Bug #3160
No discarding of IKE_SA_INIT messages from responder with cookie with length > 64 octets
Description
A preliminary examination of an acceptance test with an IKE/IPsec test suite (achelos GmbH, Paderborn) unfortunately leads to incorrect test results. Among others there is an error regarding RFC7296 chapter 2.6.
Test scenario: Verify that TOE ignores the COOKIE notification whose length is larger than 64. Here, the length of COOKIE notification is 65.
Result: The TOE responds with the long COOKIE instead of ignoring this one.
Can you confirm this behaviour?
Can you specify the location in the source code that makes the check?
Thanks in advance!
Attached you will find the charon log and the pcap file.
Associated revisions
History
#1 Updated by Tobias Brunner over 1 year ago
- Tracker changed from Issue to Bug
- Category set to libcharon
- Status changed from New to Feedback
- Target version set to 5.8.1
Can you confirm this behaviour?
Yes.
Can you specify the location in the source code that makes the check?
There is currently no check at all. Not sure why as the original IKEv2 RFC already had that restriction.
I pushed a fix to the 3160-cookie-len branch.
#2 Updated by Thomas Herlinghaus over 1 year ago
I can confirm the fix.
Wed, 2019-08-28 06:55 12[NET] <iketest|1> received packet: from 192.168.221.116500 to 192.168.221.129500 (115 bytes)
Wed, 2019-08-28 06:55 12[ENC] <iketest|1> invalid notify data length for COOKIE (65)
Wed, 2019-08-28 06:55 12[ENC] <iketest|1> NOTIFY payload verification failed
Wed, 2019-08-28 06:55 12[IKE] <iketest|1> message verification failed
Wed, 2019-08-28 06:55 12[IKE] <iketest|1> IKE_SA_INIT response with message ID 0 processing failed
Many thanks for the prompt support!
#3 Updated by Tobias Brunner over 1 year ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to Fixed
Thanks for testing.
ikev2: Check the length of received COOKIE notifies
As specified by RFC 7296, section 2.6, the data associated with COOKIE
notifications MUST be between 1 and 64 octets in length (inclusive).
Fixes #3160.
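
The length check the commit message describes, as an added example in C that is not strongSwan's code: `verify_notify`, `build_cookie_notify` and the status enum are hypothetical names, and the sample payloads are constructed. The Notify payload layout and the COOKIE type value 16390 follow RFC 7296, section 3.10.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOTIFY_COOKIE   16390  /* notify message type, RFC 7296 section 3.10.1 */
#define NOTIFY_HDR_LEN  8      /* generic header (4) + protocol, SPI size, type (4) */
#define COOKIE_MAX_LEN  64     /* RFC 7296 section 2.6: 1..64 octets inclusive */

typedef enum { NOTIFY_OK, NOTIFY_TRUNCATED, NOTIFY_BAD_COOKIE_LEN } notify_status_t;

/* Validate one Notify payload (hypothetical helper, not strongSwan's API).
 * buf points at the generic payload header, len is the number of bytes available. */
notify_status_t verify_notify(const uint8_t *buf, size_t len)
{
    if (len < NOTIFY_HDR_LEN)
        return NOTIFY_TRUNCATED;
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];
    size_t spi_size = buf[5];
    unsigned type = ((unsigned)buf[6] << 8) | buf[7];
    if (payload_len < NOTIFY_HDR_LEN + spi_size || payload_len > len)
        return NOTIFY_TRUNCATED;   /* length field inconsistent with the buffer */
    size_t data_len = payload_len - NOTIFY_HDR_LEN - spi_size;
    if (type == NOTIFY_COOKIE && (data_len < 1 || data_len > COOKIE_MAX_LEN))
        return NOTIFY_BAD_COOKIE_LEN;   /* caller discards the whole message */
    return NOTIFY_OK;
}

/* Build a constructed COOKIE notify carrying cookie_len bytes of filler data. */
size_t build_cookie_notify(uint8_t *out, size_t cookie_len)
{
    size_t total = NOTIFY_HDR_LEN + cookie_len;
    memset(out, 0, NOTIFY_HDR_LEN);   /* next payload, flags, protocol, SPI size = 0 */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[6] = (uint8_t)(NOTIFY_COOKIE >> 8);
    out[7] = (uint8_t)(NOTIFY_COOKIE & 0xff);
    memset(out + NOTIFY_HDR_LEN, 0xAB, cookie_len);
    return total;
}

int main(void)
{
    uint8_t buf[NOTIFY_HDR_LEN + 128];
    size_t lens[] = { 0, 1, 64, 65 };   /* 65 is the length used in the test scenario */
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("cookie length %zu -> status %d\n", lens[i],
               (int)verify_notify(buf, build_cookie_notify(buf, lens[i])));
    return 0;
}
```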