[PATCH] crypto: Unlink and free instances when deleted

2011-11-08 Thread Steffen Klassert 
We leak the crypto instance when we unregister an instance with
crypto_del_alg(). Therefore we introduce crypto_unregister_instance()
to unlink the crypto instance from the template's instances list and
to free the recources of the instance properly.

Signed-off-by: Steffen Klassert steffen.klass...@secunet.com
---
 crypto/algapi.c |   29 +
 crypto/crypto_user.c|2 +-
 include/crypto/algapi.h |1 +
 3 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/crypto/algapi.c b/crypto/algapi.c
index 54dd4e3..9d4a9fe 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -518,6 +518,35 @@ err:
 }
 EXPORT_SYMBOL_GPL(crypto_register_instance);
 
+int crypto_unregister_instance(struct crypto_alg *alg)
+{
+   int err;
+   struct crypto_instance *inst = (void *)alg;
+   struct crypto_template *tmpl = inst-tmpl;
+   LIST_HEAD(users);
+
+   if (!(alg-cra_flags  CRYPTO_ALG_INSTANCE))
+   return -EINVAL;
+
+   BUG_ON(atomic_read(alg-cra_refcnt) != 1);
+
+   down_write(crypto_alg_sem);
+
+   hlist_del_init(inst-list);
+   err = crypto_remove_alg(alg, users);
+
+   up_write(crypto_alg_sem);
+
+   if (err)
+   return err;
+
+   tmpl-free(inst);
+   crypto_remove_final(users);
+
+   return 0;
+}
+EXPORT_SYMBOL_GPL(crypto_unregister_instance);
+
 int crypto_init_spawn(struct crypto_spawn *spawn, struct crypto_alg *alg,
  struct crypto_instance *inst, u32 mask)
 {
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 0605a2b..3ba6ef5 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -298,7 +298,7 @@ static int crypto_del_alg(struct sk_buff *skb, struct 
nlmsghdr *nlh,
if (atomic_read(alg-cra_refcnt) != 1)
return -EBUSY;
 
-   return crypto_unregister_alg(alg);
+   return crypto_unregister_instance(alg);
 }
 
 static int crypto_add_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index ecc721d..418d270 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -134,6 +134,7 @@ struct crypto_template *crypto_lookup_template(const char 
*name);
 
 int crypto_register_instance(struct crypto_template *tmpl,
 struct crypto_instance *inst);
+int crypto_unregister_instance(struct crypto_alg *alg);
 
 int crypto_init_spawn(struct crypto_spawn *spawn, struct crypto_alg *alg,
  struct crypto_instance *inst, u32 mask);
-- 
1.7.0.4

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
 On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
 Hello!
 
 Found that the stack IPSec in Linux does not support any IP range. Many 
 people ask this question. The archives say strongswan said that their daemon 
 supports a range, but the Linux IPSec stack supports only the subnets. I am 
 writing to you to implement support for IP range in Linux. I think that a 
 lot more people will appreciate this innovation.

 It'd be even better if you could write a patch for us to review.

 Cheers,
 -PJ

I was a little not so put it:) I'd certainly be happy and he would write a 
patch, but I'm afraid do not have the necessary knowledge to implement IPSec 
Linux. I turned to you, the developers, but rather to urge you to implement 
this feature using IP range. I hope very much for your help and support. This 
is especially beneficial for all - the Linux kernel will be more flexible and 
more compatible with different devices and software.

Regards
Daniil Stolnikov



--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Alexey Dobriyan 
On Tue, Nov 8, 2011 at 8:24 AM, Peter P Waskiewicz Jr
peter.p.waskiewicz...@intel.com wrote:
 On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
 Hello!

 Found that the stack IPSec in Linux does not support any IP range. Many 
 people ask this question. The archives say strongswan said that their daemon 
 supports a range, but the Linux IPSec stack supports only the subnets. I am 
 writing to you to implement support for IP range in Linux. I think that a 
 lot more people will appreciate this innovation.

 It'd be even better if you could write a patch for us to review.

oh, come on!
changing addr_match() is trivial for ipv4 and easy for ipv6. :-)
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
 On Tue, Nov 8, 2011 at 8:24 AM, Peter P Waskiewicz Jr
 peter.p.waskiewicz...@intel.com wrote:
 On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
 Hello!

 Found that the stack IPSec in Linux does not support any IP range. Many 
 people ask this question. The archives say strongswan said that their 
 daemon supports a range, but the Linux IPSec stack supports only the 
 subnets. I am writing to you to implement support for IP range in Linux. I 
 think that a lot more people will appreciate this innovation.

 It'd be even better if you could write a patch for us to review.

 oh, come on!
 changing addr_match() is trivial for ipv4 and easy for ipv6. :-)


Is not entirely clear how this function works. It seems that it works again 
with the subnet bits and comparing the length of the prefix networks.

Probably you mean that you need to add back the comparison ranges? If so, what 
if we use zywall we do not know the format of the range.
Well, as I said, I badly oriented in the kernel code. I can tell kettle. A 
change in the function code certainly entail a change in at least the data 
types passed to the function.

