authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-27 09:47:57 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-27 09:47:57 +0000
commit2d7c52e6f52476eb5275366b9135703ced38d7a6 (patch)
treebe263716b4f69762315a03a12c17f7219ae4f71b /sbin
parent79e3b716b5c55d1f62da8d5a98274bc14fbcc445 (diff)
sanity check constraints for transforms.
ok deraadt@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsecctl/parse.y14
1 files changed, 13 insertions, 1 deletions
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 1fa00ee1819..bd11dbc3578 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.43 2005/11/27 03:50:58 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.44 2005/11/27 09:47:56 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1306,12 +1306,20 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
yyerror("ah does not provide encryption");
return (0);
}
+ if (xfs->compxf) {
+ yyerror("ah does not provide compression");
+ return (0);
+ }
}
if (protocol == IPSEC_ESP) {
if (!xfs) {
yyerror("no transforms specified");
return (0);
}
+ if (xfs->compxf) {
+ yyerror("esp does not provide compression");
+ return (0);
+ }
if (!xfs->authxf)
xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
if (!xfs->encxf)
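Review bot: The new `if (xfs->compxf)` check in the AH branch dereferences `xfs` without a visible guard, while the ESP branch right below starts with `if (!xfs)` before touching the struct; the AH branch's head is outside this hunk, so if it carries the same `if (!xfs)` guard this is fine, otherwise a rule with `ah` and no transforms would fault here instead of failing with a yyerror. It would also help a reader to state the ordering the checks depend on, since the ESP branch both validates and fills in defaults: a comment such as `/* reject transforms this protocol cannot carry before installing defaults */` above the new ESP `compxf` check. validate_sa's body starts before and continues after this hunk.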
@@ -1322,6 +1330,10 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
yyerror("no transform specified");
return (0);
}
+ if (xfs->authxf || xfs->encxf) {
+ yyerror("no encryption or authenticaion with ipcomp");
+ return (0);
+ }
if (!xfs->compxf)
xfs->compxf = &compxfs[COMPXF_DEFLATE];
}
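Review bot: The new ipcomp error message has a typo that will surface to users on every rejected rule: `yyerror("no encryption or authenticaion with ipcomp");` should read `yyerror("no encryption or authentication with ipcomp");`. The check itself is correctly placed before the `compxfs[COMPXF_DEFLATE]` default is installed, so a rule that names an auth or enc transform under ipcomp is rejected rather than silently completed. validate_sa continues outside this hunk.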