From 3a944f1099b50247da0339e37ab7668b1a0dd37c Mon Sep 17 00:00:00 2001
From: tobhe
Date: Sat, 4 Apr 2020 20:36:35 +0000
Subject: It makes no sense to fall back to original policy if the relookup with the received initiator ID fails. Send AUTH_FAILED message and exit instead.

ok markus@
---
 sbin/iked/ikev2.c | 12 +++++++++---
 sbin/iked/policy.c | 12 +++++------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 27c602dcac1..1f18df99740 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.209 2020/04/02 19:44:41 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.210 2020/04/04 20:36:34 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -688,8 +688,14 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 struct iked_policy *old = sa->sa_policy;
 
 sa->sa_policy = NULL;
- if (policy_lookup(env, msg, &sa->sa_proposals) == 0 && msg->msg_policy &&
- msg->msg_policy != old) {
+ if (policy_lookup(env, msg, &sa->sa_proposals) != 0 ||
+ msg->msg_policy == NULL) {
+ log_info("%s: no compatible policy found",
+ SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ return (-1);
+ }
+ if (msg->msg_policy != old) {
 /* move sa to new policy */
 policy = sa->sa_policy = msg->msg_policy;
 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 67d0b8baa31..3a05d947927 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.57 2020/03/10 18:54:52 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.58 2020/04/04 20:36:34 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -81,7 +81,7 @@ policy_lookup(struct iked *env, struct iked_message *msg,
 if (msg->msg_sa != NULL && msg->msg_sa->sa_policy != NULL) {
 /* Existing SA with policy */
 msg->msg_policy = msg->msg_sa->sa_policy;
- goto found;
+ return (0);
 }
 
 bzero(&pol, sizeof(pol));
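Review bot: On the new failure path in ikev2_ike_auth_recv the SA is left linked into the old policy while `sa->sa_policy` is NULL: the hunk clears `sa->sa_policy` before `policy_lookup()`, and the `TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry)` that unlinks it only runs on the success path after the `msg->msg_policy != old` test. If the teardown that follows `ikev2_send_auth_failed()` unlinks an SA only through its sa_policy pointer (that code is not visible here), `old->pol_sapeers` would keep a pointer to a freed SA, and `ikev2_send_auth_failed()` itself now runs with sa_policy NULL, so any read of it on that path would dereference NULL. I would either restore the invariant before sending, `sa->sa_policy = old;` right after the `log_info()`, or unlink explicitly, `TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);` before `return (-1);`, dropping whatever reference the old policy holds if policies are refcounted. The enclosing function begins and ends outside the hunk.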
@@ -102,17 +102,14 @@ policy_lookup(struct iked *env, struct iked_message *msg,
 
 /* Try to find a matching policy for this message */
 if ((msg->msg_policy = policy_test(env, &pol)) != NULL)
- goto found;
+ return (0);
 
 /* No matching policy found, try the default */
 if ((msg->msg_policy = env->sc_defaultcon) != NULL)
- goto found;
+ return (0);
 
 /* No policy found */
 return (-1);
-
- found:
- return (0);
 }
 
 /*
@@ -164,6 +161,7 @@ policy_test(struct iked *env, struct iked_policy *key)
 }
 /* make sure the peer ID matches */
 if (key->pol_peerid.id_type &&
+ p->pol_peerid.id_type &&
 (key->pol_peerid.id_type != p->pol_peerid.id_type ||
 memcmp(key->pol_peerid.id_data, p->pol_peerid.id_data,
--
cgit v1.2.3