From 4ab2d7ce0eefef3afa8416624dfd691c23a8a66a Mon Sep 17 00:00:00 2001
From: tobhe
Date: Thu, 11 Nov 2021 22:12:52 +0000
Subject: [PATCH] Add test case for INVALID_KE in IKE_SA_INIT fallback.
---
 regress/sbin/iked/live/Makefile | 24 ++++++++++++++++++++++--
 regress/sbin/iked/live/iked.in | 1 +
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/regress/sbin/iked/live/Makefile b/regress/sbin/iked/live/Makefile
index d5b7a44b352..ac48876c75b 100644
--- a/regress/sbin/iked/live/Makefile
+++ b/regress/sbin/iked/live/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.30 2021/07/10 15:05:22 tobhe Exp $
+# $OpenBSD: Makefile,v 1.31 2021/11/11 22:12:52 tobhe Exp $

 # Copyright (c) 2020 Tobias Heider
 #
@@ -38,7 +38,8 @@ TEST_FLOWS = \
 if [ -n "$$config_address" ]; then \
 dynamic="172.16.13.[0-9]+"; \
 fi; \
- while [[ $$count -le 3 ]]; do \
+ [ -z "$$maxwait" ] && maxwait=3; \
+ while [[ $$count -le $$maxwait ]]; do \
 ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
 ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
 flowleft=`echo "$$ipsecctlleft" \
@@ -144,6 +145,7 @@ SETUP_CONFIG = \
 echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
 echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
 echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
+ echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
 echo "$$global" >> $@_$$side.conf; \
 cat ${.CURDIR}/iked.in >> $@_$$side.conf
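Review bot: `maxwait` in the TEST_FLOWS hunk is a new caller-supplied input with no comment, and because it is only defaulted when empty (`[ -z "$$maxwait" ] && maxwait=3; \`), a `maxwait` already present in the environment of whoever runs the suite would silently change the poll bound for every target. It bounds `count`, so it reads as a number of polling rounds rather than seconds; the increment and any sleep sit outside the hunk, so that is inferred. I would add a line above the macro such as `# maxwait: polling rounds before TEST_FLOWS gives up (default 3, set per target)`. The same inheritance applies to `$$ikesa` in the SETUP_CONFIG hunk, which is written into every generated config whether or not the target sets it.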
@@ -387,6 +389,24 @@ run-cert-second-altname:
 flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
 ${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

+REGRESS_TARGETS += run-invalid-ke
+run-invalid-ke:
+ flowtype=esp; \
+ leftid=left-from-ca-both; \
+ rightid=right-from-ca-both; \
+ side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
+ dstid="dstid $$rightid"; \
+ ikesa="ikesa group ecp256 group curve25519"; \
+ ${SETUP_CONFIG}; \
+ side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
+ peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
+ ikesa="ikesa group curve25519"; \
+ ${SETUP_CONFIG}; \
+ ${DEPLOY_CONFIGS}
+ ${SETUP_START}
+ flowtype=esp; maxwait=6; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+ ${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+
 REGRESS_TARGETS += run-psk-fail
 run-psk-fail:
 auth=psk; \
diff --git a/regress/sbin/iked/live/iked.in b/regress/sbin/iked/live/iked.in
index 694ce996ba7..2631e6b5b4e 100644
--- a/regress/sbin/iked/live/iked.in
+++ b/regress/sbin/iked/live/iked.in
@@ -1,5 +1,6 @@
 ikev2 "test" $MODE $IPCOMP $TMODE esp from $FROM to $TO \
 peer $PEER_ADDR \
+ $IKESA \
 srcid $SRCID $DSTID \
 $AUTH \
 $CONFIG
--
2.20.1
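Review bot: The new `run-invalid-ke` target asserts only the end state (`${TEST_FLOWS}` and `${TEST_PING}`), so it cannot tell a successful INVALID_KE retry from a negotiation that never took the fallback path. If the initiator stopped sending ecp256 first, the test would still pass; checking that the established IKE SA uses curve25519, or that the responder logged the rejected KE, would pin the behaviour the subject line names. There is also no negative counterpart, such as a responder whose only group is absent from the initiator's `ikesa` list. That case should end without flows, and it matters because the fallback must never move to a group the initiator did not configure. A comment above the target such as `# left offers ecp256 first, right accepts only curve25519: expect INVALID_KE and a retry`, plus a word on why `maxwait=6` is needed here, would make the intent readable.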