author | tobhe <tobhe@cvs.openbsd.org> | 2021-03-15 22:29:18 +0000 |
committer | tobhe <tobhe@cvs.openbsd.org> | 2021-03-15 22:29:18 +0000 |
commit | 6739b89b52a16895e7970ab84a1052db9ff36110 (patch) | |
tree | 0e1a16de21c6db01c4b8723606fbf5859c906038 /sbin | |
parent | 8d01540547773a58e55ce3e3740e9758c85e4e32 (diff) |
Ignore msg_ke in CREATE_CHILD_SA if DH negotiation results in group
'none' (disabling PFS). Fixes a bug when the initiator sends a KE
payload but the negotiation results in DH group "none".
For other DH group mismatches we send an INVALID_KE notify, for 'none'
we can just ignore the KE payload.
ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/ikev2.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 97ef3983f1f..819e9d5be24 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.317 2021/03/14 20:23:43 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.318 2021/03/15 22:29:17 tobhe Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -4622,6 +4622,7 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
 struct iked_kex *kex, *kextmp = NULL;
 struct iked_sa *nsa = NULL, *sa = msg->msg_sa;
 struct iked_spi *spi, *rekey = &msg->msg_rekey;
+ struct iked_transform *xform;
 struct ikev2_keyexchange *ke;
 struct ikev2_payload *pld = NULL;
 struct ibuf *e = NULL, *nonce = NULL;
@@ -4709,8 +4710,11 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg)
 goto fail;
 }
- /* check KE payload for PFS */
- if (ibuf_length(msg->msg_ke)) {
+ /* Check KE payload for PFS, ignore if DH transform is NONE */
+ if (((xform = config_findtransform(&proposals, IKEV2_XFORMTYPE_DH, protoid)) != NULL) && xform->xform_id != IKEV2_XFORMDH_NONE && ibuf_length(msg->msg_ke)) {
 log_debug("%s: using PFS", __func__);
 if (ikev2_sa_responder_dh(kex, &proposals, msg, protoid) < 0) { |
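Review bot: `struct iked_transform *xform;` is the one pointer in this declaration run left uninitialized, while its neighbours (`kextmp`, `nsa`, `pld`, `e`, `nonce`) are all set to `NULL` at declaration; for consistency with the function's convention, and so that no later read on an error path can ever observe an indeterminate pointer, declare it as `struct iked_transform *xform = NULL;`. As far as this page shows, the variable is only assigned inside the new `if` condition through `config_findtransform()` before it is dereferenced, so the missing initializer is a style point rather than a defect today. The body of ikev2_resp_create_child_sa starts and ends outside the hunk, so later uses of `xform` cannot be checked here.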