specifying keysize in bits, as it is required in IKEv2
authorMartin Willi <martin@strongswan.org>
Fri, 9 Jun 2006 07:31:30 +0000 (07:31 -0000)
committerMartin Willi <martin@strongswan.org>
Fri, 9 Jun 2006 07:31:30 +0000 (07:31 -0000)
added generic kernel SA algorithm handling, which brings us:
        aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs

src/charon/config/proposal.h
src/charon/encoding/payloads/transform_substructure.c
src/charon/sa/child_sa.c
src/charon/sa/ike_sa.c
src/charon/testing/kernel_interface_test.c
src/charon/threads/kernel_interface.c
src/charon/threads/kernel_interface.h
src/charon/threads/stroke_interface.c

index 0281955..9cb8f04 100644 (file)
@@ -112,7 +112,7 @@ struct algorithm_t {
        u_int16_t algorithm;
        
        /**
-        * the associated key size, or zero if not needed
+        * the associated key size in bits, or zero if not needed
         */
        u_int16_t key_size;
 };
index 350ad63..d814f76 100644 (file)
@@ -473,12 +473,15 @@ transform_substructure_t *transform_substructure_create_type(transform_type_t tr
        transform->set_transform_type(transform,transform_type);
        transform->set_transform_id(transform,transform_id);
        
-       /* a keylength attribute is only created for AES encryption */
+       /* a keylength attribute is only created for variable length algos */
        if (transform_type == ENCRYPTION_ALGORITHM &&
-               transform_id == ENCR_AES_CBC)
+               (transform_id == ENCR_AES_CBC ||
+                transform_id == ENCR_IDEA ||
+                transform_id == ENCR_CAST ||
+                transform_id == ENCR_BLOWFISH))
        {
                transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
-               transform->add_transform_attribute(transform,attribute);                
+               transform->add_transform_attribute(transform,attribute);
        }
 
        return transform;
index 87fcea0..af73bc1 100644 (file)
@@ -164,13 +164,9 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
 static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
 {
        u_int32_t spi;
-       encryption_algorithm_t enc_algo;
-       integrity_algorithm_t int_algo;
-       chunk_t enc_key, int_key;
-       algorithm_t *algo;
-       crypter_t *crypter;
-       signer_t *signer;
-       size_t key_size;
+       algorithm_t *enc_algo, *int_algo;
+       algorithm_t enc_algo_none = {ENCR_UNDEFINED, 0};
+       algorithm_t int_algo_none = {AUTH_UNDEFINED, 0};
        host_t *src;
        host_t *dst;
        status_t status;
@@ -201,75 +197,44 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
                this->other.spi = spi;
        }
        
-       /* derive encryption key first */
-       if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
+       this->logger->log(this->logger, CONTROL|LEVEL1, "Adding %s %s SA",
+                                         mine ? "inbound" : "outbound",
+                                         mapping_find(protocol_id_m, this->protocol));
+       
+       /* select encryption algo */
+       if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo))
        {
-               enc_algo = algo->algorithm;
-               this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
-                                                       mapping_find(protocol_id_m, this->protocol),
-                                                       mine ? "me" : "other",
-                                                       mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
-                                                       mapping_find(encryption_algorithm_m, enc_algo));
-               
-               /* we must create a (unused) crypter, since its the only way to get the size
-                * of the key. This is not so nice, since charon must support all algorithms
-                * the kernel supports...
-                * TODO: build something of a encryption algorithm lookup function 
-                */
-               crypter = crypter_create(enc_algo, algo->key_size);
-               key_size = crypter->get_key_size(crypter);
-               crypter->destroy(crypter);
-               prf_plus->allocate_bytes(prf_plus, key_size, &enc_key);
-               this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key);
+               this->logger->log(this->logger, CONTROL|LEVEL2, "  using %s for encryption",
+                                                       mapping_find(encryption_algorithm_m, enc_algo->algorithm));
        }
        else
        {
-               enc_algo = ENCR_UNDEFINED;
+               enc_algo = &enc_algo_none;
        }
        
-       /* derive integrity key */
-       if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
+       /* select integrity algo */
+       if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo))
        {
-               int_algo = algo->algorithm;
-               this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
-                                                       mapping_find(protocol_id_m, this->protocol),
-                                                       mine ? "me" : "other",
-                                                       mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
-                                                       mapping_find(integrity_algorithm_m, algo->algorithm));
-               
-               signer = signer_create(int_algo);
-               key_size = signer->get_key_size(signer);
-               signer->destroy(signer);
-               prf_plus->allocate_bytes(prf_plus, key_size, &int_key);
-               this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key);
+               this->logger->log(this->logger, CONTROL|LEVEL2, "  using %s for integrity",
+                                                 mapping_find(integrity_algorithm_m, int_algo->algorithm));
        }
        else
        {
-               int_algo = AUTH_UNDEFINED;
+               int_algo = &int_algo_none;
        }
        
-       /* send keys down to kernel */
-       this->logger->log(this->logger, CONTROL|LEVEL1, 
-                                               "installing 0x%.8x for %s, src %s dst %s",
-                                               ntohl(spi), mapping_find(protocol_id_m, this->protocol), 
-                                               src->get_address(src), dst->get_address(dst));
+       /* send SA down to the kernel */
+       this->logger->log(this->logger, CONTROL|LEVEL2,
+                                               "  SPI 0x%.8x, src %s dst %s",
+                                               ntohl(spi), src->get_address(src), dst->get_address(dst));
        status = charon->kernel_interface->add_sa(charon->kernel_interface,
                                                                                                src, dst,
                                                                                                spi, this->protocol,
                                                                                                this->reqid,
                                                                                                mine ? 0 : this->soft_lifetime,
                                                                                                this->hard_lifetime,
-                                                                                               enc_algo, enc_key,
-                                                                                               int_algo, int_key, mine);
-       /* clean up */
-       if (enc_algo != ENCR_UNDEFINED)
-       {
-               chunk_free(&enc_key);
-       }
-       if (int_algo != AUTH_UNDEFINED)
-       {
-               chunk_free(&int_key);
-       }
+                                                                                               enc_algo, int_algo, prf_plus, mine);
+
        return status;
 }
 
index bc18713..8dbca19 100644 (file)
@@ -486,8 +486,8 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
                this->crypter_responder->destroy(this->crypter_responder);
        }
        
-       this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size);
-       this->crypter_responder = crypter_create(algo->algorithm, algo->key_size);
+       this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size / 8);
+       this->crypter_responder = crypter_create(algo->algorithm, algo->key_size / 8);
        if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
        {
                this->logger->log(this->logger, ERROR|LEVEL1, 
index 29b3dc3..a5638dc 100644 (file)
@@ -39,24 +39,18 @@ void test_kernel_interface(protected_tester_t *tester)
        u_int32_t spi;
        host_t *me, *other, *left, *right;
        status_t status;
-       
-       u_int8_t enc_key_bytes[] = {
-               0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
-               0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
-       };
-       
-       u_int8_t inc_key_bytes[] = {
-               0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+       prf_plus_t *prf_plus;
+       prf_t *prf;     
+       u_int8_t key_bytes[] = {
                0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
        };
+       chunk_t key = chunk_from_buf(key_bytes);
+       algorithm_t int_alg = {AUTH_HMAC_MD5_96, 0};
+       algorithm_t enc_alg = {ENCR_AES_CBC, 128};
        
-       chunk_t enc_key,inc_key;
-       enc_key.ptr = enc_key_bytes;
-       enc_key.len = sizeof(enc_key_bytes);
-       inc_key.ptr = inc_key_bytes;
-       inc_key.len = sizeof(inc_key_bytes);
-       
-       
+       prf = prf_create(PRF_HMAC_MD5);
+       prf->set_key(prf, key);
+       prf_plus = prf_plus_create(prf, key);   
        
        kernel_interface = kernel_interface_create();
        
@@ -66,7 +60,7 @@ void test_kernel_interface(protected_tester_t *tester)
        status = kernel_interface->get_spi(kernel_interface, me, other, 50, 1234, &spi);
        tester->assert_true(tester, status == SUCCESS, "spi get");
        
-       status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, 1234, 5, 10, ENCR_AES_CBC, enc_key,AUTH_UNDEFINED,inc_key,TRUE);        
+       status = kernel_interface->add_sa(kernel_interface, me, other, spi, 50, 1234, 5, 10, &enc_alg, &int_alg, prf_plus,  TRUE);      
        tester->assert_true(tester, status == SUCCESS, "add sa");
        
        left = host_create(AF_INET, "10.1.0.0", 0);
index 41dee48..b78f674 100644 (file)
@@ -45,7 +45,7 @@
 
 #define SPD_PRIORITY 1024
 
-#define XFRM_DATA_LENGTH 512
+#define XFRM_DATA_LENGTH 1024
 
 
 typedef struct xfrm_data_t xfrm_data_t;
@@ -109,6 +109,85 @@ struct netlink_message_t {
        u_int8_t data[XFRM_DATA_LENGTH];
 };
 
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping from the algorithms defined in IKEv2 to
+ * kernel level algorithm names and their key length
+ */
+struct kernel_algorithm_t {
+       /**
+        * Identifier specified in IKEv2
+        */
+       int ikev2_id;
+       
+       /**
+        * Name of the algorithm, as used as kernel identifier
+        */
+       char *name;
+       
+       /**
+        * Key length in bits, if fixed size
+        */
+       u_int key_size;
+};
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+kernel_algorithm_t encryption_algs[] = {
+/*     {ENCR_DES_IV64,         "***",                  0}, */
+       {ENCR_DES,                      "des",                  64},
+       {ENCR_3DES,             "des3_ede",             192},
+/*     {ENCR_RC5,                      "***",                  0}, */
+/*     {ENCR_IDEA,             "***",                  0}, */
+       {ENCR_CAST,             "cast128",              0},
+       {ENCR_BLOWFISH,         "blowfish",             0},
+/*     {ENCR_3IDEA,            "***",                  0}, */
+/*     {ENCR_DES_IV32,         "***",                  0}, */
+       {ENCR_NULL,             "cipher_null",  0},
+       {ENCR_AES_CBC,          "aes",                  0},
+/*     {ENCR_AES_CTR,          "***",                  0}, */
+       {END_OF_LIST,           NULL,                   0},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+kernel_algorithm_t integrity_algs[] = {
+       {AUTH_HMAC_MD5_96,      "md5",                  128},
+       {AUTH_HMAC_SHA1_96,     "sha1",                 160},
+/*     {AUTH_DES_MAC,          "***",                  0}, */
+/*     {AUTH_KPDK_MD5,         "***",                  0}, */
+/*     {AUTH_AES_XCBC_96,      "***",                  0}, */
+       {END_OF_LIST,           NULL,                   0},
+};
+
+/**
+ * Look up a kernel algorithm name and its key size
+ */
+char* lookup_algorithm(kernel_algorithm_t *kernel_algo, algorithm_t *ikev2_algo, u_int *key_size)
+{
+       while (kernel_algo->ikev2_id != END_OF_LIST)
+       {
+               if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
+               {
+                       /* match, evaluate key length */
+                       if (ikev2_algo->key_size)
+                       {       /* variable length */
+                               *key_size = ikev2_algo->key_size;
+                       }
+                       else
+                       {       /* fixed length */
+                               *key_size = kernel_algo->key_size;
+                       }
+                       return kernel_algo->name;
+               }
+               kernel_algo++;
+       }
+       return NULL;    
+}
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
@@ -174,42 +253,6 @@ struct private_kernel_interface_t {
 };
 
