authortobhe <tobhe@cvs.openbsd.org>2021-03-15 22:29:18 +0000
committertobhe <tobhe@cvs.openbsd.org>2021-03-15 22:29:18 +0000
commit6739b89b52a16895e7970ab84a1052db9ff36110 (patch)
tree0e1a16de21c6db01c4b8723606fbf5859c906038 /sbin
parent8d01540547773a58e55ce3e3740e9758c85e4e32 (diff)
Ignore msg_ke in CREATE_CHILD_SA if DH negotiation results in group
'none' (disabling PFS). Fixes a bug when the initiator sends a KE payload but the negotiation results in DH group "none". For other DH group mismatches we send an INVALID_KE notify, for 'none' we can just ignore the KE payload. ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/ikev2.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 97ef3983f1f..819e9d5be24 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.317 2021/03/14 20:23:43 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.318 2021/03/15 22:29:17 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -4622,6 +4622,7 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
struct iked_kex *kex, *kextmp = NULL;
struct iked_sa *nsa = NULL, *sa = msg->msg_sa;
struct iked_spi *spi, *rekey = &msg->msg_rekey;
+ struct iked_transform *xform;
struct ikev2_keyexchange *ke;
struct ikev2_payload *pld = NULL;
struct ibuf *e = NULL, *nonce = NULL;
@@ -4709,8 +4710,11 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
goto fail;
}
- /* check KE payload for PFS */
- if (ibuf_length(msg->msg_ke)) {
+ /* Check KE payload for PFS, ignore if DH transform is NONE */
+ if (((xform = config_findtransform(&proposals,
+ IKEV2_XFORMTYPE_DH, protoid)) != NULL) &&
+ xform->xform_id != IKEV2_XFORMDH_NONE &&
+ ibuf_length(msg->msg_ke)) {
log_debug("%s: using PFS", __func__);
if (ikev2_sa_responder_dh(kex, &proposals,
msg, protoid) < 0) {
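Review bot: The new condition at the `if` treats a missing DH transform (config_findtransform() returning NULL) the same as IKEV2_XFORMDH_NONE, so a KE payload that arrives when the negotiated proposal carries no DH transform at all is dropped silently rather than answered with INVALID_KE as the commit message describes for other mismatches; if that is intended, say so in the comment, e.g. `/* Check KE payload for PFS; ignore msg_ke if the negotiated proposal has no DH transform or selects NONE. */`. The assignment buried inside the triple-parenthesised condition is also hard to read: hoisting `xform = config_findtransform(&proposals, IKEV2_XFORMTYPE_DH, protoid);` onto its own line before the `if` and testing `xform != NULL && xform->xform_id != IKEV2_XFORMDH_NONE && ibuf_length(msg->msg_ke)` keeps the same logic with the lookup visible at a glance. ikev2_resp_create_child_sa() begins before this hunk, and whether a NULL transform is in practice unreachable here because proposal selection earlier in the function always yields a DH entry cannot be confirmed from the visible lines.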