From: YASUOKA Masahiko Subject: diff: iked, identity check To: tobhe@openbsd.org, tech@openbsd.org Date: Sat, 23 Mar 2024 12:44:11 +0900 Hello, I am testing iked with Android native IKEv2 client. It sends an identity response with length zero, but iked drops it. In RFC3748 length zero is valid. In https://datatracker.ietf.org/doc/html/rfc3748#section-5.1 | If the Identity is unknown, the Identity Response field should be | zero bytes in length. ok? Index: sbin/iked/eap.c =================================================================== RCS file: /cvs/src/sbin/iked/eap.c,v diff -u -p -r1.25 eap.c --- sbin/iked/eap.c 18 Jul 2023 15:07:41 -0000 1.25 +++ sbin/iked/eap.c 23 Mar 2024 03:35:25 -0000 @@ -71,7 +71,9 @@ eap_validate_id_response(struct eap_mess len = betoh16(eap->eap_length) - sizeof(*eap); ptr += sizeof(*eap); - if (len == 0 || (str = get_string(ptr, len)) == NULL) { + if (len == 0) + str = strdup(""); + else if ((str = get_string(ptr, len)) == NULL) { log_info("%s: invalid identity response, length %zu", __func__, len); return (NULL);
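Review bot: the new `len == 0` branch in eap_validate_id_response() does not check the result of `strdup("")`, so on allocation failure `str` is NULL and control skips the log_info()/return block, continuing into code this hunk does not show. Suggest handling it explicitly, e.g. `if (len == 0) { if ((str = strdup("")) == NULL) return (NULL); }`, ideally with its own log message, because "invalid identity response, length 0" would be misleading for an out-of-memory condition. Callers could previously assume a non-empty identity whenever the function returned non-NULL. It is worth confirming that each of them treats the empty string as "identity unknown" in the RFC 3748 section 5.1 sense, not as a usable identity for lookups or policy matching.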