Add optional 'group none' transform for child SAs and fix handling of
'group none'. We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'. However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS. This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.
ok patrick@
projects / openbsd / commit