History log of /net/xfrm/xfrm_algo.c
Revision Date Author Comments
0c7ddf36c29c3ce12f2d2931a357ccaa0861035a 07-Nov-2013 Mathias Krause <mathias.krause@secunet.com> net: move pskb_put() to core code

This function has usage beside IPsec so move it to the core skbuff code.
While doing so, give it some documentation and change its return type to
'unsigned char *' to be in line with skb_put().

Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
d2049d8566bf74723f0c353621174b37ff3d75ec 08-Apr-2013 Jussi Kivilinna <jussi.kivilinna@iki.fi> xfrm: add rfc4494 AES-CMAC-96 support

Now that CryptoAPI has support for CMAC, we can add support for AES-CMAC-96
(rfc4494).

Cc: Tom St Denis <tstdenis@elliptictech.com>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
7e50f84c94b82c3b2d23ac8878012b3b60ea0e96 30-Jan-2013 Jussi Kivilinna <jussi.kivilinna@mbnet.fi> pf_key/xfrm_algo: prepare pf_key and xfrm_algo for new algorithms without pfkey support

Mark existing algorithms as pfkey supported and make pfkey only use algorithms
that have pfkey_supported set.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
71331da500cc13dc3c7e5db397d553c80b2e9994 27-Dec-2012 Jussi Kivilinna <jussi.kivilinna@mbnet.fi> xfrm_algo: probe asynchronous block ciphers instead of synchronous

IPSEC uses block ciphers asynchronous, but probes only for synchronous block
ciphers and makes ealg entries only available if synchronous block cipher is
found. So with setup, where hardware crypto driver registers asynchronous
block ciphers and software crypto module is not build, ealg is not marked
as being available.

Use crypto_has_ablkcipher instead and remove ASYNC mask.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
71b697fcc7b0a88da5106dd3671d732d0b4360d1 15-May-2012 Jan Beulich <JBeulich@suse.com> xfrm_algo: drop an unnecessary inclusion

For several releases, this has not been needed anymore, as no helper
functions declared in net/ah.h get implemented by xfrm_algo.c anymore.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7e1525249814acfd293d579abcb6462767643a8a 15-May-2012 Jan Beulich <JBeulich@suse.com> xfrm: make xfrm_algo.c a module

By making this a standalone config option (auto-selected as needed),
selecting CRYPTO from here rather than from XFRM (which is boolean)
allows the core crypto code to become a module again even when XFRM=y.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
4203223a1aed862b4445fdcd260d6139603a51d9 28-Jul-2011 Tushar Gohad <tgohad@mvista.com> xfrm: Fix key lengths for rfc3686(ctr(aes))

Fix the min and max bit lengths for AES-CTR (RFC3686) keys.
The number of bits in key spec is the key length (128/256)
plus 32 bits of nonce.

This change takes care of the "Invalid key length" errors
reported by setkey when specifying 288 bit keys for aes-ctr.

Signed-off-by: Tushar Gohad <tgohad@mvista.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
6f2f19ed955e62a6789495da512d510f26ad4885 28-Feb-2011 David S. Miller <davem@davemloft.net> xfrm: Pass name as const to xfrm_*_get_byname().

Signed-off-by: David S. Miller <davem@davemloft.net>
73c89c15b959adf06366722c4be8d2eddec0a529 17-Jan-2010 Tobias Brunner <tobias@strongswan.org> crypto: gcm - Add RFC4543 wrapper for GCM

This patch adds the RFC4543 (GMAC) wrapper for GCM similar to the
existing RFC4106 wrapper. The main differences between GCM and GMAC are
the contents of the AAD and that the plaintext is empty for the latter.

Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
138f3c8518976953563a1316d7e0420c72d4ab96 02-Dec-2009 Li Yewang <lyw@cn.fujitsu.com> ipsec: can not add camellia cipher algorithm when using "ip xfrm state" command

can not add camellia cipher algorithm when using "ip xfrm state" command.

