[Openswan dev] ESP-3DES no-auth
mcr at xelerance.com
mcr at xelerance.com
Mon May 10 19:35:08 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
There is a bug in ipsec_rcv.c when using ESP 3DES without
authentication.
{Doing such a thing is very dumb, but there are very stupid gateways out
there (okay, I'll name it. 3Com SuperStack!) that think it is a good
idea. This box also thinks that manually keying is a good idea too, and
has weird mobility extensions to make it easier to use manually keyed
connections. People using the box can likely trivially be DoS'ed, and
the box may in fact be useful for DOS'ing other people.}
The test case is east-spi-01/west-spi-01, since originally it looked
like it might be using the same SPI# for in and out.
This bug likely affects StrongSwan and all FreeSWAN 2.x.
The result is a kernel crash if unpatched. 3des_decrypt gets called with
a negative length.
Unless you manually configure such a connection, you are safe.
Pluto will never negotiate such a policy.
Some URLs with patches/info:
http://anoncvs.openswan.org/cgi-bin/viewcvs.cgi/openswan-2/linux/net/ipsec/ipsec_rcv.c
http://anoncvs.openswan.org/cgi-bin/viewcvs.cgi/openswan-2/linux/net/ipsec/ipsec_rcv.c.diff?r1=1.142&r2=1.143
http://anoncvs.openswan.org/cgi-bin/viewcvs.cgi/openswan-2/linux/net/ipsec/ipsec_rcv.c.diff?r1=1.142&r2=1.143&diff_format=u
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQKADmYqHRg3pndX9AQGMlAP9Hnb7fT0ykNllIa0450fbIOXcKgNYe3wG
akSN/eozfzlR5E1nOGAeooNy2W9JXXKfbc/HQs6lqhNHsGmSvThstCDChEk6KU9A
uhdZdrsxcG52ZWuAY4zpG6nypMoYyksBaO1uupy/TBab4mWbuiF49gq0s/womHlk
LTalYx28XCo=
=bJ9x
-----END PGP SIGNATURE-----
===================================================================
RCS file: /public/cvs/openswan-2/linux/net/ipsec/ipsec_rcv.c,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -r1.142 -r1.143
--- openswan-2/linux/net/ipsec/ipsec_rcv.c 2004/05/10 22:25:57 1.142
+++ openswan-2/linux/net/ipsec/ipsec_rcv.c 2004/05/10 22:27:00 1.143
@@ -15,7 +15,7 @@
* for more details.
*/
-char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.142 2004/05/10 22:25:57 mcr Exp $";
+char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.143 2004/05/10 22:27:00 mcr Exp $";
#include <linux/config.h>
#include <linux/version.h>
@@ -489,6 +489,11 @@
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
case AH_NONE:
irs->authlen = 0;
+ irs->authfuncs = NULL;
+ irs->ictx = NULL;
+ irs->octx = NULL;
+ irs->ictx_len = 0;
+ irs->octx_len = 0;
break;
default:
irs->ipsp->ips_errs.ips_alg_errs += 1;
@@ -498,6 +503,18 @@
return IPSEC_RCV_BADAUTH;
}
+ irs->ilen = irs->len - iphlen - irs->authlen;
+ if(irs->ilen <= 0) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "runt %s packet with no data, dropping.\n",
+ (proto == IPPROTO_ESP ? "esp" : "ah"));
+ if(irs->stats) {
+ irs->stats->rx_dropped++;
+ }
+ return IPSEC_RCV_BADLEN;
+ }
+
#ifdef CONFIG_IPSEC_ALG
if(irs->authfuncs || ixt_a) {
#else
@@ -505,18 +522,6 @@
#endif
unsigned char *authenticator = NULL;
- irs->ilen = irs->len - iphlen - irs->authlen;
- if(irs->ilen <= 0) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "runt %s packet with no data, dropping.\n",
- (proto == IPPROTO_ESP ? "esp" : "ah"));
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
if(proto_funcs->rcv_setup_auth) {
enum ipsec_rcv_value retval
= (*proto_funcs->rcv_setup_auth)(irs, skb,
@@ -1460,6 +1465,9 @@
/*
* $Log: ipsec_rcv.c,v $
+ * Revision 1.143 2004/05/10 22:27:00 mcr
+ * fix for ESP-3DES-noauth test case.
+ *
* Revision 1.142 2004/05/10 22:25:57 mcr
* reformat of calls to ipsec_lifetime_check().
*
More information about the Dev
mailing list