artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3090f0a) | patch
Turns out that, as specified in the RFC, the initial Child SA does not
authorpatrick <patrick@openbsd.org>
Fri, 1 Dec 2017 19:49:31 +0000 (19:49 +0000)
committerpatrick <patrick@openbsd.org>
Fri, 1 Dec 2017 19:49:31 +0000 (19:49 +0000)
commit0313ffb557a660130f140caabf27430884cfcf5f
tree1954d573d7e2867492291ad37e090812cb6781fctree | snapshot
parent3090f0a32e67ac5264080c10c51a018790810131commit | diff
Turns out that, as specified in the RFC, the initial Child SA does not
do PFS and is assumed to be secured using the DH exchange in the first
handshake.  Thus there is no KE/N payload in the IKE_AUTH exchange and
we must not include a DH group other than None, which essentially means
we must not supply any DH transforms in the IKE_AUTH messages.  So now
we skip adding the DH transforms for initiating and responding to
IKE_AUTH messages.

ok sthen@
sbin/iked/ikev2.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim