[Swan-dev] interop-ikev2-racoon-02-psk-responder test
Andrew Cagney
andrew.cagney at gmail.com
Tue Sep 1 22:21:49 EEST 2015
It turns out that the reason racoon appears to be sending us
random padding and pad-length is because racoon is deliberately
sending us random padding and pad-length! Here's a tentative way of
dealing with it:
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 28e93b0..9f2a581 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -1707,15 +1707,19 @@ static stf_status
ikev2_verify_and_decrypt_sk_payload(struct msg_digest *md,
enc_start, enc_size + integ_size));
}
-
- u_char padlen = enc_start[enc_size - 1] + 1;
- if (padlen > enc_blocksize || padlen > enc_size) {
- libreswan_log("invalid padding-length octet: 0x%2x", padlen - 1);
+ u_int8_t padlen = enc_start[enc_size - 1] + 1;
+ if (padlen > enc_size) {
+ libreswan_log("ignoring invalid packet: padding-length %d
(octet 0x%02x) larger than the %zd octets of encoded data",
+ padlen, padlen - 1, enc_size);
return STF_FAIL;
}
+ if (padlen > enc_blocksize) {
+ libreswan_log("padding-length %d (octet 0x%2x) is larger than
%zd octet encoded block size but smaller than %zd octets of encoded
data",
+ padlen, padlen - 1, enc_blocksize, enc_size);
+ }
/* don't bother to check any other pad octets */
- DBG(DBG_CRYPT, DBG_log("striping %u bytes as pad", padlen));
+ DBG(DBG_CRYPT, DBG_log("stripping %u octets as pad", padlen));
setchunk(*chunk, enc_start, enc_size - padlen);
return STF_OK;
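Review bot: `padlen` can wrap to zero at `u_int8_t padlen = enc_start[enc_size - 1] + 1;`, because a pad-length octet of 0xff yields 256, which truncates to 0 in an 8-bit type; both range checks then pass and no octets are stripped. A wider type such as `unsigned int padlen = enc_start[enc_size - 1] + 1;` (with `%u` instead of `%d` in the two new log calls) lets `padlen > enc_size` decide that case correctly. The index `enc_size - 1` also presumes `enc_size > 0`; the function starts and ends outside this hunk, so confirm that an empty encrypted region is rejected earlier. The second message prints the octet with `0x%2x` where the first uses `0x%02x`, so the two are padded differently.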
Below is the racoon code; notice the emphasis on the word "SHOULD" in
the comment ...
/*
 * Excerpt: builds the plaintext of an encrypted payload, i.e. the inner
 * payloads followed by padding and a final Pad Length octet.
 * The three settings below are read from the peer's configuration
 * (ike_sa->rmconf): random pad content, random pad length, and a
 * maximum pad length.
 */
random_pad = ikev2_random_pad_content(ike_sa->rmconf);
random_padlen = ikev2_random_padlen(ike_sa->rmconf);
max_padlen = ikev2_max_padlen(ike_sa->rmconf);
/* clamp to UINT8_MAX; pad_len is asserted to stay within that range below */
if (max_padlen > UINT8_MAX)
max_padlen = UINT8_MAX;
/* (draft-17)
* The sender SHOULD set the Pad Length to the minimum value that makes
* the combination of the Payloads, the Padding, and the Pad
* Length a multiple of the block size
*/
{
/* n: number of extra whole cipher blocks of padding to add */
int n;
block_len = encryptor_block_length(ike_sa->encryptor);
/* minimum pad so that payloads + pad + 1 (length octet) is block-aligned */
pad_len = block_len - ((payloads->l + 1) % block_len);
if (pad_len == block_len)
pad_len = 0;
n = 0;
/* with a configured maximum, allow as many extra blocks as fit under it */
if (max_padlen > 0 && max_padlen - pad_len > block_len)
n = (max_padlen - pad_len) / block_len;
if (random_padlen != RCT_BOOL_OFF) {
/* no configured maximum: allow extra blocks up to UINT8_MAX in total */
if (max_padlen == 0)
n = (UINT8_MAX - pad_len) / block_len;
/* pick a random number of extra blocks in the range 0..n */
n = eay_random_uint32() % (n + 1);
}
/*
 * pad_len can now exceed one cipher block, so a receiver that rejects
 * a Pad Length larger than the block size will not interoperate.
 */
pad_len += n * block_len;
assert(pad_len >= 0 && pad_len <= UINT8_MAX);
}
/* generate initialization vector */
iv_len = encryptor_iv_length(ike_sa->encryptor);
ivbuf = random_bytes(iv_len);
if (!ivbuf)
goto fail;
/* add trailing pad */
/*
 * NOTE(review): the rc_vmalloc() result is passed to memcpy() without a
 * NULL check in this excerpt -- confirm how allocation failure is handled.
 */
plaintext = rc_vmalloc(payloads->l + pad_len + 1);
memcpy(plaintext->v, payloads->v, payloads->l);
if (random_pad != RCT_BOOL_OFF) {
/* random pad content: fill the pad_len octets before the length octet */
rc_vchar_t *rpad = random_bytes(pad_len);
/* NOTE(review): the fail label is outside this excerpt -- confirm it releases plaintext and ivbuf */
if (!rpad)
goto fail;
memcpy(&plaintext->v[plaintext->l - pad_len - 1], rpad->v,
pad_len);
rc_vfree(rpad);
} else {
/* deterministic pad: octet values 1..pad_len, with 1 next to the length octet */
for (i = 1; i <= pad_len; ++i) {
plaintext->v[plaintext->l - i - 1] = i;
}
}
/* last octet is the Pad Length, which does not count itself */
plaintext->v[plaintext->l - 1] = pad_len;