xfrm: Add basic infrastructure to support IPsec extended sequence numbers

This patch adds the struct xfrm_replay_state_esn which will be
used to support IPsec extended sequence numbers and anti replay windows
bigger than 32 packets. Also we add a function that returns the actual
size of the xfrm_replay_state_esn, a xfrm netlink atribute and a xfrm state
flag for the use of extended sequence numbers.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index b93d6f5980851e5c7fe4ea1cfe11235ebada4fd3..22e61fdf75a2bd46a656e164e046a006acd43343 100644 (file)
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -84,6 +84,16 @@ struct xfrm_replay_state {
        __u32   bitmap;
 };
 
+struct xfrm_replay_state_esn {
+       unsigned int    bmp_len;
+       __u32           oseq;
+       __u32           seq;
+       __u32           oseq_hi;
+       __u32           seq_hi;
+       __u32           replay_window;
+       __u32           bmp[0];
+};
+
 struct xfrm_algo {
        char            alg_name[64];
        unsigned int    alg_key_len;    /* in bits */
@@ -284,6 +294,7 @@ enum xfrm_attr_type_t {
        XFRMA_ALG_AUTH_TRUNC,   /* struct xfrm_algo_auth */
        XFRMA_MARK,             /* struct xfrm_mark */
        XFRMA_TFCPAD,           /* __u32 */
+       XFRMA_REPLAY_ESN_VAL,   /* struct xfrm_replay_esn */
        __XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -351,6 +362,7 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_ICMP                16
 #define XFRM_STATE_AF_UNSPEC   32
 #define XFRM_STATE_ALIGN4      64
+#define XFRM_STATE_ESN         128
 };
 
 struct xfrm_usersa_id {

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 8f8bd82606bff3f23f55f27e02f3e2f64731be0e..7640822bc5154c9e15b6339ae3fe5893b9e4d9bf 100644 (file)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -186,9 +186,11 @@ struct xfrm_state {
 
        /* State for replay detection */
        struct xfrm_replay_state replay;
+       struct xfrm_replay_state_esn *replay_esn;
 
        /* Replay detection state at the time we sent the last notification */
        struct xfrm_replay_state preplay;
+       struct xfrm_replay_state_esn *preplay_esn;
 
        /* internal flag that only holds state for delayed aevent at the
         * moment
@@ -1569,6 +1571,11 @@ static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
 }
 
+static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
+{
+       return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
+}
+
 #ifdef CONFIG_XFRM_MIGRATE
 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
 {