Moved add_proposal() for SHA2_512

add_proposal() for SHA2_512 AES 256 breaks VPNs connecting to openSwan
servers. Support for SHA2_512 is broken on openSwan. To maintain backward
compatibility, we need to move add_proposal() for SHA2_512 below
SHA2_384 and SHA2_256. Verified with the fix on openswan, libreswan &
strongswan.

Bug: 34755806
Bug: 34114242
Test: Verified on nyc-mr2-dev build
Change-Id: I71f5e09181e30137996a561676bf02dec07c30ef
diff --git a/setup.c b/setup.c
index 6f075f3..58e86f1 100644
--- a/setup.c
+++ b/setup.c
@@ -505,11 +505,14 @@
/* Add proposals. */
add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
- add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
+ // VPNs to openswan breaks when SHA2_512 is used as the first proposal.
+ // openswan supports SHA2_256 or lower hash alg. With this add_proposal
+ // order, openswan picks SHA2_256 and others pick SHA2_384
+ add_proposal(remoteconf, auth,
+ OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
add_proposal(remoteconf, auth,
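
Review bot: The comment added above the relocated SHA2_512 add_proposal() call says openswan supports SHA2_256 or lower, but it does not explain why SHA2_384 is safe as the first proposal when SHA2_512 in that position was not; describe the actual failure (the commit message says SHA2_512 support is broken on openSwan) so the list is not later re-sorted by strength. After this change the proposals are no longer in descending hash-strength order, with SHA2_512 sitting below SHA2_256, and by the comment's own description peers will settle on SHA2_384 or SHA2_256 and not reach SHA2_512; the comment should say this is an intentional interoperability trade-off and cite the bug numbers. The new comment also uses // while the existing one in this hunk is /* Add proposals. */, and "VPNs to openswan breaks" should read "break".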