[strongSwan-dev] Issue in IKEv2 IKE_AUTH EAP identity parsing

tiio vossi tottiviljami at gmail.com
Mon Nov 2 13:54:45 CET 2020


Hi,

Using strongSwan 5.9.0 as server and iOS clients with IKEv2 and
eap-radius. Not pasting server configurations here as they don't seem
important for this finding.

Found an issue with EAP identity parsing where parsing fails if the identity
is, for example, the following:

"0105cccc-aaaa-bbbb-aaaa-ccccbbbbaaaa@asomething.com"

strongSwan seems to treat this as ASN.1 encoded data because the two start
bytes match an ASN.1 sequence start:

30 31 30 35 63 ...

30 (asn sequence start)
31 (49 bytes rest of the data)

Here's log:


2020-11-02T08:10:32.454970+00:00 test-server charon: 03[ENC] parsed a
IKE_AUTH request header
2020-11-02T08:10:32.455074+00:00 test-server charon: 08[NET] received
packet: from <client ip anonymized>[4500] to <server ip anonymized>[4500]
(128 bytes)
2020-11-02T08:10:32.455171+00:00 test-server charon: 08[ENC] parsing body
of message, first payload is ENCRYPTED
2020-11-02T08:10:32.455299+00:00 test-server charon: 08[ENC] starting
parsing a ENCRYPTED payload
2020-11-02T08:10:32.455544+00:00 test-server charon: 08[ENC] parsing
ENCRYPTED payload, 100 bytes left
2020-11-02T08:10:32.455654+00:00 test-server charon: 08[ENC] parsing
payload from => 100 bytes @ 0x7fe898001e80
2020-11-02T08:10:32.455752+00:00 test-server charon: 08[ENC]    0: 30 00 00
64 33 E7 9B C4 4A 8B 4A E7 E6 9A 61 0A  0..d3...J.J...a.
2020-11-02T08:10:32.455849+00:00 test-server charon: 08[ENC]   16: 68 2C C0
CC 7B 07 0A 1A 44 43 37 A6 97 4D D0 9C  h,..{...DC7..M..
2020-11-02T08:10:32.455946+00:00 test-server charon: 08[ENC]   32: 0B 3B 06
29 55 83 87 48 11 0C 97 8B D8 7B D6 FC  .;.)U..H.....{..
2020-11-02T08:10:32.456044+00:00 test-server charon: 08[ENC]   48: E6 D8 AE
25 C1 36 20 4E A5 FC 1F 84 05 EB E8 70  ...%.6 N.......p
2020-11-02T08:10:32.456140+00:00 test-server charon: 08[ENC]   64: CE BC 61
8C A9 72 AC 3E FA 3B B3 C1 D6 E0 22 40  ..a..r.>.;...."@
2020-11-02T08:10:32.456237+00:00 test-server charon: 08[ENC]   80: E5 F4 D8
27 14 B6 12 4A 0D D2 43 54 4E 25 02 3B  ...'...J..CTN%.;
2020-11-02T08:10:32.456334+00:00 test-server charon: 08[ENC]   96: C4 84 F1
8E                                      ....
2020-11-02T08:10:32.456431+00:00 test-server charon: 08[ENC]   parsing rule
0 U_INT_8
2020-11-02T08:10:32.456553+00:00 test-server charon: 08[ENC]    => 48
2020-11-02T08:10:32.456654+00:00 test-server charon: 08[ENC]   parsing rule
1 U_INT_8
2020-11-02T08:10:32.456809+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.457006+00:00 test-server charon: 08[ENC]   parsing rule
2 PAYLOAD_LENGTH
2020-11-02T08:10:32.457112+00:00 test-server charon: 08[ENC]    => 100
2020-11-02T08:10:32.457212+00:00 test-server charon: 08[ENC]   parsing rule
3 CHUNK_DATA
2020-11-02T08:10:32.457310+00:00 test-server charon: 08[ENC]    => 96 bytes
@ 0x7fe86c0008c0
2020-11-02T08:10:32.457406+00:00 test-server charon: 08[ENC]    0: 33 E7 9B
C4 4A 8B 4A E7 E6 9A 61 0A 68 2C C0 CC  3...J.J...a.h,..
2020-11-02T08:10:32.457503+00:00 test-server charon: 08[ENC]   16: 7B 07 0A
1A 44 43 37 A6 97 4D D0 9C 0B 3B 06 29  {...DC7..M...;.)
2020-11-02T08:10:32.457603+00:00 test-server charon: 08[ENC]   32: 55 83 87
48 11 0C 97 8B D8 7B D6 FC E6 D8 AE 25  U..H.....{.....%
2020-11-02T08:10:32.457700+00:00 test-server charon: 08[ENC]   48: C1 36 20
4E A5 FC 1F 84 05 EB E8 70 CE BC 61 8C  .6 N.......p..a.
2020-11-02T08:10:32.457796+00:00 test-server charon: 08[ENC]   64: A9 72 AC
3E FA 3B B3 C1 D6 E0 22 40 E5 F4 D8 27  .r.>.;...."@...'
2020-11-02T08:10:32.457892+00:00 test-server charon: 08[ENC]   80: 14 B6 12
4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E  ...J..CTN%.;....
2020-11-02T08:10:32.457989+00:00 test-server charon: 08[ENC] parsing
ENCRYPTED payload finished
2020-11-02T08:10:32.458086+00:00 test-server charon: 08[ENC] verifying
