From: Tobias Brunner Date: Fri, 23 Feb 2024 16:55:41 +0000 (+0100) Subject: Revert "kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows" X-Git-Tag: android-2.5.1~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f5aa8017f879ce6e5969196da62560586c121ef;p=thirdparty%2Fstrongswan.git Revert "kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows" This reverts commit 8b9b11919d92e9738bb52901c9dbcc72e35b9fed. Since ESN was negotiated via proposal, just configuring the SA without ESN won't work as the ICV will be incorrect if the peer enabled ESN on its SA. While the Linux kernel currently doesn't support disabling replay protection for SAs that use ESN, this at least gets users an explicit error not just dropped packets, and it will automatically work if the kernel supports this combination at some point. References strongswan/strongswan#2117 --- diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 2420236d3b..db0b2ac37a 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -2046,7 +2046,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { data->replay_window = data->esn ? 1 : 0; } - if (data->replay_window != 0 && (data->esn || data->replay_window > 32)) + if (data->esn || data->replay_window > 32) { /* for ESN or larger replay windows we need the new * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
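Review bot: With the `data->replay_window != 0 &&` guard dropped from the condition, an SA with ESN and an explicitly configured zero replay window now takes the XFRMA_REPLAY_ESN_VAL branch, which the commit message says the current Linux kernel rejects; the block comment that follows ("for ESN or larger replay windows we need the new XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap") should say that routing the zero-window ESN case here is deliberate, so that a later reader does not reinstate the guard to silence the kernel error and thereby reintroduce the silent ICV mismatch described in the message. It is also worth confirming that the bitmap sizing inside this branch handles a window of 0 without underflow, since that input could not reach it before this change.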