authorReyk Floeter <reyk@cvs.openbsd.org>2010-06-26 19:48:05 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2010-06-26 19:48:05 +0000
commitd2627aea56cfdda0e369bfc25115206f9e3077c2 (patch)
tree5b0d72cc0165e1c325f40eaf22abe39477f319d5 /sbin/iked
parentb73e2a049f3087a55bcace404c2bd5b6a454113c (diff)
mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/iked.h4
-rw-r--r--sbin/iked/ikev2.c17
-rw-r--r--sbin/iked/ikev2_pld.c27
-rw-r--r--sbin/iked/parse.y8
4 files changed, 35 insertions, 21 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 2084d0d899a..99a46c958e8 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.12 2010/06/26 18:32:34 reyk Exp $ */
+/* $OpenBSD: iked.h,v 1.13 2010/06/26 19:48:04 reyk Exp $ */
/* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -389,6 +389,8 @@ struct iked_message {
struct iked_spi msg_rekey;
struct ibuf *msg_nonce; /* dh NONCE */
struct ibuf *msg_ke; /* dh key exchange */
+ struct iked_id msg_id;
+ struct iked_id msg_cert;
/* Parse stack */
struct iked_proposal *msg_prop;
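Review bot: The two new `struct iked_id` members own an `ibuf` (`id_buf`), and the ikev2_pld.c hunk in this same commit hands the parsed ID buffer to `msg_id`, so whatever tears down a `struct iked_message` must now release `msg_id.id_buf` (and, once it is populated, `msg_cert.id_buf`); that cleanup routine is not part of this diff, so confirm it was extended, otherwise every message that parses an ID payload without reaching `ikev2_init_done` leaks the buffer. `msg_cert` is added here but is neither written nor read anywhere in the diff. A short field comment would document the ownership handoff: `struct iked_id msg_id; /* peer ID payload; ownership moves to the SA in ikev2_init_done */` and `struct iked_id msg_cert; /* presumably the CERT payload -- not yet used */`. The struct definition starts and ends outside this hunk.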
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index c11a6ef8642..1b1f3c919c3 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.16 2010/06/26 18:32:34 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.17 2010/06/26 19:48:04 reyk Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -761,6 +761,21 @@ ikev2_init_done(struct iked *env, struct iked_sa *sa,
struct iked_message *msg)
{
int ret;
+ struct ibuf *authmsg;
+
+ if (msg->msg_id.id_type) {
+ memcpy(&sa->sa_rid, &msg->msg_id, sizeof(sa->sa_rid));
+ bzero(&msg->msg_id, sizeof(msg->msg_id));
+
+ if ((authmsg = ikev2_msg_auth(env, sa, 0)) == NULL) {
+ log_debug("%s: failed to get response auth data",
+ __func__);
+ return (-1);
+ }
+
+ ca_setauth(env, sa, authmsg, PROC_CERT);
+ return (0);
+ }
if (msg != NULL && !TAILQ_EMPTY(&msg->msg_proposals)) {
if (ikev2_sa_negotiate(sa,
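Review bot: The new `if (msg->msg_id.id_type)` dereferences `msg` unconditionally, yet the very next statement still guards with `msg != NULL`, so a NULL `msg` that was previously accepted now crashes; the guard belongs on the new test too, `if (msg != NULL && msg->msg_id.id_type) {`. The `memcpy` into `sa->sa_rid` also overwrites whatever `id_buf` the SA already held without releasing it, whereas the code removed from `ikev2_pld_id` in this commit did `ibuf_release(idp->id_buf)` before the assignment; add `ibuf_release(sa->sa_rid.id_buf);` ahead of the `memcpy` so a repeated or retransmitted IDr does not leak the earlier buffer. The `bzero` after the copy correctly transfers ownership so message cleanup will not double-free it, assuming cleanup releases `msg_id.id_buf`. `ikev2_init_done` begins before and continues after this hunk.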
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index 9644aa5ff4f..904b04efdc6 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.8 2010/06/26 18:32:34 reyk Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.9 2010/06/26 19:48:04 reyk Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -434,7 +434,6 @@ ikev2_pld_id(struct iked *env, struct ikev2_payload *pld,
struct iked_id *idp, idb;
struct iked_sa *sa = msg->msg_sa;
u_int8_t *msgbuf = ibuf_data(msg->msg_data);
- struct ibuf *authmsg;
char idstr[IKED_ID_SIZE];
memcpy(&id, msgbuf + offset, sizeof(id));
@@ -461,26 +460,22 @@ ikev2_pld_id(struct iked *env, struct ikev2_payload *pld,
return (0);
}
- if (sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) {
- idp = &sa->sa_rid;
- } else if (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi) {
- idp = &sa->sa_iid;
- } else {
+ if (!((sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDr) ||
+ (!sa->sa_hdr.sh_initiator && payload == IKEV2_PAYLOAD_IDi))) {
log_debug("%s: unexpected id payload", __func__);
- return (0);
+ return (-1);
}
- ibuf_release(idp->id_buf);
- idp->id_buf = idb.id_buf;
- idp->id_type = idb.id_type;
-
- if ((authmsg = ikev2_msg_auth(env, sa,
- !sa->sa_hdr.sh_initiator)) == NULL) {
- log_debug("%s: failed to get response auth data", __func__);
+ idp = &msg->msg_id;
+ if (idp->id_type) {
+ log_debug("%s: duplicate id payload", __func__);
return (-1);
}
- ca_setauth(env, sa, authmsg, PROC_CERT);
+ ibuf_release(idp->id_buf);
+ idp->id_buf = idb.id_buf;
+ idp->id_offset = idb.id_offset;
+ idp->id_type = idb.id_type;
return (0);
}
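Review bot: Both new early returns -- the `return (-1)` after "unexpected id payload" and the one after "duplicate id payload" -- leave `idb.id_buf` unreleased; if that buffer is allocated above the hunk, as the later `idp->id_buf = idb.id_buf` handoff suggests, a peer can trigger the leak at will by sending a duplicated or mis-placed IDi/IDr payload, which is a remote resource-exhaustion vector. Adding `ibuf_release(idb.id_buf);` immediately before each of those returns closes it (if `idb` is not yet allocated at that point, the call is harmless on NULL, assuming `ibuf_release` follows the usual free-NULL convention). Changing the unexpected-payload case from `return (0)` to `return (-1)` is a welcome tightening, as it now rejects the message instead of silently ignoring the payload. `ikev2_pld_id` begins before this hunk.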
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5cbaa24f5e3..23fd6687111 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.7 2010/06/26 18:32:34 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.8 2010/06/26 19:48:04 reyk Exp $ */
/* $vantronix: parse.y,v 1.22 2010/06/03 11:08:34 reyk Exp $ */
/*
@@ -586,7 +586,8 @@ host_spec : STRING {
host : host_spec { $$ = $1; }
| host_spec '(' host_spec ')' {
- if ($3->af != $1->af) {
+ if (($1->af != AF_UNSPEC) && ($3->af != AF_UNSPEC) &&
+ ($3->af != $1->af)) {
yyerror("Flow NAT address family mismatch");
YYERROR;
}
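Review bot: The three-way predicate "both families specified and different" is now written out twice, here in the `host` rule and again in `create_ike` further down this diff, and the two copies have to be kept in sync by hand. A small static helper taking the two `af` values, `return (a != AF_UNSPEC && b != AF_UNSPEC && a != b);`, named e.g. `af_mismatch`, would let both sites read `if (af_mismatch($1->af, $3->af))` and `if (peers && peers->src && peers->dst && af_mismatch(peers->src->af, peers->dst->af))`. Independently of style, the relaxation means a flow or peer pair with one `any` side and one IPv4/IPv6 side now reaches the code that expands addresses, so it is worth confirming (outside this diff) that every consumer of `->af` tolerates `AF_UNSPEC` on one side only. The grammar rule is complete within the hunk.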
@@ -2163,7 +2164,8 @@ create_ike(char *name, u_int8_t ipproto, struct ipsec_hosts *hosts,
}
if (peers && peers->src && peers->dst &&
- peers->src->af != peers->dst->af)
+ (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) &&
+ (peers->src->af != peers->dst->af))
fatalx("create_ike: address family mismatch");
ipa = ipb = NULL;