ikev2: fix wrong usage of BN_bn2bin()

This patch fixes 2 different crashes:

1) BN_bn2bin() returns bytes written, not actual key length. Use
  BN_bn2binpad() instead which adds padding.
2) Initiator may receive multiple sa-init responses for the same ispi
  which may result in crash. Remember first response and ignore any
  subsequent ones.

Type: fix

Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 92a8ff8..f288d4f 100644 (file)
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -380,6 +380,7 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai)
   ikev2_sa_transform_t *t = 0, *t2;
   ikev2_main_t *km = &ikev2_main;
 
+  sai->init_response_received = 1;
 
   /*move some data to the new SA */
 #define _(A) ({void* __tmp__ = (A); (A) = 0; __tmp__;})
@@ -2445,10 +2446,18 @@ ikev2_node_fn (vlib_main_t * vm,
                          ikev2_sa_t *sai =
                            pool_elt_at_index (km->sais, p[0]);
 
-                         ikev2_complete_sa_data (sa0, sai);
-                         ikev2_calc_keys (sa0);
-                         ikev2_sa_auth_init (sa0);
-                         len = ikev2_generate_message (sa0, ike0, 0);
+                         if (sai->init_response_received)
+                           {
+                             /* we've already processed sa-init response */
+                             sa0->state = IKEV2_STATE_UNKNOWN;
+                           }
+                         else
+                           {
+                             ikev2_complete_sa_data (sa0, sai);
+                             ikev2_calc_keys (sa0);
+                             ikev2_sa_auth_init (sa0);
+                             len = ikev2_generate_message (sa0, ike0, 0);
+                           }
                        }
                    }
 
@@ -3889,6 +3898,9 @@ ikev2_process_pending_sa_init (ikev2_main_t * km)
   hash_foreach (ispi, sai, km->sa_by_ispi,
   ({
     sa = pool_elt_at_index (km->sais, sai);
+    if (sa->init_response_received)
+      continue;
+
     u32 bi0;
     if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1)
       return;

diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c
index 26ff433..572bee8 100644 (file)
--- a/src/plugins/ikev2/ikev2_crypto.c
+++ b/src/plugins/ikev2/ikev2_crypto.c
@@ -458,6 +458,23 @@ ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst)
   return out_len + bs;
 }
 
+#ifndef BN_bn2binpad
+int
+BN_bn2binpad (const BIGNUM * a, unsigned char *to, int tolen)
+{
+  int r = BN_bn2bin (a, to);
+  ASSERT (tolen >= r);
+  int pad = tolen - r;
+  if (pad)
+    {
+      vec_insert (to, pad, 0);
+      clib_memset (to, 0, pad);
+      _vec_len (to) -= pad;
+    }
+  return tolen;
+}
+#endif
+
 void
 ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
 {
@@ -486,13 +503,13 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
          sa->dh_private_key = vec_new (u8, t->key_len);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
          DH_get0_key (dh, &pub_key, &priv_key);
-         r = BN_bn2bin (pub_key, sa->i_dh_data);
+         r = BN_bn2binpad (pub_key, sa->i_dh_data, t->key_len);
          ASSERT (r == t->key_len);
-         r = BN_bn2bin (priv_key, sa->dh_private_key);
+         r = BN_bn2binpad (priv_key, sa->dh_private_key, t->key_len);
 #else
-         r = BN_bn2bin (dh->pub_key, sa->i_dh_data);
+         r = BN_bn2binpad (dh->pub_key, sa->i_dh_data, t->key_len);
          ASSERT (r == t->key_len);
-         r = BN_bn2bin (dh->priv_key, sa->dh_private_key);
+         r = BN_bn2binpad (dh->priv_key, sa->dh_private_key, t->key_len);
 #endif
          ASSERT (r == t->key_len);
        }
@@ -501,9 +518,9 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
          sa->r_dh_data = vec_new (u8, t->key_len);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
          DH_get0_key (dh, &pub_key, &priv_key);
-         r = BN_bn2bin (pub_key, sa->r_dh_data);
+         r = BN_bn2binpad (pub_key, sa->r_dh_data, t->key_len);
 #else
-         r = BN_bn2bin (dh->pub_key, sa->r_dh_data);
+         r = BN_bn2binpad (dh->pub_key, sa->r_dh_data, t->key_len);
 #endif
          ASSERT (r == t->key_len);
 
@@ -511,7 +528,14 @@ ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
          sa->dh_shared_key = vec_new (u8, t->key_len);
          ex = BN_bin2bn (sa->i_dh_data, vec_len (sa->i_dh_data), NULL);
          r = DH_compute_key (sa->dh_shared_key, ex, dh);
-         ASSERT (r == t->key_len);
+         ASSERT (t->key_len >= r);
+         int pad = t->key_len - r;
+         if (pad)
+           {
+             vec_insert (sa->dh_shared_key, pad, 0);
+             clib_memset (sa->dh_shared_key, 0, pad);
+             _vec_len (sa->dh_shared_key) -= pad;
+           }
          BN_clear_free (ex);
        }
       DH_free (dh);
@@ -630,7 +654,14 @@ ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t)
       sa->dh_shared_key = vec_new (u8, t->key_len);
       ex = BN_bin2bn (sa->r_dh_data, vec_len (sa->r_dh_data), NULL);
       r = DH_compute_key (sa->dh_shared_key, ex, dh);
-      ASSERT (r == t->key_len);
+      ASSERT (t->key_len >= r);
+      int pad = t->key_len - r;
+      if (pad)
+       {
+         vec_insert (sa->dh_shared_key, pad, 0);
+         clib_memset (sa->dh_shared_key, 0, pad);
+         _vec_len (sa->dh_shared_key) -= pad;
+       }
       BN_clear_free (ex);
       DH_free (dh);
     }

diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h
index b0b8677..c5a632c 100644 (file)
--- a/src/plugins/ikev2/ikev2_priv.h
+++ b/src/plugins/ikev2/ikev2_priv.h
@@ -431,6 +431,7 @@ typedef struct
   u32 current_remote_id_mask;
   u32 old_remote_id;
   u8 old_remote_id_present;
+  u8 init_response_received;
 
   ikev2_child_sa_t *childs;