From: Tobias Heider <tobias.heider@stusta.de>
Subject: Re: diff: iked, identity check
To: tech@openbsd.org, YASUOKA Masahiko <yasuoka@openbsd.org>, tobhe@openbsd.org
Date: Sun, 24 Mar 2024 00:38:58 +0100

On March 23, 2024 5:00:31 AM GMT+01:00, YASUOKA Masahiko <yasuoka@openbsd.org> wrote:
>On Sat, 23 Mar 2024 12:44:11 +0900 (JST)
>YASUOKA Masahiko <yasuoka@openbsd.org> wrote:
>> Hello,
>> 
>> I am testing iked with the Android native IKEv2 client.  It sends an
>> identity response with length zero, but iked drops it.  In RFC 3748,
>> length zero is valid.
>> 
>> In https://datatracker.ietf.org/doc/html/rfc3748#section-5.1
>> | If the Identity is unknown, the Identity Response field should be
>> | zero bytes in length.  
>> 
>> ok?
>
>Let me update the diff.
>
>ok?

Sounds correct. I haven't hit this before because I
avoid using EAP when possible.

ok tobhe@

>
>Index: sbin/iked/eap.c
>===================================================================
>RCS file: /cvs/src/sbin/iked/eap.c,v
>diff -u -p -r1.25 eap.c
>--- sbin/iked/eap.c	18 Jul 2023 15:07:41 -0000	1.25
>+++ sbin/iked/eap.c	23 Mar 2024 03:58:03 -0000
>@@ -71,7 +71,12 @@ eap_validate_id_response(struct eap_mess
> 	len = betoh16(eap->eap_length) - sizeof(*eap);
> 	ptr += sizeof(*eap);
> 
>-	if (len == 0 || (str = get_string(ptr, len)) == NULL) {
>+	if (len == 0) {
>+		if ((str = strdup("")) == NULL) {
>+			log_warn("%s: strdup failed", __func__);
>+			return (NULL);
>+		}
>+	} else if ((str = get_string(ptr, len)) == NULL) {
> 		log_info("%s: invalid identity response, length %zu",
> 		    __func__, len);
> 		return (NULL);
>
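
Review bot: The new `if (len == 0)` branch has no comment saying why an empty identity is now accepted; a one-line comment pointing at RFC 3748 section 5.1 ("If the Identity is unknown, the Identity Response field should be zero bytes in length") would keep a later reader from restoring the old rejection. With this branch the function hands back an empty string where it used to return NULL, so any caller that uses the returned identity for a lookup or a log line should be checked against "". Separately, on the context line `len = betoh16(eap->eap_length) - sizeof(*eap);` the hunk does not show whether eap_length is verified to be at least sizeof(*eap) before the subtraction; if it is not, a short length would wrap to a large value instead of reaching the zero-length branch, so it is worth confirming that check exists above this hunk.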