From: tobhe Date: Wed, 10 Nov 2021 13:09:05 +0000 (+0000) Subject: Look for INVALID_KE group from IKE_SA_INIT in IKE transforms, X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f617cbfb4352cea2eba64adb5c2bc28b6b045a92;p=openbsd Look for INVALID_KE group from IKE_SA_INIT in IKE transforms, not ESP transforms. Fixes broken key exchange negotiation with matching proposals. ok patrick@ markus@ --- diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 52ce7e616b9..99366f4432a 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.329 2021/10/12 10:01:59 tobhe Exp $ */ +/* $OpenBSD: ikev2.c,v 1.330 2021/11/10 13:09:05 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -3059,7 +3059,7 @@ ikev2_handle_notifies(struct iked *env, struct iked_message *msg) groupid); switch (msg->msg_exchange) { case IKEV2_EXCHANGE_IKE_SA_INIT: - protoid = IKEV2_SAPROTO_ESP; + protoid = IKEV2_SAPROTO_IKE; if (!sa->sa_hdr.sh_initiator) { log_debug("%s: not an initiator", __func__); ikev2_ike_sa_setreason(sa,
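Review bot: In the ikev2_handle_notifies() hunk, under `case IKEV2_EXCHANGE_IKE_SA_INIT:`, the corrected `protoid = IKEV2_SAPROTO_IKE;` has no comment saying why this case must search the IKE transforms, and a bare constant here is easy to get wrong again. Suggest a one-line comment above the assignment stating that the group named in an INVALID_KE notify during IKE_SA_INIT is matched against the IKE SA proposal, not the ESP one. The assignment also sits before the `if (!sa->sa_hdr.sh_initiator)` check, so it is set even on the branch that logs "not an initiator"; placing it after that check would confine it to the initiator path. The other cases of `switch (msg->msg_exchange)` fall outside the visible context, so it is worth confirming in the full file that each one selects the protocol ID that matches its exchange.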