Moved add_proposal() for SHA2_512

add_proposal() for SHA2_512 AES 256 breaks VPNs connecting to openSwan
servers. Support for SHA2_512 is broken on openSwan. To maintain backward
compatibility, we need to move add_proposal() for SHA2_512 below
SHA2_384 and SHA2_256. Verified with the fix on openswan, libreswan &
strongswan.

Bug: 34755806
Bug: 34114242
Test: Verified on nyc-mr2-dev build
Change-Id: I71f5e09181e30137996a561676bf02dec07c30ef
diff --git a/setup.c b/setup.c
index 6f075f3..58e86f1 100644
--- a/setup.c
+++ b/setup.c
@@ -505,11 +505,14 @@
 
     /* Add proposals. */
     add_proposal(remoteconf, auth,
-            OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
-    add_proposal(remoteconf, auth,
             OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 256);
     add_proposal(remoteconf, auth,
             OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
+    // VPNs to openswan breaks when SHA2_512 is used as the first proposal.
+    // openswan supports SHA2_256 or lower hash alg. With this add_proposal
+    // order, openswan picks SHA2_256 and others pick SHA2_384
+    add_proposal(remoteconf, auth,
+            OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
     add_proposal(remoteconf, auth,
             OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
     add_proposal(remoteconf, auth,
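Review bot: The new comment above the moved SHA2_512 call says openswan "supports SHA2_256 or lower hash alg", yet SHA2_384 stays as the first proposal and the comment does not say why that position is safe for SHA2_384 but not for SHA2_512. The commit message describes the problem as broken SHA2_512 support on openswan, so the comment should state that the failure is specific to SHA2_512 being offered first and should reference the bug number, so that a later cleanup does not restore a strongest-first order. The comment itself notes that other peers now pick SHA2_384, meaning SHA2_512 is effectively no longer negotiated with peers that support all three hashes. That lowering of preference for every peer is worth calling out explicitly in the comment as an accepted trade-off. Style: the surrounding code uses `/* ... */` (see `/* Add proposals. */`), so the new `//` lines should match, and "VPNs to openswan breaks" should read "break".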