pull request (net): ipsec 2016-12-01

pull request (net): ipsec 2016-12-01

[Steffen Klassert]

1) Change the error value when someone tries to run 32bit
   userspace on a 64bit host from -ENOTSUPP to the userspace
   exported -EOPNOTSUPP. Fix from Yi Zhao.

2) On inbound, ESN sequence numbers are already in network
   byte order. So don't try to convert it again, this fixes
   integrity verification for ESN. Fixes from Tobias Brunner.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit f2ebf2a6ca94e78be179e8c99d34c87efc5e8bfb:

  Merge branch 'fixed-phy-phydev-leaks' (2016-11-29 23:17:04 -0500)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master

for you to fetch changes up to a55e23864d381c5a4ef110df94b00b2fe121a70d:

  esp6: Fix integrity verification when ESN are used (2016-11-30 11:10:16 +0100)

----------------------------------------------------------------
Tobias Brunner (2):
      esp4: Fix integrity verification when ESN are used
      esp6: Fix integrity verification when ESN are used

Yi Zhao (1):
      xfrm_user: fix return value from xfrm_user_rcv_msg

 net/ipv4/esp4.c      | 2 +-
 net/ipv6/esp6.c      | 2 +-
 net/xfrm/xfrm_user.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

[PATCH 1/3] xfrm_user: fix return value from xfrm_user_rcv_msg

[Steffen Klassert]

From: Yi Zhao <yi.zhao@windriver.com>

It doesn't support to run 32bit 'ip' to set xfrm objdect on 64bit host.
But the return value is unknown for user program:

ip xfrm policy list
RTNETLINK answers: Unknown error 524

Replace ENOTSUPP with EOPNOTSUPP:

ip xfrm policy list
RTNETLINK answers: Operation not supported

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 0889209..671a1d0 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2450,7 +2450,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 
 #ifdef CONFIG_COMPAT
 	if (in_compat_syscall())
-		return -ENOTSUPP;
+		return -EOPNOTSUPP;
 #endif
 
 	type = nlh->nlmsg_type;
-- 
1.9.1

[PATCH 2/3] esp4: Fix integrity verification when ESN are used

[Steffen Klassert]

From: Tobias Brunner <tobias@strongswan.org>

When handling inbound packets, the two halves of the sequence number
stored on the skb are already in network order.

Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/ipv4/esp4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index d95631d..20fb25e 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -476,7 +476,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 		esph = (void *)skb_push(skb, 4);
 		*seqhi = esph->spi;
 		esph->spi = esph->seq_no;
-		esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
+		esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
 		aead_request_set_callback(req, 0, esp_input_done_esn, skb);
 	}
 
-- 
1.9.1

[PATCH 3/3] esp6: Fix integrity verification when ESN are used

[Steffen Klassert]

From: Tobias Brunner <tobias@strongswan.org>

When handling inbound packets, the two halves of the sequence number
stored on the skb are already in network order.

Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/ipv6/esp6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 060a60b..111ba55 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -418,7 +418,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 		esph = (void *)skb_push(skb, 4);
 		*seqhi = esph->spi;
 		esph->spi = esph->seq_no;
-		esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
+		esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
 		aead_request_set_callback(req, 0, esp_input_done_esn, skb);
 	}
 
-- 
1.9.1

Re: pull request (net): ipsec 2016-12-01

[David Miller]

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Thu, 1 Dec 2016 12:44:49 +0100

> 1) Change the error value when someone tries to run 32bit
>    userspace on a 64bit host from -ENOTSUPP to the userspace
>    exported -EOPNOTSUPP. Fix from Yi Zhao.
> 
> 2) On inbound, ESN sequence numbers are already in network
>    byte order. So don't try to convert it again, this fixes
>    integrity verification for ESN. Fixes from Tobias Brunner.
> 
> Please pull or let me know if there are problems.

Pulled, thanks Steffen.