Signed-off-by: Li Yewang <lyw@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
bc74b0c8af17458ecae77f725e507ab5fd100105 25-Nov-2009 Martin Willi <martin@strongswan.org> xfrm: Add SHA384 and SHA512 HMAC authentication algorithms to XFRM

These algorithms use a truncation of 192/256 bits, as specified
in RFC4868.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
eb2ff967a587a4a784fd2390f38e324a5bec01ec 08-Oct-2009 Steffen Klassert <steffen.klassert@secunet.com> xfrm: remove skb_icv_walk

The last users of skb_icv_walk are converted to ahash now,
so skb_icv_walk is unused and can be removed.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
245acb87729bc76ba65c7476665c01837e0cdccb 24-Jun-2009 Herbert Xu <herbert@gondor.apana.org.au> ipsec: Fix name of CAST algorithm

Our CAST algorithm is called cast5, not cast128. Clearly nobody
has ever used it :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
d4fd3bc101909802f9ed083093cce688cc3416aa 09-Jun-2009 David S. Miller <davem@davemloft.net> xfrm: Use frag list abstraction interfaces.

Signed-off-by: David S. Miller <davem@davemloft.net>
547b792cac0a038b9dbf958d3c120df3740b5572 26-Jul-2008 Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> net: convert BUG_TRAP to generic WARN_ON

Removes legacy reinvent-the-wheel type thing. The generic
machinery integrates much better to automated debugging aids
such as kerneloops.org (and others), and is unambiguous due to
better naming. Non-intuively BUG_TRAP() is actually equal to
WARN_ON() rather than BUG_ON() though some might actually be
promoted to BUG_ON() but I left that to future.

I could make at least one BUILD_BUG_ON conversion.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
a13366c632132bb9f8f2950a79773d8f68f4871e 04-Jun-2008 Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch> xfrm: xfrm_algo: correct usage of RIPEMD-160

This patch fixes the usage of RIPEMD-160 in xfrm_algo which in turn
allows hmac(rmd160) to be used as authentication mechanism in IPsec
ESP and AH (see RFC 2857).

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
01a2202c95989a4df48e9a5b5e013cb80c6b2d66 27-Apr-2008 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Use digest_null directly for auth

Previously digest_null had no setkey function which meant that
we used hmac(digest_null) for IPsec since IPsec always calls
setkey. Now that digest_null has a setkey we no longer need to
do that.

In fact when only confidentiality is specified for ESP we already
use digest_null directly. However, when the null algorithm is
explicitly specified by the user we still opt for hmac(digest_null).

This patch removes this discrepancy. I have not added a new compat
name for it because by chance it wasn't actualy possible for the user
to specify the name hmac(digest_null) due to a key length check in
xfrm_user (which I found out when testing that compat name :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
405137d16fbe4c80b9e06e61af05856027745d23 08-Feb-2008 Joy Latten <latten@austin.ibm.com> [IPSEC]: Add support for aes-ctr.

The below patch allows IPsec to use CTR mode with AES encryption
algorithm. Tested this using setkey in ipsec-tools.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
1a6509d991225ad210de54c63314fd9542922095 29-Jan-2008 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Add support for combined mode algorithms

This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.

Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms
is identified by its name and the ICV length.

For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
6fbf2cb77461a0cd0675228d20dd0f70d7b2251f 29-Jan-2008 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Allow async algorithms

Now that ESP uses authenc we can turn on the support for async
algorithms in IPsec.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
50dd79653e295ce40da38c03bbfb5966aa1c1598 09-Jan-2008 Sebastian Siewior <sebastian@breakpoint.cc> [XFRM]: Remove ifdef crypto.

and select the crypto subsystem if neccessary

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
87ae9afdcada236d0a1b38ce2c465a65916961dc 30-Oct-2007 Adrian Bunk <bunk@kernel.org> cleanup asm/scatterlist.h includes

Not architecture specific code should not #include <asm/scatterlist.h>.

This patch therefore either replaces them with
#include <linux/scatterlist.h> or simply removes them if they were
unused.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
0e0940d4bb9b19c0a45c844a83e1d25686aaf433 26-Oct-2007 David S. Miller <davem@sunset.davemloft.net> [IPSEC]: Fix scatterlist handling in skb_icv_walk().

