Commit 35d2856b4693e8de5d616307b56cef296b839157

Authored by Martin Willi
Committed by David S. Miller
1 parent 957fca95e3

xfrm: Add Traffic Flow Confidentiality padding XFRM attribute

The XFRMA_TFCPAD attribute for XFRM state installation configures
Traffic Flow Confidentiality by padding ESP packets to a specified
length.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 3 changed files with 19 additions and 2 deletions Side-by-side Diff

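--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -283,6 +283,7 @@
 XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */
 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
 XFRMA_MARK, /* struct xfrm_mark */
+XFRMA_TFCPAD, /* __u32 */
 __XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)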
... ... @@ -143,6 +143,7 @@
143 143 struct xfrm_id id;
144 144 struct xfrm_selector sel;
145 145 struct xfrm_mark mark;
  146 + u32 tfcpad;
146 147  
147 148 u32 genid;
148 149  
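--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -148,7 +148,8 @@
 !attrs[XFRMA_ALG_AUTH_TRUNC]) ||
 attrs[XFRMA_ALG_AEAD] ||
 attrs[XFRMA_ALG_CRYPT] ||
-attrs[XFRMA_ALG_COMP])
+attrs[XFRMA_ALG_COMP] ||
+attrs[XFRMA_TFCPAD])
 goto out;
 break;
 
@@ -165,6 +166,9 @@
 attrs[XFRMA_ALG_CRYPT]) &&
 attrs[XFRMA_ALG_AEAD])
 goto out;
+if (attrs[XFRMA_TFCPAD] &&
+p->mode != XFRM_MODE_TUNNEL)
+goto out;
 break;
 
 case IPPROTO_COMP:
@@ -172,7 +176,8 @@
 attrs[XFRMA_ALG_AEAD] ||
 attrs[XFRMA_ALG_AUTH] ||
 attrs[XFRMA_ALG_AUTH_TRUNC] ||
-attrs[XFRMA_ALG_CRYPT])
+attrs[XFRMA_ALG_CRYPT] ||
+attrs[XFRMA_TFCPAD])
 goto out;
 break;
 
@@ -186,6 +191,7 @@
 attrs[XFRMA_ALG_CRYPT] ||
 attrs[XFRMA_ENCAP] ||
 attrs[XFRMA_SEC_CTX] ||
+attrs[XFRMA_TFCPAD] ||
 !attrs[XFRMA_COADDR])
 goto out;
 break;
@@ -439,6 +445,9 @@
 goto error;
 }
 
+if (attrs[XFRMA_TFCPAD])
+x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+
 if (attrs[XFRMA_COADDR]) {
 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
 sizeof(*x->coaddr), GFP_KERNEL);
@@ -688,6 +697,9 @@
 if (x->encap)
 NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
 
+if (x->tfcpad)
+NLA_PUT_U32(skb, XFRMA_TFCPAD, x->tfcpad);
+
 if (xfrm_mark_put(skb, &x->mark))
 goto nla_put_failure;
 
@@ -2122,6 +2134,7 @@
 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) },
 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) },
 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) },
+[XFRMA_TFCPAD] = { .type = NLA_U32 },
 };
 
 static struct xfrm_link {
@@ -2301,6 +2314,8 @@
 l += nla_total_size(sizeof(*x->calg));
 if (x->encap)
 l += nla_total_size(sizeof(*x->encap));
+if (x->tfcpad)
+l += nla_total_size(sizeof(x->tfcpad));
 if (x->security)
 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) +
 x->security->ctx_len);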
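Review bot: The pad length stored by `x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);` (hunk at -439,6 +445,9) is copied from the netlink message with no range check; the new policy entry `{ .type = NLA_U32 }` constrains only its type, so any 32-bit value is accepted. Nothing in this commit shows where the field is consumed, so it cannot be confirmed from here that the value is clamped to the path MTU before it sizes an ESP packet. I would either bound it when the state is installed or record the contract next to the assignment, for example `/* pad-to length in bytes, unbounded here; the ESP output path must clamp it to the MTU */`. The mode check in the ESP case and the matching `if (x->tfcpad)` guards in the dump and size hunks look consistent with each other. The enclosing functions start and end outside the hunks shown.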