netdev.vger.kernel.org archive mirror
* pull request (net): ipsec 2013-03-27
From: Steffen Klassert @ 2013-03-27  7:41 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

1) Initialize the satype field in key_notify_policy_flush(),
   this was left uninitialized. From Nicolas Dichtel.

2) The sequence number difference for replay notifications
   was miscalculated on ESN sequence number wrap. We need
   a separate replay notify function for esn.

3) Fix an off by one in the esn replay notify function.
   From Mathias Krause.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit a0b1c42951dd06ec83cc1bc2c9788131d9fefcd8:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next (2013-02-20 18:58:50 -0800)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master

for you to fetch changes up to 799ef90c55e692e096d8bd9e5871b95264b1e9ba:

  xfrm: Fix esn sequence number diff calculation in xfrm_replay_notify_esn() (2013-03-25 07:25:50 +0100)

----------------------------------------------------------------
Mathias Krause (1):
      xfrm: Fix esn sequence number diff calculation in xfrm_replay_notify_esn()

Nicolas Dichtel (1):
      af_key: initialize satype in key_notify_policy_flush()

Steffen Klassert (1):
      xfrm: Fix replay notification for esn.

 net/key/af_key.c       |    1 +
 net/xfrm/xfrm_replay.c |   66 +++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletion(-)


* [PATCH 1/3] af_key: initialize satype in key_notify_policy_flush()
From: Steffen Klassert @ 2013-03-27  7:41 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

This field was left uninitialized. Some user daemons perform checks against this
field.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/key/af_key.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 9ef7985..d5a4a79 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2694,6 +2694,7 @@ static int key_notify_policy_flush(const struct km_event *c)
 	hdr->sadb_msg_pid = c->portid;
 	hdr->sadb_msg_version = PF_KEY_V2;
 	hdr->sadb_msg_errno = (uint8_t) 0;
+	hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
 	pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 	return 0;
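Review bot: the outgoing sadb_msg here is filled in field by field, so any member that the visible lines never assign is only as clean as the allocation left it; this hunk closes the sadb_msg_satype hole, but unless hdr was zeroed when the skb was allocated (not visible in this hunk), a `memset(hdr, 0, sizeof(*hdr));` ahead of these assignments would keep any remaining uninitialized bytes from reaching every PF_KEY listener through pfkey_broadcast(). SADB_SATYPE_UNSPEC is the sensible value for a policy-flush notification, which is not tied to one SA type.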
-- 
1.7.9.5


* [PATCH 2/3] xfrm: Fix replay notification for esn.
From: Steffen Klassert @ 2013-03-27  7:41 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

We may miscalculate the sequence number difference from the
last time we send a notification if a sequence number wrap
occurred in the meantime. We fix this by adding a separate
replay notify function for esn. Here we take the high bits
of the sequence number into account to calculate the
difference.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_replay.c |   68 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 35754cc..a390673 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -334,6 +334,72 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
 		x->xflags &= ~XFRM_TIME_DEFER;
 }
 
+static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
+{
+	u32 seq_diff, oseq_diff;
+	struct km_event c;
+	struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+	struct xfrm_replay_state_esn *preplay_esn = x->preplay_esn;
+
+	/* we send notify messages in case
+	 *  1. we updated on of the sequence numbers, and the seqno difference
+	 *     is at least x->replay_maxdiff, in this case we also update the
+	 *     timeout of our timer function
+	 *  2. if x->replay_maxage has elapsed since last update,
+	 *     and there were changes
+	 *
+	 *  The state structure must be locked!
+	 */
+
+	switch (event) {
+	case XFRM_REPLAY_UPDATE:
+		if (!x->replay_maxdiff)
+			break;
+
+		if (replay_esn->seq_hi == preplay_esn->seq_hi)
+			seq_diff = replay_esn->seq - preplay_esn->seq;
+		else
+			seq_diff = UINT_MAX - preplay_esn->seq
+				   + replay_esn->seq;
+
+		if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
+			oseq_diff = replay_esn->oseq - preplay_esn->oseq;
+		else
+			oseq_diff = UINT_MAX - preplay_esn->oseq
+				    + replay_esn->oseq;
+
+		if (seq_diff < x->replay_maxdiff &&
+		    oseq_diff < x->replay_maxdiff) {
+
+			if (x->xflags & XFRM_TIME_DEFER)
+				event = XFRM_REPLAY_TIMEOUT;
+			else
+				return;
+		}
+
+		break;
+
+	case XFRM_REPLAY_TIMEOUT:
+		if (memcmp(x->replay_esn, x->preplay_esn,
+			   xfrm_replay_state_esn_len(replay_esn)) == 0) {
+			x->xflags |= XFRM_TIME_DEFER;
+			return;
+		}
+
+		break;
+	}
+
+	memcpy(x->preplay_esn, x->replay_esn,
+	       xfrm_replay_state_esn_len(replay_esn));
+	c.event = XFRM_MSG_NEWAE;
+	c.data.aevent = event;
+	km_state_notify(x, &c);
+
+	if (x->replay_maxage &&
+	    !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+		x->xflags &= ~XFRM_TIME_DEFER;
+}
+
 static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb)
 {
 	int err = 0;
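Review bot: the wrapped-case arithmetic `seq_diff = UINT_MAX - preplay_esn->seq + replay_esn->seq;` (and its oseq twin) is off by one: UINT_MAX is 0xffffffff, not 2^32, so for a previous seq of 0xfffffffe and a current seq of 0x00000001 in the next epoch the real distance is 3 but this yields 2. Since seq_diff and oseq_diff are u32, the plain `replay_esn->seq - preplay_esn->seq` already wraps correctly and could serve both branches; either way the computation assumes seq_hi advanced by at most one since the last notification, which holds as long as replay_maxdiff is below 2^32 and notifications are actually sent at that cadence.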
@@ -510,7 +576,7 @@ static struct xfrm_replay xfrm_replay_esn = {
 	.advance	= xfrm_replay_advance_esn,
 	.check		= xfrm_replay_check_esn,
 	.recheck	= xfrm_replay_recheck_esn,
-	.notify		= xfrm_replay_notify_bmp,
+	.notify		= xfrm_replay_notify_esn,
 	.overflow	= xfrm_replay_overflow_esn,
 };
 
-- 
1.7.9.5


* [PATCH 3/3] xfrm: Fix esn sequence number diff calculation in xfrm_replay_notify_esn()
From: Steffen Klassert @ 2013-03-27  7:41 UTC (permalink / raw)
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: Mathias Krause <minipli@googlemail.com>

Commit 0017c0b "xfrm: Fix replay notification for esn." is off by one
for the sequence number wrapped case as UINT_MAX is 0xffffffff, not
0x100000000. ;)

Just calculate the diff like done everywhere else in the file.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_replay.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index a390673..8dafe6d3 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -359,14 +359,12 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
 		if (replay_esn->seq_hi == preplay_esn->seq_hi)
 			seq_diff = replay_esn->seq - preplay_esn->seq;
 		else
-			seq_diff = UINT_MAX - preplay_esn->seq
-				   + replay_esn->seq;
+			seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
 
 		if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
 			oseq_diff = replay_esn->oseq - preplay_esn->oseq;
 		else
-			oseq_diff = UINT_MAX - preplay_esn->oseq
-				    + replay_esn->oseq;
+			oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
 
 		if (seq_diff < x->replay_maxdiff &&
 		    oseq_diff < x->replay_maxdiff) {
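Review bot: with u32 operands `~preplay_esn->seq + replay_esn->seq + 1` is exactly `replay_esn->seq - preplay_esn->seq` in two's complement, so after this change the if/else on seq_hi (and on oseq_hi) computes the same value on both paths and could collapse to a single unconditional subtraction for seq_diff and oseq_diff. The result remains meaningful only when the high word differs by at most one, which the notification cadence (a notification at least every replay_maxdiff packets, when replay_maxdiff is non-zero) is meant to guarantee.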
-- 
1.7.9.5
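
The wrap handling introduced by patch 2 and the off-by-one corrected by patch 3, worked through side by side; this is an added example, not code from the thread or from the kernel, and `struct esn_state` and the sample values are constructed stand-ins for the seq/seq_hi fields of xfrm_replay_state_esn.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two xfrm_replay_state_esn fields the
 * notify function compares: low 32 bits of the ESN and its high 32 bits. */
struct esn_state {
	uint32_t seq;
	uint32_t seq_hi;
};

/* Wrapped-case arithmetic as written in patch 2 (UINT_MAX form). */
uint32_t esn_diff_patch2(const struct esn_state *cur, const struct esn_state *prev)
{
	if (cur->seq_hi == prev->seq_hi)
		return cur->seq - prev->seq;
	return UINT_MAX - prev->seq + cur->seq;
}

/* Wrapped-case arithmetic as corrected in patch 3 (~prev + cur + 1). */
uint32_t esn_diff_patch3(const struct esn_state *cur, const struct esn_state *prev)
{
	if (cur->seq_hi == prev->seq_hi)
		return cur->seq - prev->seq;
	return ~prev->seq + cur->seq + 1;
}

/* Reference: full 64-bit ESN distance truncated to u32; exact when seq_hi advanced by at most one. */
uint32_t esn_diff_reference(const struct esn_state *cur, const struct esn_state *prev)
{
	uint64_t c = ((uint64_t)cur->seq_hi << 32) | cur->seq;
	uint64_t p = ((uint64_t)prev->seq_hi << 32) | prev->seq;
	return (uint32_t)(c - p);
}

/* Constructed sample: the last notification went out at seq 0xfffffffe of
 * epoch 0; the current packet is seq 0x00000001 of epoch 1, three later. */
static const struct esn_state sample_prev = { 0xfffffffeu, 0 };
static const struct esn_state sample_cur  = { 0x00000001u, 1 };
uint32_t sample_diff_patch2(void)    { return esn_diff_patch2(&sample_cur, &sample_prev); }
uint32_t sample_diff_patch3(void)    { return esn_diff_patch3(&sample_cur, &sample_prev); }
uint32_t sample_diff_reference(void) { return esn_diff_reference(&sample_cur, &sample_prev); }

int main(void)
{
	printf("reference %u, patch 2 %u, patch 3 %u\n",
	       sample_diff_reference(), sample_diff_patch2(), sample_diff_patch3());
	return 0;
}
```

On the sample the patch 2 form reports 2 where the true distance is 3, and the patch 3 form agrees with the plain u32 subtraction.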


* Re: pull request (net): ipsec 2013-03-27
From: David Miller @ 2013-03-27 18:09 UTC (permalink / raw)
  To: steffen.klassert; +Cc: herbert, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 27 Mar 2013 08:41:05 +0100

> 1) Initialize the satype field in key_notify_policy_flush(),
>    this was left uninitialized. From Nicolas Dichtel.
> 
> 2) The sequence number difference for replay notifications
>    was miscalculated on ESN sequence number wrap. We need
>    a separate replay notify function for esn.
> 
> 3) Fix an off by one in the esn replay notify function.
>    From Mathias Krause.
> 
> Please pull or let me know if there are problems.

Pulled, thanks Steffen.

