[PATCH 1/1]: Add support for aes-ctr to ipsec

2008-01-31 Thread Joy Latten
Very sorry, re-posting as first patch was incomplete. The below patch allows IPsec to use CTR mode with AES encryption algorithm. Tested this using setkey in ipsec-tools. regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> -- diff -urpN net-2.6.25/include/linux/pfkeyv2.h net-

PATCH[1/1]: Add ctr-aes support to ipsec

2008-01-29 Thread Joy Latten
The below patch allows IPsec to use CTR mode with AES encryption algorithm. Tested this using setkey in ipsec-tools. regards, Joy diff -urpN net-2.6.25/include/linux/pfkeyv2.h net-2.6.25.patch/include/linux/pfkeyv2.h --- net-2.6.25/include/linux/pfkeyv2.h 2008-01-29 11:48:00.0 -0600 +++

Re: IPsec replay sequence number overflow behavior? (RFC4303 section 3.3.3)

2007-12-18 Thread Joy Latten
>Rereading the thread it's unclear to me which solution was deemed "correct". >I'm not a big fan of fiddling/forcing SA lifetimes unless we have no other >option; if someone is foolish enough to use manual keying with replay >protection and no mechanism to catch rollover then they most likely h

Re: Labeled IPsec with NAT

2007-12-11 Thread Joy Latten
>I am working on setting up Labeled IPsec along with iptables nat >rules. Once I insert nat related rules, the ipsec connection breaks >and the system tries to re-negotiate and creates multiple SAs. I am >using 2.6.19 kernel (with Venkat's MLSXFRM patches & bugfixes). I >guess those were i

Re: [PATCH] XFRM: RFC4303 compliant auditing

2007-12-07 Thread Joy Latten
On Fri, 2007-12-07 at 16:06 -0500, Paul Moore wrote: > On Friday 07 December 2007 3:52:31 pm Eric Paris wrote: > > On Fri, 2007-12-07 at 14:57 -0500, Paul Moore wrote: > > > NOTE: This really is an RFC patch, it compiles and boots but that is > > > pretty much all I can promise at this point. I'm

Re: [PATCH] XFRM: SPD auditing fix to include the netmask/prefix-length

2007-11-30 Thread Joy Latten
On Fri, 2007-11-30 at 09:51 -0500, Paul Moore wrote: > On Thursday 29 November 2007 8:45:46 am Paul Moore wrote: > > On Thursday 29 November 2007 5:34:59 am Herbert Xu wrote: > > > On Mon, Nov 26, 2007 at 07:55:12PM +, Paul Moore wrote: > > > > Currently the netmask/prefix-length of an IPsec SP

Re: [PATCH 1/1]: SAs created although tmpl->optional set

2007-11-19 Thread Joy Latten
>Heh I made the same mistake when I first read this piece of >code too :) The optional flag isn't saying that it doesn't need >to be protected, but rather that the SA may not be present on >input. It's only used for IPComp where we may skip the IPComp >if the data is not compressible. > >In other

[PATCH 1/1]: SAs created although tmpl->optional set

2007-11-19 Thread Joy Latten
frm'ing? regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.orig/net/xfrm/xfrm_state.c linux-2.6.spd/net/xfrm/xfrm_state.c --- linux-2.6.orig/net/xfrm/xfrm_state.c2007-11-18 16:53:16.0 -0600 +++ linux-2.6.spd/net/xfrm/xfrm_state.c 2007-11

[PATCH 1/1]: Using ICMP type and code in xfrm selector

2007-11-02 Thread Joy Latten
copy into dport to be closer to rfc? Similar question for MH type... Seems ok as is, but I could be missing something. xfrm_user did not appear to require this change. I tested icmp with my patched ipsec-tools. Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.24-rc1-git11/

