From ee76753a6794a0b8111530fafcbc64b98017da8a Mon Sep 17 00:00:00 2001
From: tobhe
Date: Mon, 24 Oct 2022 15:52:39 +0000
Subject: [PATCH] Fix DH group lookup when checking if PFS is required.

Compare ID directly instead of calling group_get() and leaking the result.

ok markus@
---
 sbin/iked/ikev2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 9c13905d1c0..ab213a89097 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.354 2022/10/10 11:33:55 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.355 2022/10/24 15:52:39 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -4156,7 +4156,7 @@ ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa,
 len = ibuf_size(nonce);
 if ((xform = config_findtransform(&pol->pol_proposals,
 IKEV2_XFORMTYPE_DH,
- protoid)) && group_get(xform->xform_id) != IKEV2_XFORMDH_NONE) {
+ protoid)) && xform->xform_id != IKEV2_XFORMDH_NONE) {
 log_debug("%s: enable PFS", __func__);
 ikev2_sa_cleanup_dh(sa);
 if (proposed_group) {
-- 
2.20.1
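Review bot: The new condition on the `+` line also changes the outcome for a configured DH transform whose ID group_get() cannot instantiate: the old compare of a (presumably pointer) group_get() result against IKEV2_XFORMDH_NONE evaluated false when group_get() returned NULL and so quietly skipped PFS, whereas comparing the ID now enters the PFS branch for any non-NONE ID, and the later group instantiation (outside this hunk) becomes the only place where an unsupported group is caught. That is the safer default, but it is worth confirming that path fails the CREATE_CHILD_SA rather than continuing without a DH exchange. A one-line comment would make the intent explicit and stop someone reintroducing the lookup: `/* PFS is required unless the policy proposes DH group NONE */` above the `if`. ikev2_send_create_child_sa starts and ends outside the hunk.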