[strongSwan] incorrect notification data for critical invalid payload type
gowrishankar
gowrishankar.m at linux.vnet.ibm.com
Sun Jul 1 13:39:03 CEST 2012
Hi,
I am testing IKEv2 implementation for invalid but critical payload type.
strongswan seems to be sending notification payload of message type
"UNSUPPORTED_CRITICAL_PAYLOAD" as expected. But, notification data is
corrupted, whereas it should be a "one-octet payload type" as per
Section 2.5 of RFC 5996 (or 4306).
From charon.log:
Jun 30 22:45:07 16[ENC] payload type (100) is not supported, but its
critical!
Jun 30 22:45:07 16[IKE] critical unknown payloads found
Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
Jun 30 22:45:07 16[ENC] generating CREATE_CHILD_SA response 2 [ N(CRIT) ]
Jun 30 22:45:07 16[ENC] insert payload NOTIFY to encryption payload
...
..
Jun 30 22:45:07 16[ENC] generating payload of type NOTIFY
...
..
Jun 30 22:45:07 16[ENC] generating rule 14 NOTIFICATION_DATA
Jun 30 22:45:07 16[ENC] => => 1 bytes @ 0xad7005a8
Jun 30 22:45:07 16[ENC] 0:
2D -
Jun 30 22:45:07 16[ENC] generating NOTIFY payload finished
Also, I found this problem might have been fixed in 5.0.0 version (though
I have not yet tested), by a rework applied to handle variable
length of payload data.
http://wiki.strongswan.org/projects/strongswan/repository/revisions/95a26523afc0d2a997cd1d4f738c287ae045ae4e
Can someone confirm if this was already reported (if so, strongswan
bug id?) or I can open a defect to down-stream the patch in 4.6.x ?
Thanks,
Gowri Shankar
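To make the expectation in the report concrete, the following is an added Python example (not strongSwan code, and not part of the original mail) that builds and parses an IKEv2 Notify payload per Section 3.10 of RFC 5996 and checks that an UNSUPPORTED_CRITICAL_PAYLOAD notification carries exactly one octet of notification data equal to the rejected payload type. The sample payloads are constructed inline; the one with data byte 0x2D mirrors the value seen in the charon.log excerpt above and the expected type 100 comes from the same log.

```python
import struct

# RFC 5996 section 3.10.1: Notify Message Type for a critical payload
# the receiver does not understand; data is the one-octet payload type.
UNSUPPORTED_CRITICAL_PAYLOAD = 1

# Generic payload header (next payload, C|RESERVED, length) followed by the
# fixed Notify fields (protocol ID, SPI size, notify message type).
NOTIFY_HEADER = struct.Struct("!BBHBBH")
CRITICAL_BIT = 0x80


def build_notify(next_payload, protocol_id, spi, notify_type, data, critical=False):
    """Serialise a Notify payload; the length covers header, SPI and data."""
    length = NOTIFY_HEADER.size + len(spi) + len(data)
    flags = CRITICAL_BIT if critical else 0
    return NOTIFY_HEADER.pack(next_payload, flags, length, protocol_id,
                              len(spi), notify_type) + spi + data


def parse_notify(buf):
    """Parse one Notify payload from the start of buf, rejecting bad lengths."""
    if len(buf) < NOTIFY_HEADER.size:
        raise ValueError("truncated Notify header")
    next_payload, flags, length, protocol_id, spi_size, notify_type = \
        NOTIFY_HEADER.unpack_from(buf)
    if length < NOTIFY_HEADER.size + spi_size or length > len(buf):
        raise ValueError("Notify length %d inconsistent with buffer" % length)
    body = NOTIFY_HEADER.size
    return {
        "next_payload": next_payload,
        "critical": bool(flags & CRITICAL_BIT),
        "length": length,
        "protocol_id": protocol_id,
        "spi": buf[body:body + spi_size],
        "type": notify_type,
        "data": buf[body + spi_size:length],
    }


def check_unsupported_critical(notify, expected_payload_type=None):
    """Return a list of deviations from the RFC 5996 format for this notify.

    An empty list means the notification is well-formed; expected_payload_type
    (assumed known from the rejected message) lets the caller also verify the
    reported value.
    """
    problems = []
    if notify["type"] != UNSUPPORTED_CRITICAL_PAYLOAD:
        return ["notify type %d is not UNSUPPORTED_CRITICAL_PAYLOAD" % notify["type"]]
    if notify["spi"]:
        problems.append("SPI field must be empty for this notification")
    data = notify["data"]
    if len(data) != 1:
        problems.append("notification data is %d octets, expected a one-octet "
                        "payload type" % len(data))
    elif expected_payload_type is not None and data[0] != expected_payload_type:
        problems.append("notification data reports payload type %d, expected %d"
                        % (data[0], expected_payload_type))
    return problems


def good_notify():
    # Constructed: well-formed notification naming payload type 100.
    return build_notify(0, 0, b"", UNSUPPORTED_CRITICAL_PAYLOAD, bytes([100]))


def stale_notify():
    # Constructed: one octet of data, but holding 0x2D as in the log excerpt.
    return build_notify(0, 0, b"", UNSUPPORTED_CRITICAL_PAYLOAD, bytes([0x2D]))


def oversized_notify():
    # Constructed: two octets of data, which the RFC does not allow here.
    return build_notify(0, 0, b"", UNSUPPORTED_CRITICAL_PAYLOAD, bytes([0, 100]))


if __name__ == "__main__":
    for name, raw in (("good", good_notify()), ("stale", stale_notify()),
                      ("oversized", oversized_notify())):
        print(name, raw.hex(), check_unsupported_critical(parse_notify(raw), 100))
```

Running the module prints the hex of each constructed payload next to the list of problems found; only the first payload passes.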