kernel-pfkey: Add support for AES-GCM
authorTobias Brunner <tobias@strongswan.org>
Wed, 29 Jul 2015 09:23:34 +0000 (11:23 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 20 Aug 2015 16:55:45 +0000 (18:55 +0200)
The next release of FreeBSD will support this.

While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it.  When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).

src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index 50b804c..f1b975e 100644 (file)
 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
 #endif
 
+#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
+#define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
+#define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
+#define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
+#endif
+
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
 #define SOL_IPV6 IPPROTO_IPV6
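Review bot: The added compatibility block tests only `SADB_X_EALG_AESGCM8` before also aliasing the ICV12 and ICV16 names, so a header that ships just the 8-byte variant would produce macros that expand to undeclared identifiers. That fails at compile time rather than silently, but the guard could state what it relies on: `#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8) && defined(SADB_X_EALG_AESGCM12) && defined(SADB_X_EALG_AESGCM16)`. A one-line comment such as `/* some pfkeyv2.h headers (presumably FreeBSD's, per the commit message) use the SADB_X_EALG_AESGCM* spelling */` would also explain why two spellings are handled.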
@@ -826,9 +832,11 @@ static kernel_algorithm_t encryption_algs[] = {
 /*  {ENCR_AES_CCM_ICV8,                        SADB_X_EALG_AES_CCM_ICV8        }, */
 /*     {ENCR_AES_CCM_ICV12,            SADB_X_EALG_AES_CCM_ICV12       }, */
 /*     {ENCR_AES_CCM_ICV16,            SADB_X_EALG_AES_CCM_ICV16       }, */
-/*     {ENCR_AES_GCM_ICV8,                     SADB_X_EALG_AES_GCM_ICV8        }, */
-/*     {ENCR_AES_GCM_ICV12,            SADB_X_EALG_AES_GCM_ICV12       }, */
-/*     {ENCR_AES_GCM_ICV16,            SADB_X_EALG_AES_GCM_ICV16       }, */
+#ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
+       {ENCR_AES_GCM_ICV8,                     SADB_X_EALG_AES_GCM_ICV8        },
+       {ENCR_AES_GCM_ICV12,            SADB_X_EALG_AES_GCM_ICV12       },
+       {ENCR_AES_GCM_ICV16,            SADB_X_EALG_AES_GCM_ICV16       },
+#endif
        {END_OF_LIST,                           0                                                       },
 };
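Review bot: The `#ifdef SADB_X_EALG_AES_GCM_ICV8` around the three new table entries is also true on Linux, where, per the commit message, pfkeyv2.h defines the constants but PF_KEY cannot install AES-GCM SAs. Nothing in the visible lines keeps the mapping from being used there, so an AES-GCM ESP proposal could presumably be negotiated and then fail at SA installation; whether a check elsewhere in the file covers this cannot be seen from the hunk. I would record the limitation next to the entries, e.g. `/* Linux defines these identifiers but its PF_KEY interface cannot look up AEAD algorithms, so SA installation fails there */`, and consider narrowing the guard to `#if defined(SADB_X_EALG_AES_GCM_ICV8) && !defined(__linux__)` if that matches the intent. The `encryption_algs[]` table begins outside the hunk.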