authortobhe <tobhe@cvs.openbsd.org>2020-10-02 20:02:04 +0000
committertobhe <tobhe@cvs.openbsd.org>2020-10-02 20:02:04 +0000
commitddf5aeced0fddd692b54c83cbe602fe2d1303fea (patch)
tree357327a3eb1974869854f52f4ca69538edf55a83
parent6681af48c12adeb21e5a50dff3ed512c5c276b1f (diff)
Send AUTH_FAILED in ikev2_ike_auth_recv() if the message did not contain
an AUTH payload and the policy does not use EAP authentication. ok patrick@
-rw-r--r--sbin/iked/ikev2.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0b1a7a505aa..005f268ba35 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.261 2020/09/24 13:16:52 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.262 2020/10/02 20:02:03 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -875,6 +875,19 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
return (-1);
}
+ /* AUTH payload is required for non-EAP */
+ if (!msg->msg_auth.id_type &&
+ !sa->sa_policy->pol_auth.auth_eap) {
+ /* get dstid */
+ if (msg->msg_id.id_type) {
+ memcpy(id, &msg->msg_id, sizeof(*id));
+ bzero(&msg->msg_id, sizeof(msg->msg_id));
+ }
+ log_debug("%s: missing auth payload", SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ return (-1);
+ }
+
if (msg->msg_id.id_type) {
memcpy(id, &msg->msg_id, sizeof(*id));
bzero(&msg->msg_id, sizeof(msg->msg_id));