Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit c5d18e98 authored Apr 22, 2008 by Herbert Xu Committed by David S. Miller Apr 22, 2008

[IPSEC]: Fix catch-22 with algorithm IDs above 31



As it stands it's impossible to use any authentication algorithms
with an ID above 31 portably.  It just happens to work on x86 but
fails miserably on ppc64.

The reason is that we're using a bit mask to check the algorithm
ID but the mask is only 32 bits wide.

After looking at how this is used in the field, I have concluded
that in the long term we should phase out state matching by IDs
because this is made superfluous by the reqid feature.  For current
applications, the best solution IMHO is to allow all algorithms when
the bit masks are all ~0.

The following patch does exactly that.

This bug was identified by IBM when testing on the ppc64 platform
using the NULL authentication algorithm which has an ID of 251.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 7c3f944e

include/net/xfrm.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -436,6 +436,9 @@ struct xfrm_tmpl
		/* May skip this transfomration if no SA is found */
		__u8 optional;

		/* Skip aalgos/ealgos/calgos checks. */
		__u8 allalgs;

		/* Bit mask of algos allowed for acquisition */
		__u32 aalgos;
		__u32 ealgos;

net/key/af_key.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1907,7 +1907,7 @@ parse_ipsecrequest(struct xfrm_policy xp, struct sadb_x_ipsecrequest rq)
		t->encap_family = xp->family;

		/* No way to set this via kame pfkey */
		t->aalgos = t->ealgos = t->calgos = ~0;
		t->allalgs = 1;
		xp->xfrm_nr++;
		return 0;
		}

net/xfrm/xfrm_policy.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1819,7 +1819,7 @@ xfrm_state_ok(struct xfrm_tmpl tmpl, struct xfrm_state x,
		(x->id.spi == tmpl->id.spi \|\| !tmpl->id.spi) &&
		(x->props.reqid == tmpl->reqid \|\| !tmpl->reqid) &&
		x->props.mode == tmpl->mode &&
		((tmpl->aalgos & (1<<x->props.aalgo)) \|\|
		(tmpl->allalgs \|\| (tmpl->aalgos & (1<<x->props.aalgo)) \|\|
		!(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
		!(x->props.mode != XFRM_MODE_TRANSPORT &&
		xfrm_state_addr_cmp(tmpl, x, family));

net/xfrm/xfrm_user.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -981,6 +981,8 @@ static void copy_templates(struct xfrm_policy xp, struct xfrm_user_tmpl ut,
		t->aalgos = ut->aalgos;
		t->ealgos = ut->ealgos;
		t->calgos = ut->calgos;
		/* If all masks are ~0, then we allow all algorithms. */
		t->allalgs = !~(t->aalgos & t->ealgos & t->calgos);
		t->encap_family = ut->family;
		}
		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE