diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-11-04 10:14:30 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-01-25 17:51:35 +0100 |
commit | 965daa1df3ba55af0851257364c9ea488f8ef2af (patch) | |
tree | 74dbd99cc9f5af372e5f2b0b4b59895eb6672b65 /src/libcharon | |
parent | 8a91729dfe3cda0078c9ce2461e19bfa71414be1 (diff) | |
download | strongswan-965daa1df3ba55af0851257364c9ea488f8ef2af.tar.bz2 strongswan-965daa1df3ba55af0851257364c9ea488f8ef2af.tar.xz |
kernel-netlink: Use correct 4 byte alignment for AH with IPv4
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index b2ccbe041..1d5e3b2bd 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1369,6 +1369,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t, default: break; } + if (id->proto == IPPROTO_AH && sa->family == AF_INET) + { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte + * alignment that's used by default but is only valid for IPv6 */ + sa->flags |= XFRM_STATE_ALIGN4; + } sa->reqid = data->reqid; sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey); |