Hello again,

Tim Stewart <[email protected]> writes:

> Tim Stewart <[email protected]> writes:
>
>> This patch teaches iked to reject a KE with a Notify payload of type
>> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group
>> than is configured locally. The rejection indicates the desired
>> group.
>>
>> In my environment, this patch allows stock strongSwan on Android from
>> the Google Play store to interop with iked. strongSwan's logs show
>> the following once iked is patched:
>>
>> [IKE] initiating IKE_SA android[7] to 192.0.2.1
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
>> [IKE] initiating IKE_SA android[7] to 192.0.2.1
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(HASH_ALG) ]
>>
>> I'm happy to iterate on this patch to get it into proper shape for
>> inclusion.
>
> I discovered a bug in the previous patch that broke renegotiation of
> CHILD SAs. I was ignoring "other than NONE" in the following sentence
> from RFC 5996 section 3.4:
>
>    If the selected proposal uses a different Diffie-Hellman group
>    (other than NONE), the message MUST be rejected with a Notify
>    payload of type INVALID_KE_PAYLOAD.
>
> The new patch below repairs the flaw.

After re-reading relevant parts of the RFC I'm not convinced that my fix
(rejecting with INVALID_KE_PAYLOAD unless msg->msg_dhgroup is
IKEV2_XFORMDH_NONE) is correct. It happens to resolve my local issue but
I think it may accidentally work due to a side effect of the code path
for rekeying a child SA. I will look at it more closely this week.

-TimS

P.S. Is there someone I could add to the To: or Cc: headers of these
iked-related messages? Or should I simply be patient?

-- 
Tim Stewart
-----------
Mail:   [email protected]
Matrix: @tim:stoo.org
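The section 3.4 rule quoted in the thread, together with the "other than NONE" case that broke CHILD SA rekeying, written out as an added C example. This is not iked's code and not the patch under discussion. The group numbers are the IANA IKEv2 Transform Type 4 values (NONE = 0, MODP_2048 = 14, ECP_256 = 19) and the notify data layout is the one RFC 7296 section 3.10.1 gives for INVALID_KE_PAYLOAD (two octets, big endian, the accepted group). The function names, the ke_present flag and the KE_REJECT_MISSING_KE verdict are my own assumptions: the quoted sentence says nothing about a request that carries no KE payload at all, so that case is only flagged, not answered. The scenario in main() is constructed to mirror the strongSwan log above (ECP_256 offered, MODP_2048 configured on the responder).

```c
/*
 * Added example, not iked's code: the responder-side check behind
 * RFC 5996 / RFC 7296 section 3.4, "If the selected proposal uses a
 * different Diffie-Hellman group (other than NONE), the message MUST be
 * rejected with a Notify payload of type INVALID_KE_PAYLOAD."
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers. */
#define DH_NONE        0
#define DH_MODP_2048   14
#define DH_ECP_256     19

/* IKEv2 Notify Message Type for INVALID_KE_PAYLOAD. */
#define N_INVALID_KE_PAYLOAD 17

enum ke_verdict {
    KE_ACCEPT,            /* group matches, or no DH in the selected proposal */
    KE_REJECT_INVALID_KE, /* answer with N(INVALID_KE_PAYLOAD) + wanted group */
    KE_REJECT_MISSING_KE  /* DH selected but no KE payload at all (assumed
                           * verdict; the quoted sentence does not cover it) */
};

struct ke_check {
    enum ke_verdict verdict;
    uint16_t notify_type;    /* N_INVALID_KE_PAYLOAD when rejecting that way */
    uint8_t  notify_data[2]; /* accepted group number, big endian */
};

/*
 * selected_group: DH transform of the proposal the responder picked.
 *                 DH_NONE models a CHILD_SA proposal without PFS (or one
 *                 with no DH transform), i.e. the "other than NONE" case.
 * ke_present:     whether the request carried a KE payload (assumed flag).
 * ke_group:       the group number in that KE payload's header.
 */
struct ke_check
ikev2_check_ke_group(uint16_t selected_group, int ke_present, uint16_t ke_group)
{
    struct ke_check r;

    memset(&r, 0, sizeof(r));

    /* "other than NONE": nothing to compare against, so never reject here,
     * whatever group (if any) the KE payload names. */
    if (selected_group == DH_NONE) {
        r.verdict = KE_ACCEPT;
        return (r);
    }
    if (!ke_present) {
        r.verdict = KE_REJECT_MISSING_KE;
        return (r);
    }
    if (ke_group != selected_group) {
        /* RFC 7296 3.10.1: the notification data is the accepted D-H
         * group, two octets in big endian order. */
        r.verdict = KE_REJECT_INVALID_KE;
        r.notify_type = N_INVALID_KE_PAYLOAD;
        r.notify_data[0] = (uint8_t)(selected_group >> 8);
        r.notify_data[1] = (uint8_t)(selected_group & 0xff);
        return (r);
    }
    r.verdict = KE_ACCEPT;
    return (r);
}

/* Group the responder would name in N(INVALID_KE_PAYLOAD), decoded from the
 * big-endian notify data, or -1 if the message is not rejected that way. */
int
ikev2_invalid_ke_group(uint16_t selected_group, int ke_present, uint16_t ke_group)
{
    struct ke_check r = ikev2_check_ke_group(selected_group, ke_present, ke_group);

    if (r.verdict != KE_REJECT_INVALID_KE)
        return (-1);
    return ((r.notify_data[0] << 8) | r.notify_data[1]);
}

int
main(void)
{
    /* Constructed scenario mirroring the strongSwan log: the first
     * IKE_SA_INIT carries a KE in ECP_256 while the responder's policy
     * selects MODP_2048; the retry uses MODP_2048. */
    printf("IKE_SA_INIT, KE=ECP_256:   want group %d\n",
        ikev2_invalid_ke_group(DH_MODP_2048, 1, DH_ECP_256));
    printf("IKE_SA_INIT, KE=MODP_2048: %d (-1 means accepted)\n",
        ikev2_invalid_ke_group(DH_MODP_2048, 1, DH_MODP_2048));
    /* CHILD_SA rekey without PFS: the selected proposal has DH NONE, so a
     * KE in some other group must not trigger INVALID_KE_PAYLOAD. */
    printf("CREATE_CHILD_SA, no PFS:   %d (-1 means accepted)\n",
        ikev2_invalid_ke_group(DH_NONE, 1, DH_ECP_256));
    return (0);
}
```

The check is keyed on the DH transform of the proposal the responder selected, not on the group in the incoming KE payload; that is the distinction the "other than NONE" parenthetical turns on, and it is why a rekey of a CHILD SA negotiated without PFS passes through the first branch regardless of what the KE header says.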