payload of type ENCRYPTED
2020-11-02T08:10:32.458182+00:00 test-server charon: 08[ENC] ENCRYPTED
payload verified, adding to payload list
2020-11-02T08:10:32.458278+00:00 test-server charon: 08[ENC] ENCRYPTED
payload found, stop parsing
2020-11-02T08:10:32.458374+00:00 test-server charon: 08[ENC] process
payload of type ENCRYPTED
2020-11-02T08:10:32.458470+00:00 test-server charon: 08[ENC] found an
encrypted payload
2020-11-02T08:10:32.458566+00:00 test-server charon: 08[ENC] encrypted
payload decryption:
2020-11-02T08:10:32.458662+00:00 test-server charon: 08[ENC] IV => 16 bytes
@ 0x7fe86c0008c0
2020-11-02T08:10:32.458758+00:00 test-server charon: 08[ENC]    0: 33 E7 9B
C4 4A 8B 4A E7 E6 9A 61 0A 68 2C C0 CC  3...J.J...a.h,..
2020-11-02T08:10:32.458853+00:00 test-server charon: 08[ENC] encrypted =>
80 bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.458949+00:00 test-server charon: 08[ENC]    0: 7B 07 0A
1A 44 43 37 A6 97 4D D0 9C 0B 3B 06 29  {...DC7..M...;.)
2020-11-02T08:10:32.459045+00:00 test-server charon: 08[ENC]   16: 55 83 87
48 11 0C 97 8B D8 7B D6 FC E6 D8 AE 25  U..H.....{.....%
2020-11-02T08:10:32.459141+00:00 test-server charon: 08[ENC]   32: C1 36 20
4E A5 FC 1F 84 05 EB E8 70 CE BC 61 8C  .6 N.......p..a.
2020-11-02T08:10:32.459268+00:00 test-server charon: 08[ENC]   48: A9 72 AC
3E FA 3B B3 C1 D6 E0 22 40 E5 F4 D8 27  .r.>.;...."@...'
2020-11-02T08:10:32.459369+00:00 test-server charon: 08[ENC]   64: 14 B6 12
4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E  ...J..CTN%.;....
2020-11-02T08:10:32.459466+00:00 test-server charon: 08[ENC] ICV => 16
bytes @ 0x7fe86c000910
2020-11-02T08:10:32.459562+00:00 test-server charon: 08[ENC]    0: 14 B6 12
4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E  ...J..CTN%.;....
2020-11-02T08:10:32.459659+00:00 test-server charon: 08[ENC] assoc => 32
bytes @ 0x7fe86c000b50
2020-11-02T08:10:32.459756+00:00 test-server charon: 08[ENC]    0: 0B 5F C7
0E D8 CB 48 43 5D 2A 43 9E 9B D8 8B 94  ._....HC]*C.....
2020-11-02T08:10:32.459912+00:00 test-server charon: 08[ENC]   16: 2E 20 23
08 00 00 00 02 00 00 00 80 30 00 00 64  . #.........0..d
2020-11-02T08:10:32.460080+00:00 test-server charon: 08[ENC] plain => 60
bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.460188+00:00 test-server charon: 08[ENC]    0: 00 00 00
3C 02 00 00 38 01 30 31 30 35 63 63 63  ...<...8.0105ccc
2020-11-02T08:10:32.460294+00:00 test-server charon: 08[ENC]   16: 63 2D 61
61 61 61 2D 62 62 62 62 2D 61 61 61 61  c-aaaa-bbbb-aaaa
2020-11-02T08:10:32.460400+00:00 test-server charon: 08[ENC]   32: 2D 63 63
63 63 62 62 62 62 61 61 61 61 40 61 73  -ccccbbbbaaaa@as
2020-11-02T08:10:32.460504+00:00 test-server charon: 08[ENC]   48: 6F 6D 65
74 68 69 6E 67 2E 63 6F 6D              omething.com
2020-11-02T08:10:32.460610+00:00 test-server charon: 08[ENC] padding => 4
bytes @ 0x7fe86c00090c
2020-11-02T08:10:32.460715+00:00 test-server charon: 08[ENC]    0: 00 00 00
03
2020-11-02T08:10:32.460820+00:00 test-server charon: 08[ENC] parsing EAP
payload, 60 bytes left
2020-11-02T08:10:32.460925+00:00 test-server charon: 08[ENC] parsing
payload from => 60 bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.461030+00:00 test-server charon: 08[ENC]    0: 00 00 00
3C 02 00 00 38 01 30 31 30 35 63 63 63  ...<...8.0105ccc
2020-11-02T08:10:32.461134+00:00 test-server charon: 08[ENC]   16: 63 2D 61
61 61 61 2D 62 62 62 62 2D 61 61 61 61  c-aaaa-bbbb-aaaa
2020-11-02T08:10:32.461239+00:00 test-server charon: 08[ENC]   32: 2D 63 63
63 63 62 62 62 62 61 61 61 61 40 61 73  -ccccbbbbaaaa@as
2020-11-02T08:10:32.461344+00:00 test-server charon: 08[ENC]   48: 6F 6D 65
74 68 69 6E 67 2E 63 6F 6D              omething.com
2020-11-02T08:10:32.461450+00:00 test-server charon: 08[ENC]   parsing rule
0 U_INT_8
2020-11-02T08:10:32.461612+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.461772+00:00 test-server charon: 08[ENC]   parsing rule
