From: "Muggeridge, Matt"
To: 'Michael Tüxen', Yann WANWANSCAPPEL
Cc: "freebsd-net@freebsd.org"
Date: Fri, 30 Jan 2009 01:37:49 +0000
Subject: RE: SCTP, possible bug in peer authentication key

> I think I found a bug in the SCTP authentication code, in
> sctp_load_addresses_from_init() in sctp_pcb.c

I noticed the same calculation appears in
sctp_auth.c:sctp_auth_get_cookie_params(). Does this fix also need to be
applied there?

Cheers,
Matt.

-----Original Message-----
From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de]
Sent: Thursday, 29 January 2009 6:23 PM
To: Yann WANWANSCAPPEL
Cc: freebsd-net@freebsd.org
Subject: Re: SCTP, possible bug in peer authentication key

Hi Yann,

very good catch! You are right.
I have committed your patch to Randall's repository, so it will show up in
the FreeBSD sources soon (next time he syncs them)...

Best regards
Michael

On Jan 28, 2009, at 8:51 PM, Yann WANWANSCAPPEL wrote:

> Hi all,
>
> I think I found a bug in the SCTP authentication code, in
> sctp_load_addresses_from_init() in sctp_pcb.c
>
> keylen = sizeof(*p_random) + random_len + sizeof(*chunks) + num_chunks +
>     sizeof(*hmacs) + hmacs_len;
>
> The keylen calculation assumes the Chunk List Parameter (CHUNKS)
> vl-param was present in the received INIT packet, which can be false
> if peer SCTP does not require any chunk to be authenticated (this
> typically occurs if peer does not support ASCONF).
>
> From RFC 4895, 6.1
>
> * An SCTP endpoint has a list of chunks it only accepts if they are
> * received in an authenticated way. This list is included in the INIT
> * and INIT-ACK, and MAY be omitted if it is empty. Since this list
> * does not change during the lifetime of the SCTP endpoint there is no
> * problem in case of INIT collision.
>
> This case is properly handled later in the build of the key
>
> /* append in the AUTH chunks */
> if (chunks != NULL) {
>     .....
> }
>
> I think the calculated keylen should be something like this:
>
> keylen = sizeof(*p_random) + random_len + sizeof(*hmacs) + hmacs_len;
>
> if (chunks != NULL) {
>     keylen += sizeof(*chunks) + num_chunks;
> }
>
> This problem results in authenticated packets sent from peer SCTP
> being discarded.
>
> The problem does not occur if peer SCTP is modified to send an empty
> Chunk List Parameter (e.g. num_chunks = 0 in the decoding).
>
> Br,
> Yann
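
The length mismatch described in the report, as an added example that is not part of the original thread or of the FreeBSD sources: it computes the key length both ways over constructed INIT parameters and compares each with the number of bytes actually concatenated. The struct, the helper names, the sample bytes, and the assumption that num_chunks is 0 when CHUNKS is absent are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 4 /* parameter header: 16-bit type + 16-bit length */
struct init_params {  /* hypothetical container; field names follow the report */
    const uint8_t *p_random; size_t random_len;  /* each pointer: header + value */
    const uint8_t *chunks;   size_t num_chunks;  /* NULL / 0 when CHUNKS was omitted */
    const uint8_t *hmacs;    size_t hmacs_len;
};

/* Length as in the reported code: a CHUNKS parameter is always counted. */
size_t keylen_unconditional(const struct init_params *in) {
    return HDR + in->random_len + HDR + in->num_chunks + HDR + in->hmacs_len;
}

/* Length as proposed in the report: CHUNKS is counted only when present. */
size_t keylen_conditional(const struct init_params *in) {
    size_t keylen = HDR + in->random_len + HDR + in->hmacs_len;
    if (in->chunks != NULL)
        keylen += HDR + in->num_chunks;
    return keylen;
}

/* Concatenate the parameters that were actually received; returns bytes written. */
size_t build_key(const struct init_params *in, uint8_t *out) {
    size_t off = 0;
    memcpy(out + off, in->p_random, HDR + in->random_len); off += HDR + in->random_len;
    if (in->chunks != NULL) {
        memcpy(out + off, in->chunks, HDR + in->num_chunks); off += HDR + in->num_chunks;
    }
    memcpy(out + off, in->hmacs, HDR + in->hmacs_len); off += HDR + in->hmacs_len;
    return off;
}

/* Constructed sample parameters; returns computed key length minus bytes actually filled. */
size_t sample_gap(int with_chunks, int fixed) {
    static const uint8_t rnd[HDR + 32] = {0x80, 0x02, 0x00, 0x24}; /* RANDOM, value zeroed */
    static const uint8_t chk[HDR + 2] = {0x80, 0x03, 0x00, 0x06, 0xC1, 0x80}; /* CHUNKS */
    static const uint8_t alg[HDR + 2] = {0x80, 0x04, 0x00, 0x06, 0x00, 0x01}; /* HMAC-ALGO */
    struct init_params in = {rnd, 32, with_chunks ? chk : NULL, with_chunks ? 2u : 0u, alg, 2};
    uint8_t key[64];
    return (fixed ? keylen_conditional(&in) : keylen_unconditional(&in)) - build_key(&in, key);
}

int main(void) {
    printf("CHUNKS omitted: reported %zu stray bytes, proposed %zu\n", sample_gap(0, 0), sample_gap(0, 1));
    return 0;
}
```

A nonzero gap means the key is declared longer than the data placed in it, so the two endpoints derive different keys and the receiver's HMAC check fails, which matches the discarded packets described in the report.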