From: Tobias Heider Subject: Re: diff: iked, identity check To: tech@openbsd.org, YASUOKA Masahiko , tobhe@openbsd.org Date: Sun, 24 Mar 2024 00:38:58 +0100 On March 23, 2024 5:00:31 AM GMT+01:00, YASUOKA Masahiko wrote: >On Sat, 23 Mar 2024 12:44:11 +0900 (JST) >YASUOKA Masahiko wrote: >> Hello, >> >> I am testing iked with Android native IKEv2 client. It sends an >> identity response with length zero, but iked drops it. In RFC3748 >> length zero is valid. >> >> In https://datatracker.ietf.org/doc/html/rfc3748#section-5.1 >> | If the Identity is unknown, the Identity Response field should be >> | zero bytes in length. >> >> ok? > >Let me update the diff. > >ok? sounds correct. I haven't hit this before because I avoid using eap when possible. ok tobhe@ > >Index: sbin/iked/eap.c >=================================================================== >RCS file: /cvs/src/sbin/iked/eap.c,v >diff -u -p -r1.25 eap.c >--- sbin/iked/eap.c 18 Jul 2023 15:07:41 -0000 1.25 >+++ sbin/iked/eap.c 23 Mar 2024 03:58:03 -0000 >@@ -71,7 +71,12 @@ eap_validate_id_response(struct eap_mess > len = betoh16(eap->eap_length) - sizeof(*eap); > ptr += sizeof(*eap); > >- if (len == 0 || (str = get_string(ptr, len)) == NULL) { >+ if (len == 0) { >+ if ((str = strdup("")) == NULL) { >+ log_warn("%s: strdup failed", __func__); >+ return (NULL); >+ } >+ } else if ((str = get_string(ptr, len)) == NULL) { > log_info("%s: invalid identity response, length %zu", > __func__, len); > return (NULL); >
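Review bot: In the new `if (len == 0) {` branch the function returns an empty string where it previously returned NULL, so every caller of eap_validate_id_response() now has to treat "" as "identity unknown" (RFC 3748 section 5.1) and not as a name to match or look up. The hunk does not show the callers, so this is worth confirming before commit. A one-line comment above the branch citing the RFC section would also record why zero length is accepted. Separately, the context line `len = betoh16(eap->eap_length) - sizeof(*eap);` would wrap around (len is printed with %zu, so it is unsigned) if eap_length were smaller than the header. If that bound is not already checked earlier in the function, outside the visible lines, this change is a natural place to add it, since the length handling is being touched anyway.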