By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
default:
break;
}
+ if (id->proto == IPPROTO_AH && sa->family == AF_INET)
+ { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
+ * alignment that's used by default but is only valid for IPv6 */
+ sa->flags |= XFRM_STATE_ALIGN4;
+ }
sa->reqid = data->reqid;
sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);