From 19b9c9adff0cdeac5ce70c6796bf2dbfbf23d1dd Mon Sep 17 00:00:00 2001
From: tobhe
Date: Wed, 20 Jan 2021 18:44:28 +0000
Subject: [PATCH] Make sure to enforce matching dstid as initiator.

Use policy lookup to make sure the negotiated SA matches the selected policy.

ok patrick@
---
 sbin/iked/ikev2.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index c32c3a184fa..5a2a2c52dbe 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.294 2021/01/18 01:23:53 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.295 2021/01/20 18:44:28 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -911,6 +911,28 @@ ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
 }
 if (ikev2_handle_certreq(env, msg) != 0)
 return (-1);
+ } else if (sa->sa_hdr.sh_initiator) {
+ old = sa->sa_policy;
+
+ /* verify policy on initiator */
+ sa->sa_policy = NULL;
+ if (policy_lookup(env, msg, &sa->sa_proposals) != 0 ||
+ msg->msg_policy != old) {
+
+ /* get dstid */
+ if (msg->msg_id.id_type) {
+ memcpy(id, &msg->msg_id, sizeof(*id));
+ bzero(&msg->msg_id, sizeof(msg->msg_id));
+ }
+ log_warnx("%s: policy mismatch", SPI_SA(sa, __func__));
+ ikev2_send_auth_failed(env, sa);
+ TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
+ if (old->pol_flags & IKED_POLICY_REFCNT)
+ policy_unref(env, old);
+ return (-1);
+ }
+ /* restore */
+ msg->msg_policy = sa->sa_policy = old;
 }
 
 /* AUTH payload is required for non-EAP */
-- 
2.20.1
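Review bot: On the mismatch path `sa->sa_policy` is left NULL after the SA is unlinked from `old` (and `old` possibly unref'd), yet `sa` is still handed to `ikev2_send_auth_failed(env, sa)` and then returned to the caller with -1; anything that reads `sa->sa_policy` between here and the SA being freed must tolerate NULL, and the hunk does not state that contract. A comment before the call, `/* sa->sa_policy stays NULL: the SA is detached from 'old' and is expected to be torn down by the caller */`, would make it explicit; the same NULL state is reached when `policy_lookup()` itself fails, since `msg->msg_policy` is only restored on the success path. The `/* get dstid */` comment does not say why an id is adopted into the SA on a failure path — presumably so the failure is reported against the peer identity that did not match the policy, but `id` is declared outside the hunk so that cannot be confirmed here; `/* adopt the presented peer id so the auth failure is attributed to that dstid */` would record the intent. The first hunk is only the RCS id bump. `ikev2_ike_auth_recv` begins and ends outside this hunk.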