1 FLAG
2020-11-02T08:10:32.461919+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.462028+00:00 test-server charon: 08[ENC]   parsing rule
2 RESERVED_BIT
2020-11-02T08:10:32.462134+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.462239+00:00 test-server charon: 08[ENC]   parsing rule
3 RESERVED_BIT
2020-11-02T08:10:32.462345+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.462451+00:00 test-server charon: 08[ENC]   parsing rule
4 RESERVED_BIT
2020-11-02T08:10:32.462556+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.462653+00:00 test-server charon: 08[ENC]   parsing rule
5 RESERVED_BIT
2020-11-02T08:10:32.462825+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.462939+00:00 test-server charon: 08[ENC]   parsing rule
6 RESERVED_BIT
2020-11-02T08:10:32.463048+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.463272+00:00 test-server charon: 08[ENC]   parsing rule
7 RESERVED_BIT
2020-11-02T08:10:32.463416+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.463525+00:00 test-server charon: 08[ENC]   parsing rule
8 RESERVED_BIT
2020-11-02T08:10:32.463630+00:00 test-server charon: 08[ENC]    => 0
2020-11-02T08:10:32.463747+00:00 test-server charon: 08[ENC]   parsing rule
9 PAYLOAD_LENGTH
2020-11-02T08:10:32.463943+00:00 test-server charon: 08[ENC]    => 60
2020-11-02T08:10:32.464054+00:00 test-server charon: 08[ENC]   parsing rule
10 CHUNK_DATA
2020-11-02T08:10:32.464219+00:00 test-server charon: 08[ENC]    => 56 bytes
@ 0x7fe86c000c90
2020-11-02T08:10:32.464389+00:00 test-server charon: 08[ENC]    0: 02 00 00
38 01 30 31 30 35 63 63 63 63 2D 61 61  ...8.0105cccc-aa
2020-11-02T08:10:32.464509+00:00 test-server charon: 08[ENC]   16: 61 61 2D
62 62 62 62 2D 61 61 61 61 2D 63 63 63  aa-bbbb-aaaa-ccc
2020-11-02T08:10:32.464615+00:00 test-server charon: 08[ENC]   32: 63 62 62
62 62 61 61 61 61 40 61 73 6F 6D 65 74  cbbbbaaaa@asomet
2020-11-02T08:10:32.464720+00:00 test-server charon: 08[ENC]   48: 68 69 6E
67 2E 63 6F 6D                          hing.com
2020-11-02T08:10:32.464824+00:00 test-server charon: 08[ENC] parsing EAP
payload finished
2020-11-02T08:10:32.464934+00:00 test-server charon: 08[ENC] parsed content
of encrypted payload
2020-11-02T08:10:32.465039+00:00 test-server charon: 08[ENC] insert
decrypted payload of type EAP at end of list
2020-11-02T08:10:32.465205+00:00 test-server charon: 08[ENC] verifying
message structure
2020-11-02T08:10:32.465313+00:00 test-server charon: 08[ENC] found payload
of type EAP
2020-11-02T08:10:32.465418+00:00 test-server charon: 08[ENC] parsed
IKE_AUTH request 2 [ EAP/RES/ID ]
2020-11-02T08:10:32.465522+00:00 test-server charon: 08[IKE] received EAP
identity ''

An identity starting with "0" might be quite common, but in this case it is
unfortunate that the length of the data matches the second character's value
here. Unfortunately, I cannot change the client's identity anymore. On the
code level things happen here:

https://github.com/strongswan/strongswan/blob/7257ba3b44906eef301945947642040cfc69e6dd/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c#L299
https://github.com/strongswan/strongswan/blob/770f4ccee12d4777216628d46ed3b14237708ec5/src/libstrongswan/utils/identification.c#L1712
https://github.com/strongswan/strongswan/blob/a4279fcc386c9bb396d1d1fc46d6c14b2f37cec4/src/libstrongswan/asn1/asn1.c#L698

Based on specs:

https://tools.ietf.org/html/rfc5106#section-8.6 (identification payload)
https://tools.ietf.org/html/rfc4306#section-3.5

There is also an ID Type in the identification payload. iOS seems to always
use ID Type 2 (FQDN) and not ASN.1 encoding. Should strongSwan also parse
this type info and only treat the identity as ASN.1 encoded if the type is 9
or 10? Or perhaps treat it as a plain string as a fallback if ASN.1 decoding
results in an empty identity?

BR,
Totti