author | tobhe <tobhe@cvs.openbsd.org> | 2020-10-02 20:02:04 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-10-02 20:02:04 +0000 |
commit | ddf5aeced0fddd692b54c83cbe602fe2d1303fea (patch) | |
tree | 357327a3eb1974869854f52f4ca69538edf55a83 /sbin/iked/ikev2.c | |
parent | 6681af48c12adeb21e5a50dff3ed512c5c276b1f (diff) |
Send AUTH_FAILED in ikev2_ike_auth_recv() if the message did not contain
an AUTH payload and the policy does not use EAP authentication.
ok patrick@
Diffstat (limited to 'sbin/iked/ikev2.c')
-rw-r--r-- | sbin/iked/ikev2.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0b1a7a505aa..005f268ba35 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.261 2020/09/24 13:16:52 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.262 2020/10/02 20:02:03 tobhe Exp $ */

 /*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -875,6 +875,19 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 return (-1);
 }

+ /* AUTH payload is required for non-EAP */
+ if (!msg->msg_auth.id_type &&
+ !sa->sa_policy->pol_auth.auth_eap) {
+ /* get dstid */
+ if (msg->msg_id.id_type) {
+ memcpy(id, &msg->msg_id, sizeof(*id));
+ bzero(&msg->msg_id, sizeof(msg->msg_id));
+ }
+ log_debug("%s: missing auth payload", SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ return (-1);
+ }
+
 if (msg->msg_id.id_type) {
 memcpy(id, &msg->msg_id, sizeof(*id));
 bzero(&msg->msg_id, sizeof(msg->msg_id)); |
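Review bot: The `/* get dstid */` memcpy/bzero inside the new AUTH-payload check duplicates the three context lines that immediately follow the added block, and since the check only reads `msg->msg_auth` and `sa->sa_policy`, it can be placed after that existing id copy with no change in behaviour, keeping `if (!msg->msg_auth.id_type && !sa->sa_policy->pol_auth.auth_eap) { log_debug(...); ikev2_send_auth_failed(env, sa); return (-1); }` as the whole addition. A peer omitting its AUTH payload in IKE_AUTH is an authentication failure that operators may want to see without debug logging, so `log_info` or `log_warnx` with the peer id arguably fits better than `log_debug`, though that is a judgement call on this daemon's logging conventions. The check assumes `sa->sa_policy` is non-NULL at this point; if an earlier part of ikev2_ike_auth_recv guarantees that, a one-line comment such as `/* sa_policy is set by the time we reach this point */` would make the dereference self-evidently safe. ikev2_ike_auth_recv starts and ends outside this hunk.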