kernel-pfkey: Pass ESN flag to kernel if ESN is enabled master
authorPatryk Duda <pdk@semihalf.com>
Tue, 17 Sep 2019 08:12:49 +0000 (08:12 +0000)
committerTobias Brunner <tobias@strongswan.org>
Mon, 14 Oct 2019 16:03:34 +0000 (18:03 +0200)
This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.

Signed-off-by: Patryk Duda <pdk@semihalf.com>
Closes strongswan/strongswan#155.

src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 37170a3..92bbe57 100644 (file)
@@ -1760,6 +1760,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                        sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
 #endif
                }
+               if (data->esn)
+               {
+#ifdef SADB_X_SAFLAGS_ESN
+                       DBG2(DBG_KNL, "  using extended sequence numbers (ESN)");
+                       sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
+#else
+                       DBG1(DBG_KNL, "extended sequence numbers (ESN) not supported by "
+                                "kernel!");
+                       return FAILED;
+#endif
+               }
                sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
                sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM,
                                                                                           data->enc_alg);
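Review bot: The `#ifdef SADB_X_SAFLAGS_ESN` test in the new `if (data->esn)` block only shows that the build headers define the flag, not that the running kernel honours it. If an older kernel accepts the message and ignores the unknown bit (its behaviour is not visible from this hunk), the SA would be installed with 32-bit sequence numbers while the peer uses ESN, and traffic would fail the integrity check with no log entry pointing at ESN. I would document this on the flag line, for example `/* header check only: a kernel that silently ignores this flag yields an SA without ESN */`. In the `#else` branch the `return FAILED;` fires only at SA installation, after ESN has already been agreed with the peer, so it would be cleaner not to propose ESN on such builds. The body of add_sa starts and ends outside the hunk, so whether this early return skips any cleanup cannot be checked here.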