From: Tobias Brunner
Date: Fri, 5 Jun 2020 09:12:06 +0000 (+0200)
Subject: ike: Send AEAD ESP default proposal first
X-Git-Tag: 5.9.0dr2~3
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=33412158f58c6dabefa91b39ca7282a6584a8261;p=thirdparty%2Fstrongswan.git

ike: Send AEAD ESP default proposal first

We generally prefer AEAD nowadays.

References #3461.
---

diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index b91c89830a..0481d78d42 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -362,9 +362,8 @@ static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
 }
 else
 {
+ child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
- child_cfg->add_proposal(child_cfg,
- proposal_create_default_aead(PROTO_ESP));
 }
 while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
 {
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index db4cf4faba..4ea20f9905 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -834,8 +834,8 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 }
 else
 {
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 }
 ts = traffic_selector_create_dynamic(0, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
diff --git a/src/conftest/config.c b/src/conftest/config.c
index ff47a77ee0..7b49367374 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
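Review bot: The newly added `child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));` passes the constructor's result straight through, while the vici_config.c hunk in this same commit guards the identical call with `if (proposal)` before inserting it; if `proposal_create_default_aead()` can return NULL (which the vici guard suggests, presumably when no AEAD algorithm is available), this relies on `add_proposal` tolerating NULL, which is not visible here. Either confirm that `add_proposal` ignores a NULL proposal or guard the call as vici does. The same pattern appears in the nm_service.c, conftest config.c, xpc_dispatch.c, ha_tunnel.c, medcli_config.c and sql_config.c hunks. Since the order of these two calls is now the whole point of the change, a one-line comment such as `/* AEAD first: proposals are sent to the peer in preference order */` above the first call would keep the intent from being silently undone by a later edit. create_child_cfg's body continues outside the hunk.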
@@ -192,9 +192,8 @@ static child_cfg_t *load_child_config(private_config_t *this,
 }
 else
 {
+ child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
- child_cfg->add_proposal(child_cfg,
- proposal_create_default_aead(PROTO_ESP));
 }
 token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
diff --git a/src/frontends/osx/charon-xpc/xpc_dispatch.c b/src/frontends/osx/charon-xpc/xpc_dispatch.c
index 51b2b5008a..991d286f75 100644
--- a/src/frontends/osx/charon-xpc/xpc_dispatch.c
+++ b/src/frontends/osx/charon-xpc/xpc_dispatch.c
@@ -150,8 +150,8 @@ static child_cfg_t* create_child_cfg(char *name)
 child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
 "aes128gcm8-aes128gcm12-aes128gcm16-"
 "aes256gcm8-aes256gcm12-aes256gcm16"));
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 ts = traffic_selector_create_dynamic(0, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index f942915054..ce9505c2b0 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -256,8 +256,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 this->backend.cfg = peer_cfg;
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index be42d7d7d0..e88c11d3a0 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -196,8 +196,8 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 child_cfg = child_cfg_create(name, &child);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
@@ -277,8 +277,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 this->current->add_auth_cfg(this->current, auth, FALSE);
 child_cfg = child_cfg_create(name, &child);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
 this->current->add_child_cfg(this->current, child_cfg);
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index fb8ea8c5ef..dff6b6442d 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -153,8 +153,8 @@ static void add_esp_proposals(private_sql_config_t *this,
 }
 if (use_default)
 {
- child->add_proposal(child, proposal_create_default(PROTO_ESP));
 child->add_proposal(child, proposal_create_default_aead(PROTO_ESP));
+ child->add_proposal(child, proposal_create_default(PROTO_ESP));
 }
 }
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index eb679290de..3ce1e36192 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2006,12 +2006,12 @@ CALLBACK(children_sn, bool,
 }
 if (child.proposals->get_count(child.proposals) == 0)
 {
- proposal = proposal_create_default(PROTO_ESP);
+ proposal = proposal_create_default_aead(PROTO_ESP);
 if (proposal)
 {
 child.proposals->insert_last(child.proposals, proposal);
 }
- proposal = proposal_create_default_aead(PROTO_ESP);
+ proposal = proposal_create_default(PROTO_ESP);
 if (proposal)
 {
 child.proposals->insert_last(child.proposals, proposal);
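Review bot: If both `proposal_create_default_aead()` and `proposal_create_default()` return NULL, the two `if (proposal)` guards in the vici_config.c hunk leave `child.proposals` empty without any diagnostic, so a child section configured with no explicit ESP proposals would silently end up with none at all. A log line after the second guard, e.g. `if (child.proposals->get_count(child.proposals) == 0) { DBG1(DBG_CFG, "no default ESP proposal available"); }`, would make that condition visible when the loaded plugins provide no usable algorithms. Whether an empty proposal list is rejected later or only surfaces as a failed negotiation is not visible in this hunk. The children_sn callback continues outside the hunk.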