From: Martin Willi
Date: Mon, 31 Jan 2022 13:01:42 +0000 (+0100)
Subject: proposal: Add ESN transform to default ESP AEAD proposal
X-Git-Tag: 5.9.6rc1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=956b25a4cc1848fd0b79f61c9d8065ca32f0ffa3;p=thirdparty%2Fstrongswan.git

proposal: Add ESN transform to default ESP AEAD proposal

The commit mentioned below adds an AES-GCM default proposal for ESP. That proposal does not include any ESN or non-ESN transform to indicate if extended sequence numbers are supported. A standards-compliant peer will include one or more ESN support transforms, and will be unable to select this proposal due to a proposal mismatch.

Fix the default AES-GCM proposal by adding a NO_ESN algorithm. While ESN has been supported in the Linux kernel for a while, having it in the default proposal can be problematic with kernel-libipsec or on other platforms.

Fixes: c7bef954eec6 ("proposal: Add AES-GCM to the ESP default AEAD proposal")
Closes strongswan/strongswan#868
---
diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c index 971d5a37c2..85db91f251 100644 --- a/src/libstrongswan/crypto/proposal/proposal.c +++ b/src/libstrongswan/crypto/proposal/proposal.c @@ -1304,6 +1304,7 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol) add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256); + add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); return &this->public; case PROTO_AH: default:
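
Review bot: The added `add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);` line in `proposal_create_default_aead()` has no comment saying why only NO_EXT_SEQ_NUMBERS is offered and no ESN-enabled transform sits beside it; that rationale (trouble with kernel-libipsec and other platforms) lives only in the commit message. A one-line comment above the call would keep a later edit from adding ESN here or dropping the transform again. The patch as shown touches only proposal.c, so a unit test asserting that the default ESP AEAD proposal contains an EXTENDED_SEQUENCE_NUMBERS transform, and can be selected against a peer proposal that carries one, would guard against the mismatch this commit fixes.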