author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-10 12:54:54 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-10 12:54:54 +0000 |
commit | 823082bc23f082927ba04e7a9d76845537fb3209 (patch) | |
tree | 6c6a337aac9d1fae2f9670291af57fb6a45440f7 /sbin | |
parent | 7157c5e66354032062f2cc7d5bb062d01886dabf (diff) |
Mark authenticated messages explicitly. Better check for authentication before
deleting SAs.
This fix is needed to solve the problems reported by Thomas Walpuski, previous
diff was not sufficient. Pointed out by Thomas. Thanks!
ok ho@ niklas@, testing and spellcheck by todd@ msf@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/ike_phase_1.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec.c | 18 | ||||
-rw-r--r-- | sbin/isakmpd/message.c | 14 | ||||
-rw-r--r-- | sbin/isakmpd/message.h | 13 |
5 files changed, 48 insertions, 11 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 26073877aba..1a6897ea46c 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.48 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.49 2004/06/10 12:54:53 hshoexer Exp $ */
 /* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
 /*
@@ -1037,6 +1037,10 @@ ike_phase_1_recv_AUTH(struct message *msg)
 /* XXX Log? */
 return -1;
 }
+
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
 return 0;
 }
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 52264f5e648..1ae011d900d 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.79 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.80 2004/06/10 12:54:53 hshoexer Exp $ */
 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
 /*
@@ -1431,6 +1431,9 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
 free(my_hash);
 my_hash = 0;
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
 kep = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_KEY_EXCH]);
 if (kep)
 ie->pfs = 1;
@@ -1849,6 +1852,9 @@ responder_recv_HASH(struct message *msg)
 }
 free(my_hash);
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
 post_quick_mode(msg);
 return 0;
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 1b6f6f2d448..614689e2dc6 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.92 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.93 2004/06/10 12:54:53 hshoexer Exp $ */
 /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
 /*
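Review bot: The comment `/* Mark message as authenticated. */` added at the end of ike_phase_1_recv_AUTH restates the assignment without saying which check justifies it, and the same comment is repeated in responder_recv_HASH_SA_NONCE, responder_recv_HASH and message_validate_hash. Because the flag now gates SA deletion, each site should name what was verified and who relies on it, for example `/* AUTH verified above; DELETE and INITIAL-CONTACT handling require this flag. */`. The exit just above still returns -1 under `/* XXX Log? */` without logging, while the rejections this commit adds in message.c and ipsec.c do log; a log line there would make a failed phase 1 authentication visible to operators. The function body starts outside the hunk, so whether every success path reaches the assignment cannot be confirmed from here.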
@@ -1040,7 +1040,15 @@ ipsec_responder(struct message *msg)
 "ipsec_responder: got NOTIFY of type %s",
 constant_name(isakmp_notify_cst, type)));
- p->flags |= PL_MARK;
+ switch (type) {
+ case IPSEC_NOTIFY_INITIAL_CONTACT:
+ /* Handled by leftover logic. */
+ break;
+
+ default:
+ p->flags |= PL_MARK;
+ break;
+ }
 }
 /*
@@ -1603,6 +1611,12 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
 "INITIAL-CONTACT without ISAKMP SA");
 return -1;
 }
+
+ if ((msg->flags & MSG_AUTHENTICATED) == 0) {
+ log_print("ipsec_handle_leftover_payload: "
+ "got unauthenticated INITIAL-CONTACT");
+ return -1;
+ }
 /*
 * Find out who is sending this and then delete every
 * SA that is ready. Exchanges will timeout
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 380473f8ab4..919cd8ed6cc 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.75 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: message.c,v 1.76 2004/06/10 12:54:53 hshoexer Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 /*
@@ -506,6 +506,12 @@ message_validate_delete(struct message *msg, struct payload *p)
 u_int32_t i;
 char *addr;
+ /* Only accpet authenticated DELETEs. */
+ if ((msg->flags & MSG_AUTHENTICATED) == 0) {
+ log_print("message_validate_delete: got unauthenticated DELETE");
+ return -1;
+ }
+
 doi = doi_lookup(GET_ISAKMP_DELETE_DOI(p->p));
 if (!doi) {
 log_print("message_validate_delete: DOI not supported");
@@ -603,7 +609,8 @@ message_validate_hash(struct message *msg, struct payload *p)
 u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
 size_t rest_len;
- if (msg->exchange) /* active exchange validates hash payload. */
+ /* active exchanges other than INFORMATIONAL validates hash payload. */
+ if (msg->exchange && (msg->exchange->type != ISAKMP_EXCH_INFO))
 return 0;
 if (isakmp_sa == NULL) {
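Review bot: The `default:` branch of the new switch in ipsec_responder marks every NOTIFY type other than INITIAL-CONTACT as handled without consulting MSG_AUTHENTICATED. In the visible lines these notifications are only reported through the debug message above, so this looks harmless today, but the reason is not written down. A comment on the branch would keep it that way, e.g. `/* Only logged here; a NOTIFY that changes SA state must go through the leftover path and its MSG_AUTHENTICATED check. */`. The enclosing loop starts outside the hunk.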
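Review bot: The rejection added to ipsec_handle_leftover_payload logs `got unauthenticated INITIAL-CONTACT` with nothing that identifies the sender, and the DELETE rejection added to message_validate_delete has the same gap. An unauthenticated request to drop SAs is something an operator will want to correlate with a source, yet the sender is only resolved after this check (the `Find out who is sending this` comment that follows). Consider adding the peer address the message already carries to both log lines. These messages can be triggered by unauthenticated traffic, so it is also worth confirming that log_print output cannot be used to flood the log.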
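Review bot: The check added at the top of message_validate_delete depends on the HASH payload of the same message having been validated first, since in this diff message_validate_hash is what sets MSG_AUTHENTICATED for informational messages; that ordering is not visible in the hunk and nothing documents it. If DELETE were ever validated before HASH the code would fail closed and reject legitimate DELETEs, so this is a robustness point rather than a bypass, but it should be stated next to the check. The comment also has a typo; suggested replacement: `/* Only accept authenticated DELETEs; relies on HASH having been validated first. */`. The function continues outside the hunk.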
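Review bot: The early `return 0` in message_validate_hash reports success for a HASH this function did not check, for every active exchange except INFORMATIONAL, and the comment above it reads as if the validation had happened. What keeps that safe is that MSG_AUTHENTICATED stays clear on this path and is set later by the exchange's own receive handler; the comment should say so, e.g. `/* Exchanges other than INFORMATIONAL verify the HASH in their own handlers; MSG_AUTHENTICATED is left clear here. */`. In this commit only ike_phase_1_recv_AUTH and the two responder-side quick mode handlers set the flag, so it is worth confirming that any other receive path whose messages may carry DELETE or INITIAL-CONTACT sets it as well; as written those messages would be rejected.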
@@ -676,6 +683,9 @@ message_validate_hash(struct message *msg, struct payload *p)
 /* Mark the HASH as handled. */
 hashp->flags |= PL_MARK;
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
 return 0;
 }
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index 63c2571cd06..709278eeefb 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.19 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: message.h,v 1.20 2004/06/10 12:54:53 hshoexer Exp $ */
 /* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
 /*
@@ -152,16 +152,19 @@ struct message {
 * retransmitted other than if we see duplicates from our peer's last
 * message.
 */
-#define MSG_LAST 1
+#define MSG_LAST 0x01
 /* The message has already been encrypted. */
-#define MSG_ENCRYPTED 2
+#define MSG_ENCRYPTED 0x02
 /* The message is on the send queue. */
-#define MSG_IN_TRANSIT 4
+#define MSG_IN_TRANSIT 0x04
 /* This message should be kept on the prioritized sendq. */
-#define MSG_PRIORITIZED 8
+#define MSG_PRIORITIZED 0x08
+
+/* This message has successfully been authenticated. */
+#define MSG_AUTHENTICATED 0x10
 TAILQ_HEAD(msg_head, message); |
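Review bot: The comment on MSG_AUTHENTICATED in message.h describes the flag but not the invariant the fix depends on: the bit must be clear on every freshly received message and set only after a HASH or AUTH check has succeeded. The allocation of struct message is not part of this diff, so the zero initial state of `flags` is assumed here rather than shown. Suggest widening the comment, e.g. `/* Set only after the HASH/AUTH of a received message has verified; must start clear. Required for DELETE and INITIAL-CONTACT. */`.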