From: Steffen Klassert <steffen.klassert@secunet.com>
To: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
Tom St Denis <tstdenis@elliptictech.com>,
David Miller <davem@davemloft.net>
Subject: Re: [PATCH] CMAC support for CryptoAPI, fixed patch issues, indent, and testmgr build issues
Date: Thu, 24 Jan 2013 13:32:10 +0100 [thread overview]
Message-ID: <20130124123210.GK9147@secunet.com> (raw)
In-Reply-To: <20130124112410.8535.75598.stgit@localhost6.localdomain6>
On Thu, Jan 24, 2013 at 01:25:46PM +0200, Jussi Kivilinna wrote:
>
> Maybe it would be cleaner to not mess with pfkeyv2.h at all, but instead mark algorithms that do not support pfkey with flag. See patch below.
>
Yes, would be an option too. I would be fine with that,
but let's here if someone else has an opinion on this.
Anyway, we need a solution to integrate Tom's patch soon.
> Then I started looking up if sadb_alg_id is being used somewhere outside pfkey. Seems that its value is just being copied around.. but at "http://lxr.linux.no/linux+v3.7/net/xfrm/xfrm_policy.c#L1991" it's used as bit-index. So do larger values than 31 break some stuff? Can multiple algorithms have same sadb_alg_id value? Also in af_key.c, sadb_alg_id being used as bit-index.
>
Herbert tried to address this already in git commit c5d18e984
([IPSEC]: Fix catch-22 with algorithm IDs above 31) some years
ago.
But this looks still messy. If the aalgos, ealgos and calgos mask is ~0,
we allow all algorithms. If this is not the case, xfrm and pfkey check
the aalgos mask against the algorithm ID, only pfkey checks the ealgo
mask and noone checks the calgos mask.
WARNING: multiple messages have this Message-ID (diff)
From: Steffen Klassert <steffen.klassert@secunet.com>
To: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Cc: Herbert Xu <herbert@gondor.hengli.com.au>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
Tom St Denis <tstdenis@elliptictech.com>,
David Miller <davem@davemloft.net>
Subject: Re: [PATCH] CMAC support for CryptoAPI, fixed patch issues, indent, and testmgr build issues
Date: Thu, 24 Jan 2013 13:32:10 +0100 [thread overview]
Message-ID: <20130124123210.GK9147@secunet.com> (raw)
In-Reply-To: <20130124112410.8535.75598.stgit@localhost6.localdomain6>
On Thu, Jan 24, 2013 at 01:25:46PM +0200, Jussi Kivilinna wrote:
>
> Maybe it would be cleaner to not mess with pfkeyv2.h at all, but instead mark algorithms that do not support pfkey with flag. See patch below.
>
Yes, would be an option too. I would be fine with that,
but let's here if someone else has an opinion on this.
Anyway, we need a solution to integrate Tom's patch soon.
> Then I started looking up if sadb_alg_id is being used somewhere outside pfkey. Seems that its value is just being copied around.. but at "http://lxr.linux.no/linux+v3.7/net/xfrm/xfrm_policy.c#L1991" it's used as bit-index. So do larger values than 31 break some stuff? Can multiple algorithms have same sadb_alg_id value? Also in af_key.c, sadb_alg_id being used as bit-index.
>
Herbert tried to address this already in git commit c5d18e984
([IPSEC]: Fix catch-22 with algorithm IDs above 31) some years
ago.
But this looks still messy. If the aalgos, ealgos and calgos mask is ~0,
we allow all algorithms. If this is not the case, xfrm and pfkey check
the aalgos mask against the algorithm ID, only pfkey checks the ealgo
mask and noone checks the calgos mask.
next prev parent reply other threads:[~2013-01-24 12:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <537355069.94465.1358772395763.JavaMail.root@elliptictech.com>
2013-01-21 12:57 ` [PATCH] CMAC support for CryptoAPI, fixed patch issues, indent, and testmgr build issues Tom St Denis
2013-01-21 12:57 ` Tom St Denis
2013-01-21 16:35 ` David Dillow
2013-01-21 16:40 ` David Dillow
2013-01-23 7:41 ` Steffen Klassert
2013-01-23 7:41 ` Steffen Klassert
2013-01-23 14:36 ` Jussi Kivilinna
2013-01-23 14:36 ` Jussi Kivilinna
2013-01-23 14:46 ` Tom St Denis
2013-01-23 14:46 ` Tom St Denis
2013-01-23 15:35 ` Jussi Kivilinna
2013-01-23 15:35 ` Jussi Kivilinna
2013-01-23 15:46 ` Tom St Denis
2013-01-23 15:46 ` Tom St Denis
2013-01-23 16:16 ` YOSHIFUJI Hideaki
2013-01-23 16:16 ` YOSHIFUJI Hideaki
2013-01-23 16:25 ` YOSHIFUJI Hideaki
2013-01-23 16:25 ` YOSHIFUJI Hideaki
2013-01-24 8:45 ` Jussi Kivilinna
2013-01-24 8:45 ` Jussi Kivilinna
2013-01-24 9:43 ` Steffen Klassert
2013-01-24 9:43 ` Steffen Klassert
2013-01-24 11:25 ` Jussi Kivilinna
2013-01-24 11:25 ` Jussi Kivilinna
2013-01-24 12:32 ` Steffen Klassert [this message]
2013-01-24 12:32 ` Steffen Klassert
2013-01-24 12:37 ` Tom St Denis
2013-01-24 12:37 ` Tom St Denis
2013-01-24 12:52 ` Steffen Klassert
2013-01-24 12:52 ` Steffen Klassert
2013-01-24 13:00 ` Tom St Denis
2013-01-24 13:00 ` Tom St Denis
2013-01-29 9:33 ` Steffen Klassert
2013-01-29 9:33 ` Steffen Klassert
2013-01-31 9:35 ` Jussi Kivilinna
2013-01-31 9:35 ` Jussi Kivilinna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130124123210.GK9147@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jussi.kivilinna@mbnet.fi \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tstdenis@elliptictech.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.