      gets the asm version by default if it's suitable.
      
      I've also now added the alternate GPL licensing provided by Brian Gladman, 
      and licensed the code as GPL.
      Signed-off-by: James Morris <jmorris@redhat.com>
      Signed-off-by: David S. Miller <davem@redhat.com>
    • [IPSEC]: Fix UDP decap code. · 8f49b589
      Bert Hubert authored
      The missing break causes the packet to be tested against
      both encapsulation types, one will always fail.
      Signed-off-by: bert hubert <ahu@ds9a.nl>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@redhat.com>
    • [PF_KEY]: spirange should be in host byte order. · 0797db20
      Herbert Xu authored
      I'm looking through the xfrm_alloc_spi stuff and noticed that the
      netlink alloc_spi function takes the range in host order while the
      PFKEY alloc_spi function takes them in network order.
      
      First I thought that I stuffed up since I was the one who changed
      the code in the netlink interface to take them in host order :)
      
      But reading RFC 2367 seems to indicate otherwise.  It says that all
      fields are host order unless specified otherwise.  And the spirange
      fields are not specified to be network order at all.
      
      Looking at the existing PFKEY users:
      
      User Space
      ----------
      Openswan - Doesn't use PFKEY for this.
      Racoon - Puts zeros in there so it doesn't care.  However its test-pfkey
      	 program stores things in host order.
      ISAKMPD - Stores things in host order.
      
      So the conclusion is that we can and should change our PFKEY
      implementation to use host order for these fields.
      
      This patch does exactly that.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@redhat.com>
    • [IPSEC]: xfrm_alloc_spi always succeeds on non-trivial range · 3860b281
      Herbert Xu authored
      xfrm_alloc_spi will always succeed if minspi < maxspi, even if
      minspi + 1 == maxspi.  If the range is already occupied this
      will obviously lead to breakage.
      
      Of course this is very unlikely to occur in reality due to the
      size of the range.  Although with IPCOMP it might actually happen
      on a very large server.
      
      The fix is obvious.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@redhat.com>
    • [IPSEC]: Remove redundant check in xfrm_state_add() · 5eb968f9
      Herbert Xu authored
      This is the patch referred to in the netlink_get_spi thread.
      
      I was actually wrong about the reason for this patch though.  Firstly
      it's the SPI check that is redundant and not the find_acq() call.
      And it's redundant because of the find_acq() patch, not because
      of the fact that this is in xfrm_state_add().
      
      Now that find_acq() only returns SAs with SPIs, we don't need to
      check this in xfrm_state_add() anymore.
      
      We do still need the call though to clean up leftover larval states.
      
      Another side-effect of the change is that we can move the existence
      check above find_acq() since find_acq() will never return any SAs
      matching the SPI we're trying to add (It doesn't need to because if
      an SA with a matching SPI existed, it would've been returned by
      state_lookup() already).
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@redhat.com>
    • [IPSEC]: Fix SPI generation by netlink_get_spi() · 94408b14
      Herbert Xu authored
      The issue is that two successive calls to netlink_get_spi are returning
      the same SA.  Since netlink_get_spi is meant to be a creation operation
      this is incorrect.
      
      The netlink_get_spi operation is modelled off the PFKEY SADB_GETSPI
      command which is specified in RFC 2367.  The purpose of SADB_GETSPI
      is to create a new larval SA that can then be filled in by SADB_UPDATE.
      
      Its semantics does not allow two SADB_GETSPI calls to return the same
      SA, even if there is no SADB_UPDATE call in between.
      
      The reason the second netlink_get_spi is returning the same SA is
      because in find_acq(), the code is looking at all larval states as
      opposed to only larval states with an SPI of zero.
      
      Since the only other caller of find_acq() -- xfrm_state_add() intentionally
      ignores all return values with a non-zero SPI, it is safe to not look at
      SAs with non-zero SPIs at all in find_acq().
      
      The following patch does exactly that.
      
      In fact, the find_acq() call in xfrm_state_add() is a remnant from
      the days when we had xfrm_state_replace() instead of xfrm_state_add()
      and xfrm_state_update().  It can now be safely removed.
      
      I'll post a separate patch for that.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@redhat.com>