[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 22 Apr 2008 00:47:27 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: herbert@...dor.apana.org.au
Cc: netdev@...r.kernel.org, kuznet@....inr.ac.ru, latten@...ibm.com,
tchicks@...ibm.com
Subject: Re: [IPSEC]: Fix catch-22 with algorithm IDs above 31
From: Herbert Xu <herbert@...dor.apana.org.au>
Date: Tue, 22 Apr 2008 15:43:04 +0800
> [IPSEC]: Fix catch-22 with algorithm IDs above 31
>
> As it stands it's impossible to use any authentication algorithms
> with an ID above 31 portably. It just happens to work on x86 but
> fails miserably on ppc64.
>
> The reason is that we're using a bit mask to check the algorithm
> ID but the mask is only 32 bits wide.
>
> After looking at how this is used in the field, I have concluded
> that in the long term we should phase out state matching by IDs
> because this is made superfluous by the reqid feature. For current
> applications, the best solution IMHO is to allow all algorithms when
> the bit masks are all ~0.
>
> The following patch does exactly that.
>
> This bug was identified by IBM when testing on the ppc64 platform
> using the NULL authentication algorithm which has an ID of 251.
>
> Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
Applied, and I'll queue up for -stable, thanks Herbert!
> diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
Please update your GIT index :-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists