kernel-netlink: Use correct 4 byte alignment for AH with IPv4
authorTobias Brunner <tobias@strongswan.org>
Fri, 4 Nov 2016 09:14:30 +0000 (10:14 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 25 Jan 2017 16:51:35 +0000 (17:51 +0100)
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4.  For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index b2ccbe0..1d5e3b2 100644 (file)
@@ -1369,6 +1369,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                default:
                        break;
        }
+       if (id->proto == IPPROTO_AH && sa->family == AF_INET)
+       {       /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
+                * alignment that's used by default but is only valid for IPv6 */
+               sa->flags |= XFRM_STATE_ALIGN4;
+       }
 
        sa->reqid = data->reqid;
        sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);