diff -Naur libreswan-3.12-orig/programs/pluto/kernel_netlink.c libreswan-3.12/programs/pluto/kernel_netlink.c
--- libreswan-3.12-orig/programs/pluto/kernel_netlink.c 2015-02-26 22:02:15.641000000 -0600
+++ libreswan-3.12/programs/pluto/kernel_netlink.c 2015-02-26 22:04:29.990000000 -0600
@@ -426,7 +426,7 @@
struct {
struct nlmsghdr n;
struct nlmsgerr e;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
size_t len;
ssize_t r;
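Review bot: Widening `data` to `MAX_NETLINK_DATA_SIZE` only makes the buffer larger; nothing in this hunk — or in the identical ones at -547, -610, -907, -1233, -1513, -1569, -1650 and -2235 — bounds what the message-assembly code writes into it, so the 8 KiB growth should be paired with a check at each rtattr append (outside these hunks, not visible here) of the form `if (NLMSG_ALIGN(req.n.nlmsg_len) + RTA_SPACE(len) > sizeof(req)) { /* reject */ }` before the copy; please confirm whether such a check already exists. Every one of these structs is an automatic variable, so each call now reserves roughly 8 KiB of stack and `zero(&req)` clears all of it, which is presumably acceptable for pluto but deserves a one-line comment next to the define. The enclosing functions start and end outside each hunk.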
@@ -547,7 +547,7 @@
struct {
struct nlmsghdr n;
struct nlmsgerr e;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
int error;
@@ -610,7 +610,7 @@
struct xfrm_userpolicy_info p;
struct xfrm_userpolicy_id id;
} u;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} req;
int shift;
int dir;
@@ -907,7 +907,7 @@
struct {
struct nlmsghdr n;
struct xfrm_usersa_info p;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} req;
struct rtattr *attr;
const struct aead_alg *aead;
@@ -1233,7 +1233,7 @@
struct {
struct nlmsghdr n;
struct xfrm_usersa_id id;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} req;
zero(&req);
@@ -1513,7 +1513,7 @@
struct {
struct nlmsghdr n;
struct xfrm_userpolicy_info pol;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe))) {
@@ -1569,7 +1569,7 @@
{
struct {
struct nlmsghdr n;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
ssize_t r;
struct sockaddr_nl addr;
@@ -1650,7 +1650,7 @@
struct nlmsgerr e;
struct xfrm_usersa_info sa;
} u;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
static bool get_cpi_bug = FALSE; /* sticky after failure */
@@ -2235,7 +2235,7 @@
struct {
struct nlmsghdr n;
struct xfrm_usersa_info info;
- char data[1024];
+ char data[MAX_NETLINK_DATA_SIZE];
} rsp;
zero(&req);
diff -Naur libreswan-3.12-orig/programs/pluto/kernel_netlink.h libreswan-3.12/programs/pluto/kernel_netlink.h
--- libreswan-3.12-orig/programs/pluto/kernel_netlink.h 2014-11-06 21:52:50.000000000 -0600
+++ libreswan-3.12/programs/pluto/kernel_netlink.h 2015-02-26 22:02:44.521000000 -0600
@@ -15,4 +15,13 @@
#if defined(linux) && defined(NETKEY_SUPPORT)
extern const struct kernel_ops netkey_kernel_ops;
+/*
+ * The socket buffer is used to queue netlink messages between sender and
+ * receiver. The size of these buffers specifies the maximum size you will be
+ * able to write() to a netlink socket, i.e. it will indirectly define the
+ * maximum message size. The default is 32KiB. For now we picked a somewhat
+ * arbitrary maximum of 8192 for the data portion to accomdate large selinux
+ * IPsec labels (see rhbz#1154784)
+ */
+#define MAX_NETLINK_DATA_SIZE 8192
#endif
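Review bot: The comment calls 8192 "somewhat arbitrary", but the value is only safe while it exceeds `MAX_SECCTX_LEN` (4096 in state.h) plus the xfrm_user_sec_ctx header and the other attributes of the request, and nothing enforces that relationship; a preprocessor check at a point where both macros are visible, e.g. `#if MAX_SECCTX_LEN >= MAX_NETLINK_DATA_SIZE` / `#error "security label cannot fit in the netlink request buffer"` / `#endif`, would stop the two from drifting apart (kernel_netlink.c presumably sees both headers — confirm). The comment should also state that derivation explicitly rather than "arbitrary", and note that each buffer is a stack local so the constant is a per-call stack cost as well. Minor: `accomdate` → `accommodate`.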
diff -Naur libreswan-3.12-orig/programs/pluto/state.h libreswan-3.12/programs/pluto/state.h
--- libreswan-3.12-orig/programs/pluto/state.h 2015-02-26 22:02:15.658000000 -0600
+++ libreswan-3.12/programs/pluto/state.h 2015-02-26 22:02:44.521000000 -0600
@@ -195,10 +195,16 @@
};
#ifdef HAVE_LABELED_IPSEC
-/* security label length should not exceed 256 in most cases,
- * (discussed with kernel and selinux people).
+/*
+ * While security label length usually does not exceed 256,
+ * there have been requests (rhbz#1154784) for using larger
+ * labels. The maximum label size is PAGE_SIZE (4096 on a
+ * x86_64, but 64kb on ppc64). However, this label has to fit
+ * inside a netlink message whose maximum size is 32KiB.
+ * For now we picked the somewhat arbitrary size of 4096.
*/
-#define MAX_SECCTX_LEN 257 /* including '\0'*/
+#define MAX_SECCTX_LEN 4096 /* including '\0'*/
+
struct xfrm_user_sec_ctx_ike {
u_int16_t len;
u_int16_t exttype;
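Review bot: The new comment explains why 4096 was chosen but not that the value is also capped by `MAX_NETLINK_DATA_SIZE` (8192 in kernel_netlink.h), the request buffer the label is eventually copied into; a cross-reference such as ` * Must stay well below MAX_NETLINK_DATA_SIZE (kernel_netlink.h), which sizes the netlink request buffer this label is copied into.` would keep the two constants from being changed independently. `struct xfrm_user_sec_ctx_ike` carries a `u_int16_t len`, so 4096 still fits in the length field, but any array sized by `MAX_SECCTX_LEN` (the struct continues past this hunk) grows roughly 16-fold with this change, so it is worth confirming those objects are heap- or statically allocated rather than stack locals. Minor: `64kb` reads as kilobits; `64KiB` matches the `32KiB` on the next line.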