Source-Changes-HG archive
[src/netbsd-1-6]: src/crypto/dist/kame/racoon Pull up revisions 1.5-1.6 (requ...
details: https://anonhg.NetBSD.org/src/rev/432cfd8203a2
branches: netbsd-1-6
changeset: 531075:432cfd8203a2
user: he <he%NetBSD.org@localhost>
date: Mon Feb 09 12:49:35 2004 +0000
description:
Pull up revisions 1.5-1.6 (requested by itojun in ticket #1608):
Validate hash on info exchange.
Fix endian mismatch.
diffstat:
crypto/dist/kame/racoon/isakmp_inf.c | 77 ++++++++++++++++++++++++++++++++++-
1 files changed, 73 insertions(+), 4 deletions(-)
diffs (87 lines):
diff -r d28ae1c0da17 -r 432cfd8203a2 crypto/dist/kame/racoon/isakmp_inf.c
--- a/crypto/dist/kame/racoon/isakmp_inf.c Mon Feb 09 12:32:50 2004 +0000
+++ b/crypto/dist/kame/racoon/isakmp_inf.c Mon Feb 09 12:49:35 2004 +0000
@@ -136,10 +136,79 @@
isakmp = (struct isakmp *)msg->v;
gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
- if (isakmp->np == ISAKMP_NPTYPE_HASH)
- np = gen->np;
- else
- np = isakmp->np;
+
+ if (isakmp->np != ISAKMP_NPTYPE_HASH) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because the message has no hash payload.\n");
+ goto end;
+ }
+
+ if (iph1->status != PHASE1ST_ESTABLISHED) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because ISAKMP-SA has not been established yet.\n");
+ goto end;
+ }
+
+ np = gen->np;
+
+ {
+ void *p;
+ vchar_t *hash, *payload;
+ struct isakmp_gen *nd;
+
+ p = (caddr_t) gen + sizeof(struct isakmp_gen);
+ nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
+
+ /* nd length check */
+ if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) +
+ ntohs(gen->len))) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "too long payload length (broken message?)\n");
+ goto end;
+ }
+
+ payload = vmalloc(ntohs(nd->len));
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot allocate memory\n");
+ goto end;
+ }
+
+ memcpy(payload->v, (caddr_t) nd, ntohs(nd->len));
+
+ /* compute HASH */
+ hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
+ if (hash == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot compute hash\n");
+
+ vfree(payload);
+ goto end;
+ }
+
+ if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information due to hash length mismatch\n");
+
+ vfree(hash);
+ vfree(payload);
+ goto end;
+ }
+
+ if (memcmp(p, hash->v, hash->l) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information due to hash mismatch\n");
+
+ vfree(hash);
+ vfree(payload);
+ goto end;
+ }
+
+ plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
+
+ vfree(hash);
+ vfree(payload);
+ }
/* make sure the packet were encrypted. */
if (!encrypted) {
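Review bot: `nd` is computed from the peer-supplied `gen->len` and `nd->len` is read before anything confirms that the hash payload ends inside `msg`. The "nd length check" that follows subtracts `sizeof(struct isakmp) + ntohs(gen->len)` from `msg->l`, which presumably is an unsigned size, so an oversized `gen->len` would wrap the right-hand side to a large value and let the check pass; the later `memcpy` would then read `ntohs(nd->len)` bytes from outside the received buffer. Bounding `gen->len` against `msg->l` before `nd` is formed closes this, as sketched below. Whether `msg->l` is already known to cover the ISAKMP header plus one generic header cannot be seen here, since the function begins and ends outside the hunk, so the sketch checks that as well.

```c
	p = (caddr_t) gen + sizeof(struct isakmp_gen);

	/* hash payload must lie inside msg and leave room for the next generic header */
	if (msg->l < sizeof(struct isakmp) + sizeof(struct isakmp_gen)
	 || ntohs(gen->len) < sizeof(struct isakmp_gen)
	 || ntohs(gen->len) > msg->l - sizeof(struct isakmp)
				- sizeof(struct isakmp_gen)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"too long payload length (broken message?)\n");
		goto end;
	}

	nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
	/* … unchanged: nd length check, payload copy, hash computation and comparison … */
```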