authorPatrick Wildt <patrick@cvs.openbsd.org>2021-11-26 16:22:45 +0000
committerPatrick Wildt <patrick@cvs.openbsd.org>2021-11-26 16:22:45 +0000
commitf9bbd8376cb268be1f5656ff17a67dd38416697f (patch)
tree2c910ad5c0c736d12db68adc5f4692a99e141072
parent04443475169b159a095e6b2e2c589d1a3cc2dc2e (diff)
A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the matching dstid set. Hence dstid is involved in the decision making. While we do send out our local id, which the peer will use to verify his policies, we do not yet make a decision based on the id the peer expects us to have. If you have two policies configured with only srcid set, we will always pick the same. To be able to choose a policy that matches the peer's expectations, save the local id the peer expects us to have and use it during policy lookup. ok tobhe@
-rw-r--r--sbin/iked/iked.h3
-rw-r--r--sbin/iked/ikev2_msg.c4
-rw-r--r--sbin/iked/ikev2_pld.c11
-rw-r--r--sbin/iked/policy.c11
4 files changed, 22 insertions, 7 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index c8d8372d3f5..3067d86f94a 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.197 2021/11/24 21:06:21 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.198 2021/11/26 16:22:44 patrick Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -598,6 +598,7 @@ struct iked_message {
struct ibuf *msg_ke; /* dh key exchange */
struct iked_id msg_auth; /* AUTH payload */
struct iked_id msg_id;
+ struct iked_id msg_localid;
struct iked_id msg_cert;
struct ibuf *msg_cookie;
uint16_t msg_group;
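Review bot: The new `msg_localid` member is added without a comment, and since `msg_id` next to it is also bare a reader cannot tell from the struct which of the two holds the peer's own identity and which holds the identity the peer asserts for us; the commit message makes the distinction, the header does not. Following the style of the neighbouring `/* AUTH payload */`, the line could read `struct iked_id msg_localid; /* IDr the peer expects us to have */`. A matching one-liner on `msg_id` (`/* peer's own IDi/IDr */`) would make the pair self-explanatory.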
diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c
index ee057559b5a..1b66b997c9f 100644
--- a/sbin/iked/ikev2_msg.c
+++ b/sbin/iked/ikev2_msg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_msg.c,v 1.80 2021/09/07 14:06:23 tobhe Exp $ */
+/* $OpenBSD: ikev2_msg.c,v 1.81 2021/11/26 16:22:44 patrick Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -194,6 +194,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
ibuf_release(msg->msg_ke);
ibuf_release(msg->msg_auth.id_buf);
ibuf_release(msg->msg_id.id_buf);
+ ibuf_release(msg->msg_localid.id_buf);
ibuf_release(msg->msg_cert.id_buf);
ibuf_release(msg->msg_cookie);
ibuf_release(msg->msg_cookie2);
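Review bot: Only `id_buf` of the new `msg_localid` is released here and set to NULL in the following hunk, while the consumers added in this commit key off `id_type`: ikev2_pld_id rejects a payload as duplicate when `idp->id_type` is non-zero and policy_lookup only uses the id when `msg_localid.id_type` is set. This mirrors exactly how `msg_id` is treated, so presumably the whole `struct iked_message` is zeroed before reuse and the stale `id_type` is harmless; if it is not, a reused message would trip the duplicate check or feed a stale id into policy selection. Worth confirming where the message is reset rather than changing the code.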
@@ -207,6 +208,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
msg->msg_ke = NULL;
msg->msg_auth.id_buf = NULL;
msg->msg_id.id_buf = NULL;
+ msg->msg_localid.id_buf = NULL;
msg->msg_cert.id_buf = NULL;
msg->msg_cookie = NULL;
msg->msg_cookie2 = NULL;
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index 1c2ed558c07..12d1d18576c 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.119 2021/11/12 14:18:54 tobhe Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.120 2021/11/26 16:22:44 patrick Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -759,14 +759,17 @@ ikev2_pld_id(struct iked *env, struct ikev2_payload *pld,
return (0);
}
- if (!((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) ||
- (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi))) {
+ if (((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) ||
+ (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi)))
+ idp = &msg->msg_parent->msg_id;
+ else if (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr)
+ idp = &msg->msg_parent->msg_localid;
+ else {
ibuf_release(idb.id_buf);
log_debug("%s: unexpected id payload", __func__);
return (0);
}
- idp = &msg->msg_parent->msg_id;
if (idp->id_type) {
ibuf_release(idb.id_buf);
log_debug("%s: duplicate id payload", __func__);
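Review bot: The first condition keeps a redundant outer pair of parentheses left over from removing the `!`, so it now reads `if (((a) || (b)))`; the two lines should be `if ((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) ||` and `(!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi))`. The new `else if` branch would also benefit from a short comment saying why an IDr is accepted on the responder side, e.g. `/* IDr from the initiator names the id it expects of us; keep it for policy lookup */`, since from the code alone it looks like a relaxation of the earlier "unexpected id payload" rejection. ikev2_pld_id begins and ends outside this hunk.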
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 90b442d97f2..66354e7acbf 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.86 2021/11/24 20:48:00 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.87 2021/11/26 16:22:44 patrick Exp $ */
/*
* Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -112,6 +112,15 @@ policy_lookup(struct iked *env, struct iked_message *msg,
sizeof(pol.pol_peerid.id_data));
log_debug("%s: peerid '%s'", __func__, s+1);
}
+ if (msg->msg_localid.id_type &&
+ ikev2_print_id(&msg->msg_localid, idstr, IKED_ID_SIZE) == 0 &&
+ (s = strchr(idstr, '/')) != NULL) {
+ pol.pol_localid.id_type = msg->msg_localid.id_type;
+ pol.pol_localid.id_length = strlen(s+1);
+ strlcpy(pol.pol_localid.id_data, s+1,
+ sizeof(pol.pol_localid.id_data));
+ log_debug("%s: localid '%s'", __func__, s+1);
+ }
/* Try to find a matching policy for this message */
if ((msg->msg_policy = policy_test(env, &pol)) != NULL) {
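Review bot: `pol.pol_localid.id_length` is set from `strlen(s+1)` while `id_data` is filled with a bounded `strlcpy`, so if the printed id can be longer than `sizeof(pol.pol_localid.id_data)` the recorded length overstates what was actually stored and a later consumer trusting `id_length` could read past the copied data. The block is a verbatim mirror of the peerid block just above it, so presumably `idstr` (IKED_ID_SIZE) and `id_data` are the same size and truncation cannot occur; that invariant is not visible here and deserves either a one-line comment or a check of the `strlcpy` return value against `sizeof(pol.pol_localid.id_data)` that skips the id on truncation. Since the value comes from the peer, silently truncating it would also make two distinct ids compare equal during policy matching.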