From 121390fb3cdcb51e5a81f926cc3f6118d2b1e6ab Mon Sep 17 00:00:00 2001
From: Patryk Duda
Date: Tue, 17 Sep 2019 08:12:49 +0000
Subject: [PATCH] kernel-pfkey: Pass ESN flag to kernel if ESN is enabled
This patch adds passing the ESN flag to the kernel if ESN was negotiated and the appropriate flag is present in the kernel headers, which will be the case in future FreeBSD releases.
Signed-off-by: Patryk Duda
Closes strongswan/strongswan#155.
---
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 37170a310e..92bbe5796f 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1758,6 +1758,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->sadb_sa_replay = min(data->replay_window, 32);
 #else
 sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
+#endif
+ }
+ if (data->esn)
+ {
+#ifdef SADB_X_SAFLAGS_ESN
+ DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
+ sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
+#else
+ DBG1(DBG_KNL, "extended sequence numbers (ESN) not supported by "
+ "kernel!");
+ return FAILED;
 #endif
 }
 sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
--
2.47.2
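Review bot: The `#else` branch of the new `if (data->esn)` block logs "not supported by kernel!", but what it detects is that `SADB_X_SAFLAGS_ESN` was absent from the headers the plugin was built against, so the log line points an operator at the running kernel instead of the build. I would reword it along the lines of `"extended sequence numbers (ESN) not supported by this build (SADB_X_SAFLAGS_ESN undefined)"` and put a comment above `return FAILED;` such as `/* fail closed: ESN was negotiated, an SA with 32-bit sequence numbers would fail integrity checks */`. The opposite mismatch is not covered by a compile-time test either: when the flag is defined at build time, nothing visible here shows whether an older running kernel rejects the bit or silently ignores it, which is worth confirming on the targeted FreeBSD releases. add_sa starts and ends outside this hunk, so whether the early return skips any cleanup done on its other exit paths has to be checked against the full function.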