Re: [PATCH]: xfrm audit calls

2007-09-12 Thread Joy Latten
On Wed, 2007-09-12 at 14:56 -0400, [EMAIL PROTECTED] wrote: > On Tue, 11 Sep 2007 19:03:14 CDT, Joy Latten said: > > This patch modifies the current ipsec audit layer > > by breaking it up into purpose driven audit calls. > > > > So far, the only audit calls made ar

Re: net-2.6.24 build problem

2007-09-12 Thread Joy Latten
On Wed, 2007-09-12 at 07:18 -0700, David Miller wrote: > From: Stephen Hemminger <[EMAIL PROTECTED]> > Date: Wed, 12 Sep 2007 16:08:33 +0200 > > > ERROR: "xfrm_audit_state_delete" [net/key/af_key.ko] undefined! > > ERROR: "xfrm_audit_state_add" [net/key/af_key.ko] undefined! > > ERROR: "xfrm_audit

[PATCH]: xfrm audit calls

2007-09-11 Thread Joy Latten
they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. I compiled and tested with CONFIG_AUDITSYSCALLS on and off. Regards, Joy Latten Signed-off-by: Joy Latten <[EMAIL PROTECTED

Re: [PATCH] improved xfrm_audit_log() patch

2007-08-23 Thread Joy Latten
On Wed, 2007-08-22 at 20:05 -0700, David Miller wrote: > I would suggest, at this point, to make purpose built situation > specific interfaces that pass specific objects (the ones being > operated upon) to the audit layer. > > Let the audit layer pick out the bits it actually wants in the > format

Re: [PATCH] improved xfrm_audit_log() patch

2007-08-22 Thread Joy Latten
On Wed, 2007-08-22 at 12:51 -0700, David Miller wrote: > From: David Miller <[EMAIL PROTECTED]> > Date: Tue, 21 Aug 2007 00:24:05 -0700 (PDT) > > > Looks good, applied to net-2.6.24, thanks Joy. > > Something is still buggered up in this patch, you can't add this local > "audit_info" variable unc

Re: [PATCH] improved xfrm_audit_log() patch

2007-08-15 Thread Joy Latten
On Tue, 2007-08-07 at 18:32 -0700, David Miller wrote: >From: Joy Latten <[EMAIL PROTECTED]> >Date: Thu, 2 Aug 2007 15:56:47 -0500 > >> @@ -426,10 +426,15 @@ struct xfrm_audit >> }; >> >> #ifdef CONFIG_AUDITSYSCALL >> -extern void xfrm_audit_lo

[PATCH] improved xfrm_audit_log() patch

2007-08-02 Thread Joy Latten
Sorry for delay, here is xfrm_audit_log() modification with recommended changes. Let me know if this looks better. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch10/include/linux/audit.h --- linux-2.6.22/i

ipsec not working in 2.6.23-rc1-git10 when using pfkey

2007-08-02 Thread Joy Latten
Although an ipsec SA was established, kernel couldn't seem to find it. I think since we are now using "x->sel.family" instead of "family" in the xfrm_selector_match() called in xfrm_state_find(), af_key needs to set this field too, just as xfrm_user. In af_key.c, x->sel.family only gets set

Re: [PATCH]: 2nd revision of make xfrm_audit_log more generic

2007-07-26 Thread Joy Latten
On Wed, 2007-07-25 at 17:17 -0700, David Miller wrote: > From: Joy Latten <[EMAIL PROTECTED]> > Date: Wed, 25 Jul 2007 14:21:43 -0500 > > > This is 2nd revision of patch to modify xfrm_audit_log() such > > that it can accommodate auditing other ipsec events > > b

[PATCH]: 2nd revision of make xfrm_audit_log more generic

2007-07-25 Thread Joy Latten
escription for report parsing. This is a small change to accommodate updating ipsec protocol to RFCs 4301, 4302 and 4303 which require auditing some ipsec events if auditing is available. Please let me know if ok. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linu

Re: [PATCH]: revised make xfrm_audit_log more generic patch

2007-07-24 Thread Joy Latten
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote: > It also wouldn't hurt to change the text being sent to this function to have > a > hyphen instead of a space, so "SPD delete" becomes "SPD-delete". This keeps > the parser happy. > Steve, more for my education, should all entries have thi

