kernel-netlink: Use correct 4 byte alignment for AH with IPv4
authorTobias Brunner <tobias@strongswan.org>
Fri, 4 Nov 2016 09:14:30 +0000 (10:14 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 25 Jan 2017 16:51:35 +0000 (17:51 +0100)
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4.  For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index b2ccbe04194e3eebe9fa38393b140f08d03b3226..1d5e3b2bd291bdd40f019f2a8c148c8271d09e19 100644 (file)
@@ -1369,6 +1369,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                default:
                        break;
        }
+       if (id->proto == IPPROTO_AH && sa->family == AF_INET)
+       {       /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
+                * alignment that's used by default but is only valid for IPv6 */
+               sa->flags |= XFRM_STATE_ALIGN4;
+       }
 
        sa->reqid = data->reqid;
        sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
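Review bot: The added block sets `XFRM_STATE_ALIGN4` unconditionally for AH over IPv4, but its comment does not record two things an operator needs: the kernel only supports the flag since 2.6.39 (per the commit message), and the change alters the AH padding on the wire. For HMAC_SHA2_256_128 this presumably shortens the AH header, so a peer that still pads to 8 bytes may fail to interoperate once only one side is upgraded. I would extend the comment, e.g. `/* honoured by kernels >= 2.6.39; changes AH padding on the wire, so both peers must use 4 byte alignment */`, and mention the interoperability change in the release notes. add_sa's body starts and ends outside the hunk, so how an older kernel reacts to the flag cannot be confirmed from here.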