 /**
- * In the kernel, algorithms are identified as strings, we use our
- * mapping functions...
- * Algorithms for encryption.
- * TODO: Add missing algorithm strings
- */
-mapping_t kernel_encryption_algs_m[] = {
-       {ENCR_DES_IV64, ""},
-       {ENCR_DES, "des"},
-       {ENCR_3DES, "des3_ede"},
-       {ENCR_RC5, ""},
-       {ENCR_IDEA, "idea"},
-       {ENCR_CAST, "cast128"},
-       {ENCR_BLOWFISH, "blowfish"},
-       {ENCR_3IDEA, ""},
-       {ENCR_DES_IV32, ""},
-       {ENCR_NULL, ""},
-       {ENCR_AES_CBC, "aes"},
-       {ENCR_AES_CTR, ""},
-       {MAPPING_END, NULL}
-};
-/**
- * In the kernel, algorithms are identified as strings, we use our
- * mapping functions...
- * Algorithms for integrity protection.
- * TODO: Add missing algorithm strings
- */
-mapping_t kernel_integrity_algs_m[] = {
-       {AUTH_HMAC_MD5_96, "md5"},
-       {AUTH_HMAC_SHA1_96, "sha1"},
-       {AUTH_DES_MAC, ""},
-       {AUTH_KPDK_MD5, ""},
-       {AUTH_AES_XCBC_96, ""},
-       {MAPPING_END, NULL}
-};
-
-/**
  * Implementation of kernel_interface_t.get_spi.
  */
 static status_t get_spi(private_kernel_interface_t *this, 
@@ -277,15 +320,17 @@ static status_t add_sa(   private_kernel_interface_t *this,
                                                u_int32_t reqid,
                                                u_int64_t expire_soft,
                                                u_int64_t expire_hard,
-                                               encryption_algorithm_t enc_alg,
-                                               chunk_t encryption_key,
-                                               integrity_algorithm_t int_alg,
-                                               chunk_t integrity_key,
+                                               algorithm_t *enc_alg,
+                                               algorithm_t *int_alg,
+                                               prf_plus_t *prf_plus,
                                                bool replace)
 {
        netlink_message_t request, *response;
-       memset(&request, 0, sizeof(request));
        status_t status = SUCCESS;
+       int key_size;
+       char *alg_name;
+       
+       memset(&request, 0, sizeof(request));
        
        this->logger->log(this->logger, CONTROL|LEVEL2, "adding SA");
        
@@ -314,36 +359,52 @@ static status_t add_sa(   private_kernel_interface_t *this,
        
        request.hdr.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(request.sa)));
        
-       if (enc_alg != ENCR_UNDEFINED)
+       if (enc_alg->algorithm != ENCR_UNDEFINED)
        {
                xfrm_data_t *data = (xfrm_data_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
                
                data->type = XFRMA_ALG_CRYPT;
-               data->length = 4 + sizeof(data->algo) + encryption_key.len;
-               data->algo.alg_key_len = encryption_key.len * 8;
+               alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
+               if (alg_name == NULL)
+               {
+                       this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!", 
+                                                         mapping_find(encryption_algorithm_m, enc_alg->algorithm));
+                       return FAILED;
+               }
+               this->logger->log(this->logger, CONTROL|LEVEL2, "using key size %d", key_size);
+               data->length = 4 + sizeof(data->algo) + key_size;
+               data->algo.alg_key_len = key_size;
                request.hdr.nlmsg_len += data->length;
                if (request.hdr.nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
-               strcpy(data->algo.alg_name, mapping_find(kernel_encryption_algs_m, enc_alg));
-               memcpy(data->algo.alg_key, encryption_key.ptr, encryption_key.len);
+               strcpy(data->algo.alg_name, alg_name);
+               prf_plus->get_bytes(prf_plus, key_size / 8, data->algo.alg_key);
        }
        
-       if (int_alg != AUTH_UNDEFINED)
+       if (int_alg->algorithm  != AUTH_UNDEFINED)
        {
                xfrm_data_t *data = (xfrm_data_t*)(((u_int8_t*)&request) + request.hdr.nlmsg_len);
                