Re: [PATCH]: revised make xfrm_audit_log more generic patch

2007-07-24 Thread Joy Latten
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote: > > + audit_log_format(audit_buf, "%s: auid=%u", buf, auid); > > > > if (sid != 0 && > > security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) > > The operation in buf will not be parsed by the user space to

[PATCH]: revised make xfrm_audit_log more generic patch

2007-07-23 Thread Joy Latten
to accommodate updating ipsec protocol to RFCs 4301, 4302 and 4303 which require auditing some ipsec events if auditing is available. Please let me know if ok. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/i

Re: [PATCH] make xfrm_audit_log more generic

2007-07-23 Thread Joy Latten
On Thu, 2007-07-19 at 21:45 -0400, James Morris wrote: > On Thu, 19 Jul 2007, Joy Latten wrote: > > > --- linux-2.6.22/include/linux/audit.h 2007-07-19 13:17:22.0 > > -0500 > > +++ linux-2.6.22.patch/include/linux/audit.h2007-07-19 >

[PATCH] make xfrm_audit_log more generic

2007-07-19 Thread Joy Latten
. Please let me know if ok. I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec without selinux. Also compiled and tested with auditing disabled. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-06-05 Thread Joy Latten
step up and re-ack the patch to get it moving into the > > tree? > > Looks good to me. > > Acked-by: James Morris <[EMAIL PROTECTED]> > > I have also tested with 2.6.22-rc3-git7 and all appears to be working as expected. Acked-by: Joy Latten <[EMAIL PROTECTED]

PATCH[1/1]: kernel panic when large security contexts in ACQUIRE

2007-04-13 Thread Joy Latten
ity context from xfrm_state to alloc skb. Following fix does that Please let me know if this is acceptable. Patch was built and tested against 2.6.21-rc6-git5. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> diff -urpN linux-2.6.20/net/xfrm/xfrm_user.c linux-2.6.20.patch

Re: [PATCH]: SAD sometimes has double SAs.

2007-03-28 Thread Joy Latten
testing. I strongly think this should be fixed in userspace. The permission check before flushing does still need to be added to kernel. Regards, Joy On Mon, 2007-03-26 at 19:04 -0600, Joy Latten wrote: > On Mon, 2007-03-26 at 14:48 -0700, David Miller wrote: > > From: Eric Paris <[EMA

Re: [PATCH]: SAD sometimes has double SAs.

2007-03-26 Thread Joy Latten
On Mon, 2007-03-26 at 14:48 -0700, David Miller wrote: > From: Eric Paris <[EMAIL PROTECTED]> > Date: Mon, 26 Mar 2007 17:34:59 -0400 > > > I'm not at all able to speak on the correctness or validity of the > > solution, > > Neither am I yet :) > > > but shouldn't the ipv6 case be a && not an ||

Re: [PATCH]: SAD sometimes has double SAs.

2007-03-26 Thread Joy Latten
On Mon, 2007-03-26 at 17:34 -0400, Eric Paris wrote: > On Fri, 2007-03-23 at 16:58 -0600, Joy Latten wrote: > > > @@ -710,11 +713,20 @@ static struct xfrm_state *__find_acq_cor > > > > switch (family) { > > case AF_INET: > > +

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-26 Thread Joy Latten
Sending again since one of the email addresses was incorrect. Ok, I have made improvements based on James' and Eric's comments. Regards, Joy Signed-off-by: Joy Latten<[EMAIL PROTECTED]> diff -urpN linux-2.6.20.orig/include/net/xfrm.h linux-2.6.20.patch/in

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-26 Thread Joy Latten
I have made improvements based on James' and Eric's comments. Regards, Joy Signed-off-by: Joy Latten<[EMAIL PROTECTED]> diff -urpN linux-2.6.20.orig/include/net/xfrm.h linux-2.6.20.patch/include/net/xfrm.h --- linux-2.6.20.orig/include/net/xfrm.h2007-03-23 11:01:48.

