Bug #3160: No discarding of IKE_SA_INIT messages from responder with cookie with length > 64 octets - strongSwan

Bug #3160

No discarding of IKE_SA_INIT messages from responder with cookie with length > 64 octets

Added by Thomas Herlinghaus 3 months ago. Updated 3 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Tobias Brunner

Category:

libcharon

Target version:

5.8.1

Start date:

Due date:

Estimated time:

Affected version:

5.8.0

Resolution:

Fixed

Description

A preliminary examination of an acceptance test with an IKE/IPsec test suite (achelos GmbH, Paderborn) unfortunately leads to incorrect test results. Among others there is an error regarding RFC7296 chapter 2.6.

Test scenario: Verify that TOE ignores the COOKIE notification whose length is larger than 64. Here, the length of COOKIE notification is 65.
Result: The TOE responds with the long COOKIE instead of ignoring this one.

Can you confirm this behaviour?
Can you specify the location in the source code that makes the check?

Thanks in advance!

Attached you fill find the charon-log and the pcap-file

RFC7296_Kp.2.6_2-02.pcap (8.3 KB) RFC7296_Kp.2.6_2-02.pcap		Thomas Herlinghaus, 27.08.2019 15:55
charon.log (46.7 KB) charon.log		Thomas Herlinghaus, 27.08.2019 15:55

Associated revisions

Revision 902f38dd (diff)
Added by Tobias Brunner 3 months ago

ikev2: Check the length of received COOKIE notifies

As specified by RFC 7296, section 2.6, the data associated with COOKIE
notifications MUST be between 1 and 64 octets in length (inclusive).

Fixes #3160.

History

#1 Updated by Tobias Brunner 3 months ago

Tracker changed from Issue to Bug
Category set to libcharon
Status changed from New to Feedback
Target version set to 5.8.1

Can you confirm this behaviour?

Yes.

Can you specify the location in the source code that makes the check?

There is currently no check at all. Not sure why as the original IKEv2 RFC already had that restriction.

I pushed a fix to the 3160-cookie-len branch.

#2 Updated by Thomas Herlinghaus 3 months ago

I can confirm the fix.

Wed, 2019-08-28 06:55 12[NET] <iketest|1> received packet: from 192.168.221.116⁵⁰⁰ to 192.168.221.129⁵⁰⁰ (115 bytes)
Wed, 2019-08-28 06:55 12[ENC] <iketest|1> invalid notify data length for COOKIE (65)
Wed, 2019-08-28 06:55 12[ENC] <iketest|1> NOTIFY payload verification failed
Wed, 2019-08-28 06:55 12[IKE] <iketest|1> message verification failed
Wed, 2019-08-28 06:55 12[IKE] <iketest|1> IKE_SA_INIT response with message ID 0 processing failed

Many thanks for the prompt support!

#3 Updated by Tobias Brunner 3 months ago

Status changed from Feedback to Closed
Assignee set to Tobias Brunner
Resolution set to Fixed

Thanks for testing.

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues

New issues