Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/message.c61
1 files changed, 19 insertions, 42 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 6fde0bb777b..cd313a2a54f 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.97 2005/03/05 12:25:12 ho Exp $ */
+/* $OpenBSD: message.c,v 1.98 2005/03/05 12:35:03 ho Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -652,8 +652,6 @@ message_validate_delete(struct message *msg, struct payload *p)
/*
* Validate the hash payload P in message MSG.
- * XXX Currently hash payloads are processed by the particular exchanges,
- * except INFORMATIONAL. This should be actually done here.
*/
static int
message_validate_hash(struct message *msg, struct payload *p)
@@ -663,7 +661,7 @@ message_validate_hash(struct message *msg, struct payload *p)
struct hash *hash;
struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH);
struct prf *prf;
- u_int8_t *comp_hash, *rest;
+ u_int8_t *rest;
u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
size_t rest_len;
@@ -671,28 +669,18 @@ message_validate_hash(struct message *msg, struct payload *p)
if (msg->exchange && (msg->exchange->type != ISAKMP_EXCH_INFO))
return 0;
- if (isakmp_sa == NULL) {
- log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
- 0, 1, 1);
- return -1;
- }
+ if (isakmp_sa == NULL)
+ goto invalid;
+
isa = isakmp_sa->data;
hash = hash_get(isa->hash);
+ if (hash == NULL)
+ goto invalid;
- if (hash == NULL) {
- log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
- 0, 1, 1);
- return -1;
- }
/* If no SKEYID_a, we can not do anything (should not happen). */
- if (!isa->skeyid_a) {
- log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
- 0, 1, 1);
- return -1;
- }
+ if (!isa->skeyid_a)
+ goto invalid;
+
/* Allocate the prf and start calculating our HASH(1). */
LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
@@ -702,14 +690,6 @@ message_validate_hash(struct message *msg, struct payload *p)
message_free(msg);
return -1;
}
- comp_hash = (u_int8_t *)malloc(hash->hashsize);
- if (!comp_hash) {
- log_error("message_validate_hash: malloc (%lu) failed",
- (unsigned long)hash->hashsize);
- prf_free(prf);
- message_free(msg);
- return -1;
- }
/* This is not an active exchange. */
GET_ISAKMP_HDR_MESSAGE_ID(msg->iov[0].iov_base, message_id);
@@ -723,20 +703,12 @@ message_validate_hash(struct message *msg, struct payload *p)
LOG_DBG_BUF((LOG_MISC, 90,
"message_validate_hash: payloads after HASH(1)", rest, rest_len));
prf->Update(prf->prfctx, rest, rest_len);
- prf->Final(comp_hash, prf->prfctx);
+ prf->Final(hash->digest, prf->prfctx);
prf_free(prf);
- if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash,
- hash->hashsize)) {
- log_print("message_validate_hash: invalid hash value for %s "
- "payload", payload_first(msg, ISAKMP_PAYLOAD_DELETE) ?
- "DELETE" : "NOTIFY");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
- 0, 1, 1);
- free(comp_hash);
- return -1;
- }
- free(comp_hash);
+ if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest,
+ hash->hashsize))
+ goto invalid;
/* Mark the HASH as handled. */
hashp->flags |= PL_MARK;
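Review bot: The `memcmp` of the received HASH against `hash->digest` stops at the first differing byte, so its run time depends on how much of the peer-supplied value matches. An authentication check like this is better done with a constant-time comparison, e.g. `if (timingsafe_bcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hash->hashsize))` where that function is available. The hunk also shows no check that the HASH payload holds at least `hash->hashsize` bytes after `ISAKMP_HASH_DATA_OFF`; if neither the payload parser nor earlier code in this function enforces that, it should be verified before the compare. Writing the result into `hash->digest` presumably reuses storage owned by the object `hash_get()` returns, so the computed value outlives this call; if so, a comment such as `/* hash->digest is scratch space owned by the hash object */` would make that explicit. The function begins and ends outside this hunk.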
@@ -745,6 +717,11 @@ message_validate_hash(struct message *msg, struct payload *p)
msg->flags |= MSG_AUTHENTICATED;
return 0;
+
+ invalid:
+ log_print("message_validate_hash: invalid hash information");
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1);
+ return -1;
}
/* Validate the identification payload P in message MSG. */
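Review bot: The shared `invalid:` label logs a failed HASH comparison with the same text as a missing SA, a missing hash or a missing SKEYID_a, and the earlier message naming the DELETE or NOTIFY payload is dropped. Logs can therefore no longer tell a tampered or forged informational message apart from an internal state problem. Keeping a specific line just before the `goto invalid` at the comparison, `log_print("message_validate_hash: invalid hash value for %s payload", payload_first(msg, ISAKMP_PAYLOAD_DELETE) ? "DELETE" : "NOTIFY");`, would preserve that signal for monitoring while still sharing the `message_drop` and `return -1`. The function starts outside this hunk.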