Revert "kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows"

This reverts commit 8b9b11919d92e9738bb52901c9dbcc72e35b9fed.

Since ESN was negotiated via proposal, just configuring the SA without
ESN won't work as the ICV will be incorrect if the peer enabled ESN
on its SA.  While the Linux kernel currently doesn't support disabling
replay protection for SAs that use ESN, this at least gets users an
explicit error not just dropped packets, and it will automatically work
if the kernel supports this combination at some point.

References strongswan/strongswan#2117
Tobias Brunner 2024-02-23 17:55:41 +01:00
parent f566a85fcf
commit 1f5aa8017f


@ -2046,7 +2046,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
{
data->replay_window = data->esn ? 1 : 0;
}
if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
if (data->esn || data->replay_window > 32)
{
/* for ESN or larger replay windows we need the new
* XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
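Review bot: dropping the `data->replay_window != 0 &&` guard from the condition means an SA with ESN enabled and a replay window of 0 (replay protection explicitly disabled) now takes the XFRMA_REPLAY_ESN_VAL path with an empty bitmap, which the commit message says the kernel currently rejects; the comment above the branch still only mentions "ESN or larger replay windows", so it should state that the zero-window ESN case is deliberately sent to the kernel so a mismatch with the negotiated proposal surfaces as an explicit error rather than as silently mismatched ICVs. It would also help to make sure the error path for this combination logs that ESN with disabled replay protection is not supported by the running kernel, since otherwise the user only sees a generic add_sa failure.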