Dear OpenBSD developers
I would like to report an error in iked. The error occurs in the processing logic in the case of simultaneous Child SA rekeying. That is, by simultaneous rekeying, two Child SAs are created and "the SA created with the lowest of the four nonces used in the two exchanges SHOULD be closed by the endpoint that created it" (RFC 7296, section 2.8.1).

This decision is made in the iked implementation in ikev2.c in the if block from L4390 <https://github.com/openbsd/src/blob/a990b40e6d87ee721e36986e60fe36b7a033729c/sbin/iked/ikev2.c#L4390> to L4407 <https://github.com/openbsd/src/blob/a990b40e6d87ee721e36986e60fe36b7a033729c/sbin/iked/ikev2.c#L4407>. But nr is not set to the minimum nonce of the exchange initiated by the peer but of the one initiated by us, and ni, which comes from sa->sa_simulat, is already set to the minimum nonce of the exchange initiated by the peer. Therefore, the comment in line 4393 shall be corrected and the comparison in line 4402 shall be "ikev2_nonce_cmp(nr, ni) < 0" instead of "ikev2_nonce_cmp(ni, nr) < 0", because the SA that has just been created by us shall be deleted if nr < ni.

Best regards
Sibar Soumi
Software Developer

achelos GmbH | Vattmannstraße 1 | 33100 Paderborn | GERMANY
[email protected] <mailto:[email protected]> | www.achelos.de <https://www.achelos.de/> | www.iot.achelos.com <https://www.iot.achelos.com/>
Follow us: LinkedIn <https://www.linkedin.com/company/achelos-gmbh> | XING <https://www.xing.com/companies/achelosgmbh/updates> | YouTube <https://www.youtube.com/channel/UCK1g0YpxJexVGYvUtr2IHUg>

achelos GmbH is certified according to ISO 9001 and ISO 27001.
Executive Board: Kathrin Asmuth, Thomas Freitag
Register court: Paderborn, HRB 8817 | VAT ID number: DE260414872

This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.
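The RFC 7296 section 2.8.1 rule the report refers to, as an added C example that is not iked's code: nonce_cmp() is this example's own ordering (an assumption, not ikev2_nonce_cmp()), and the reduced function takes the report's nr (lowest nonce of the exchange we initiated) and ni (lowest nonce of the exchange the peer initiated) and tells us to delete our own SA only when nr < ni.

```c
#include <stddef.h>
#include <string.h>

/* A nonce as raw bytes; lengths may differ between peers (RFC 7296: 16..256 octets). */
struct nonce {
	const unsigned char	*data;
	size_t			 len;
};

static struct nonce
mknonce(const void *data, size_t len)
{
	struct nonce n = { data, len };
	return (n);
}

/* Order nonces as big-endian values of possibly different length: common prefix
 * first, shorter sorts lower.  Assumption of this example, not iked's ikev2_nonce_cmp(). */
static int
nonce_cmp(struct nonce a, struct nonce b)
{
	size_t	len = a.len < b.len ? a.len : b.len;
	int	r = memcmp(a.data, b.data, len);
	return (r != 0 ? r : (a.len < b.len ? -1 : a.len > b.len));
}

static struct nonce
nonce_min(struct nonce a, struct nonce b)
{
	return (nonce_cmp(a, b) <= 0 ? a : b);
}

/* RFC 7296 2.8.1: the Child SA created with the lowest of the four nonces is
 * closed by the endpoint that created it.  Returns 1 if that SA is the one from
 * the exchange we initiated (we must delete it), 0 if it is the peer's. */
int
rekey_collision_delete_ours(struct nonce our_ni, struct nonce our_nr,
    struct nonce peer_ni, struct nonce peer_nr)
{
	return (nonce_cmp(nonce_min(our_ni, our_nr),
	    nonce_min(peer_ni, peer_nr)) < 0);
}

/* Reduced form from the report: nr is our exchange's lower nonce, ni the peer's. */
int
rekey_collision_delete_ours_reduced(struct nonce nr, struct nonce ni)
{
	return (nonce_cmp(nr, ni) < 0);
}
```

Swapping the two arguments of the reduced form yields the opposite verdict for every pair of distinct nonces, which is why the order of ni and nr in the comparison decides whether the correct endpoint deletes its SA.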