diff options
author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-07-16 02:02:00 +0000 |
---|---|---|
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-07-16 02:02:00 +0000 |
commit | 9e2853823c92af3c3ed247622175ff75af176b46 (patch) | |
tree | 0459989ff11c50c98940516a261ff09e50590cf9 /sbin | |
parent | 319b030df597eda3e580ec5f4dc4fb94e8e33659 (diff) |
Merge with EOM 1.6
author: niklas
Bugs found when interoperating with KAME:
Inbound policy was not checked properly. Lifetime duration could be in
long format. Main mode can carry different DH-groups.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/ike_phase_1.c | 68 |
1 files changed, 34 insertions, 34 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c index 179f87ca429..f605a77d96e 100644 --- a/sbin/isakmpd/ike_phase_1.c +++ b/sbin/isakmpd/ike_phase_1.c @@ -1,5 +1,5 @@ -/* $OpenBSD: ike_phase_1.c,v 1.4 1999/07/07 22:15:42 niklas Exp $ */ -/* $EOM: ike_phase_1.c,v 1.5 1999/06/15 11:21:21 niklas Exp $ */ +/* $OpenBSD: ike_phase_1.c,v 1.5 1999/07/16 02:01:59 niklas Exp $ */ +/* $EOM: ike_phase_1.c,v 1.6 1999/07/16 02:01:52 niklas Exp $ */ /* * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. @@ -213,22 +213,31 @@ ike_phase_1_initiator_send_SA (struct message *msg) /* Record the real transform size. */ transforms_len += transform_len[i] = attr - transform[i]; - /* - * Make sure that if a group description is specified, it is - * specified for all transforms equally. - */ - attr = conf_get_str (xf->field, "GROUP_DESCRIPTION"); - new_group_desc = attr ? constant_value (ike_group_desc_cst, attr) : 0; - if (group_desc == -1) - group_desc = new_group_desc; - else if (group_desc != new_group_desc) + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) { - log_print ("ike_phase_1_inititor_send_SA: " - "differing group descriptions in a proposal"); - goto bail_out; + /* + * Make sure that if a group description is specified, it is + * specified for all transforms equally. + */ + attr = conf_get_str (xf->field, "GROUP_DESCRIPTION"); + new_group_desc + = attr ? constant_value (ike_group_desc_cst, attr) : 0; + if (group_desc == -1) + group_desc = new_group_desc; + else if (group_desc != new_group_desc) + { + log_print ("ike_phase_1_inititor_send_SA: " + "differing group descriptions in a proposal"); + goto bail_out; + } } } + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) + ie->group = group_get (group_desc); + proposal_len = ISAKMP_PROP_SPI_OFF; proposal = malloc (proposal_len); if (!proposal) @@ -322,9 +331,6 @@ ike_phase_1_initiator_send_SA (struct message *msg) transforms_len += transform_len[i]; } - if (group_desc) - ie->group = group_get (group_desc); - conf_free_list (conf); free (transform); free (transform_len); @@ -353,10 +359,9 @@ int ike_phase_1_initiator_recv_SA (struct message *msg) { struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; struct sa *sa = TAILQ_FIRST (&exchange->sa_list); + struct ipsec_exch *ie = exchange->data; struct ipsec_sa *isa = sa->data; - struct proto *proto; struct payload *sa_p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]); struct payload *prop = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_PROPOSAL]); struct payload *xf = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); @@ -375,26 +380,20 @@ ike_phase_1_initiator_recv_SA (struct message *msg) return -1; } - /* Build the protection suite in our SA. */ - if (sa_add_transform (sa, xf, msg->exchange->initiator, &proto)) - { - /* XXX Log? */ - return -1; - } + /* Check that the chosen transform matches an offer. */ + if (message_negotiate_sa (msg, ike_phase_1_validate_prop) + || !TAILQ_FIRST (&sa->protos)) + return -1; - /* XXX Check that the chosen transform matches an offer. */ ipsec_decode_transform (msg, sa, TAILQ_FIRST (&sa->protos), xf->p); + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type != ISAKMP_EXCH_AGGRESSIVE) + ie->group = group_get (isa->group_desc); + /* Mark the SA as handled. */ sa_p->flags |= PL_MARK; - if ((isa->group_desc && (!ie->group || ie->group->id != isa->group_desc)) - || (!isa->group_desc && ie->group)) - { - log_print ("ike_phase_1_initiator_recv_SA: disagreement on DH group"); - return -1; - } - return 0; } @@ -1178,7 +1177,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, rv = 1; goto bail_out; } - rv = !conf_match_num (vs->life, "LIFE_DURATION", decode_16 (value)); + rv = !conf_match_num (vs->life, "LIFE_DURATION", + len == 4 ? decode_32 (value) : decode_16 (value)); free (vs->life); vs->life = 0; break; |