author | tobhe <tobhe@cvs.openbsd.org> | 2020-04-04 20:36:35 +0000 |
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-04-04 20:36:35 +0000 |
commit | 3a944f1099b50247da0339e37ab7668b1a0dd37c (patch) | |
tree | 02406bfcfa9ecee3019a911d7bab7ae43e62c687 | |
parent | e77332b323357bb8368fd4436e4ac48a7472addd (diff) |
It makes no sense to fall back to the original policy if the relookup with the
received initiator ID fails. Send an AUTH_FAILED message and exit instead.
ok markus@
-rw-r--r-- | sbin/iked/ikev2.c | 12 | ||||
-rw-r--r-- | sbin/iked/policy.c | 12 |
2 files changed, 14 insertions, 10 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 27c602dcac1..1f18df99740 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.209 2020/04/02 19:44:41 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.210 2020/04/04 20:36:34 tobhe Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -688,8 +688,14 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 struct iked_policy *old = sa->sa_policy;
 sa->sa_policy = NULL;
- if (policy_lookup(env, msg, &sa->sa_proposals) == 0 && msg->msg_policy &&
- msg->msg_policy != old) {
+ if (policy_lookup(env, msg, &sa->sa_proposals) != 0 ||
+ msg->msg_policy == NULL) {
+ log_info("%s: no compatible policy found",
+ SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ return (-1);
+ }
+ if (msg->msg_policy != old) {
 /* move sa to new policy */
 policy = sa->sa_policy = msg->msg_policy;
 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 67d0b8baa31..3a05d947927 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.57 2020/03/10 18:54:52 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.58 2020/04/04 20:36:34 tobhe Exp $ */
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -81,7 +81,7 @@ policy_lookup(struct iked *env, struct iked_message *msg,
 if (msg->msg_sa != NULL && msg->msg_sa->sa_policy != NULL) {
 /* Existing SA with policy */
 msg->msg_policy = msg->msg_sa->sa_policy;
- goto found;
+ return (0);
 }
 bzero(&pol, sizeof(pol));
@@ -102,17 +102,14 @@ policy_lookup(struct iked *env, struct iked_message *msg,
 /* Try to find a matching policy for this message */
 if ((msg->msg_policy = policy_test(env, &pol)) != NULL)
- goto found;
+ return (0);
 /* No matching policy found, try the default */
 if ((msg->msg_policy = env->sc_defaultcon) != NULL)
- goto found;
+ return (0);
 /* No policy found */
 return (-1);
-
- found:
- return (0);
 }
 /*
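Review bot: The new early-return in the ikev2_ike_auth_recv hunk leaves the SA in an inconsistent state: `sa->sa_policy` is cleared two lines above the check and is still NULL when `ikev2_send_auth_failed(env, sa)` runs and when the function returns, while the SA apparently still sits on `old->pol_sapeers` — the only unlink in view is the `TAILQ_REMOVE` on the "move sa to new policy" path below. Any later teardown that unlinks the SA through `sa->sa_policy` would then skip the removal and leave a dangling entry in the old policy's peer list, and anything on the AUTH_FAILED send path that reads `sa->sa_policy` would dereference NULL; those paths are outside the hunk, so this needs confirming against sa_free() and the send code. Restoring the policy before sending, `sa->sa_policy = old;` as the first statement of the failure branch, keeps the SA in the same shape as any other failed IKE_AUTH and lets the normal cleanup handle list membership and refcounts. Note that policy_lookup falls back to env->sc_defaultcon (policy.c hunk in this commit), so this branch is only reached when no default policy is configured either, which is worth stating in the log message or a comment. ikev2_ike_auth_recv starts and ends outside the hunk.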
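Review bot: The fallback `if ((msg->msg_policy = env->sc_defaultcon) != NULL)` in the @@ -102 hunk of policy_lookup deserves a comment now that the responder's post-ID relookup in ikev2.c treats any 0 return as an acceptable policy: a peer whose received ID matches no explicit policy is silently placed on the catch-all default policy rather than rejected, so the caller's "no compatible policy found" path only fires when no default policy exists. I would extend the existing comment to `/* No matching policy found, try the default; the responder's post-ID relookup in ikev2_ike_auth_recv() also lands here */`. As a smaller point, every `return (0)` in this function leaves msg->msg_policy non-NULL and the `return (-1)` leaves it NULL (sc_defaultcon was just assigned), so a header comment stating that contract would make the caller's extra NULL test recognisably defensive rather than required. policy_lookup starts outside the hunk.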
@@ -164,6 +161,7 @@ policy_test(struct iked *env, struct iked_policy *key)
 }
 /* make sure the peer ID matches */
 if (key->pol_peerid.id_type &&
+ p->pol_peerid.id_type &&
 (key->pol_peerid.id_type != p->pol_peerid.id_type ||
 memcmp(key->pol_peerid.id_data, p->pol_peerid.id_data, |