authorTobias Brunner <tobias@strongswan.org>2015-07-29 11:23:34 +0200
committerTobias Brunner <tobias@strongswan.org>2015-08-20 18:55:45 +0200
commite2a252a86f5f65b6f6a5ff80fa7f97f5b8470817 (patch)
tree1a7c184bdd8a3944ea4909c20ead80c177ea44d8 /src
parente79b0e07e4abb9c6005c5706f2638298f86fd499 (diff)
kernel-pfkey: Add support for AES-GCM
The next release of FreeBSD will support this. While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it does not actually support it. When SAs are installed via PF_KEY only a lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in a different table for AEAD algorithms (there is currently no lookup function to find algorithms in that table via PF_KEY identifier).
Diffstat (limited to 'src')
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 50b804c01..f1b975e75 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -106,6 +106,12 @@
#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
#endif
+#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
+#define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
+#define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
+#define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
+#endif
+
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#define SOL_IPV6 IPPROTO_IPV6
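Review bot: The added compatibility block tests only `SADB_X_EALG_AESGCM8` but aliases all three ICV sizes, so a header that provides only some of the `SADB_X_EALG_AESGCM*` names would fail later, in the `encryption_algs` table, with an undeclared-identifier error far from its cause. The `#ifdef SADB_X_EALG_AES_GCM_ICV8` in the second hunk relies on the same assumption. Testing all three makes the fallback self-contained: `#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8) && defined(SADB_X_EALG_AESGCM12) && defined(SADB_X_EALG_AESGCM16)`. A short comment saying which platform's header uses the `AESGCM8/12/16` spelling (presumably FreeBSD, going by the commit message) would also help the next reader.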
@@ -826,9 +832,11 @@ static kernel_algorithm_t encryption_algs[] = {
/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
-/* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
-/* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
-/* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
+#ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
+ {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 },
+ {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 },
+ {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 },
+#endif
{END_OF_LIST, 0 },
};
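Review bot: The `#ifdef SADB_X_EALG_AES_GCM_ICV8` guard is also satisfied on Linux, where the commit message says pfkeyv2.h defines the constants but PF_KEY cannot find AES-GCM in the AEAD table. The three entries are therefore compiled in on a platform whose kernel will reject them, which presumably moves the failure from the userland algorithm lookup to SA installation, after the proposal has already been negotiated. If that is not intended, the guard could exclude Linux, e.g. `#if defined(SADB_X_EALG_AES_GCM_ICV8) && !defined(__linux__)`. Otherwise the comment should record that Linux is expected to fail at install time. The `encryption_algs` array starts outside this hunk, so how its other entries are guarded is not visible here.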