Use sg_init_one() and sg_init_table() as needed.

Signed-off-by: David S. Miller <davem@davemloft.net>
642f149031d70415d9318b919d50b71e4724adbd 24-Oct-2007 Jens Axboe <jens.axboe@oracle.com> SG: Change sg_set_page() to take length and offset argument

Most drivers need to set length and offset as well, so may as well fold
those three lines into one.

Add sg_assign_page() for those two locations that only needed to set
the page, where the offset/length is set outside of the function context.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
b3b724f48c0c0ade1d5120744cc5c9a3e5193d08 23-Oct-2007 Heiko Carstens <heiko.carstens@de.ibm.com> net: fix xfrm build - missing scatterlist.h include

net/xfrm/xfrm_algo.c: In function 'skb_icv_walk':
net/xfrm/xfrm_algo.c:555: error: implicit declaration of function
'sg_set_page'
make[2]: *** [net/xfrm/xfrm_algo.o] Error 1

Cc: David Miller <davem@davemloft.net>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
fa05f1286be25a8ce915c5dd492aea61126b3f33 22-Oct-2007 Jens Axboe <jens.axboe@oracle.com> Update net/ to use sg helpers

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
26b8e51e98ae09cfc770b918577c004a376de4b8 23-May-2007 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Fix warnings with casting int to pointer

This patch adds some casts to shut up the warnings introduced by my
last patch that added a common interator function for xfrm algorightms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
c92b3a2f1f11655ecf6774b745017a414241d07c 19-May-2007 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC] pfkey: Load specific algorithm in pfkey_add rather than all

This is a natural extension of the changeset

[XFRM]: Probe selected algorithm only.

which only removed the probe call for xfrm_user. This patch does exactly
the same thing for af_key. In other words, we load the algorithm requested
by the user rather than everything when adding xfrm states in af_key.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
1a028e50729b85d0a038fad13daf0ee201a37454 28-Apr-2007 David S. Miller <davem@sunset.davemloft.net> [NET]: Revert sk_buff walker cleanups.

This reverts eefa3906283a2b60a6d02a2cda593a7d7d7946c5

The simplification made in that change works with the assumption that
the 'offset' parameter to these functions is always positive or zero,
which is not true. It can be and often is negative in order to access
SKB header values in front of skb->data.

Signed-off-by: David S. Miller <davem@davemloft.net>
eefa3906283a2b60a6d02a2cda593a7d7d7946c5 26-Apr-2007 Jean Delvare <jdelvare@suse.de> [NET]: Clean up sk_buff walkers.

I noticed recently that, in skb_checksum(), "offset" and "start" are
essentially the same thing and have the same value throughout the
function, despite being computed differently. Using a single variable
allows some cleanups and makes the skb_checksum() function smaller,
more readable, and presumably marginally faster.

We appear to have many other "sk_buff walker" functions built on the
exact same model, so the cleanup applies to them, too. Here is a list
of the functions I found to be affected:

net/appletalk/ddp.c:atalk_sum_skb()
net/core/datagram.c:skb_copy_datagram_iovec()
net/core/datagram.c:skb_copy_and_csum_datagram()
net/core/skbuff.c:skb_copy_bits()
net/core/skbuff.c:skb_store_bits()
net/core/skbuff.c:skb_checksum()
net/core/skbuff.c:skb_copy_and_csum_bit()
net/core/user_dma.c:dma_skb_copy_datagram_iovec()
net/xfrm/xfrm_algo.c:skb_icv_walk()
net/xfrm/xfrm_algo.c:skb_to_sgvec()

OTOH, I admit I'm a bit surprised, the cleanup is rather obvious so I'm
really wondering if I am missing something. Can anyone please comment
on this?

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
716ea3a7aae3a2bfc44cb97b5419c1c9868c7bc9 03-Apr-2007 David Howells <dhowells@redhat.com> [NET]: Move generic skbuff stuff from XFRM code to generic code

Move generic skbuff stuff from XFRM code to generic code so that
AF_RXRPC can use it too.

