Hi tech@, a week ago I reported to bugs@ that iked "forgets" the local and peer addresses associated with an IKE SA while rekeying it if iked has initiated the rekeying, breaking any IKE requests iked tries to send after rekeying [1]. The patch below fixes the bug by copying the addresses from the current IKE SA when initiating the rekeying. Please review and apply if OK.
[1] https://marc.info/?l=openbsd-bugs&m=147739504516767&w=2 Index: ikev2.c =================================================================== RCS file: /cvs/src/sbin/iked/ikev2.c,v retrieving revision 1.131 diff -u -p -u -r1.131 ikev2.c --- ikev2.c 2 Jun 2016 07:14:26 -0000 1.131 +++ ikev2.c 8 Nov 2016 14:06:12 -0000 @@ -2665,6 +2665,13 @@ ikev2_ike_sa_rekey(struct iked *env, voi sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS); nonce = nsa->sa_inonce; + /* Copy local and peer address from the old SA */ + if (sa_address(nsa, &nsa->sa_peer, &sa->sa_peer.addr) == -1 || + sa_address(nsa, &nsa->sa_local, &sa->sa_local.addr) == -1) { + log_debug("%s: failed copy address data", __func__); + goto done; + } + if ((e = ibuf_static()) == NULL) goto done;
