From 203153b6ff3680d530b1d6684e51573e587c25b9 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Fri, 10 Nov 2023 08:03:02 +0000
Subject: [PATCH] Always prefer group from initial KE payload as responder if supported.

from markus@
---
 sbin/iked/ikev2.c | 14 ++++++++------
 sbin/iked/policy.c | 5 ++---
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index e243432a742..4b39b1f94d0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.378 2023/08/11 11:24:55 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.379 2023/11/10 08:03:02 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -118,7 +118,8 @@ void ikev2_ike_sa_rekey_schedule_fast(struct iked *, struct iked_sa *);
 void ikev2_ike_sa_alive(struct iked *, void *);
 void ikev2_ike_sa_keepalive(struct iked *, void *);
 
-int ikev2_sa_negotiate_common(struct iked *, struct iked_sa *, struct iked_message *);
+int ikev2_sa_negotiate_common(struct iked *, struct iked_sa *,
+ struct iked_message *, int);
 int ikev2_sa_initiator(struct iked *, struct iked_sa *, struct iked_sa *,
  struct iked_message *);
 int ikev2_sa_responder(struct iked *, struct iked_sa *, struct iked_sa *,
@@ -5443,13 +5444,14 @@ ikev2_sa_initiator_dh(struct iked_sa *sa, struct iked_message *msg,
 }
 
 int
-ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa, struct iked_message *msg)
+ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa,
+ struct iked_message *msg, int groupid)
 {
 struct iked_transform *xform;
 
 /* XXX we need a better way to get this */
 if (proposals_negotiate(&sa->sa_proposals,
- &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, -1) != 0) {
+ &msg->msg_policy->pol_proposals, &msg->msg_proposals, 0, groupid) != 0) {
 log_info("%s: proposals_negotiate", __func__);
 ikestat_inc(env, ikes_sa_proposals_negotiate_failures);
 return (-1);
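Review bot: The new `groupid` parameter of ikev2_sa_negotiate_common is undocumented, and its contract can only be reconstructed from the two call sites (-1 from ikev2_sa_initiator, `msg->msg_dhgroup` from ikev2_sa_responder). A comment above the definition would carry it: `/* groupid: DH group the peer already used in its KE payload, preferred over the local policy order when the policy supports it; -1 for no preference (initiator side). */`. It is worth stating there that the negotiated group thereby becomes selectable by the initiator within the set the policy permits, so on the responder side policy ordering no longer expresses a preference and every group listed in a policy must be one the operator is prepared to use. The same comment belongs next to the prototype in hunk @@ -118, and the -1 at the initiator call in hunk @@ -5543 would read better with the meaning spelled out; the function body continues past this hunk.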
@@ -5543,7 +5545,7 @@ ikev2_sa_initiator(struct iked *env, struct iked_sa *sa,
 msg->msg_nonce = NULL;
 }
 
-if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+if (ikev2_sa_negotiate_common(env, sa, msg, -1) != 0)
 return (-1);
 
 ibuf_free(sa->sa_2ndmsg);
@@ -5655,7 +5657,7 @@ ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa,
 sa->sa_inonce = msg->msg_nonce;
 msg->msg_nonce = NULL;
 
-if (ikev2_sa_negotiate_common(env, sa, msg) != 0)
+if (ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup) != 0)
 return (-1);
 
 if (ikev2_sa_responder_dh(&sa->sa_kex, &sa->sa_proposals, msg, 0) < 0)
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index dc6b3e76803..1e39beac2ff 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.96 2023/08/14 11:55:03 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.97 2023/11/10 08:03:02 tobhe Exp $ */
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider
@@ -1133,8 +1133,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
 continue;
 type = tpeer->xform_type;
 
-if (rekey && nodh == 0 && dhgroup >= 0 &&
- protoid == IKEV2_SAPROTO_ESP &&
+if (nodh == 0 && dhgroup >= 0 &&
 type == IKEV2_XFORMTYPE_DH) {
 if (dhforced)
 continue;
-- 
2.20.1
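Review bot: `msg->msg_dhgroup` is passed to ikev2_sa_negotiate_common unconditionally in hunk @@ -5655, while proposals_match now treats every `dhgroup >= 0` as a preference (hunk @@ -1133 in policy.c), so -1 is the only value meaning "no preference". If msg_dhgroup is still 0 when the IKE_SA_INIT carried no KE payload — where it is set, and whether an absent KE is rejected before this point, is not visible from the hunk — group 0 would be fed in as a preferred group rather than the sentinel. Should that case reach this line, `ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup > 0 ? msg->msg_dhgroup : -1)` preserves the previous behaviour for it. ikev2_sa_responder starts and ends outside the hunk.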
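Review bot: Dropping `rekey &&` and `protoid == IKEV2_SAPROTO_ESP` from the condition in hunk @@ -1133 widens the DH-preference branch to IKE SA proposals and to initial exchanges, which is the intent of the commit, but nothing in the code records why; a comment above the `if`, such as `/* prefer the DH group from the peer's KE payload (dhgroup) when the local policy supports it */`, would tie it to the commit message. If `rekey` is no longer read anywhere else in proposals_match — its body lies outside the hunk — it has become an unused parameter and should either leave the signature or be marked unused explicitly. proposals_match starts and ends outside this hunk.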