From 2f8859da96b8bfd096efcc4a70940a891b5d41a8 Mon Sep 17 00:00:00 2001 From: patrick Date: Fri, 1 Dec 2017 20:19:05 +0000 Subject: [PATCH] The RFC specifies that in an SA payload the proposals must be numbered starting with number 1. Subsequent proposals must be one more than the previous proposal. ok sthen@ --- sbin/iked/parse.y | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index 5a38333398b..58b12e6d0b4 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.67 2017/11/27 18:39:35 patrick Exp $ */ +/* $OpenBSD: parse.y,v 1.68 2017/12/01 20:19:05 patrick Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -2589,6 +2589,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts, struct iked_policy pol; struct iked_proposal prop[2]; unsigned int j; + unsigned int ikepropid = 1, ipsecpropid = 1; struct iked_transform ikexforms[64], ipsecxforms[64]; struct iked_flow flows[64]; static unsigned int policy_id = 0; @@ -2719,7 +2720,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts, TAILQ_INIT(&pol.pol_proposals); RB_INIT(&pol.pol_flows); - prop[0].prop_id = ++pol.pol_nproposals; + prop[0].prop_id = ikepropid++; prop[0].prop_protoid = IKEV2_SAPROTO_IKE; if (ike_sa == NULL || ike_sa->xfs == NULL) { prop[0].prop_nxforms = ikev2_default_nike_transforms; @@ -2750,8 +2751,9 @@ create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts, prop[0].prop_xforms = ikexforms; } TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[0], prop_entry); + pol.pol_nproposals++; - prop[1].prop_id = ++pol.pol_nproposals; + prop[1].prop_id = ipsecpropid++; prop[1].prop_protoid = saproto; if (ipsec_sa == NULL || ipsec_sa->xfs == NULL) { prop[1].prop_nxforms = ikev2_default_nesp_transforms; 
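Review bot: The counters added in the second hunk (`unsigned int ikepropid = 1, ipsecpropid = 1;`) have no comment explaining why numbering restarts per protocol, so the RFC constraint is recorded only in the commit message. A comment at the declaration would keep it with the code, for example `/* proposal numbers restart at 1 in each SA payload; IKE SA and child SA proposals are numbered separately */`. In the visible hunks each counter is read once and its post-incremented value is never used again. The `++` in `prop[0].prop_id = ikepropid++;` and `prop[1].prop_id = ipsecpropid++;` therefore presumably anticipates several proposals per protocol, and the comment should say so if that is the intent. The body of create_ike starts and ends outside these hunks.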
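Review bot: After `prop[1].prop_id = ipsecpropid++;` in the fourth hunk, both entries queued on `pol.pol_proposals` carry prop_id 1, whereas the old `++pol.pol_nproposals` assignments gave them the distinct ids 1 and 2. Any code that selects a proposal from the policy list by `prop_id` alone would now be ambiguous and would have to compare `prop_protoid` as well. No such consumer is visible in this patch, so the negotiation and proposal-matching paths should be checked. `pol.pol_nproposals++` after each `TAILQ_INSERT_TAIL` (here and in the last hunk) now only counts list entries, which deserves a short comment such as `/* list length, not a proposal number */`.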
@@ -2790,6 +2792,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts, prop[1].prop_xforms = ipsecxforms; } TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[1], prop_entry); + pol.pol_nproposals++; if (hosts == NULL || hosts->src == NULL || hosts->dst == NULL) fatalx("create_ike: no traffic selectors/flows"); -- 2.20.1