Always prefer group from initial KE payload as responder if supported.
authortobhe <tobhe@openbsd.org>
Fri, 10 Nov 2023 08:03:02 +0000 (08:03 +0000)
committertobhe <tobhe@openbsd.org>
Fri, 10 Nov 2023 08:03:02 +0000 (08:03 +0000)
from markus@

sbin/iked/ikev2.c
sbin/iked/policy.c

index e243432..4b39b1f 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2.c,v 1.378 2023/08/11 11:24:55 tobhe Exp $       */
+/*     $OpenBSD: ikev2.c,v 1.379 2023/11/10 08:03:02 tobhe Exp $       */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -118,7 +118,8 @@ void         ikev2_ike_sa_rekey_schedule_fast(struct iked *, struct iked_sa *);
 void    ikev2_ike_sa_alive(struct iked *, void *);
 void    ikev2_ike_sa_keepalive(struct iked *, void *);
 
-int     ikev2_sa_negotiate_common(struct iked *, struct iked_sa *, struct iked_message *);
+int     ikev2_sa_negotiate_common(struct iked *, struct iked_sa *,
+           struct iked_message *, int);
 int     ikev2_sa_initiator(struct iked *, struct iked_sa *,
            struct iked_sa *, struct iked_message *);
 int     ikev2_sa_responder(struct iked *, struct iked_sa *, struct iked_sa *,
@@ -5443,13 +5444,14 @@ ikev2_sa_initiator_dh(struct iked_sa *sa, struct iked_message *msg,
 }
 
 int
-ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa, struct iked_message *msg)
+ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa,
+    struct iked_message *msg, int groupid)
 {
        struct iked_transform   *xform;
 
        /* XXX we need a better way to get this */
        if (proposals_negotiate(&sa->sa_proposals,
-           &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, -1) != 0) {
+           &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, groupid) != 0) {
                log_info("%s: proposals_negotiate", __func__);
                ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
                return (-1);
@@ -5543,7 +5545,7 @@ ikev2_sa_initiator(struct iked *env, struct iked_sa *sa,
                msg->msg_nonce = NULL;
        }
 
-       if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+       if (ikev2_sa_negotiate_common(env, sa, msg, -1) != 0)
                return (-1);
 
        ibuf_free(sa->sa_2ndmsg);
@@ -5655,7 +5657,7 @@ ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa,
        sa->sa_inonce = msg->msg_nonce;
        msg->msg_nonce = NULL;
 
-       if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+       if (ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup) != 0)
                return (-1);
 
        if (ikev2_sa_responder_dh(&sa->sa_kex, &sa->sa_proposals, msg, 0) < 0)
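Review bot: The new `groupid` parameter of ikev2_sa_negotiate_common carries no comment explaining its sentinel, and the responder call site now passes `msg->msg_dhgroup`, a value that comes from the peer's KE payload rather than from local policy. A one-line comment at the definition would state the contract, e.g. `/* groupid: DH group to prefer among the policy's candidates (the peer's KE group); -1 means no preference */`. Because the preference is peer-supplied, the safety of this change rests on proposals_negotiate only ever selecting a group the local policy already lists; the visible policy.c lines show it acting as a selector with `dhforced` short-circuiting, but what happens when the requested group is not configured at all is decided outside these hunks and deserves a sentence at the responder call site. The bodies of ikev2_sa_negotiate_common, ikev2_sa_initiator and ikev2_sa_responder all continue outside their hunks.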
index dc6b3e7..1e39bea 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: policy.c,v 1.96 2023/08/14 11:55:03 tobhe Exp $       */
+/*     $OpenBSD: policy.c,v 1.97 2023/11/10 08:03:02 tobhe Exp $       */
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -1133,8 +1133,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
                                continue;
                        type = tpeer->xform_type;
 
-                       if (rekey && nodh == 0 && dhgroup >= 0 &&
-                           protoid == IKEV2_SAPROTO_ESP &&
+                       if (nodh == 0 && dhgroup >= 0 &&
                            type == IKEV2_XFORMTYPE_DH) {
                                if (dhforced)
                                        continue;
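Review bot: Dropping `rekey &&` and `protoid == IKEV2_SAPROTO_ESP` widens the dhgroup preference in proposals_match from ESP rekeys to every negotiation, including IKE SA proposals during the initial exchange, but nothing in the hunk records that intent, and any comment above this block that still describes the ESP-rekey-only scope (outside the hunk) would now be stale. If `rekey` is no longer read anywhere else in proposals_match, the parameter is dead and should either be removed from the signature or its remaining use noted. A short comment on the condition would make the new scope explicit, e.g. `/* Honour the peer's preferred DH group (dhgroup) for any protocol, not only ESP rekeys. */`. proposals_match starts and ends outside this hunk.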