[PATCH] xfrm: Don't allow esn with disabled anti replay detection

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] xfrm: Don't allow esn with disabled anti replay detection
@ 2011-05-10  5:43 Steffen Klassert
  2011-05-10 19:28 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Steffen Klassert @ 2011-05-10  5:43 UTC (permalink / raw)
  To: David Miller, Herbert Xu; +Cc: netdev

Unlike the standard case, disabled anti replay detection needs some
nontrivial extra treatment on ESN. RFC 4303 states:

Note: If a receiver chooses to not enable anti-replay for an SA, then
the receiver SHOULD NOT negotiate ESN in an SA management protocol.
Use of ESN creates a need for the receiver to manage the anti-replay
window (in order to determine the correct value for the high-order
bits of the ESN, which are employed in the ICV computation), which is
generally contrary to the notion of disabling anti-replay for an SA.

So return an error if an ESN state with disabled anti replay detection
is inserted for now and add the extra treatment later if we need it.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_replay.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index e8a7814..47f1b86 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -535,6 +535,9 @@ int xfrm_init_replay(struct xfrm_state *x)
 		    replay_esn->bmp_len * sizeof(__u32) * 8)
 			return -EINVAL;

+	if ((x->props.flags & XFRM_STATE_ESN) && replay_esn->replay_window == 0)
+		return -EINVAL;
+
 	if ((x->props.flags & XFRM_STATE_ESN) && x->replay_esn)
 		x->repl = &xfrm_replay_esn;
 	else
-- 
1.7.0.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] xfrm: Don't allow esn with disabled anti replay detection
  2011-05-10  5:43 [PATCH] xfrm: Don't allow esn with disabled anti replay detection Steffen Klassert
@ 2011-05-10 19:28 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2011-05-10 19:28 UTC (permalink / raw)
  To: steffen.klassert; +Cc: herbert, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Tue, 10 May 2011 07:43:05 +0200

> Unlike the standard case, disabled anti replay detection needs some
> nontrivial extra treatment on ESN. RFC 4303 states:
> 
> Note: If a receiver chooses to not enable anti-replay for an SA, then
> the receiver SHOULD NOT negotiate ESN in an SA management protocol.
> Use of ESN creates a need for the receiver to manage the anti-replay
> window (in order to determine the correct value for the high-order
> bits of the ESN, which are employed in the ICV computation), which is
> generally contrary to the notion of disabling anti-replay for an SA.
> 
> So return an error if an ESN state with disabled anti replay detection
> is inserted for now and add the extra treatment later if we need it.
> 
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Also applied, thanks for fixing these bugs!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-05-10 19:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-10  5:43 [PATCH] xfrm: Don't allow esn with disabled anti replay detection Steffen Klassert
2011-05-10 19:28 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).