
xfrm: Add basic infrastructure to support IPsec extended sequence numbers

This patch adds the struct xfrm_replay_state_esn which will be
used to support IPsec extended sequence numbers and anti replay windows
bigger than 32 packets. Also we add a function that returns the actual
size of the xfrm_replay_state_esn, a xfrm netlink attribute and a xfrm state
flag for the use of extended sequence numbers.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Steffen Klassert and committed by
David S. Miller
9736acf3 a5079d08

+19
+12
include/linux/xfrm.h
··· 84 84 __u32 bitmap; 85 85 }; 86 86 87 + struct xfrm_replay_state_esn { 88 + unsigned int bmp_len; 89 + __u32 oseq; 90 + __u32 seq; 91 + __u32 oseq_hi; 92 + __u32 seq_hi; 93 + __u32 replay_window; 94 + __u32 bmp[0]; 95 + }; 96 + 87 97 struct xfrm_algo { 88 98 char alg_name[64]; 89 99 unsigned int alg_key_len; /* in bits */ ··· 294 284 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ 295 285 XFRMA_MARK, /* struct xfrm_mark */ 296 286 XFRMA_TFCPAD, /* __u32 */ 287 + XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */ 297 288 __XFRMA_MAX 298 289 299 290 #define XFRMA_MAX (__XFRMA_MAX - 1) ··· 362 351 #define XFRM_STATE_ICMP 16 363 352 #define XFRM_STATE_AF_UNSPEC 32 364 353 #define XFRM_STATE_ALIGN4 64 354 + #define XFRM_STATE_ESN 128 365 355 }; 366 356 367 357 struct xfrm_usersa_id {
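Review bot: The comment on the new `XFRMA_REPLAY_ESN_VAL` entry names `struct xfrm_replay_esn`, a type that does not exist; the payload type added above it is `struct xfrm_replay_state_esn`, so the line should read `XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_state_esn */`. Because this attribute's payload ends in the variable-length `bmp[]` array, a netlink policy can only statically check `sizeof(struct xfrm_replay_state_esn)`; whichever code consumes the attribute (not part of this hunk) has to verify that `nla_len` covers `bmp_len` words and cap `bmp_len` before allocating or copying, since both `bmp_len` and `replay_window` arrive from userspace and nothing here ties `replay_window` to `bmp_len * 32`. Consider `__u32 bmp[];` (C99 flexible array member) rather than the `bmp[0]` GNU extension, unless the zero-length form is kept deliberately because this header appears to be exported to userspace.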
+7
include/net/xfrm.h
··· 186 186 187 187 /* State for replay detection */ 188 188 struct xfrm_replay_state replay; 189 + struct xfrm_replay_state_esn *replay_esn; 189 190 190 191 /* Replay detection state at the time we sent the last notification */ 191 192 struct xfrm_replay_state preplay; 193 + struct xfrm_replay_state_esn *preplay_esn; 192 194 193 195 /* internal flag that only holds state for delayed aevent at the 194 196 * moment ··· 1569 1567 static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg) 1570 1568 { 1571 1569 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1570 + } 1571 + 1572 + static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn) 1573 + { 1574 + return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); 1572 1575 } 1573 1576 1574 1577 #ifdef CONFIG_XFRM_MIGRATE
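Review bot: `xfrm_replay_state_esn_len()` returns `int` but evaluates `sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32)`, a `size_t` expression driven by `bmp_len`, which will be populated from the `XFRMA_REPLAY_ESN_VAL` attribute and is therefore user-controlled; a large `bmp_len` pushes the product past `INT_MAX` (and wraps outright on 32-bit), so the truncated return value can come back small or negative. Callers that use the result as an attribute length or an allocation size must cap `bmp_len` first, since the helper itself cannot report overflow, and the parameter could be `const struct xfrm_replay_state_esn *replay_esn` to match `xfrm_alg_auth_len()` directly above it. The new `replay_esn` and `preplay_esn` members of `struct xfrm_state` (whose definition starts outside this hunk) are owned pointers, so the state destructor and any clone/migrate paths will need to free and duplicate them; none of that is visible in this commit, which its message describes as basic infrastructure only.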