From: Tobias Brunner
Date: Fri, 5 Jun 2020 09:01:29 +0000 (+0200)
Subject: proposal: Add AES-GCM to the ESP default AEAD proposal
X-Git-Tag: 5.9.0dr2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7bef954eec6953c87f7a336fd0c6e74c1b1ede2;p=thirdparty%2Fstrongswan.git
proposal: Add AES-GCM to the ESP default AEAD proposal
References #3461.
---
diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c
index af2c6874a1..971d5a37c2 100644
--- a/src/libstrongswan/crypto/proposal/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@@ -1298,9 +1298,13 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol)
 }
 return &this->public;
 case PROTO_ESP:
- /* we currently don't include any AEAD proposal for ESP, as we
- * don't know if our kernel backend actually supports it. */
- return NULL;
+ /* AES-GCM should be supported by pretty much all current kernels,
+ * RFC 8221 even made it mandatory */
+ this = (private_proposal_t*)proposal_create(protocol, 0);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256);
+ return &this->public;
 case PROTO_AH:
 default:
 return NULL;
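Review bot: The new PROTO_ESP branch adds only the three ENCR_AES_GCM_ICV16 key sizes and no Extended Sequence Numbers transform, which RFC 7296 lists as mandatory for ESP proposals. Unless proposal_create() or the caller adds one (not visible in this hunk), a peer may reject or fail to match this default; consider `add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);` before the return. The branch also offers AES-GCM without asking the kernel backend whether it is available, so a backend lacking it would presumably fail only when the negotiated SA is installed; the comment could record that, e.g. `/* offered unconditionally; a backend without AES-GCM fails at SA installation */`. proposal_create_default_aead() begins and ends outside the hunk.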