From e3f5cf2ee26929d75dc2df9e86d97c36b2a94268 Mon Sep 17 00:00:00 2001
From: patrick
Date: Fri, 26 Nov 2021 16:22:44 +0000
Subject: [PATCH] A peer sends both his local id and remote id he expects us to be. So far we have only looked at the peer's local id, so that we can find a policy with the matching dstid set. Hence dstid is involved in the decision making. While we do send out our local id, which the peer will use to verify his policies, we do not yet make a decision based on the id the peer expects us to have. If you have two policies configured with only srcid set, we will always pick the same. To be able to choose a policy that matches the peer's expectations, save the local id the peer expects us to have and use it during policy lookup. ok tobhe@
---
 sbin/iked/iked.h | 3 ++-
 sbin/iked/ikev2_msg.c | 4 +++-
 sbin/iked/ikev2_pld.c | 11 +++++++----
 sbin/iked/policy.c | 11 ++++++++++-
 4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index c8d8372d3f5..3067d86f94a 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.197 2021/11/24 21:06:21 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.198 2021/11/26 16:22:44 patrick Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -598,6 +598,7 @@ struct iked_message {
 struct ibuf *msg_ke; /* dh key exchange */
 struct iked_id msg_auth; /* AUTH payload */
 struct iked_id msg_id;
+ struct iked_id msg_localid;
 struct iked_id msg_cert;
 struct ibuf *msg_cookie;
 uint16_t msg_group;
diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c
index ee057559b5a..1b66b997c9f 100644
--- a/sbin/iked/ikev2_msg.c
+++ b/sbin/iked/ikev2_msg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_msg.c,v 1.80 2021/09/07 14:06:23 tobhe Exp $ */
+/* $OpenBSD: ikev2_msg.c,v 1.81 2021/11/26 16:22:44 patrick Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
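Review bot: The new `msg_localid` member of `struct iked_message` is added without a comment, while its neighbours `msg_ke` and `msg_auth` say what they hold, and the name alone does not tell a reader that this is the peer's view of our identity rather than our configured one. Suggest `struct iked_id msg_localid; /* IDr sent by the peer: the identity it expects us to use */`. Since the field is filled from the wire (ikev2_pld.c hunk) and consumed by policy_lookup() (policy.c hunk), the comment is also the place to say it is peer-supplied and may be unset.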
@@ -194,6 +194,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
 ibuf_release(msg->msg_ke);
 ibuf_release(msg->msg_auth.id_buf);
 ibuf_release(msg->msg_id.id_buf);
+ ibuf_release(msg->msg_localid.id_buf);
 ibuf_release(msg->msg_cert.id_buf);
 ibuf_release(msg->msg_cookie);
 ibuf_release(msg->msg_cookie2);
@@ -207,6 +208,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
 msg->msg_ke = NULL;
 msg->msg_auth.id_buf = NULL;
 msg->msg_id.id_buf = NULL;
+ msg->msg_localid.id_buf = NULL;
 msg->msg_cert.id_buf = NULL;
 msg->msg_cookie = NULL;
 msg->msg_cookie2 = NULL;
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index 1c2ed558c07..12d1d18576c 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.119 2021/11/12 14:18:54 tobhe Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.120 2021/11/26 16:22:44 patrick Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -759,14 +759,17 @@ ikev2_pld_id(struct iked *env, struct ikev2_payload *pld,
 return (0);
 }
- if (!((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) || (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi))) {
+ if (((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) || (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi)))
+ idp = &msg->msg_parent->msg_id;
+ else if (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr)
+ idp = &msg->msg_parent->msg_localid;
+ else {
 ibuf_release(idb.id_buf);
 log_debug("%s: unexpected id payload", __func__);
 return (0);
 }
- idp = &msg->msg_parent->msg_id;
 if (idp->id_type) {
 ibuf_release(idb.id_buf);
 log_debug("%s: duplicate id payload", __func__);
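Review bot: The rewritten condition in ikev2_pld_id(), `if (((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) || (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi)))`, keeps a redundant pair of parentheses left over from dropping the `!`; `if ((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) || (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi))` reads as the two-case test it is. The new `else if` branch deserves a comment, since it is the point where a responder starts keeping peer-supplied data about its own identity: `/* Responder: IDr names the identity the initiator expects from us; only stored here, consumed by policy_lookup(). */`. Sending the responder's IDr through the same `idp->id_type` duplicate check as `msg_id` looks right, so a second IDr is rejected like a second IDi. ikev2_pld_id() begins and ends outside the hunk, so what is done with `idp` after the duplicate check is not visible here.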
@@ -112,6 +112,15 @@ policy_lookup(struct iked *env, struct iked_message *msg,
 sizeof(pol.pol_peerid.id_data));
 log_debug("%s: peerid '%s'", __func__, s+1);
 }
+ if (msg->msg_localid.id_type &&
+ ikev2_print_id(&msg->msg_localid, idstr, IKED_ID_SIZE) == 0 &&
+ (s = strchr(idstr, '/')) != NULL) {
+ pol.pol_localid.id_type = msg->msg_localid.id_type;
+ pol.pol_localid.id_length = strlen(s+1);
+ strlcpy(pol.pol_localid.id_data, s+1, sizeof(pol.pol_localid.id_data));
+ log_debug("%s: localid '%s'", __func__, s+1);
+ }
 /* Try to find a matching policy for this message */
 if ((msg->msg_policy = policy_test(env, &pol)) != NULL) {
-- 
2.20.1
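Review bot: `pol_localid` is now filled from an IDr the initiator chose, and IDr is optional in the initiator's IKE_AUTH, so `policy_test()` (called on the hunk's last context line, defined outside it) has to keep treating an unset `pol_localid` as a wildcard or initiators that omit IDr stop matching policies that have `srcid` set; a comment above the new block saying the value is peer-supplied and optional would make that contract explicit, e.g. `/* IDr from the initiator (optional): the identity it expects us to use; only narrows the policy choice. */`. The block also appears to be a field-for-field copy of the peerid block whose tail forms the first three context lines, so both could call one static helper, sketched below, keeping the print-then-skip-`type/`-prefix logic in one place (the `__func__` in the debug message would then name the helper rather than policy_lookup). policy_lookup() begins and ends outside the hunk, so the head of the peerid block is inferred, not seen.
```c
/* Copy a parsed id into the static form that policy_test() compares. */
static void
policy_set_static_id(struct iked_static_id *sid, struct iked_id *id,
    const char *what)
{
	char	 idstr[IKED_ID_SIZE];
	char	*s;

	if (id->id_type == 0 ||
	    ikev2_print_id(id, idstr, IKED_ID_SIZE) != 0 ||
	    (s = strchr(idstr, '/')) == NULL)
		return;
	sid->id_type = id->id_type;
	sid->id_length = strlen(s+1);
	strlcpy(sid->id_data, s+1, sizeof(sid->id_data));
	log_debug("%s: %s '%s'", __func__, what, s+1);
}

/* … in policy_lookup(), in place of the peerid and localid blocks … */
	policy_set_static_id(&pol.pol_peerid, &msg->msg_id, "peerid");
	policy_set_static_id(&pol.pol_localid, &msg->msg_localid, "localid");
```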