authorHakan Olsson <ho@cvs.openbsd.org>2003-09-02 18:14:53 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2003-09-02 18:14:53 +0000
commitf8d9aec3f9075dde07456435c79c00a7f40ed7fd (patch)
treefdc6c9368d7363a82635bee81ad5e1638e9e6cd1 /sbin/isakmpd
parent9df3fe7c730259fc964131b0b2020590a6e55df2 (diff)
Require ISAKMP_FLAGS_ENC on phase 2 messages. ok markus@, deraadt@.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/message.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index b7edbffaf71..e7eee52a07b 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.60 2003/06/14 11:47:13 ho Exp $ */
+/* $OpenBSD: message.c,v 1.61 2003/09/02 18:14:52 ho Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -1217,6 +1217,14 @@ message_recv (struct message *msg)
&& (flags & ISAKMP_FLAGS_COMMIT))
msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED;
+ /* Require encryption for any phase 2 message. XXX Always? */
+ if (msg->exchange->phase == 2 && (flags & ISAKMP_FLAGS_ENC) == 0)
+ {
+ log_print ("message_recv: cleartext phase 2 message");
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
+ return -1;
+ }
+
/* OK let the exchange logic do the rest. */
exchange_run (msg);
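Review bot: The new guard `msg->exchange->phase == 2 && (flags & ISAKMP_FLAGS_ENC) == 0` tests only a header bit that the sender sets, so it rejects messages that declare themselves cleartext but does not show that the body was actually decrypted and authenticated. That must be enforced elsewhere in message_recv, which starts and ends outside this hunk, and is worth confirming. The `XXX Always?` in the comment leaves the policy open; I would replace it with something like `/* Phase 2 traffic is protected by the phase 1 SA, so a cleartext message here cannot be authenticated; drop it before exchange_run(). XXX confirm no cleartext informational exchange is classified as phase 2. */`. The `log_print` line fires on unauthenticated input and carries no peer or exchange identifier. Adding one and rate-limiting the message would make the log useful for triage without letting a remote sender flood it.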