From: tobhe
Date: Mon, 4 Jul 2022 08:39:55 +0000 (+0000)
Subject: Fix error in the comparison of the Child SA nonces to decide which
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=09a7f1736bfe877b04e90f4f62962a2791fd5e9d;p=openbsd

Fix error in the comparison of the Child SA nonces to decide which SA shall be deleted. ni should be set to the minimum nonce for the exchange initiated by us while nr should be the smaller of the nonces of the simultaneous exchange initiated by the peer, which is stored in sa_simult. This fixes the ni < nr comparison below and makes sure our Child SA is only deleted in the correct case as specified in RFC 7296.

Reported by and fix from Sibar Soumi

ok mbuhl@

---
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 5b2026cde75..e3a51fcbb90 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.347 2022/05/28 18:51:16 gerhard Exp $ */ +/* $OpenBSD: ikev2.c,v 1.348 2022/07/04 08:39:55 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -4387,14 +4387,14 @@ ikev2_init_create_child_sa(struct iked *env, struct iked_message *msg) sa->sa_rnonce = msg->msg_nonce; msg->msg_nonce = NULL; - if (csa && (ni = sa->sa_simult) != NULL) { + if (csa && (nr = sa->sa_simult) != NULL) { log_info("%s: resolving simultaneous CHILD SA rekeying", SPI_SA(sa, __func__)); - /* set nr to minimum nonce for exchange initiated by peer */ + /* set ni to minimum nonce for exchange initiated by us */ if (ikev2_nonce_cmp(sa->sa_inonce, sa->sa_rnonce) < 0) - nr = sa->sa_inonce; + ni = sa->sa_inonce; else - nr = sa->sa_rnonce; + ni = sa->sa_rnonce; /* * If the exchange initated by us has smaller nonce, * then we have to delete our SAs.
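Review bot: The `ni < nr` comparison that this hunk is meant to fix lies below the visible context, so the hunk alone does not show that both variables are defined on every path reaching it; after the swap, `nr` is assigned only in the `if (csa && (nr = sa->sa_simult) != NULL)` condition and `ni` only inside that block, so either initialise both at declaration or confirm the comparison is only reached from within this block. The RFC 7296 section 2.8.1 rule (the endpoint whose exchange used the lowest of the four nonces closes the SA it created) is honoured here only if `sa->sa_simult` already holds the smaller of the peer's two nonces, as the commit message asserts but the hunk cannot show; a short comment at the assignment, e.g. `/* sa_simult: min nonce of the peer-initiated exchange */`, would make that invariant visible at the comparison site, and the "initated" typo in the trailing context comment could be corrected in the same commit. Getting this selection wrong is an availability issue rather than a confidentiality one: both peers may end up deleting different Child SAs and dropping traffic, so a log line naming which side deletes would also help when diagnosing rekey failures in the field.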