lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 31 Dec 2007 12:48:40 -0500
From:	Paul Moore <paul.moore@...com>
To:	Herbert Xu <herbert@...dor.apana.org.au>
Cc:	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_input

On Sunday 30 December 2007 11:23:55 pm Herbert Xu wrote:
> Hi Dave:
>
> While refreshing the async IPsec patches I noticed some fresh code
> duplication.
>
> [IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_input
>
> Let's nip the code duplication in the bud :)

Thanks, not sure why I didn't see that in the first place :)

> Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
>
> diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
> index ec8de0a..d76803a 100644
> --- a/net/ipv4/ah4.c
> +++ b/net/ipv4/ah4.c
> @@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct
> sk_buff *skb) err = ah_mac_digest(ahp, skb, ah->auth_data);
>  		if (err)
>  			goto unlock;
> -		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
> -			xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
> +		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
>  			err = -EBADMSG;
> -		}
>  	}
>  unlock:
>  	spin_unlock(&x->lock);
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index b334c76..28ea5c7 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct
> sk_buff *skb) BUG();
>
>  		if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
> -			xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
>  			err = -EBADMSG;
>  			goto unlock;
>  		}
> diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
> index 2d32772..fb0d07a 100644
> --- a/net/ipv6/ah6.c
> +++ b/net/ipv6/ah6.c
> @@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct
> sk_buff *skb) err = ah_mac_digest(ahp, skb, ah->auth_data);
>  		if (err)
>  			goto unlock;
> -		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
> -			xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
> +		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
>  			err = -EBADMSG;
> -		}
>  	}
>  unlock:
>  	spin_unlock(&x->lock);
> diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
> index e10f10b..5bd5292 100644
> --- a/net/ipv6/esp6.c
> +++ b/net/ipv6/esp6.c
> @@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct
> sk_buff *skb) BUG();
>
>  		if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
> -			xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
>  			ret = -EBADMSG;
>  			goto unlock;
>  		}
> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
> index 1b250f3..039e701 100644
> --- a/net/xfrm/xfrm_input.c
> +++ b/net/xfrm/xfrm_input.c
> @@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr,
> __be32 spi, int encap_type) resume:
>  		spin_lock(&x->lock);
>  		if (nexthdr <= 0) {
> -			if (nexthdr == -EBADMSG)
> +			if (nexthdr == -EBADMSG) {
> +				xfrm_audit_state_icvfail(x, skb,
> +							 x->type->proto);
>  				x->stats.integrity_failed++;
> +			}
>  			XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR);
>  			goto drop_unlock;
>  		}
>
> Thanks,



-- 
paul moore
linux security @ hp
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