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-26 Thread Joy Latten
On Thu, 2007-03-22 at 20:56 -0400, James Morris wrote: >On Thu, 22 Mar 2007, Joy Latten wrote: >> > Perhaps a better semantic would be to fail the entire flush operation if >> > one of the security checks failed. e.g. loop through for permissions >> > first, th

[PATCH]: SAD sometimes has double SAs.

2007-03-23 Thread Joy Latten
ction of ACQUIRE. > Calling __find_acq_core() should ensure we don't create duplicate > larval SAs. Also, should IKE negotiations return error, larval SAs > should expire. They also should be removed when we do the > xfrm_state_add() and xfrm_state_update() to add the new SAs. > J

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-23 Thread Joy Latten
On Fri, 2007-03-23 at 12:59 -0400, Eric Paris wrote: > On Fri, 2007-03-23 at 10:33 -0600, Joy Latten wrote: > > On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote: > > > > > > > > In either case though proper auditing needs to be addressed. I see that >

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-23 Thread Joy Latten
On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote: > > In either case though proper auditing needs to be addressed. I see that > the first patch from Joy wouldn't audit deletion failures. It appears > to me if the check is done per policy then the security hook return code > needs to be recor

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-22 Thread Joy Latten
On Thu, 2007-03-22 at 19:49 -0400, James Morris wrote: > On Thu, 22 Mar 2007, Joy Latten wrote: > > > > I would look at this patch differently if there were some > > > security level key being checked for a match here, which is > > > an input key to the flush,

Re: [PATCH]: Add security check before flushing SAD/SPD

2007-03-22 Thread Joy Latten
On Thu, 2007-03-22 at 12:01 -0700, David Miller wrote: > From: Joy Latten <[EMAIL PROTECTED]> > Date: Thu, 22 Mar 2007 12:35:39 -0600 > > > Within selinux we check for authorization before deleting entries from > > SAD and SPD. > > > > We are not checking

[PATCH]: Add security check before flushing SAD/SPD

2007-03-22 Thread Joy Latten
this patch is ok. It was built against linux-2.6.21-rc4-git5. I have also tested it. Joy Signed-off-by: Joy Latten<[EMAIL PROTECTED]> diff -urpN linux-2.6.20.orig/net/xfrm/xfrm_policy.c linux-2.6.20/net/xfrm/xfrm_policy.c --- linux-2.6.20.orig/net/xfrm/xfrm_policy.c2007-03-21

Possible solution to those doubly created SAs in ipsec

2007-03-20 Thread Joy Latten
A while back I reported that I sometimes saw double and triple SAs being created. The patch to check for protocol when deleting larval SA removed one obstacle in that I no longer see triple SAs. Now, once in a while double SAs. I think I have figured out the second obstacle. The initiator instal

[PATCH]: ipsecv6 needs a space when printing audit record.

2007-03-19 Thread Joy Latten
ipsecv6 audit record is much better. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTED]> Patch is against linux-2.6.20-rc4. diff -urpN linux-2.6.20.orig/net/xfrm/xfrm_policy.c linux-2.6.20.patch/net/xfrm/xfrm_policy.c --- linux-2.6.20.orig/net/xfrm/xfrm_policy.c2007-03-16

Re: [PATCH]: double SAs are created when using AH and ESP together

2007-03-09 Thread Joy Latten
On Fri, 2007-03-09 at 19:54 -0500, Eric Paris wrote: > On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote: > > From: Joy Latten <[EMAIL PROTECTED]> > > Date: Fri, 9 Mar 2007 17:14:54 -0600 > > > > > I noticed that in xfrm_state_add we look for the lar

Re: [PATCH]: double SAs are created when using AH and ESP together

2007-03-09 Thread Joy Latten
On Fri, 2007-03-09 at 16:20 -0800, David Miller wrote: > From: Joy Latten <[EMAIL PROTECTED]> > Date: Fri, 9 Mar 2007 17:14:54 -0600 > > > I noticed that in xfrm_state_add we look for the larval SA in a few > > places without checking for protocol match. So when

