author | tobhe <tobhe@cvs.openbsd.org> | 2020-04-01 21:09:28 +0000 |
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-04-01 21:09:28 +0000 |
commit | 99a294a8cc3d5da27a7874b5c79ba2598281bb86 (patch) | |
tree | 96bf7f237026970b1089a72d32a8ef73b28b48c1 /sbin/iked/ca.c | |
parent | 3dbe53d4f4e2f0d2f86d8085a6f7f55e057e27ca (diff) |
Properly handle multiple CERTREQ payloads in CA process. Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.
ok markus@
Diffstat (limited to 'sbin/iked/ca.c')
-rw-r--r-- | sbin/iked/ca.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index e3b1cdcf931..f750c9261cd 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.54 2020/03/31 20:19:51 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.55 2020/04/01 21:09:26 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -281,10 +281,10 @@ ca_setcert(struct iked *env, struct iked_sahdr *sh, struct iked_id *id,
 
 int
 ca_setreq(struct iked *env, struct iked_sa *sa,
-    struct iked_static_id *localid, uint8_t type, uint8_t *data,
+    struct iked_static_id *localid, uint8_t type, uint8_t more, uint8_t *data,
     size_t len, enum privsep_procid procid)
 {
-	struct iovec iov[4];
+	struct iovec iov[5];
 	int iovcnt = 0;
 	struct iked_static_id idb;
 	struct iked_id id;
@@ -311,6 +311,9 @@ ca_setreq(struct iked *env, struct iked_sa *sa,
 	iov[iovcnt].iov_base = &type;
 	iov[iovcnt].iov_len = sizeof(type);
 	iovcnt++;
+	iov[iovcnt].iov_base = &more;
+	iov[iovcnt].iov_len = sizeof(more);
+	iovcnt++;
 	iov[iovcnt].iov_base = data;
 	iov[iovcnt].iov_len = len;
 	iovcnt++;
@@ -438,7 +441,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 {
 	struct ca_store *store = env->sc_priv;
 	struct iked_sahdr sh;
-	uint8_t type;
+	uint8_t type, more;
 	uint8_t *ptr;
 	size_t len;
 	unsigned int i, n;
@@ -449,7 +452,7 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 	ptr = (uint8_t *)imsg->data;
 	len = IMSG_DATA_SIZE(imsg);
 
-	i = sizeof(id) + sizeof(uint8_t) + sizeof(sh);
+	i = sizeof(id) + sizeof(uint8_t) + sizeof(sh) + sizeof(more);
 	if (len < i || ((len - i) % SHA_DIGEST_LENGTH) != 0)
 		return (-1);
 
@@ -457,7 +460,8 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 	if (id.id_type == IKEV2_ID_NONE)
 		return (-1);
 	memcpy(&sh, ptr + sizeof(id), sizeof(sh));
-	memcpy(&type, ptr + sizeof(id) + sizeof(sh), sizeof(uint8_t));
+	memcpy(&type, ptr + sizeof(id) + sizeof(sh), sizeof(type));
+	memcpy(&more, ptr + sizeof(id) + sizeof(sh) + sizeof(type), sizeof(more));
 
 	switch (type) {
 	case IKEV2_CERT_RSA_KEY:
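Review bot: The length check in the -449 hunk keeps `sizeof(uint8_t)` for the type byte while the memcpy in the -457 hunk was changed to `sizeof(type)`, and the terms are summed in an order (id, type, sh, more) that does not match the layout the memcpys actually read (id, sh, type, more). Both are consistency issues rather than bugs, but this check is what bounds every offset ca_getreq reads out of an imsg arriving from another process, so the expression should mirror the layout exactly: `i = sizeof(id) + sizeof(sh) + sizeof(type) + sizeof(more);`. The same layout is assembled by the iov list in ca_setreq (only the type, more and data entries are in view here); a comment on that list such as `/* wire layout: id, sh, type, more, data -- keep in sync with ca_getreq() */` would tie the two sides together. ca_getreq continues outside the hunk.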
@@ -497,9 +501,13 @@ ca_getreq(struct iked *env, struct imsg *imsg)
 fallback:
 	/*
-	 * If no certificate matching one of the CAs was found, try to
-	 * find one with subjectAltName matching the ID
+	 * If no certificate or key matching any of the trust-anchors
+	 * was found and this was the last CERTREQ, try to find one with
+	 * subjectAltName matching the ID
 	 */
+	if (more)
+		return (0);
+
 	if (cert == NULL)
 		cert = ca_by_subjectaltname(store->ca_certs, &id);
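Review bot: The new `if (more) return (0);` sits after the `fallback:` label, so it also fires when control reaches the label with `cert` already set; the `if (cert == NULL)` on the next line suggests such a path exists (presumably a fall-through after the issuer search), though the code before the label is outside the hunk. If so, a successful match on a non-final CERTREQ is silently dropped and only the final CERTREQ's outcome decides which certificate is sent, which is more than the "mismatch" case the commit message describes; `if (more && cert == NULL) return (0);` would confine the early return to that case. Either way the early return deserves a comment, e.g. `/* more CERTREQs follow; defer the subjectAltName fallback to the last one */`. The rest of ca_getreq is outside the hunk.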