Message-ID: <20221123083720.GM424616@gauss3.secunet.de>
Date:   Wed, 23 Nov 2022 09:37:20 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Leon Romanovsky <leon@...nel.org>
CC:     "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "Jakub Kicinski" <kuba@...nel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH xfrm-next v7 6/8] xfrm: speed-up lookup of HW policies

On Tue, Nov 22, 2022 at 03:57:43PM +0200, Leon Romanovsky wrote:
> On Tue, Nov 22, 2022 at 02:10:02PM +0100, Steffen Klassert wrote:
> > On Mon, Nov 21, 2022 at 03:01:42PM +0200, Leon Romanovsky wrote:
> > > On Mon, Nov 21, 2022 at 01:43:49PM +0100, Steffen Klassert wrote:
> > > > On Mon, Nov 21, 2022 at 02:02:52PM +0200, Leon Romanovsky wrote:
> > > > 
> > > > If policy and state do not match here, this means the lookup
> > > > returned the wrong state. The correct state might still sit
> > > > in the database. At this point, you should either have found
> > > > a matching state, or no state at all.
> > > 
> > > I check for "x" because of "x = NULL" above.
> > 
> > This does not change the fact that the lookup returned the wrong state.
> 
> Steffen, but this is exactly why we added this check - to catch wrong
> states and configurations. 

No, you have to adjust the lookup so that this can't happen.
This is not a misconfiguration, the lookup found the wrong
SA, this is a difference.

Use the offload type and dev as a lookup key and don't consider
SAs that don't match this in the lookup.

This is really not too hard to do. The thing that could be a bit
more difficult is that the lookup should be only adjusted when
we really have HW policies installed. Otherwise this affects
even systems that don't use this kind of offload.
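
The difference between rejecting a mismatched SA after the lookup and making offload type and device part of the lookup key, as an added example that is not part of the original message and not kernel code. All struct, function and variable names are hypothetical, the two-entry database is constructed sample data, and gating on `hw_policies_installed` is one assumed way to leave systems without HW policies unaffected.

```c
#include <stdio.h>

/* Simplified model; hypothetical names, not the kernel's xfrm structures. */
enum offload { OFFLOAD_NONE, OFFLOAD_CRYPTO, OFFLOAD_PACKET };
struct sa { unsigned daddr, spi; enum offload type; int ifindex; };
struct policy { enum offload type; int ifindex; };

int hw_policies_installed;  /* nonzero once a HW policy exists */

/* Constructed sample database: two SAs for the same destination. */
const struct sa sample_db[] = {
    { 0x0a000001, 0x100, OFFLOAD_NONE,   0 },
    { 0x0a000001, 0x200, OFFLOAD_PACKET, 2 },
};
const struct policy sample_pol = { OFFLOAD_PACKET, 2 };

static int offload_match(const struct sa *x, const struct policy *p)
{
    return x->type == p->type && x->ifindex == p->ifindex;
}

/* Check after lookup: the first address match is taken, then rejected.
 * The matching SA further down the list is never considered. */
const struct sa *lookup_then_check(const struct sa *db, int n, unsigned daddr,
                                   const struct policy *p)
{
    for (int i = 0; i < n; i++)
        if (db[i].daddr == daddr)
            return offload_match(&db[i], p) ? &db[i] : NULL;
    return NULL;
}

/* Offload type and device are part of the key, but only when HW
 * policies are installed, so other systems see the old behaviour. */
const struct sa *lookup_keyed(const struct sa *db, int n, unsigned daddr,
                              const struct policy *p)
{
    for (int i = 0; i < n; i++)
        if (db[i].daddr == daddr &&
            (!hw_policies_installed || offload_match(&db[i], p)))
            return &db[i];
    return NULL;
}

int main(void)
{
    hw_policies_installed = 1;
    const struct sa *a = lookup_then_check(sample_db, 2, 0x0a000001, &sample_pol);
    const struct sa *b = lookup_keyed(sample_db, 2, 0x0a000001, &sample_pol);
    printf("check-after: %s, keyed: spi 0x%x\n", a ? "found" : "none", b->spi);
    return 0;
}
```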
