Subject: racoon and respecting verify_identifier
To: None <tech-security@NetBSD.org>
From: Greg Troxel <gdt@NetBSD.org>
List: tech-security
Date: 03/24/2006 10:07:20
I use transport-mode IPsec to protect coda, and am newly using dynamic
addresses more often.  I tried to configure my coda server to not
fail the SA setup because the IP address in the cert differs from the
one in use:

remote anonymous
{
        exchange_mode main;

        my_identifier address;
        peers_identifier address;
        verify_identifier off;
        certificate_type x509
                "my.crt"
                "local.key";
}

But, I still got

Mar 24 09:30:35 claude racoon: ERROR: ID mismatched with subjectAltName.
Mar 24 09:30:35 claude racoon: ERROR: no peer's CERT payload found.

It seems like a bug to me to fail the exchange because the IP address
of the peer doesn't match the IP address in the packet when
verify_identifier is off.  I made the following change (locally),
which results in SAs being created as I intend.  A similar if
statement already exists in a few places in the code.

1) Is this ok to commit from a technical correctness viewpoint?

2) Is this ok to commit from an upstream relationship viewpoint?
   Should I send the patch to ipsec-tools-devel@lists.sourceforge.net
   (instead? also?)


Index: crypto/dist/ipsec-tools/src/racoon/oakley.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/oakley.c,v
retrieving revision 1.7
diff -u -r1.7 oakley.c
--- crypto/dist/ipsec-tools/src/racoon/oakley.c	21 Nov 2005 14:20:29 -0000	1.7
+++ crypto/dist/ipsec-tools/src/racoon/oakley.c	24 Mar 2006 14:47:22 -0000
@@ -1800,7 +1800,8 @@
 		if (error != 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"ID mismatched with subjectAltName.\n");
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1->rmconf->verify_identifier)
+				return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	case IPSECDOI_ID_IPV4_ADDR:
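Review bot: the plog at LLV_ERROR still fires on every mismatch, so with verify_identifier off an operator sees "ERROR: ID mismatched with subjectAltName." immediately followed by a successful SA, which reads like a failure and will be grepped as one. Test verify_identifier before logging, and log the tolerated case at a lower level with wording that says it is being ignored, e.g.
if (error != 0 && iph1->rmconf->verify_identifier) { plog(LLV_ERROR, ...); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; }
else if (error != 0) plog(LLV_WARNING, LOCATION, NULL, "ID mismatched with subjectAltName, ignored (verify_identifier off).\n");
That keeps the mismatch visible in the log, which matters because the peer's address no longer has to agree with its certificate, while making the outcome of the exchange obvious from the message.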
@@ -1870,7 +1871,8 @@
 		if (error != 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"ID mismatched with subjectAltName.\n");
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1->rmconf->verify_identifier)
+				return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	}
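Review bot: this hunk duplicates the first hunk's logic line for line (same plog text, same gated return), so whatever logging fix is chosen there has to be applied here as well or the two branches will drift. Consider folding the post-comparison handling of both branches into one static helper that takes `error` and `iph1->rmconf` and encodes the verify_identifier policy once. Also add a sentence to the verify_identifier entry in racoon.conf(5) saying that "off" now also tolerates a mismatch between the ID payload and the certificate's subjectAltName, since before this change the directive did not affect that check.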
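To make the behaviour the patch is aiming for concrete, here is a small self-contained model of the check, written for this post and not taken from racoon: an ID payload (an IPv4 or IPv6 literal) is compared against the certificate's subjectAltName entries, and a mismatch only fails the exchange when verify_identifier is on, while still being logged so the operator can see that the peer's address differs from its certificate. The function names, the tiny `remote_conf` struct and the SAN list are assumptions for illustration; the notify value follows ISAKMP's INVALID-ID-INFORMATION (18).

```c
/* Added example modelling racoon's ID-vs-subjectAltName check gated on
 * verify_identifier. Not racoon's code; names below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* ISAKMP notify type INVALID-ID-INFORMATION (RFC 2408). */
#define NTYPE_INVALID_ID_INFORMATION 18

/* Stand-in for the remote{} block of racoon.conf (assumed struct). */
struct remote_conf {
    int verify_identifier;   /* verify_identifier on (1) | off (0) */
};

/* Compare a textual peer ID to one SAN entry of the same address family.
 * Parsing both sides with inet_pton normalises spellings such as
 * "2001:db8::10" versus "2001:db8:0:0:0:0:0:10". */
static int id_matches_san(const char *peer_id, const char *san, int af)
{
    unsigned char a[16], b[16];
    size_t len = (af == AF_INET) ? 4 : 16;

    if (inet_pton(af, peer_id, a) != 1 || inet_pton(af, san, b) != 1)
        return 0;
    return memcmp(a, b, len) == 0;
}

/* Returns 0 when the exchange may proceed, or the notify type to send when it
 * must fail. *mismatch is set to 1 whenever the ID matched no SAN entry, so the
 * caller can see a tolerated mismatch even when verify_identifier is off. */
int check_peer_id(const struct remote_conf *rmconf, int af,
                  const char *peer_id, const char *const *sans, size_t nsans,
                  int *mismatch)
{
    size_t i;

    *mismatch = 1;
    for (i = 0; i < nsans; i++) {
        if (id_matches_san(peer_id, sans[i], af)) {
            *mismatch = 0;
            return 0;
        }
    }

    if (rmconf->verify_identifier) {
        fprintf(stderr, "ERROR: ID mismatched with subjectAltName.\n");
        return NTYPE_INVALID_ID_INFORMATION;
    }

    /* Tolerated, but recorded: the peer's address is not the one in its
     * certificate, which an operator reading the log should be able to see. */
    fprintf(stderr, "WARNING: ID mismatched with subjectAltName, "
                    "ignored (verify_identifier off).\n");
    return 0;
}

int main(void)
{
    /* Constructed sample: a certificate carrying two iPAddress SAN entries. */
    const char *sans[] = { "192.0.2.10", "2001:db8::10" };
    struct remote_conf strict = { 1 }, lax = { 0 };
    int mismatch;

    /* Dynamic address not in the cert: fails only under verify_identifier on. */
    printf("strict: %d\n", check_peer_id(&strict, AF_INET, "192.0.2.99",
                                          sans, 2, &mismatch));
    printf("lax:    %d (mismatch=%d)\n", check_peer_id(&lax, AF_INET, "192.0.2.99",
                                          sans, 2, &mismatch), mismatch);
    return 0;
}
```

The design point is the one the patch leaves open: the decision (fail or continue) and the log level are chosen together, so a tolerated mismatch never appears as an ERROR line in front of a successful SA.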