From 336eac84eb7902eae212f05711ce06967b4d202c Mon Sep 17 00:00:00 2001 From: Filip Tehlar Date: Wed, 25 Mar 2020 02:46:28 +0000 Subject: ikev2: fix wrong usage of BN_bn2bin() This patch fixes 2 different crashes: 1) BN_bn2bin() returns bytes written, not actual key length. Use BN_bn2binpad() instead which adds padding. 2) Initiator may receive multiple sa-init responses for the same ispi which may result in crash. Remember first response and ignore any subsequent ones. Type: fix Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f Signed-off-by: Filip Tehlar --- src/plugins/ikev2/ikev2.c | 20 +++++++++++++---- src/plugins/ikev2/ikev2_crypto.c | 47 +++++++++++++++++++++++++++++++++------- src/plugins/ikev2/ikev2_priv.h | 1 + 3 files changed, 56 insertions(+), 12 deletions(-) diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 92a8ff8fe10..f288d4fcbec 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -380,6 +380,7 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai) ikev2_sa_transform_t *t = 0, *t2; ikev2_main_t *km = &ikev2_main; + sai->init_response_received = 1; /*move some data to the new SA */ #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;}) @@ -2445,10 +2446,18 @@ ikev2_node_fn (vlib_main_t * vm, ikev2_sa_t *sai = pool_elt_at_index (km->sais, p[0]); - ikev2_complete_sa_data (sa0, sai); - ikev2_calc_keys (sa0); - ikev2_sa_auth_init (sa0); - len = ikev2_generate_message (sa0, ike0, 0); + if (sai->init_response_received) + { + /* we've already processed sa-init response */ + sa0->state = IKEV2_STATE_UNKNOWN; + } + else + { + ikev2_complete_sa_data (sa0, sai); + ikev2_calc_keys (sa0); + ikev2_sa_auth_init (sa0); + len = ikev2_generate_message (sa0, ike0, 0); + } } } @@ -3889,6 +3898,9 @@ ikev2_process_pending_sa_init (ikev2_main_t * km) hash_foreach (ispi, sai, km->sa_by_ispi, ({ sa = pool_elt_at_index (km->sais, sai); + if (sa->init_response_received) + continue; + u32 bi0; if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1) return; diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c index 26ff43387e7..572bee8fc65 100644 --- a/src/plugins/ikev2/ikev2_crypto.c +++ b/src/plugins/ikev2/ikev2_crypto.c @@ -458,6 +458,23 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst) return out_len + bs; } +#ifndef BN_bn2binpad +int +BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen) +{ + int r = BN_bn2bin (a, to); + ASSERT (tolen >= r); + int pad = tolen - r; + if (pad) + { + vec_insert (to, pad, 0); + clib_memset (to, 0, pad); + _vec_len (to) -= pad; + } + return tolen; +} +#endif + void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) { @@ -486,13 +503,13 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_private_key = vec_new (u8, t->key_len); #if OPENSSL_VERSION_NUMBER >= 0x10100000L DH_get0_key (dh, &pub_key, &priv_key); - r = BN_bn2bin (pub_key, sa->i_dh_data); + r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len); ASSERT (r == t->key_len); - r = BN_bn2bin (priv_key, sa->dh_private_key); + r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len); #else - r = BN_bn2bin (dh->pub_key, sa->i_dh_data); + r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len); ASSERT (r == t->key_len); - r = BN_bn2bin (dh->priv_key, sa->dh_private_key); + r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len); #endif ASSERT (r == t->key_len); } @@ -501,9 +518,9 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->r_dh_data = vec_new (u8, t->key_len); #if OPENSSL_VERSION_NUMBER >= 0x10100000L DH_get0_key (dh, &pub_key, &priv_key); - r = BN_bn2bin (pub_key, sa->r_dh_data); + r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len); #else - r = BN_bn2bin (dh->pub_key, sa->r_dh_data); + r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len); #endif ASSERT (r == t->key_len); @@ -511,7 +528,14 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL); r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); + ASSERT (t->key_len >= r); + int pad = t->key_len - r; + if (pad) + { + vec_insert (sa->dh_shared_key, pad, 0); + clib_memset (sa->dh_shared_key, 0, pad); + _vec_len (sa->dh_shared_key) -= pad; + } BN_clear_free (ex); } DH_free (dh); @@ -630,7 +654,14 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t) sa->dh_shared_key = vec_new (u8, t->key_len); ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL); r = DH_compute_key (sa->dh_shared_key, ex, dh); - ASSERT (r == t->key_len); + ASSERT (t->key_len >= r); + int pad = t->key_len - r; + if (pad) + { + vec_insert (sa->dh_shared_key, pad, 0); + clib_memset (sa->dh_shared_key, 0, pad); + _vec_len (sa->dh_shared_key) -= pad; + } BN_clear_free (ex); DH_free (dh); } diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h index b0b867758cc..c5a632c12a5 100644 --- a/src/plugins/ikev2/ikev2_priv.h +++ b/src/plugins/ikev2/ikev2_priv.h @@ -431,6 +431,7 @@ typedef struct u32 current_remote_id_mask; u32 old_remote_id; u8 old_remote_id_present; + u8 init_response_received; ikev2_child_sa_t *childs; -- cgit 1.2.3-korg