diff options
| author |   tobhe <tobhe@openbsd.org> | 2021-02-09 21:35:48 +0000 |
|---|---|---|
| committer | tobhe <tobhe@openbsd.org> | 2021-02-09 21:35:48 +0000 |
| commit | a60f62668082c812f344ac31ff5687e4e18855dc (patch) | |
| tree | 770beb390e6472a10a1fa705a39bb6b862629e26 /sbin/iked/policy.c | |
| parent | Fix lldb. (diff) | |
| download | wireguard-openbsd-a60f62668082c812f344ac31ff5687e4e18855dc.tar.xz wireguard-openbsd-a60f62668082c812f344ac31ff5687e4e18855dc.zip | |
Add optional 'group none' transform for child SAs and fix handling of
'group none'. We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'. However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS. This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.
ok patrick@
Diffstat (limited to 'sbin/iked/policy.c')
| -rw-r--r-- | sbin/iked/policy.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c index df7f2676dd1..d312980c392 100644 --- a/sbin/iked/policy.c +++ b/sbin/iked/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.75 2021/02/01 16:37:48 tobhe Exp $ */ +/* $OpenBSD: policy.c,v 1.76 2021/02/09 21:35:48 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -1009,7 +1009,8 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer, */ if (rekey && requiredh == 0 && protoid == IKEV2_SAPROTO_ESP && - tlocal->xform_type == IKEV2_XFORMTYPE_DH) + tlocal->xform_type == IKEV2_XFORMTYPE_DH && + tlocal->xform_id != IKEV2_XFORMDH_NONE) requiredh = 1; /* Compare peer and local proposals */ |