From cca7226094f020540dfe79ca61d67c0299276777 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Mon, 15 Mar 2021 22:32:44 +0000
Subject: [PATCH] We makes sure that a dh group is required if the local proposal contains an explicit group transform. Override requiredh if one of the local options is 'none' so that a proposal with no DH group and on with explicit group 'none' result in a match. ok patrick@
---
 sbin/iked/policy.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index bef0cbf9850..5d9dbb7295c 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.79 2021/03/01 16:38:07 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.80 2021/03/15 22:32:44 tobhe Exp $ */
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider
@@ -1090,7 +1090,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
     struct iked_transform **xforms, int rekey)
 {
 	struct iked_transform *tpeer, *tlocal;
-	unsigned int i, j, type, score, requiredh = 0, noauth = 0;
+	unsigned int i, j, type, score, requiredh = 0, nodh = 0, noauth = 0;
 	uint8_t protoid = peer->prop_protoid;
 	uint8_t peerxfs[IKEV2_XFORMTYPE_MAX];
 
@@ -1131,6 +1131,16 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
 		    tlocal->xform_id != IKEV2_XFORMDH_NONE)
 			requiredh = 1;
 
+		/*
+		 * If none is an explicit option, don't require
+		 * DH group. Overrides requiredh = 1.
+		 */
+		if (rekey && nodh == 0 &&
+		    protoid == IKEV2_SAPROTO_ESP &&
+		    tlocal->xform_type == IKEV2_XFORMTYPE_DH &&
+		    tlocal->xform_id == IKEV2_XFORMDH_NONE)
+			nodh = 1;
+
 		/* Compare peer and local proposals */
 		if (tpeer->xform_type != tlocal->xform_type ||
 		    tpeer->xform_id != tlocal->xform_id ||
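Review bot: The `nodh == 0` test in the new condition is redundant, since the body only ever assigns `nodh = 1` and re-entering it changes nothing; dropping it leaves `if (rekey && protoid == IKEV2_SAPROTO_ESP && tlocal->xform_type == IKEV2_XFORMTYPE_DH && tlocal->xform_id == IKEV2_XFORMDH_NONE)`, which reads in parallel with the `requiredh = 1` condition just above it (whose start is outside the hunk). The comment would also benefit from stating the consequence rather than just the mechanism, along the lines of `/* The local policy explicitly lists DH group 'none' for this ESP rekey, so a peer proposal that omits the DH transform entirely is accepted as an equivalent (no-PFS) match; this overrides requiredh. */`. The transform loop and proposals_match itself begin and end outside the hunk.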
@@ -1169,7 +1179,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
 			break;
 		} else if (protoid == IKEV2_SAPROTO_ESP && xforms[i] == NULL &&
 		    (i == IKEV2_XFORMTYPE_ENCR || i == IKEV2_XFORMTYPE_ESN ||
-		    (requiredh && i == IKEV2_XFORMTYPE_DH))) {
+		    (requiredh && !nodh && i == IKEV2_XFORMTYPE_DH))) {
 			score = 0;
 			break;
 		} else if (peerxfs[i] && xforms[i] == NULL) {
-- 
2.20.1
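Review bot: The `!nodh` test is evaluated here at the scoring site instead of clearing requiredh where the 'none' entry is seen, and that ordering dependence deserves a comment: a local DH transform that the loop visits after the explicit 'none' entry would set requiredh = 1 again, so the override can only be honoured once the transform loop has finished. A line such as `/* requiredh may be set by a transform visited after 'none'; apply the nodh override here, not in the loop */` above the else-if would save the next reader from re-deriving this. Since this branch is where an ESP child SA without PFS becomes an acceptable match whenever 'none' is in the local policy, a log_debug() on the requiredh && nodh case would make such no-DH matches visible when reviewing negotiations. The enclosing loop and proposals_match continue outside the hunk.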