From: Buddy V. <kur...@gm...> - 2006-03-24 01:07:42
In ipsec-tools-0.6.5 I have found a bug whereby it's possible that a
responder will accept a proposed SA with a key length shorter than specified
by the local racoon.conf file. For example, if the initiator proposes
rijndael 128 and the responder is configured to accept rijndael 256, then
the responder will still accept the 128-bit key length and install an SA with a
key of that length.
The code currently implies that if the initiator proposes a key length
longer than the responder's configured key length, the responder should
accept the longer key for the purpose of interoperability. If that is the
case, then the patch is as follows. All feedback is welcome and appreciated.
--- ipsec-tools-0.6.5/src/racoon/proposal.c Wed Jul 27 22:05:52 2005
+++ proposal.c Thu Mar 23 17:01:10 2006
@@ -551,13 +551,17 @@
* At this moment for interoperability, the responder obey
* the initiator. It should be defined a notify message.
*/
- if (tr1->encklen > tr2->encklen) {
+ if (tr1->encklen >=3D tr2->encklen) {
plog(LLV_WARNING, LOCATION, NULL,
"less key length proposed, "
"mine:%d peer:%d. Use initiaotr's one.\n",
tr2->encklen, tr1->encklen);
/* FALLTHRU */
}
+ /* Do not allow a shorter key length to be processed. */
+ else{
+ return 1;
+ }
return 0;
}
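Review bot: changing `>` to `>=` on the `+` line pulls the equal-length case into the warning branch, so every ordinary negotiation in which both sides agree on the key length now logs "less key length proposed" at LLV_WARNING although nothing was overridden. Keep the original `if (tr1->encklen > tr2->encklen)` for the warning and add the rejection as its own branch, e.g. `} else if (tr1->encklen < tr2->encklen) { return 1; }`, so that equal lengths fall through to `return 0` as before. Smaller points: the new `else{` should follow the surrounding `} else {` brace style; the comment just above the hunk ("the responder obey the initiator") should be updated now that shorter keys are refused, and the pre-existing "initiaotr's" typo in the log message could be fixed while touching this block; and the `>=3D` on the `+` line is quoted-printable mangling of `>=` in transit, so the patch will not apply verbatim from the archive.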
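To make the negotiation behaviour concrete, here is an added, stand-alone model of the responder's transform comparison with the unpatched and the fixed logic side by side. It is illustration code, not ipsec-tools' proposal.c: the names struct xform, cmp_keylen_unpatched, cmp_keylen_fixed, pick_transform, keylen_ok, warns_on and negotiated_keylen are invented for this example, and the initiator proposal it negotiates against (rijndael 128 offered before rijndael 256) is constructed inline. The fixed comparison keeps the strict `>` for the interoperability warning and refuses only strictly shorter keys, so equal lengths are accepted without a warning.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added, simplified model of racoon's transform comparison. This is
 * illustration code, not ipsec-tools' proposal.c; struct xform and all
 * function names below are hypothetical.
 */
struct xform {
    const char *enc;    /* encryption algorithm, e.g. "rijndael" */
    int encklen;        /* key length in bits; 0 for fixed-length ciphers */
};

/* Before the fix: once the algorithm matches, any key length is accepted,
 * so a peer can negotiate the SA down to a shorter key than configured.
 * Returns 0 for "acceptable", 1 for "no match"; *warned mirrors the
 * "Use initiator's one" warning for a longer peer key. */
int cmp_keylen_unpatched(const struct xform *mine, const struct xform *peer, int *warned)
{
    if (warned)
        *warned = 0;
    if (strcmp(mine->enc, peer->enc) != 0)
        return 1;                       /* different cipher: no match */
    if (peer->encklen > mine->encklen && warned)
        *warned = 1;                    /* warn, then fall through */
    return 0;                           /* match regardless of key length */
}

/* With the fix: a longer peer key is tolerated (and reported via *warned),
 * an equal one accepted silently, a shorter one rejected. Both comparisons
 * are strict so the equal case never triggers the warning. */
int cmp_keylen_fixed(const struct xform *mine, const struct xform *peer, int *warned)
{
    if (warned)
        *warned = 0;
    if (strcmp(mine->enc, peer->enc) != 0)
        return 1;
    if (peer->encklen > mine->encklen) {
        if (warned)
            *warned = 1;                /* interoperability: obey the initiator */
        return 0;
    }
    if (peer->encklen < mine->encklen)
        return 1;                       /* shorter key than configured: refuse */
    return 0;                           /* equal: accept */
}

/* Responder-side selection: walk the initiator's proposal in order and return
 * the index of the first transform acceptable under the responder's policy,
 * or -1 if none is. */
int pick_transform(const struct xform *mine, const struct xform *peer, size_t npeer,
                   int (*cmp)(const struct xform *, const struct xform *, int *))
{
    size_t i;
    for (i = 0; i < npeer; i++)
        if (cmp(mine, &peer[i], NULL) == 0)
            return (int)i;
    return -1;
}

/* Single comparison with the fixed logic, both sides "rijndael". */
int keylen_ok(int mine_len, int peer_len, int *warned)
{
    struct xform mine = { "rijndael", mine_len };
    struct xform peer = { "rijndael", peer_len };
    return cmp_keylen_fixed(&mine, &peer, warned);
}

/* 1 if the fixed logic would log the interoperability warning. */
int warns_on(int mine_len, int peer_len)
{
    int w = 0;
    keylen_ok(mine_len, peer_len, &w);
    return w;
}

/* Constructed negotiation: responder configured for rijndael 256, initiator
 * offers rijndael 128 first and rijndael 256 second. Returns the key length
 * that would be installed under the given comparison, or -1 if none. */
int negotiated_keylen(int (*cmp)(const struct xform *, const struct xform *, int *))
{
    struct xform cfg = { "rijndael", 256 };
    struct xform proposal[] = { { "rijndael", 128 }, { "rijndael", 256 } };
    int idx = pick_transform(&cfg, proposal, 2, cmp);
    return idx < 0 ? -1 : proposal[idx].encklen;
}

int main(void)
{
    printf("unpatched responder installs a %d-bit key\n",
           negotiated_keylen(cmp_keylen_unpatched));
    printf("fixed responder installs a %d-bit key\n",
           negotiated_keylen(cmp_keylen_fixed));
    printf("equal lengths: accept=%d warned=%d\n",
           keylen_ok(256, 256, NULL) == 0, warns_on(256, 256));
    return 0;
}
```

Run against the constructed proposal, the unpatched comparison takes the first transform the initiator lists and installs the 128-bit key; the fixed comparison skips it and settles on 256. The same check also shows why the comparison must stay strict: with `>=` in the warning branch, the 256/256 case above would be logged as a downgrade.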