Re: SCTP, possible bug in peer authentication key

Thu, 29 Jan 2009 09:43:12 -0800 

There's a corresponding change that is needed for pulling the auth info
out of the cookie for the other direction (i.e. server side handling). I've 
committed that into the SCTP project repo, and should also get in with
Randall's next commit.

--peter

On Jan 29, 2009, at 2:23 AM, Michael Tüxen wrote:


Hi Yann,

very good catch! You are right.

I have committed your patch to Randalls repository, so it will
show up in the FreeBSD sources soon (next time he syncs them)...

Best regards
Michael

On Jan 28, 2009, at 8:51 PM, Yann WANWANSCAPPEL wrote:


Hi all,

I think I found a bug in the SCTP authentication code, in
sctp_load_addresses_from_init() in sctp_pcb.c
keylen = sizeof(*p_random) + random_len + sizeof(*chunks) + num_chunks + 
sizeof(*hmacs) + hmacs_len;

The keylen calculation assumes the Chunk List Parameter (CHUNKS)
vl-param was present in the received INIT packet, which can be false if peer SCTP does not require any chunk to be authenticated (this typically 
occurs if peer does not support ASCONF).


From RFC 4895, 6.1


* An SCTP endpoint has a list of chunks it only accepts if they are
* received in an authenticated way. This list is included in the INIT 
* and INIT-ACK, and MAY be omitted if it is empty.  Since this list
* does not change during the lifetime of the SCTP endpoint there is no 
* problem in case of INIT collision.

This case is properly handled later in the build of the key

        /* append in the AUTH chunks */
        if (chunks != NULL) {
        .....
        }

I think the calculated keylen should be something like this :

keylen = sizeof(*p_random) + random_len + sizeof(*hmacs) + hmacs_len;

if (chunks != NULL) {
 keylen += sizeof(*chunks) + num_chunks
}
This problem results in authenticated packets sent from peer SCTP to be 
discarded.

The problem does not occurs if peer SCTP is modified to send an empty
Chunk List Parameter, (eg num_chunks = 0 in the decoding).

Br,
Yann









_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net- unsubscr...@freebsd.org" 



_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Reply via email to