From 956b25a4cc1848fd0b79f61c9d8065ca32f0ffa3 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 31 Jan 2022 14:01:42 +0100 Subject: [PATCH] proposal: Add ESN transform to default ESP AEAD proposal The commit mentioned below adds an AES-GCM default proposal for ESP. That proposal does not include any ESN or non-ESN transform to indicate if extended sequence numbers are supported. A standards-compliant peer will include one or more ESN support transforms, and will be unable to select this proposal due to a proposal mismatch. Fix the default AES-GCM proposal by adding a NO_ESN algorithm. While ESN has been supported in the Linux kernel for a while, having it in the default proposal can be problematic with kernel-libipsec or on other platforms. Fixes: c7bef954eec6 ("proposal: Add AES-GCM to the ESP default AEAD proposal") Closes strongswan/strongswan#868 --- src/libstrongswan/crypto/proposal/proposal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c index 971d5a37c..85db91f25 100644 --- a/src/libstrongswan/crypto/proposal/proposal.c +++ b/src/libstrongswan/crypto/proposal/proposal.c @@ -1304,6 +1304,7 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol) add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256); + add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); return &this->public; case PROTO_AH: default: -- 2.47.3