Package: libstrongswan-standard-plugins
Version: 5.9.8-5+deb12u2
Severity: important

Dear Maintainer,

on systems lacking AES-NI support critical strongswan processes (charon,
swanctl) get terminated by SIGILL in libstrongswan-aesni.so.

The issue is that strongswan applications auto-load all plugins and
libstrongswan-aesni.so loads even when AES-NI are not available.



Issue appeared after upgrading from bullseye (5.9.1-1+deb11u5).
I did not yet have a chance to test this with trixie yet, sorry.

Explicitely configuring charon AND swanctl plugins or simply deleting
the .so makes strongswan fall back non-AES-NI path and work correctly.



Is it possible to modify libstrongswan-aesni.so so it refuses to load
when AES-NI are not available instead of causing hard-to-debug SIGILL?



Best,
n.b.f.

Reply via email to