author | Tobias Brunner <tobias@strongswan.org> | 2017-11-07 14:26:14 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-11-08 16:35:38 +0100 |
commit | 88a8fba1c76eda1c39dce4d0b2038c760f6d6140 (patch) | |
tree | be647219db8f571c7ff52c6b341fff6a4b8fda18 | |
parent | 21a500a092e4a2a0f91118846fede5f445d59d31 (diff) | |
kernel-pfkey: Support anti-replay windows > 2k
FreeBSD 11.1 supports a new PF_KEY extension (SADB_X_EXT_SA_REPLAY) for configuring larger anti-replay windows; with it, the window is given as a number of packets instead of as the size of the replay bitmap in bytes.
Fixes #2461.
-rw-r--r-- | src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index eca0bc132..710107889 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1740,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 #ifdef __linux__
 sa->sadb_sa_replay = min(data->replay_window, 32);
 #else
- sa->sadb_sa_replay = (data->replay_window + 7) / 8;
+ sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);
 #endif
 }
 sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
@@ -1749,6 +1749,19 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 PFKEY_EXT_ADD(msg, sa);
+#ifdef SADB_X_EXT_SA_REPLAY
+ if (data->inbound)
+ {
+ struct sadb_x_sa_replay *replay;
+
+ replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg);
+ replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY;
+ replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay));
+ replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32);
+ PFKEY_EXT_ADD(msg, replay);
+ }
+#endif
+
 
 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); |
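Review bot: The new clamp in `sa->sadb_sa_replay = min((data->replay_window + 7) / 8, UINT8_MAX);` silently caps the legacy bitmap-size field at 255 bytes, so on a kernel without SADB_X_EXT_SA_REPLAY a configured window above 2040 packets is installed with a smaller effective window and the operator gets no indication of it. A debug line in the `#else` branch when `(data->replay_window + 7) / 8 > UINT8_MAX`, e.g. `DBG1(DBG_KNL, "replay window of %u packets not supported, using %u", data->replay_window, UINT8_MAX * 8);` (guarded so it is skipped when the extension below is compiled in), would make the fallback visible; the unchanged Linux branch has the same silent behaviour but is not part of this commit. The enclosing add_sa method starts and ends outside the hunk.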
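Review bot: The bound in `replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32);` is an unexplained magic value, and nothing in the hunk says why 32 is held back below the field's maximum; presumably the kernel rounds the window up to a whole 32-bit bitmap word and that rounding would overflow a uint32_t at UINT32_MAX, but that should be stated rather than inferred. Suggest a comment above the assignment such as `/* leave headroom below UINT32_MAX, the kernel may round the window up to the next 32-bit word (TODO confirm against FreeBSD's key.c) */`. The extension is only emitted for `data->inbound`, while the legacy `sadb_sa_replay` field a few lines up is still filled for both directions; a one-line comment noting that replay protection only applies to inbound SAs would explain the asymmetry. The extra extension also enlarges the PF_KEY message written through `PFKEY_EXT_ADD_NEXT(msg)`; the buffer backing `msg` is declared outside the hunk, so its size should be checked to cover `sizeof(struct sadb_x_sa_replay)`. The enclosing add_sa method starts and ends outside the hunk.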