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
 From: Daniil Stolnikov danila...@mail.ru
 Date: Tue, 08 Nov 2011 12:40:13 +0400

 I turned to you, the developers, but rather to urge you to implement
 this feature using IP range.

 This won't be implemented, the keys used for IPSEC rule lookups supported by
 the kernel are already way too complex.

 From: Alexey Dobriyan adobri...@gmail.com
 Date: Tue, 8 Nov 2011 14:08:24 +0200

 changing addr_match() is trivial for ipv4 and easy for ipv6. :-)

 No, this is not happening.  This added complexity screws up all the hash table
 and lookup optimizations we have in the XFRM layer.

I never imagined that it will cause some difficulties. Several questions arise:

1) How complex is this implementation?
2) How to do this time?
3) Will this feature is implemented vsetaki? If so, how soon and what will it 
take?


 Ranges can be synthesized by userspace, and that's the way it has to
 be supported.

That is, you want to say that all this can be done at the user level? How so?

In general, if there are alternative implementations of this feature without 
support at the kernel level? What are some loopholes, tricks? It is meant to 
create multiple connections to the same subnet subranges without the use of 
masks such as / 29. Perhaps this can be achieved through l2tp? There, in the 
present setup IP range. Or is it both?

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] crypto: talitos - fix descriptor buffer access code

2011-11-08 Thread Kim Phillips 
On Tue, 8 Nov 2011 19:34:57 -0600
Kim Phillips kim.phill...@freescale.com wrote:

 commit 3e721ae (crypto: talitos - handle descriptor not found in
 error path) used the wrong offset method to access a channel's
 descriptor buffer registers - the TALITOS_DESCBUF macro
 doesn't take a channel argument.  Fix it to use the
 base chan[x].reg offset instead.
 
 Signed-off-by: Kim Phillips kim.phill...@freescale.com
 ---

scratch this - I got confused working on a merge branch.

existing code is fine - ignore me.

Kim

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread David Miller 
From: Daniil Stolnikov danila...@mail.ru
Date: Wed, 9 Nov 2011 09:36:07 +0800

 I never imagined that it will cause some difficulties.

Ever feature has side effects and costs associated with it.  Some of
which can be non-trivial.

Like I said, if you want address ranges, ask the userland IPSEC daemon
authors to synthesize it.

I'm really not able to devote the time necessary to explain every
nuance of how we store IPSEC rules in the kernel side database and
what implications that has for expanding the kind of match keys we
support.
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Herbert Xu 
David Miller da...@davemloft.net wrote:

 Like I said, if you want address ranges, ask the userland IPSEC daemon
 authors to synthesize it.

Alternatively you can do this with marking and use netfilter
to set the mark.

Cheers,
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
 Like I said, if you want address ranges, ask the userland IPSEC daemon
 authors to synthesize it.

In this letter, the mailing list 
http://marc.info/?l=strongswan-usersm=130613736616488w=4 strongswan-users say 
that their product has support for IP ranges, but the stack of Linux is based 
on network masks. So I do not understand how this would work without the 
support at the kernel level? How will coordination of policies?

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
Herbert Xu herb...@gondor.apana.org.au wrote:

 Alternatively you can do this with marking and use netfilter
 to set the mark.

 Cheers,

We focus on connections to devices zywall. If you choose to zywall IP range as 
the remote side will not harmonize policies. The connection is not established. 
And this alternative makes no sense.

Regards
Daniil Stolnikov

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Herbert Xu 
Daniil Stolnikov danila...@mail.ru wrote:
 Like I said, if you want address ranges, ask the userland IPSEC daemon
 authors to synthesize it.
 
 In this letter, the mailing list 
 http://marc.info/?l=strongswan-usersm=130613736616488w=4 strongswan-users 
 say that their product has support for IP ranges, but the stack of Linux is 
 based on network masks. So I do not understand how this would work without 
 the support at the kernel level? How will coordination of policies?

Simple, you break a range policy into parts that can be expressed
as network/mask and install multiple policies.  The actual policies
in the kernel just has to have the same effect as the one you
negotiated with the other side, it does not have to look the same.

This is also why you can do the same thing with masks + netfilter.

Cheers,
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 00/18] crypto: Add helper functions for parallelized LRW and XTS modes

2011-11-08 Thread Herbert Xu 
On Tue, Oct 18, 2011 at 01:32:08PM +0300, Jussi Kivilinna wrote:
 This series adds lrw_crypt() and xts_crypt() functions for cipher 
 implementations that
 can benefit from parallel cipher block operations. To make interface 
 flexible, 
 caller is reponsible of allocating buffer large enough to store temporary 
 cipher
 blocks. This buffer size should be as large as size of parallel blocks 
 processed at
 once. Cryption callback is called with buffer size at maximum of parallel 
 blocks size
 and at minimum size of one block.
 
 Series adds LRW/XTS support to serpent-sse2 and twofish-x86_64-3way, and 
 therefore
 depends on those series.
 
