linux/net/xfrm
Antony Antony c7a5899eb2 xfrm: redact SA secret with lockdown confidentiality
Redact the XFRM SA secret in the netlink response to xfrm_get_sa()
or dumpall sa.
Enable lockdown, confidentiality mode, at boot or at run time.

e.g. when enabled:
cat /sys/kernel/security/lockdown
none integrity [confidentiality]

ip xfrm state
src 172.16.1.200 dst 172.16.1.100
	proto esp spi 0x00000002 reqid 2 mode tunnel
	replay-window 0
	aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96

Note: the aead secret is redacted.
Redacting the secret is also a FIPS 140-2 requirement.

v1->v2
 - add size checks before memset calls
v2->v3
 - replace spaces with tabs for consistency
v3->v4
 - use kernel lockdown instead of a /proc setting
v4->v5
 - remove kconfig option

Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2020-11-27 11:03:06 +01:00
espintcp.c espintcp: restore IP CB before handing the packet to xfrm 2020-08-17 15:58:04 +02:00
Kconfig xfrm/compat: Add 32=>64-bit messages translator 2020-09-24 08:53:03 +02:00
Makefile xfrm: Provide API to register translator module 2020-09-24 08:53:03 +02:00
xfrm_algo.c crypto: skcipher - remove the "blkcipher" algorithm type 2019-11-01 13:38:32 +08:00
xfrm_compat.c xfrm/compat: Translate 32-bit user_policy from sockptr 2020-09-24 08:53:04 +02:00
xfrm_device.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-25 19:29:51 -07:00
xfrm_hash.c
xfrm_hash.h
xfrm_inout.h xfrm: move xfrm4_extract_header to common helper 2020-05-06 09:40:08 +02:00
xfrm_input.c net: xfrm: convert tasklets to use new tasklet_setup() API 2020-11-07 10:41:15 -08:00
xfrm_interface.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-11-04 08:12:52 -08:00
xfrm_ipcomp.c net: Use skb_frag_off accessors 2019-07-30 14:21:32 -07:00
xfrm_output.c xfrm: merge fixup for "remove output_finish indirection from xfrm_state_afinfo" 2020-06-05 08:10:08 +02:00
xfrm_policy.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
xfrm_proc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xfrm_replay.c xfrm: introduce oseq-may-wrap flag 2020-06-24 07:51:01 +02:00
xfrm_state.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-11-04 08:12:52 -08:00
xfrm_sysctl.c
xfrm_user.c xfrm: redact SA secret with lockdown confidentiality 2020-11-27 11:03:06 +01:00