author | Tobias Heider <tobhe@cvs.openbsd.org> | 2023-11-10 08:03:03 +0000 |
committer | Tobias Heider <tobhe@cvs.openbsd.org> | 2023-11-10 08:03:03 +0000 |
commit | 33bd7e9b8f3fc0e211e1364190c0b595ce4bd990 (patch) | |
tree | 4ddd6d49f3a548db9f1889f7fc4f1d4f826849ad | |
parent | 9856470c230ea64e91021ee5f79d7b2a5e2acfcd (diff) |
Always prefer group from initial KE payload as responder if supported.
from markus@
-rw-r--r-- | sbin/iked/ikev2.c | 14 | ||||
-rw-r--r-- | sbin/iked/policy.c | 5 |
2 files changed, 10 insertions, 9 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index e243432a742..4b39b1f94d0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.378 2023/08/11 11:24:55 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.379 2023/11/10 08:03:02 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -118,7 +118,8 @@ void ikev2_ike_sa_rekey_schedule_fast(struct iked *, struct iked_sa *);
 void ikev2_ike_sa_alive(struct iked *, void *);
 void ikev2_ike_sa_keepalive(struct iked *, void *);
-int ikev2_sa_negotiate_common(struct iked *, struct iked_sa *, struct iked_message *);
+int ikev2_sa_negotiate_common(struct iked *, struct iked_sa *,
+    struct iked_message *, int);
 int ikev2_sa_initiator(struct iked *, struct iked_sa *, struct iked_sa *,
     struct iked_message *);
 int ikev2_sa_responder(struct iked *, struct iked_sa *, struct iked_sa *,
@@ -5443,13 +5444,14 @@ ikev2_sa_initiator_dh(struct iked_sa *sa, struct iked_message *msg,
 }
 
 int
-ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa, struct iked_message *msg)
+ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa,
+    struct iked_message *msg, int groupid)
 {
 	struct iked_transform	*xform;
 
 	/* XXX we need a better way to get this */
 	if (proposals_negotiate(&sa->sa_proposals,
-	    &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, -1) != 0) {
+	    &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, groupid) != 0) {
 		log_info("%s: proposals_negotiate", __func__);
 		ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
 		return (-1);
@@ -5543,7 +5545,7 @@ ikev2_sa_initiator(struct iked *env, struct iked_sa *sa,
 		msg->msg_nonce = NULL;
 	}
 
-	if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+	if (ikev2_sa_negotiate_common(env, sa, msg, -1) != 0)
 		return (-1);
 
 	ibuf_free(sa->sa_2ndmsg);
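Review bot: The new `groupid` parameter of ikev2_sa_negotiate_common() in the @@ -5443 hunk is undocumented, and its two callers pass different things (-1 from ikev2_sa_initiator() in the @@ -5543 hunk, msg->msg_dhgroup from ikev2_sa_responder() in the following hunk), so the sentinel deserves a comment above the definition: `/* groupid: DH group to prefer in proposals_negotiate() (responder: the group of the initiator's KE payload), or -1 for no preference. */`. The rewritten call line `&msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, groupid) != 0) {` appears to exceed 80 columns under KNF once its tab and continuation indent are counted, whereas the old line fit exactly; wrapping `0, groupid) != 0) {` onto a third continuation line keeps it within the limit. ikev2_sa_negotiate_common() continues past the end of the hunk.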
@@ -5655,7 +5657,7 @@ ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa,
 	sa->sa_inonce = msg->msg_nonce;
 	msg->msg_nonce = NULL;
 
-	if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+	if (ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup) != 0)
 		return (-1);
 
 	if (ikev2_sa_responder_dh(&sa->sa_kex, &sa->sa_proposals, msg, 0) < 0)
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index dc6b3e76803..1e39beac2ff 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.96 2023/08/14 11:55:03 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.97 2023/11/10 08:03:02 tobhe Exp $ */
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -1133,8 +1133,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
 			continue;
 		type = tpeer->xform_type;
 
-		if (rekey && nodh == 0 && dhgroup >= 0 &&
-		    protoid == IKEV2_SAPROTO_ESP &&
+		if (nodh == 0 && dhgroup >= 0 &&
 		    type == IKEV2_XFORMTYPE_DH) {
 			if (dhforced)
 				continue;
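Review bot: msg->msg_dhgroup, passed in the @@ -5655 hunk, comes from the peer's unauthenticated IKE_SA_INIT request, so proposal selection on the responder is now steered by a peer-chosen value; that is presumably acceptable only because proposals_match() still limits the choice to groups in the local policy, and the call site should say so: `/* prefer the group of the initiator's KE payload when our policy offers it, saving an INVALID_KE_PAYLOAD round trip */`. If msg_dhgroup can still be 0 when no KE payload was parsed, the `dhgroup >= 0` test in proposals_match() would treat 0 as a preference rather than "none"; passing -1 in that case would match the initiator side, but I cannot confirm from this hunk how msg_dhgroup is initialised. ikev2_sa_responder() starts and ends outside the hunk.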
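Review bot: Dropping `rekey &&` and `protoid == IKEV2_SAPROTO_ESP &&` in the policy.c @@ -1133 hunk widens the dhgroup preference from ESP rekeys to every negotiation, including the IKE SA proposal of an initial exchange, but the branch now serves two different callers and nothing in the code records that; a comment such as `/* dhgroup is the initiator's KE group (IKE_SA_INIT) or the group to keep on a CHILD_SA rekey; prefer it when the peer offers it */` above the `if` would help. If `rekey` is no longer read anywhere else in proposals_match(), it has become an unused parameter and should be dropped from the signature and its callers, or its remaining use noted. proposals_match() starts and ends outside the hunk.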