From: Patryk Duda Date: Tue, 17 Sep 2019 08:12:49 +0000 (+0000) Subject: kernel-pfkey: Pass ESN flag to kernel if ESN is enabled X-Git-Tag: 5.8.2dr1~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=121390fb3cdcb51e5a81f926cc3f6118d2b1e6ab;p=thirdparty%2Fstrongswan.git kernel-pfkey: Pass ESN flag to kernel if ESN is enabled This patch adds passing the ESN flag to the kernel if ESN was negotiated and the appropriate flag is present in the kernel headers, which will be the case in future FreeBSD releases. Signed-off-by: Patryk Duda Closes strongswan/strongswan#155.
---
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 37170a310e..92bbe5796f 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1758,6 +1758,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->sadb_sa_replay = min(data->replay_window, 32);
 #else
 sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
+#endif
+ }
+ if (data->esn)
+ {
+#ifdef SADB_X_SAFLAGS_ESN
+ DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
+ sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
+#else
+ DBG1(DBG_KNL, "extended sequence numbers (ESN) not supported by "
+ "kernel!");
+ return FAILED;
 #endif
 }
 sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
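Review bot: The `#else` branch logs "not supported by kernel!", but `#ifdef SADB_X_SAFLAGS_ESN` only tests the headers the plugin was built against, so the message can mislead when the build host and the running kernel differ. Conversely, a build that has the flag sets it in `sadb_sa_flags` unconditionally, and what an older kernel does with it is not visible in this hunk. Failing the install rather than silently dropping ESN looks like the right choice, because the peers would otherwise disagree on the sequence-number state covered by the integrity check. That reasoning deserves a comment above `return FAILED;`, such as `/* ESN was negotiated; an SA installed without it would not interoperate */`. add_sa starts and ends outside the hunk, so confirm that nothing acquired earlier in the function needs releasing before this early return.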