From 1e04fb30013b013b39344fc00ba3475116595da5 Mon Sep 17 00:00:00 2001
From: "Dr. Matthias St. Pierre"
Date: Mon, 28 Jun 2021 01:02:46 +0200
Subject: [PATCH] ipsec: calculate and verified the AEAD ICV only if enabled

AEAD ciphers should behave in the same way as the classical cipher+hmac methods: the ICV should be calculated and verified if the user has enabled the authentication check in the ESP protocol options.
---
 epan/dissectors/packet-ipsec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-ipsec.c b/epan/dissectors/packet-ipsec.c
index f54e65caeb..6bc606fd1c 100644
--- a/epan/dissectors/packet-ipsec.c
+++ b/epan/dissectors/packet-ipsec.c
@@ -2018,7 +2018,7 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 #ifdef HAVE_LIBGCRYPT_AEAD
- if (icv_type == ICV_TYPE_AEAD) {
+ if (g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD) {
 /* Allocate buffer for ICV */
 esp_icv = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, esp_packet_len - esp_icv_len, esp_icv_len);
@@ -2050,7 +2050,7 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 decrypt_ok = TRUE;
 #ifdef HAVE_LIBGCRYPT_AEAD
- if (icv_type == ICV_TYPE_AEAD) {
+ if (g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD) {
 guchar *esp_icv_computed;
 gint tag_len;
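Review bot: The compound test `g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD` is now written out twice, once around the ICV copy in the first hunk and once around the tag computation in the second, and the second block presumably consumes the `esp_icv` buffer that only the first one fills. If the two tests ever drift apart the verification path could run against an unset buffer, so I would evaluate it once, e.g. `const gboolean check_aead_icv = g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD;`, and test `check_aead_icv` in both places. In the second hunk `decrypt_ok = TRUE;` sits before the guarded block, so with the preference off the AEAD plaintext is passed on without its tag ever being checked; a comment there such as `/* ICV not verified when the authentication check is disabled: payload is unauthenticated */` would make that explicit for the next reader. The body of dissect_esp extends beyond both hunks, so any later use of `esp_icv` is not visible here and should be confirmed to sit behind the same condition.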