Hi,

the RFC specifies that in an SA payload the proposals must be numbered
starting with number 1.  Subsequent proposals must be one more than the
previous proposal.

Since IKE SA proposals and Child SA proposals are a different list,
we must make sure that both proposals start with proposal #1.  Since
our code uses the policy's number of proposals, which contains both
IKE and Child SA proposals, the Child SA proposal we send out starts
with proposal #2.  Strongswan doesn't trip, but since it's a MUST in
the RFC I would like to rectify this.

ok?

Patrick

diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5a38333398b..c54ed387569 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -2589,6 +2589,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
        struct iked_policy       pol;
        struct iked_proposal     prop[2];
        unsigned int             j;
+       unsigned int             ikepropid = 1, ipsecpropid = 1;
        struct iked_transform    ikexforms[64], ipsecxforms[64];
        struct iked_flow         flows[64];
        static unsigned int      policy_id = 0;
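Review bot: The two counters declared here are each read exactly once in the later hunks (`prop[0].prop_id = ikepropid++;` and `prop[1].prop_id = ipsecpropid++;`), so the post-incremented value is never used and the names suggest a per-protocol loop that does not exist in create_ike. If the intent is to leave room for more than one proposal per SA type later, a short comment makes that explicit, e.g. `/* proposal ids restart at 1 for each SA protocol (IKE vs. Child), RFC 7296 */`; otherwise assigning the literal `1` at both sites is simpler. create_ike's body begins before and continues past this hunk, so a later use of the counters cannot be ruled out from here.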
@@ -2719,7 +2720,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
        TAILQ_INIT(&pol.pol_proposals);
        RB_INIT(&pol.pol_flows);
 
-       prop[0].prop_id = ++pol.pol_nproposals;
+       prop[0].prop_id = ikepropid++;
        prop[0].prop_protoid = IKEV2_SAPROTO_IKE;
        if (ike_sa == NULL || ike_sa->xfs == NULL) {
                prop[0].prop_nxforms = ikev2_default_nike_transforms;
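Review bot: After this change the IKE proposal and the Child SA proposal on the same pol_proposals list both carry `prop_id == 1`, distinguished only by prop_protoid (the same applies to the third hunk). Any code elsewhere in iked that looks a proposal up on that list by prop_id alone, or that asserts ids are unique within a policy, would now match the wrong entry; that cannot be confirmed from this diff, so it is worth a grep for prop_id comparisons before committing. The on-the-wire numbering the RFC requires is per SA payload, which this change satisfies, so the risk is purely internal lookup semantics.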
@@ -2750,8 +2751,9 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
                prop[0].prop_xforms = ikexforms;
        }
        TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[0], prop_entry);
+       pol.pol_nproposals++;
 
-       prop[1].prop_id = ++pol.pol_nproposals;
+       prop[1].prop_id = ipsecpropid++;
        prop[1].prop_protoid = saproto;
        if (ipsec_sa == NULL || ipsec_sa->xfs == NULL) {
                prop[1].prop_nxforms = ikev2_default_nesp_transforms;
@@ -2790,6 +2792,7 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
                prop[1].prop_xforms = ipsecxforms;
        }
        TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[1], prop_entry);
+       pol.pol_nproposals++;
 
        if (hosts == NULL || hosts->src == NULL || hosts->dst == NULL)
                fatalx("create_ike: no traffic selectors/flows");
