From ddf5aeced0fddd692b54c83cbe602fe2d1303fea Mon Sep 17 00:00:00 2001
From: tobhe
Date: Fri, 2 Oct 2020 20:02:04 +0000
Subject: Send AUTH_FAILED in ikev2_ike_auth_recv() if the message did not contain an AUTH payload and the policy does not use EAP authentication.

ok patrick@
---
 sbin/iked/ikev2.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0b1a7a505aa..005f268ba35 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.261 2020/09/24 13:16:52 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.262 2020/10/02 20:02:03 tobhe Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider
@@ -875,6 +875,19 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 return (-1);
 }
+ /* AUTH payload is required for non-EAP */
+ if (!msg->msg_auth.id_type &&
+ !sa->sa_policy->pol_auth.auth_eap) {
+ /* get dstid */
+ if (msg->msg_id.id_type) {
+ memcpy(id, &msg->msg_id, sizeof(*id));
+ bzero(&msg->msg_id, sizeof(msg->msg_id));
+ }
+ log_debug("%s: missing auth payload", SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ return (-1);
+ }
+
 if (msg->msg_id.id_type) {
 memcpy(id, &msg->msg_id, sizeof(*id));
 bzero(&msg->msg_id, sizeof(msg->msg_id));
-- 
cgit v1.2.3
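Review bot: The "get dstid" copy inside the new non-EAP check in the second hunk duplicates the three lines that immediately follow it (`if (msg->msg_id.id_type) { memcpy(id, &msg->msg_id, sizeof(*id)); bzero(&msg->msg_id, sizeof(msg->msg_id)); }`), so the same ID-saving logic now lives in two places that must be kept in sync. Placing the missing-AUTH check directly after the existing ID copy would let the failure path reuse it and reduce the block to the `log_debug()`, `ikev2_send_auth_failed()` and `return (-1)` lines; this assumes nothing between the two copies depends on the check running first, which cannot be confirmed from the hunk. The comment `/* get dstid */` would also read better if it said why the ID is saved before failing, e.g. `/* save peer ID first so the AUTH_FAILED path can identify the peer */`, provided that is indeed what `ikev2_send_auth_failed()` relies on. ikev2_ike_auth_recv() both starts and continues outside this hunk, and the declaration of `id` is not visible here.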