-rw-r--r--sbin/isakmpd/ike_phase_1.c6
-rw-r--r--sbin/isakmpd/ike_quick_mode.c8
-rw-r--r--sbin/isakmpd/ipsec.c18
-rw-r--r--sbin/isakmpd/message.c14
-rw-r--r--sbin/isakmpd/message.h13
5 files changed, 48 insertions, 11 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 26073877aba..1a6897ea46c 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.48 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.49 2004/06/10 12:54:53 hshoexer Exp $ */
/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
/*
@@ -1037,6 +1037,10 @@ ike_phase_1_recv_AUTH(struct message *msg)
/* XXX Log? */
return -1;
}
+
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
return 0;
}
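Review bot: The comment `/* Mark message as authenticated. */` at the end of ike_phase_1_recv_AUTH does not say which later check consumes the bit. The flag only becomes visible once this exchange handler has got this far, so any check that runs earlier on the same message fails closed; whether that ordering is intended is not visible in the hunk. I would make the intent explicit, for example `/* AUTH verified: later leftover-payload handling may trust this message. */`. The same bare comment is repeated in responder_recv_HASH_SA_NONCE and responder_recv_HASH in ike_quick_mode.c and in message_validate_hash in message.c. The function body starts outside the hunk.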
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 52264f5e648..1ae011d900d 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.79 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.80 2004/06/10 12:54:53 hshoexer Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -1431,6 +1431,9 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
free(my_hash);
my_hash = 0;
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
kep = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_KEY_EXCH]);
if (kep)
ie->pfs = 1;
@@ -1849,6 +1852,9 @@ responder_recv_HASH(struct message *msg)
}
free(my_hash);
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
post_quick_mode(msg);
return 0;
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 1b6f6f2d448..614689e2dc6 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.92 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.93 2004/06/10 12:54:53 hshoexer Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -1040,7 +1040,15 @@ ipsec_responder(struct message *msg)
"ipsec_responder: got NOTIFY of type %s",
constant_name(isakmp_notify_cst, type)));
- p->flags |= PL_MARK;
+ switch (type) {
+ case IPSEC_NOTIFY_INITIAL_CONTACT:
+ /* Handled by leftover logic. */
+ break;
+
+ default:
+ p->flags |= PL_MARK;
+ break;
+ }
}
/*
@@ -1603,6 +1611,12 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
"INITIAL-CONTACT without ISAKMP SA");
return -1;
}
+
+ if ((msg->flags & MSG_AUTHENTICATED) == 0) {
+ log_print("ipsec_handle_leftover_payload: "
+ "got unauthenticated INITIAL-CONTACT");
+ return -1;
+ }
/*
* Find out who is sending this and then delete every
* SA that is ready. Exchanges will timeout
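Review bot: The rejection path that logs `got unauthenticated INITIAL-CONTACT` records nothing about the sender, so an operator cannot tell which peer is sending notifications that would otherwise trigger SA deletion. This is an event worth alerting on, so the log line should carry the peer's address, as far as it is available at this point in ipsec_handle_leftover_payload. The same applies to `got unauthenticated DELETE` in message_validate_delete. The function body starts and ends outside the hunk.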
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 380473f8ab4..919cd8ed6cc 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.75 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: message.c,v 1.76 2004/06/10 12:54:53 hshoexer Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -506,6 +506,12 @@ message_validate_delete(struct message *msg, struct payload *p)
u_int32_t i;
char *addr;
+ /* Only accpet authenticated DELETEs. */
+ if ((msg->flags & MSG_AUTHENTICATED) == 0) {
+ log_print("message_validate_delete: got unauthenticated DELETE");
+ return -1;
+ }
+
doi = doi_lookup(GET_ISAKMP_DELETE_DOI(p->p));
if (!doi) {
log_print("message_validate_delete: DOI not supported");
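Review bot: The new guard in message_validate_delete only works if MSG_AUTHENTICATED is already set when the DELETE payload is validated. In this commit, message_validate_hash sets it for informational messages, but the order in which payloads are validated is not visible here, so the comment should record that dependency. The comment also has a typo; I would write `/* Only accept authenticated DELETEs; relies on the HASH payload having been validated first. */`. The function continues outside the hunk.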
@@ -603,7 +609,8 @@ message_validate_hash(struct message *msg, struct payload *p)
u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
size_t rest_len;
- if (msg->exchange) /* active exchange validates hash payload. */
+ /* active exchanges other than INFORMATIONAL validates hash payload. */
+ if (msg->exchange && (msg->exchange->type != ISAKMP_EXCH_INFO))
return 0;
if (isakmp_sa == NULL) {
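Review bot: The comment above the early return in message_validate_hash is ungrammatical and does not explain why INFORMATIONAL is the exception. A reader has to infer that other exchange types verify the HASH in their own handlers, while an informational message must be verified here so that MSG_AUTHENTICATED can be set. Suggested wording: `/* Exchanges other than INFORMATIONAL validate the HASH payload themselves. */`. The rest of the function is outside the hunk.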
@@ -676,6 +683,9 @@ message_validate_hash(struct message *msg, struct payload *p)
/* Mark the HASH as handled. */
hashp->flags |= PL_MARK;
+ /* Mark message as authenticated. */
+ msg->flags |= MSG_AUTHENTICATED;
+
return 0;
}
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index 63c2571cd06..709278eeefb 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.19 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: message.h,v 1.20 2004/06/10 12:54:53 hshoexer Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -152,16 +152,19 @@ struct message {
* retransmitted other than if we see duplicates from our peer's last
* message.
*/
-#define MSG_LAST 1
+#define MSG_LAST 0x01
/* The message has already been encrypted. */
-#define MSG_ENCRYPTED 2
+#define MSG_ENCRYPTED 0x02
/* The message is on the send queue. */
-#define MSG_IN_TRANSIT 4
+#define MSG_IN_TRANSIT 0x04
/* This message should be kept on the prioritized sendq. */
-#define MSG_PRIORITIZED 8
+#define MSG_PRIORITIZED 0x08
+
+/* This message has successfully been authenticated. */
+#define MSG_AUTHENTICATED 0x10
TAILQ_HEAD(msg_head, message);
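Review bot: The comment on `MSG_AUTHENTICATED` does not state who may set the bit or what it guarantees. The new checks in message_validate_delete and ipsec_handle_leftover_payload treat it as an authorization decision, so that contract belongs next to the definition. I would expand it to something like `/* Set only after the peer's HASH or AUTH payload has been verified for this received message. */`. It is also worth confirming, since it is not visible in this hunk, that a newly allocated struct message starts with flags cleared, because otherwise the check would fail open.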