The kdoc comments I've attached to the functions needs to be checked
by whoever wrote them as I had to make some guesses about the workings
of these functions.

Signed-off-By: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
a716c1197d608c55adfba45692a890ca64e10df0 09-Feb-2007 YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> [NET] XFRM: Fix whitespace errors.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
6a0dc8d733de4aca958a73019877f96b4754d671 22-Oct-2006 Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> [IPSEC]: added the entry of Camellia cipher algorithm to ealg_list[]

This patch adds the entry of Camellia cipher algorithm to ealg_list[].

Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
b836267aa79c1c5e23e00d9cec047b6870ae0db1 29-Dec-2006 Martin Willi <martin@strongswan.org> [XFRM]: Algorithm lookup using .compat name

Installing an IPsec SA using old algorithm names (.compat) does not work
if the algorithm is not already loaded. When not using the PF_KEY
interface, algorithms are not preloaded in xfrm_probe_algs() and
installing a IPsec SA fails.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
7cf4c1a5fd13820d7591179c0b925d739b2be9a7 28-Oct-2006 Kazunori MIYAZAWA <miyazawa@linux-ipv6.org> [IPSEC]: Add support for AES-XCBC-MAC

The glue of xfrm.

Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
e4d5b79c661c7cfca9d8d5afd040a295f128d3cb 26-Aug-2006 Herbert Xu <herbert@gondor.apana.org.au> [CRYPTO] users: Use crypto_comp and crypto_has_*

This patch converts all users to use the new crypto_comp type and the
crypto_has_* functions.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
07d4ee583e21830ec5604d31f65cdc60a6eca19e 20-Aug-2006 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Use HMAC template and hash interface

This patch converts IPsec to use the new HMAC template. The names of
existing simple digest algorithms may still be used to refer to their
HMAC composites.

The same structure can be used by other MACs such as AES-XCBC-MAC.

This patch also switches from the digest interface to hash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
6b7326c8497f954c2cfcb4c49fe42be5b80887bc 30-Jul-2006 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC] ESP: Use block ciphers where applicable

This patch converts IPSec/ESP to use the new block cipher type where
applicable. Similar to the HMAC conversion, existing algorithm names
have been kept for compatibility.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
04ff12609445c7b462d7fc7f2d30dad442c922f3 13-Aug-2006 Herbert Xu <herbert@gondor.apana.org.au> [IPSEC]: Add compatibility algorithm name support

This patch adds a compatibility name field for each IPsec algorithm. This
is needed when parameterised algorithms are used. For example, "md5" will
become "hmac(md5)", and "aes" will become "cbc(aes)".

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6ab3d5624e172c553004ecc862bfeac16d9d68b7 30-Jun-2006 Jörn Engel <joern@wohnheim.fh-wedel.de> Remove obsolete #include <linux/config.h>

Signed-off-by: Jörn Engel <joern@wohnheim.fh-wedel.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
09a626600b437d91f6b13ade5c7c4b374893c54e 09-Jan-2006 Kris Katterjohn <kjak@users.sourceforge.net> [NET]: Change some "if (x) BUG();" to "BUG_ON(x);"

This changes some simple "if (x) BUG();" statements to "BUG_ON(x);"

Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
d48102007d068df7ba3055cdc1723e12db1ba30f 19-May-2005 Evgeniy Polyakov <johnpol@2ka.mipt.ru> [XFRM]: skb_cow_data() does not set proper owner for new skbs.

It looks like skb_cow_data() does not set
proper owner for newly created skb.

If we have several fragments for skb and some of them
are shared(?) or cloned (like in async IPsec) there
might be a situation when we require recreating skb and
thus using skb_copy() for it.
Newly created skb has neither a destructor nor a socket
assotiated with it, which must be copied from the old skb.
As far as I can see, current code sets destructor and socket
for the first one skb only and uses truesize of the first skb
only to increment sk_wmem_alloc value.

If above "analysis" is correct then attached patch fixes that.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 17-Apr-2005 Linus Torvalds <torvalds@ppc970.osdl.org> Linux-2.6.12-rc2

Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!