                data->type = XFRMA_ALG_AUTH;
-               data->length = 4 + sizeof(data->algo) + integrity_key.len;
-               data->algo.alg_key_len = integrity_key.len * 8;
+               alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
+               if (alg_name == NULL)
+               {
+                       this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!", 
+                                                         mapping_find(integrity_algorithm_m, int_alg->algorithm));
+                       return FAILED;
+               }
+               this->logger->log(this->logger, CONTROL|LEVEL2, "using key size %d", key_size);
+               data->length = 4 + sizeof(data->algo) + key_size;
+               data->algo.alg_key_len = key_size;
                request.hdr.nlmsg_len += data->length;
                if (request.hdr.nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
-               strcpy(data->algo.alg_name, mapping_find(kernel_integrity_algs_m, int_alg));
-               memcpy(data->algo.alg_key, integrity_key.ptr, integrity_key.len);
+               strcpy(data->algo.alg_name, alg_name);
+               prf_plus->get_bytes(prf_plus, key_size / 8, data->algo.alg_key);
        }
        
        /* TODO: add IPComp here*/
@@ -739,7 +800,7 @@ kernel_interface_t *kernel_interface_create()
        
        /* public functions */
        this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-       this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,encryption_algorithm_t,chunk_t,integrity_algorithm_t,chunk_t,bool))add_sa;
+       this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,bool))add_sa;
        this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*, host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int,bool,bool,u_int32_t))add_policy;
        this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
        this->public.del_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int))del_policy;
index 6c9a181..9d5846f 100644 (file)
@@ -26,6 +26,7 @@
 #include <linux/xfrm.h>
 
 #include <utils/host.h>
+#include <crypto/prf_plus.h>
 #include <encoding/payloads/proposal_substructure.h>
 
 typedef struct kernel_interface_t kernel_interface_t;
@@ -70,7 +71,9 @@ struct kernel_interface_t {
         * SPI (via get_spi). In this case, the replace
         * flag must be set.
         * This function does install a single SA for a
-        * single protocol in one direction.
+        * single protocol in one direction. The kernel-interface
+        * gets the keys itself from the PRF, as we don't know
+        * his algorithms and key sizes.
         * 
         * @param this                  calling object
         * @param src                   source address for this SA
@@ -81,9 +84,8 @@ struct kernel_interface_t {
         * @param expire_soft   lifetime in seconds before rekeying
         * @param expire_hard   lieftime in seconds before delete
         * @param enc_alg               Algorithm to use for encryption (ESP only)
-        * @param enc_key               Key to use for encryption
         * @param int_alg               Algorithm to use for integrity protection
-        * @param int_key               Key for integrity protection
+        * @param prf_plus              PRF to derive keys
         * @param replace               Should an already installed SA be updated?
         * @return
         *                                              - SUCCESS
@@ -96,10 +98,9 @@ struct kernel_interface_t {
                                u_int32_t reqid,
                                u_int64_t expire_soft,
                                u_int64_t expire_hard,
-                               encryption_algorithm_t enc_alg,
-                               chunk_t enc_key,
-                               integrity_algorithm_t int_alg,
-                               chunk_t int_key,
+                               algorithm_t *enc_alg,
+                               algorithm_t *int_alg,
+                               prf_plus_t *prf_plus,
                                bool replace);
        /**
         * @brief Delete a previusly installed SA from the SAD.
index 33de801..b2d49c9 100755 (executable)
@@ -311,7 +311,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
                                                                   my_host, other_host,
                                                                   RSA_DIGITAL_SIGNATURE);
        proposal = proposal_create(PROTO_IKE);
-       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
+       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
        proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
        proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
        proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
@@ -334,8 +334,12 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
        
        policy = policy_create(msg->add_conn.name, my_id, other_id);
        proposal = proposal_create(PROTO_ESP);
-       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
+       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+       proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
        proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+       proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
        policy->add_proposal(policy, proposal);
        policy->add_my_traffic_selector(policy, my_ts);
        policy->add_other_traffic_selector(policy, other_ts);
@@ -514,6 +518,7 @@ logger_context_t get_context(char *context)
        else if (strcasecmp(context, "CONFG") == 0) return CONFIG;
        else if (strcasecmp(context, "ENCPL") == 0) return ENCRYPTION_PAYLOAD;
        else if (strcasecmp(context, "PAYLD") == 0) return PAYLOAD;
+       else if (strcasecmp(context, "XFRM") == 0) return XFRM;
        else return -2;
 }