[PATCH]: double SAs are created when using AH and ESP together

2007-03-09 Thread Joy Latten
On Tue, 2007-03-06 at 14:40 -0500, James Morris wrote: On Tue, 6 Mar 2007, Joy Latten wrote: > > > > I saw something similar to this some time ago when testing various > > > failure modes, and discussed it with Herbert. > > > > > > IIRC, there's a

Re: when having to acquire an SA, ipsec drops the packet

2007-03-06 Thread Joy Latten
On Mon, 2007-03-05 at 22:21 -0500, James Morris wrote: > On Mon, 5 Mar 2007, Joy Latten wrote: > > > 5. Around the time the set of SAs for OUT direction are to be > >inserted into SAD, I see another ACQUIRE happening. > > > >I have not yet figured out w

Re: when having to acquire an SA, ipsec drops the packet

2007-03-05 Thread Joy Latten
>From: Joy Latten <[EMAIL PROTECTED]> >Date: Mon, 05 Feb 2007 14:53:39 -0600 > >> I can run some tests with this patch and report any results... > >Please check out the two most recent patches I posted: > >1) Updated core patch with ipv6 side added. >2) Fix f

Re: when having to acquire an SA, ipsec drops the packet

2007-02-07 Thread Joy Latten
>From: Joy Latten <[EMAIL PROTECTED]> >Date: Mon, 05 Feb 2007 14:53:39 -0600 > >> I can run some tests with this patch and report any results... > >Please check out the two most recent patches I posted: > >1) Updated core patch with ipv6 side added. >2) Fix f

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread Joy Latten
I can run some tests with this patch and report any results... Regards, Joy On Sun, 2007-02-04 at 20:53 -0800, David Miller wrote: > From: James Morris <[EMAIL PROTECTED]> > Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST) > > > A quick & dirty solution, which is what I think the BSD kernels do, is t

Re: when having to acquire an SA, ipsec drops the packet

2007-02-05 Thread Joy Latten
On Thu, 2007-02-01 at 18:44 -0500, James Morris wrote: > On Thu, 1 Feb 2007, Joy Latten wrote: > > > IPsec returns EAGAIN when it needs to acquire an SA. > > There have been a thread or two about this... > > Has there been any info or progress in how best to fix thi

when having to acquire an SA, ipsec drops the packet

2007-02-01 Thread Joy Latten
IPsec returns EAGAIN when it needs to acquire an SA. There have been a thread or two about this... Has there been any info or progress in how best to fix this? James Morris presented some work/ideas, http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf When using labeled xfrms (xfrm

Re: [patch]net/xfrm:fix crash in ipsec audit logging

2007-01-09 Thread Joy Latten
o audit since we are only auditing creation and deletion of xfrm and policy. Ingo, could you try this patch and let me know if everything works ok for you. I have built and tested in my environment, but not tested as you are using it. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTECTE

Re: [PATCH 1/1] additional ipsec audit patch

2006-11-30 Thread Joy Latten
On Wed, 2006-11-29 at 19:32 -0500, James Morris wrote: > On Wed, 29 Nov 2006, James Morris wrote: > > > On Wed, 29 Nov 2006, Joy Latten wrote: > > > > > This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is > > > disabled in the kernel. >

[PATCH 1/1] additional change to ipsec audit

2006-11-30 Thread Joy Latten
Sorry! Sign off included this time. This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. This patch also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. regards, Joy Signed-off-by: Joy Latten [EMAIL PROTECTED

[PATCH 1/1] additional ipsec audit patch

2006-11-29 Thread Joy Latten
This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. This patch also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Let me know if it looks ok. My mail gateway has been acting crazy so I apologize for any replicas being sent f

[PATCH 1/1] add auditing to ipsec

2006-11-29 Thread Joy Latten
This patch adds auditing to ipsec. An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Patch was built against linux kernel 2.6.19-rc6. Please let me know if this is acceptable. Regards, Joy Signed-off-by: Joy Latten <[EMAIL PROTEC

[PATCH 1/1] add auditing to ipsec

2006-11-27 Thread Joy Latten
This patch adds auditing to ipsec in support of labeled ipsec. An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Patch was built against linux kernel 2.6.19-rc6. Please let me know if this is acceptable. Regards, Joy

RE: [redhat-lspp] ipsec acquire has security context although I am not using it.

