EAP-IKEv2: Allow frag ack without integrity checksum
authorJouni Malinen <j@w1.fi>
Sun, 11 May 2014 17:40:44 +0000 (20:40 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 11 May 2014 19:47:25 +0000 (22:47 +0300)
RFC 5106 is not exactly clear on the requirements for the "no data"
packet that is used to acknowledge a fragmented message. Allow it to be
processed without the integrity checksum data field since it is possible
to interpret the RFC as this not being included. This fixes reassembly
of fragmented frames after keys have been derived.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_ikev2.c
src/eap_server/eap_server_ikev2.c

index 2d7841dd01a23b97a6c433e586257bdd6ce7fbe5..45945fe7993f1a908e974fd54b8ffdbf490b38fb 100644 (file)
@@ -251,7 +251,8 @@ static struct wpabuf * eap_ikev2_build_msg(struct eap_ikev2_data *data,
 
 static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
                                 const struct wpabuf *reqData,
-                                u8 flags, const u8 *pos, const u8 **end)
+                                u8 flags, const u8 *pos, const u8 **end,
+                                int frag_ack)
 {
        if (flags & IKEV2_FLAGS_ICV_INCLUDED) {
                int icv_len = eap_ikev2_validate_icv(
@@ -261,7 +262,7 @@ static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
                        return -1;
                /* Hide Integrity Checksum Data from further processing */
                *end -= icv_len;
-       } else if (data->keys_ready) {
+       } else if (data->keys_ready && !frag_ack) {
                wpa_printf(MSG_INFO, "EAP-IKEV2: The message should have "
                           "included integrity checksum");
                return -1;
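Review bot: The new `!frag_ack` exemption in the `else if` has no comment, so the code no longer explains why a message without integrity checksum data is accepted once `data->keys_ready` is set. I would add above the branch `/* RFC 5106 is ambiguous on whether the "no data" fragment ack carries ICV; accept it without one */`, and document the new `frag_ack` parameter as marking only the empty acknowledgement. The comment should also state the consequence: such an ack is unauthenticated, so it must never be treated as carrying anything beyond "send the next fragment". The same applies to the identical hunk in src/eap_server/eap_server_ikev2.c; the body of eap_ikev2_process_icv() continues outside this hunk.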
@@ -351,7 +352,9 @@ static struct wpabuf * eap_ikev2_process(struct eap_sm *sm, void *priv,
        else
                flags = *pos++;
 
-       if (eap_ikev2_process_icv(data, reqData, flags, pos, &end) < 0) {
+       if (eap_ikev2_process_icv(data, reqData, flags, pos, &end,
+                                 data->state == WAIT_FRAG_ACK && len == 0) < 0)
+       {
                ret->ignore = TRUE;
                return NULL;
        }
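Review bot: The frag-ack predicate is written inline as the last call argument, which forces the opening brace onto its own line and is repeated verbatim in the server's eap_ikev2_process(). Assigning it to a local first, `frag_ack = data->state == WAIT_FRAG_ACK && len == 0;`, and passing `frag_ack` would keep the call in the usual layout and give the condition a name. A one-line comment there should say that `len == 0` is what limits the ICV exemption to the empty acknowledgement, so a message with content received in WAIT_FRAG_ACK after key derivation still has to carry a valid checksum. eap_ikev2_process() starts and ends outside this hunk, so where `len` is set is not visible here.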
index 1ada0c8a6d1e7a2d76134e4322d4a5e1048076f0..3e32cc90c6f481bf8c748200ba0a104adb1e8b20 100644 (file)
@@ -256,7 +256,8 @@ static Boolean eap_ikev2_check(struct eap_sm *sm, void *priv,
 
 static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
                                 const struct wpabuf *respData,
-                                u8 flags, const u8 *pos, const u8 **end)
+                                u8 flags, const u8 *pos, const u8 **end,
+                                int frag_ack)
 {
        if (flags & IKEV2_FLAGS_ICV_INCLUDED) {
                int icv_len = eap_ikev2_validate_icv(
@@ -266,7 +267,7 @@ static int eap_ikev2_process_icv(struct eap_ikev2_data *data,
                        return -1;
                /* Hide Integrity Checksum Data from further processing */
                *end -= icv_len;
-       } else if (data->keys_ready) {
+       } else if (data->keys_ready && !frag_ack) {
                wpa_printf(MSG_INFO, "EAP-IKEV2: The message should have "
                           "included integrity checksum");
                return -1;
@@ -365,7 +366,9 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv,
        } else
                flags = *pos++;
 
-       if (eap_ikev2_process_icv(data, respData, flags, pos, &end) < 0) {
+       if (eap_ikev2_process_icv(data, respData, flags, pos, &end,
+                                 data->state == WAIT_FRAG_ACK && len == 0) < 0)
+       {
                eap_ikev2_state(data, FAIL);
                return;
        }