 Patches 1-4: include LRW fixes/cleanups, export gf128mul table and add 
 lrw_crypt().
 Patches 5-7: add LRW support to serpent-sse2, with tcrypt tests and test 
 vectors.
 Patches 8-10: add LRW support to twofish-x86_64-3way, with tcrypt tests and 
 test vectors.
 Patches 11-12: include XTS cleanup for blocksize usage and add xts_crypt().
 Patches 13-15: add XTS support to serpent-sse2, with tcrypt tests and test 
 vectors.
 Patches 16-18: add XTS support to twofish-x86_64-3way, with tcrypt tests and 
 test vectors.

All applied except for the serpent patches.  Please resend those
after you've fixed up the previous serpent patches.

I've also merged your later fixes into these.

Thanks,
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH][RESEND] fix typo in crypto/Kconfig

2011-11-08 Thread Herbert Xu 
On Mon, Nov 07, 2011 at 01:51:51AM -0500, valdis.kletni...@vt.edu wrote:
 (Sent this a while back, I don't see it in next-2004, so resending)
 
 Fix a typo in the Kconfig file help text.
 
 Signed-off-by: Valdis Kletnieks valdis.kletni...@vt.edu

Your patch still does not apply:

$ git apply ~/p
error: patch failed: crypto/Kconfig:104
error: crypto/Kconfig: patch does not apply
$ 

Thanks,
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] crypto: Small spelling correction for Kconfig CRYPTO_USER

2011-11-08 Thread Herbert Xu 
On Sun, Nov 06, 2011 at 10:41:44AM +0100, Jörg Sommer wrote:
 Signed-off-by: Jörg Sommer jo...@alea.gnuu.de

Your patch doesn't apply against my tree:

error: patch failed: crypto/Kconfig:104
error: crypto/Kconfig: patch does not apply
Patch failed at 0001.
When you have resolved this problem run git-am --resolved.
If you would prefer to skip this patch, instead run git-am --skip.

Thanks,
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] ansi_cprng: enforce key != seed in fips mode

2011-11-08 Thread Herbert Xu 
On Fri, Nov 04, 2011 at 11:25:13AM -0400, Neil Horman wrote:
 On Fri, Nov 04, 2011 at 10:01:25AM -0400, Jarod Wilson wrote:
  Apparently, NIST is tightening up its requirements for FIPS validation
  with respect to RNGs. Its always been required that in fips mode, the
  ansi cprng not be fed key and seed material that was identical, but
  they're now interpreting FIPS 140-2, section AS07.09 as requiring that
  the implementation itself must enforce the requirement. Easy fix, we
  just do a memcmp of key and seed in fips_cprng_reset and call it a day.
  
  v2: Per Neil's advice, ensure slen is sufficiently long before we
  compare key and seed to avoid looking at potentially unallocated mem.
  
  CC: Neil Horman nhor...@tuxdriver.com
  CC: Stephan Mueller smuel...@atsec.com
  CC: Steve Grubb sgr...@redhat.com
  Signed-off-by: Jarod Wilson ja...@redhat.com
 Thanks Jarod.  Adding Herbert to the cc list so he can pull this into the 
 crypto
 tree.
 
 Acked-by: Neil Horman nhor...@tuxdriver.com

Patch applied.  Jarod, please cc me in future for patches.

Thanks!
-- 
Email: Herbert Xu herb...@gondor.apana.org.au
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov 
 Simple, you break a range policy into parts that can be expressed
 as network/mask and install multiple policies.  The actual policies
 in the kernel just has to have the same effect as the one you
 negotiated with the other side, it does not have to look the same.

 This is also why you can do the same thing with masks + netfilter.

 Cheers,


Please describe in detail, including the schema and sample configuration files!

The fact that I have already tried some options and I did not. Here is a link 
to a Russian-language correspondence on my problem: 
http://www.opennet.ru/openforum/vsluhforumID10/4941.html.

Once again, draw a diagram of which should be implemented:

 (server)   
 (client 1)
 ___
  ___
 |  |   
 |  |---192.168.7.1
 |  |   
 |  |---192.168.7.2
192.168.1.0/24---|  
|192.168.5.1/24192.168.5.2/24|  |---192.168.7.3
 |  |   |   
 |  |---192.168.7.4
 |__|   |   
 |__|---192.168.7.5  
|
|   
  (client 2)
|   
 ___
|   
 |  |---192.168.7.6
|   
 |  |---192.168.7.7

---192.168.5.3/24|  |---192.168.7.8
|   
 |  |---192.168.7.9
|   
 |__|---192.168.7.10
|
|   
  (client 3)
|   
 ___
|   
 |  |---192.168.7.11
|   
 |  |---192.168.7.12

---192.168.5.4/24|  |---192.168.7.13

 |  |---192.168.7.14

 |__|---192.168.7.15


Tried to do the following:

1) network to host. The connection of course been established, but not all 
traffic be encrypted.
2) host to host. similarly to 1.
3) network to IP range. I tried different configurations, but the connection 
did not succeed.

So I came to the conclusion that when we point to the IP range zywall IPSec we 
actually prescribe what kind of traffic will be encrypted. The rest will be 
routed but no encryption. Correct if I'm wrong.
If you are not working hard to lay out the configuration files!

--
To unsubscribe from this list: send the line unsubscribe linux-crypto in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html