[strongSwan] incorrect notification data for critical invalid payload type

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Sun Jul 1 13:39:03 CEST 2012


Hi,

I am testing an IKEv2 implementation for an invalid but critical payload type.
strongSwan seems to be sending a notification payload of message type
"UNSUPPORTED_CRITICAL_PAYLOAD" as expected. But the notification data is
corrupted, whereas it should be a "one-octet payload type" as per
Section 2.5 of RFC 5996 (or 4306).

From charon.log:

Jun 30 22:45:07 16[ENC] payload type (100) is not supported, but its critical!
Jun 30 22:45:07 16[IKE] critical unknown payloads found
Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
Jun 30 22:45:07 16[ENC] added payload of type NOTIFY to message
Jun 30 22:45:07 16[ENC] generating CREATE_CHILD_SA response 2 [ N(CRIT) ]
Jun 30 22:45:07 16[ENC] insert payload NOTIFY to encryption payload
...
..
Jun 30 22:45:07 16[ENC] generating payload of type NOTIFY
...
..
Jun 30 22:45:07 16[ENC]   generating rule 14 NOTIFICATION_DATA
Jun 30 22:45:07 16[ENC]    => => 1 bytes @ 0xad7005a8
Jun 30 22:45:07 16[ENC]    0: 2D                                               -
Jun 30 22:45:07 16[ENC] generating NOTIFY payload finished

Also, I found that this problem might have been fixed in version 5.0.0 (though
I have not yet tested it), by a rework applied to handle variable-length
payload data.

http://wiki.strongswan.org/projects/strongswan/repository/revisions/95a26523afc0d2a997cd1d4f738c287ae045ae4e

Can someone confirm whether this was already reported (if so, what is the
strongSwan bug id?), or whether I can open a defect to downstream the patch to 4.6.x?

Thanks,
Gowri Shankar
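As an added illustration of the check the report describes (this is example code, not strongSwan's own parser): the function below parses a raw IKEv2 Notify payload and verifies that an UNSUPPORTED_CRITICAL_PAYLOAD notification carries exactly one octet equal to the rejected payload type, as RFC 5996 Section 2.5 requires. The two byte buffers are constructed samples; the "bad" one mirrors the 0x2D data byte seen in the charon.log above where 0x64 (payload type 100) was expected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NOTIFY_HDR_LEN 8                /* generic header (4) + notify fields (4) */
#define UNSUPPORTED_CRITICAL_PAYLOAD 1  /* notify message type, RFC 5996 3.10.1 */

/* Outcome of the check below. */
enum crit_check {
    CRIT_OK = 0,          /* one octet of data naming the rejected payload type */
    CRIT_NOT_THIS_TYPE,   /* notify type is not UNSUPPORTED_CRITICAL_PAYLOAD */
    CRIT_TRUNCATED,       /* buffer shorter than header or declared length */
    CRIT_BAD_DATA_LEN,    /* notification data is not exactly one octet */
    CRIT_WRONG_TYPE       /* one octet, but not the payload type we rejected */
};

/* buf points at the Notify payload's generic header; len is the bytes available. */
enum crit_check check_unsupported_critical(const uint8_t *buf, size_t len,
                                           uint8_t rejected_type)
{
    if (len < NOTIFY_HDR_LEN) return CRIT_TRUNCATED;
    uint16_t payload_len = (uint16_t)(buf[2] << 8 | buf[3]);   /* Payload Length */
    if (payload_len < NOTIFY_HDR_LEN || payload_len > len) return CRIT_TRUNCATED;
    uint8_t spi_size = buf[5];                                   /* SPI Size */
    uint16_t msg_type = (uint16_t)(buf[6] << 8 | buf[7]);      /* Notify Message Type */
    if (msg_type != UNSUPPORTED_CRITICAL_PAYLOAD) return CRIT_NOT_THIS_TYPE;
    if ((size_t)NOTIFY_HDR_LEN + spi_size > payload_len) return CRIT_TRUNCATED;
    size_t data_len = payload_len - NOTIFY_HDR_LEN - spi_size;   /* Notification Data */
    if (data_len != 1) return CRIT_BAD_DATA_LEN;
    uint8_t data = buf[NOTIFY_HDR_LEN + spi_size];
    return data == rejected_type ? CRIT_OK : CRIT_WRONG_TYPE;
}

/* Constructed sample: correct notify for rejected payload type 100 (0x64). */
static const uint8_t good_notify[] = {
    0x00, 0x00, 0x00, 0x09,  /* next payload 0, C bit clear, length 9 */
    0x00, 0x00, 0x00, 0x01,  /* protocol 0, SPI size 0, type 1 (UNSUPPORTED_CRITICAL_PAYLOAD) */
    0x64                     /* notification data: payload type 100 */
};
/* Constructed sample mirroring the log above: data byte 0x2D instead of 0x64. */
static const uint8_t bad_notify[] = {
    0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x2D
};

int main(void)
{
    printf("good: %d\n", check_unsupported_critical(good_notify, sizeof good_notify, 100));
    printf("bad:  %d\n", check_unsupported_critical(bad_notify, sizeof bad_notify, 100));
    return 0;
}
```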
