diff options
| author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-10 12:54:54 +0000 |
|---|---|---|
| committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-10 12:54:54 +0000 |
| commit | 823082bc23f082927ba04e7a9d76845537fb3209 (patch) | |
| tree | 6c6a337aac9d1fae2f9670291af57fb6a45440f7 /sbin/isakmpd/message.c | |
| parent | 7157c5e66354032062f2cc7d5bb062d01886dabf (diff) | |
Mark authenticated messages explicitly. Better check for authentication before
deleteing SAs.
This fix is needed to solve the problems reported by Thomas Walpuski, previous
diff was not sufficient. Pointed out by Thomas. Thanks!
ok ho@ niklas@, testing and spellcheck by todd@ msf@
Diffstat (limited to 'sbin/isakmpd/message.c')
| -rw-r--r-- | sbin/isakmpd/message.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c index 380473f8ab4..919cd8ed6cc 100644 --- a/sbin/isakmpd/message.c +++ b/sbin/isakmpd/message.c @@ -1,4 +1,4 @@ -/* $OpenBSD: message.c,v 1.75 2004/06/09 14:02:44 ho Exp $ */ +/* $OpenBSD: message.c,v 1.76 2004/06/10 12:54:53 hshoexer Exp $ */ /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */ /* @@ -506,6 +506,12 @@ message_validate_delete(struct message *msg, struct payload *p) u_int32_t i; char *addr; + /* Only accpet authenticated DELETEs. */ + if ((msg->flags & MSG_AUTHENTICATED) == 0) { + log_print("message_validate_delete: got unauthenticated DELETE"); + return -1; + } + doi = doi_lookup(GET_ISAKMP_DELETE_DOI(p->p)); if (!doi) { log_print("message_validate_delete: DOI not supported"); @@ -603,7 +609,8 @@ message_validate_hash(struct message *msg, struct payload *p) u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; size_t rest_len; - if (msg->exchange) /* active exchange validates hash payload. */ + /* active exchanges other than INFORMATIONAL validates hash payload. */ + if (msg->exchange && (msg->exchange->type != ISAKMP_EXCH_INFO)) return 0; if (isakmp_sa == NULL) { @@ -676,6 +683,9 @@ message_validate_hash(struct message *msg, struct payload *p) /* Mark the HASH as handled. */ hashp->flags |= PL_MARK; + /* Mark message as authenticated. */ + msg->flags |= MSG_AUTHENTICATED; + return 0; } |