This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.
Signed-off-by: Patryk Duda <pdk@semihalf.com>
Closes strongswan/strongswan#155.
sa->sadb_sa_replay = min(data->replay_window, 32);
#else
sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
+#endif
+ }
+ if (data->esn)
+ {
+#ifdef SADB_X_SAFLAGS_ESN
+ DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
+ sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
+#else
+ DBG1(DBG_KNL, "extended sequence numbers (ESN) not supported by "
+ "kernel!");
+ return FAILED;
#endif
}
sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
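Review bot: The `#else` branch ending in `return FAILED;` decides ESN support from the build-time headers (`SADB_X_SAFLAGS_ESN`), not from the running kernel, so the log text "not supported by kernel!" can mislead. The inverse case, a binary built with the flag but run on a kernel that lacks it, is not handled in the visible lines; it is worth confirming that the kernel rejects rather than silently ignores an unknown `sadb_sa_flags` bit. Failing closed here is the right choice, because the peer would otherwise compute ICVs over sequence-number bits the local SA does not track, and that reasoning deserves a comment such as `/* ESN was negotiated: refuse rather than install an SA without it */`. I would also reword the message to `"extended sequence numbers (ESN) not supported by kernel headers at build time"`. The enclosing function starts and ends outside the hunk, so whether anything set up earlier needs cleanup before the early return cannot be checked from here.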