[Swan-dev] interop-ikev2-racoon-02-psk-responder test
Andrew Cagney
andrew.cagney at gmail.com
Mon Aug 31 23:00:25 EEST 2015
I concluded that racoon, for aes-cbc, was forgetting to add a
pad-length. Commit f2de5ef7 added the check :-; Commit d6e46094 just
clarified things a little adding tweaking the message and adding the
[sic:reguired] comment:
+ * Append optional "padding" and reguired "padding-length" byte.
+ *
+ * Some encryption modes, namely CBC, require things to be padded to
+ * the encryption block-size. While others, such as CTR, do not.
+ * Either way a "padding-length" byte is always appended.
+ *
+ * This code starts by appending a 0 pad-octet, and each subsequent
+ * octet is one larger. Thus the last octet always contains one less
+ * than the number of octets added i.e., the padding-length.
+ *
+ * Adding to the confusion, ESP requires a minimum of 4-byte alignment
+ * and IKE is free to use the ESP code for padding - we don't.
for instance, racoon sends us:
| payload after decryption:
| 29 00 00 0c 02 00 00 00 65 61 73 74 27 00 00 08
| 00 00 40 00 21 00 00 1c 02 00 00 00 2e 49 8a c0
| 19 e8 72 21 f4 f7 93 7b 62 af b8 39 38 ad 54 d2
| 2c 00 00 2c 00 00 00 28 01 03 04 03 03 6e 86 5c
| 03 00 00 0c 01 00 00 0c 80 0e 00 80 03 00 00 08
| 03 00 00 02 00 00 00 08 05 00 00 00 2d 00 00 18
| 01 00 00 00 07 00 00 10 00 00 ff ff c0 00 01 00
| c0 00 01 ff 00 00 00 18 01 00 00 00 07 00 00 10
| 00 00 ff ff c0 00 02 00 c0 00 02 ff 3f 25 1b 2b
| ea bf b2 fc a0 51 07 dc b6 d6 ef 5d 82 29 ee 7f
| 67 31 34 58 e3 cf 5e 9e f9 5f 10 e4 b8 41 0f 23
"westnet-eastnet-ikev2" #2: invalid padding-length octet: 0x23
The last byte of the payload is the required pad length. With a 16
byte block, the largest valid pad length value is 15; 23 is larger
than that.
On 30 August 2015 at 14:40, Paul Wouters <paul at nohats.ca> wrote:
> On Sun, 30 Aug 2015, D. Hugh Redelmeier wrote:
>
>> Subject: [Swan-dev] interop-ikev2-racoon-02-psk-responder test
>>
>> I just ran the test suite to test some changes before committing them.
>> The only regression (i.e. the only test that passed yesterday but failed
>> today) is interop-ikev2-racoon-02-psk-responder.
>>
>> It fails with this message in the console log:
>> +002 "westnet-eastnet-ikev2" #2: invalid padding-length octet: 0x23
>>
>> I think that this is an oblique way of saying that the encrypted payload
>> is smells bad and will be rejected. If so, it isn't really user-friendly.
>
>
> This message has appeared a long time ago when Andrew redid our CBC-only
> crypto to CBC/CTR/GCM. We could never figure out why racoon did this. As
> other interop tests with stronswan worked fine. I think this might be a
> bug in racoon2. No one is really using or developing racoon2 AFAIK. In
> fact, racoon1 (aka ipsec-tools) sees more development still, but has no
> IKEv2 support.
More information about the Swan-dev
mailing list