2006-09-20 Thread Joy Latten
garbage >> on my pseries and a call such as "if (policy->security)" may >> come back as true such that security context is included in >> my acquire message although I believe it should not be. >> >> Hopefully, the below patch is acceptable. I have compi

ipsec acquire has security context although I am not using it.

2006-09-19 Thread Joy Latten
h as "if (policy->security)" may come back as true such that security context is included in my acquire message although I believe it should not be. Hopefully, the below patch is acceptable. I have compiled and tested it. Regards, Joy Latten diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_p

Re: IPSec kernel oops on ppc64

2006-08-31 Thread Joy Latten
It works! I applied the patch to linux-2.6.17 + patch-2.6.17-rc1 and tried icmp, tcp and udp as well as sftp with ipsec and they all worked. Thanks Regards, Joy >Herbert Xu writes: > >> Interesting. We were previously off by 28 bytes, now we're off by 8 :) > >You missed a couple of 'beql

Re: IPSec kernel oops on ppc64

2006-08-30 Thread Joy Latten
>-- >diff --git a/arch/powerpc/lib/memcpy_64.S b/arch/powerpc/lib/memcpy_64.S >index fd66acf..9e8d9e7 100644 >--- a/arch/powerpc/lib/memcpy_64.S >+++ b/arch/powerpc/lib/memcpy_64.S >@@ -11,6 +11,7 @@ #include > > .align 7 > _GLOBAL(memcpy) >+ std r3,-8(r1) > mtcrf 0x01,r5

Re: IPSec kernel oops on ppc64

2006-08-29 Thread Joy Latten
>> I can try patch-2.6.18-rc1, etc... to see which one it stops >> working on to narrow it down. > >If you could do this in the meanwhile, it would help us out >a lot. > It stops working in patch-2.6.18-rc1. Regards, Joy

Re: IPSec kernel oops on ppc64

2006-08-28 Thread Joy Latten
>Joy Latten <[EMAIL PROTECTED]> wrote: >> I installed 2.6.17 + patch-2.6.18-rc4 + 2.6.18-rc4-mm2 >> onto two pSeries power 5 (ppc64 lpars) machines. I configured >> IPSec using the configuration listed below. > >Could you try straight 2.6.17? If that crashes t

IPSec kernel oops on ppc64

2006-08-25 Thread Joy Latten
transport//require; spdadd x.x.x.206 x.x.x.55 any -P out ipsec esp/transport//require; Same config on both machines, except for spdadd entry. The "in" and "out" are swapped on the other machine. Regards, Joy Latten

Re: [Patch 1/1] updated: TCP/UDP getpeersec

2006-02-16 Thread Joy Latten
then know a "null" context returned means no context for peer. > On 2/10/06, Joy Latten <[EMAIL PROTECTED]> wrote: > > Catherine, > > I am just wondering about something... > > Should a peer_sid of 0 or SECSID_NULL be an error here if > > the connection doesn

Re: [Patch 1/1] updated: TCP/UDP getpeersec

2006-02-10 Thread Joy Latten
Catherine, My mailer may have been acting up, but the from header of your email had [EMAIL PROTECTED] instead of [EMAIL PROTECTED] :-) > diff -puN security/selinux/hooks.c~lsm-secpeer security/selinux/hooks.c > --- linux-2.6.16-rc1/security/selinux/hooks.c~lsm-secpeer 2006-02-01 > 00:55:23.00