diff options
| author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-10-01 14:07:17 +0000 |
|---|---|---|
| committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-10-01 14:07:17 +0000 |
| commit | 67d73772340553007a7975649cb772df85784120 (patch) | |
| tree | d037e34760fa2b3b4e67fd5e9d4f42c5a64e7cf0 /sbin/isakmpd/ike_quick_mode.c | |
| parent | 9a80ef958e3311ba96337676e9aa0f454a9ebd3f (diff) | |
Merge with EOM 1.100
author: niklas
AUTHENTICATION_ALGORITHM is a must in AH transforms. Better error reporting.
author: ho
More debugging output.
author: angelos
Remove evil experimental code, fix off-by-1 buffer allocation.
Diffstat (limited to 'sbin/isakmpd/ike_quick_mode.c')
| -rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c index 9c8042e74a6..ca07d783337 100644 --- a/sbin/isakmpd/ike_quick_mode.c +++ b/sbin/isakmpd/ike_quick_mode.c @@ -1,5 +1,5 @@ -/* $OpenBSD: ike_quick_mode.c,v 1.21 1999/08/26 22:30:21 niklas Exp $ */ -/* $EOM: ike_quick_mode.c,v 1.97 1999/08/26 11:21:50 niklas Exp $ */ +/* $OpenBSD: ike_quick_mode.c,v 1.22 1999/10/01 14:07:16 niklas Exp $ */ +/* $EOM: ike_quick_mode.c,v 1.100 1999/10/01 13:44:21 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. @@ -128,9 +128,10 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) { case ISAKMP_CERTENC_NONE: /* For shared keys, just duplicate the passphrase. */ - principal = strdup (isakmp_sa->recv_cert); + principal = calloc (isakmp_sa->recv_certlen + 1, sizeof (char)); if (principal == NULL) return 0; + memcpy (principal, isakmp_sa->recv_cert, isakmp_sa->recv_certlen); break; case ISAKMP_CERTENC_X509_SIG: @@ -1203,8 +1204,18 @@ responder_recv_HASH_SA_NONCE (struct message *msg) { for (proto = TAILQ_FIRST (&sa->protos); proto; proto = TAILQ_NEXT (proto, link)) - /* XXX we need to have some attributes per proto, not all per SA. */ - ipsec_decode_transform (msg, sa, proto, proto->chosen->p); + { + /* XXX we need to have some attributes per proto, not all per SA. */ + ipsec_decode_transform (msg, sa, proto, proto->chosen->p); + if (proto->proto == IPSEC_PROTO_IPSEC_AH + && !((struct ipsec_proto *)proto->data)->auth) + { + log_print ("responder_recv_HASH_SA_NONCE: " + "AH proposed without an algorithm attribute"); + message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); + goto next_sa; + } + } isa = sa->data; @@ -1213,6 +1224,8 @@ responder_recv_HASH_SA_NONCE (struct message *msg) { if (!isa->group_desc) { + log_print ("responder_recv_HASH_SA_NONCE: " + "KEY_EXCH payload without a group desc. attribute"); message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); continue; } @@ -1222,6 +1235,8 @@ responder_recv_HASH_SA_NONCE (struct message *msg) group_desc = isa->group_desc; else if (group_desc != isa->group_desc) { + log_print ("responder_recv_HASH_SA_NONCE: " + "differing group descriptions in one QM"); message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); continue; } @@ -1229,6 +1244,8 @@ responder_recv_HASH_SA_NONCE (struct message *msg) /* At least one SA was accepted. */ retval = 0; + + next_sa: } if (kep) |