Date:      Mon, 9 Feb 2009 15:23:41 -0500
From:      Randall Stewart <rrs@lakerest.net>
To:        Peter Lei <peter.lei@ieee.org>
Cc:        Michael Tüxen <Michael.Tuexen@lurchi.franken.de>, Yann WANWANSCAPPEL <yann.wanwanscappel@free.fr>, freebsd-net@freebsd.org
Subject:   Re: SCTP, possible bug in peer authentication key
Message-ID:  <C9D7467B-2400-4DA5-B584-C4FB44AFC47A@lakerest.net>
In-Reply-To: <0EEEB325-C7AF-468F-9374-EFED1BD3B3E4@ieee.org>
References:  <4980B747.7070400@free.fr> <A36412A3-53FA-4738-A875-8DFB78C8FE58@lurchi.franken.de> <0EEEB325-C7AF-468F-9374-EFED1BD3B3E4@ieee.org>

Note that all of these changes are now in Head.. however
I am not sure of the likelihood of them moving into 7 since
the xsctp_xxxx changes for the mib (rwnd and assoc_id) break
ABI compatibility. I have now (in head) padded up the structures
at the end (in case we need to add more). But in general this
means I cannot commit to stable many changes. I will go back and
see what can be done :-(

I may be able to do some "ifdef" and other magic so I can
pull in the changes that have gone on.. not sure.

R
On Jan 29, 2009, at 12:29 PM, Peter Lei wrote:

> There's a corresponding change that is needed for pulling the auth info
> out of the cookie for the other direction (i.e. server side handling).  I've
> committed that into the SCTP project repo, and should also get in with
> Randall's next commit.
>
> --peter
>
> On Jan 29, 2009, at 2:23 AM, Michael Tüxen wrote:
>
>> Hi Yann,
>>
>> very good catch! You are right.
>>
>> I have committed your patch to Randall's repository, so it will
>> show up in the FreeBSD sources soon (next time he syncs them)...
>>
>> Best regards
>> Michael
>>
>> On Jan 28, 2009, at 8:51 PM, Yann WANWANSCAPPEL wrote:
>>
>>> Hi all,
>>>
>>> I think I found a bug in the SCTP authentication code, in
>>> sctp_load_addresses_from_init() in sctp_pcb.c
>>>
>>> keylen = sizeof(*p_random) + random_len + sizeof(*chunks) + num_chunks +
>>> sizeof(*hmacs) + hmacs_len;
>>>
>>> The keylen calculation assumes the Chunk List Parameter (CHUNKS)
>>> vl-param was present in the received INIT packet, which can be false if
>>> peer SCTP does not require any chunk to be authenticated (this typically
>>> occurs if peer does not support ASCONF).
>>>
>>> From RFC 4895, 6.1
>>>
>>> * An SCTP endpoint has a list of chunks it only accepts if they are
>>> * received in an authenticated way.  This list is included in the INIT
>>> * and INIT-ACK, and MAY be omitted if it is empty.  Since this list
>>> * does not change during the lifetime of the SCTP endpoint there is no
>>> * problem in case of INIT collision.
>>>
>>> This case is properly handled later in the build of the key
>>>
>>> 	/* append in the AUTH chunks */
>>> 	if (chunks != NULL) {
>>> 	.....
>>> 	}
>>>
>>> I think the calculated keylen should be something like this :
>>>
>>> keylen = sizeof(*p_random) + random_len + sizeof(*hmacs) + hmacs_len;
>>>
>>> if (chunks != NULL) {
>>> 	keylen += sizeof(*chunks) + num_chunks;
>>> }
>>>
>>> This problem results in authenticated packets sent from peer SCTP to be
>>> discarded.
>>>
>>> The problem does not occur if peer SCTP is modified to send an empty
>>> Chunk List Parameter (e.g. num_chunks = 0 in the decoding).
>>>
>>> Br,
>>> Yann
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>
>>
>

------------------------------
Randall Stewart
803-317-4952 (cell)
803-345-0391(direct)
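
The length mismatch described in Yann's report, as an added example (not code from this thread or from the FreeBSD sources): it compares the reported keylen expression and the proposed one against the bytes a key build step actually appends when CHUNKS is absent or present but empty. The struct layout, function names and sample parameter values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified 4-byte parameter header (type, length), host byte order. */
struct param_hdr { uint16_t type; uint16_t length; };
/* One received parameter; hdr == NULL means it was absent from the INIT. */
struct param { const struct param_hdr *hdr; const uint8_t *body; size_t body_len; };

/* Length as in the reported expression: CHUNKS is always counted. */
size_t keylen_reported(const struct param *r, const struct param *c, const struct param *h)
{
    return sizeof(*r->hdr) + r->body_len + sizeof(*c->hdr) + c->body_len +
           sizeof(*h->hdr) + h->body_len;
}

/* Length as proposed in the thread: CHUNKS counted only when received. */
size_t keylen_proposed(const struct param *r, const struct param *c, const struct param *h)
{
    size_t keylen = sizeof(*r->hdr) + r->body_len + sizeof(*h->hdr) + h->body_len;
    if (c->hdr != NULL)
        keylen += sizeof(*c->hdr) + c->body_len;
    return keylen;
}

/* Append a present parameter (header, then body); returns the new offset. */
static size_t append(uint8_t *key, size_t off, const struct param *p)
{
    if (p->hdr == NULL)
        return off;
    memcpy(key + off, p->hdr, sizeof(*p->hdr));
    if (p->body_len != 0)
        memcpy(key + off + sizeof(*p->hdr), p->body, p->body_len);
    return off + sizeof(*p->hdr) + p->body_len;
}

/* Constructed sample: 32-byte RANDOM, one HMAC id, CHUNKS absent or empty.
 * Returns the computed key length minus the bytes the build step writes. */
long length_gap(int empty_chunks_present, int use_proposed)
{
    static const uint8_t rnd_body[32] = {0}, hmac_body[2] = {0, 1};
    const struct param_hdr rh = {0x8002, 36}, ch = {0x8003, 4}, hh = {0x8004, 6};
    struct param r = {&rh, rnd_body, sizeof(rnd_body)};
    struct param c = {empty_chunks_present ? &ch : NULL, NULL, 0};
    struct param h = {&hh, hmac_body, sizeof(hmac_body)};
    uint8_t key[64];
    size_t written = append(key, append(key, append(key, 0, &r), &c), &h);
    size_t len = use_proposed ? keylen_proposed(&r, &c, &h) : keylen_reported(&r, &c, &h);
    return (long)len - (long)written;
}
```

length_gap(0, 0) returns 4, the size of the CHUNKS header that was counted but never received; the gap is 0 when the peer sends an empty CHUNKS parameter or when the proposed expression is used.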



