Hi, using Strongswan 5.9.0 as a server and iOS clients with IKEv2 and eap-radius. Not pasting server configurations here as they don't seem important for this finding.
Found an issue with EAP identity parsing, where parsing fails if the identity is, for example, the following: "[email protected]". Strongswan seems to treat this as ASN.1 encoded data because the two start bytes match an ASN.1 sequence start: 30 31 30 35 63 ... where 30 is the ASN.1 sequence start and 31 is 49, the length of the rest of the data. Here's the log:

2020-11-02T08:10:32.454970+00:00 test-server charon: 03[ENC] parsed a IKE_AUTH request header
2020-11-02T08:10:32.455074+00:00 test-server charon: 08[NET] received packet: from <client ip anonymized>[4500] to <server ip anonymized>[4500] (128 bytes)
2020-11-02T08:10:32.455171+00:00 test-server charon: 08[ENC] parsing body of message, first payload is ENCRYPTED
2020-11-02T08:10:32.455299+00:00 test-server charon: 08[ENC] starting parsing a ENCRYPTED payload
2020-11-02T08:10:32.455544+00:00 test-server charon: 08[ENC] parsing ENCRYPTED payload, 100 bytes left
2020-11-02T08:10:32.455654+00:00 test-server charon: 08[ENC] parsing payload from => 100 bytes @ 0x7fe898001e80
2020-11-02T08:10:32.455752+00:00 test-server charon: 08[ENC] 0: 30 00 00 64 33 E7 9B C4 4A 8B 4A E7 E6 9A 61 0A 0..d3...J.J...a.
2020-11-02T08:10:32.455849+00:00 test-server charon: 08[ENC] 16: 68 2C C0 CC 7B 07 0A 1A 44 43 37 A6 97 4D D0 9C h,..{...DC7..M..
2020-11-02T08:10:32.455946+00:00 test-server charon: 08[ENC] 32: 0B 3B 06 29 55 83 87 48 11 0C 97 8B D8 7B D6 FC .;.)U..H.....{..
2020-11-02T08:10:32.456044+00:00 test-server charon: 08[ENC] 48: E6 D8 AE 25 C1 36 20 4E A5 FC 1F 84 05 EB E8 70 ...%.6 N.......p
2020-11-02T08:10:32.456140+00:00 test-server charon: 08[ENC] 64: CE BC 61 8C A9 72 AC 3E FA 3B B3 C1 D6 E0 22 40 ..a..r.>.;...."@
2020-11-02T08:10:32.456237+00:00 test-server charon: 08[ENC] 80: E5 F4 D8 27 14 B6 12 4A 0D D2 43 54 4E 25 02 3B ...'...J..CTN%.;
2020-11-02T08:10:32.456334+00:00 test-server charon: 08[ENC] 96: C4 84 F1 8E ....
2020-11-02T08:10:32.456431+00:00 test-server charon: 08[ENC] parsing rule 0 U_INT_8
2020-11-02T08:10:32.456553+00:00 test-server charon: 08[ENC] => 48
2020-11-02T08:10:32.456654+00:00 test-server charon: 08[ENC] parsing rule 1 U_INT_8
2020-11-02T08:10:32.456809+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.457006+00:00 test-server charon: 08[ENC] parsing rule 2 PAYLOAD_LENGTH
2020-11-02T08:10:32.457112+00:00 test-server charon: 08[ENC] => 100
2020-11-02T08:10:32.457212+00:00 test-server charon: 08[ENC] parsing rule 3 CHUNK_DATA
2020-11-02T08:10:32.457310+00:00 test-server charon: 08[ENC] => 96 bytes @ 0x7fe86c0008c0
2020-11-02T08:10:32.457406+00:00 test-server charon: 08[ENC] 0: 33 E7 9B C4 4A 8B 4A E7 E6 9A 61 0A 68 2C C0 CC 3...J.J...a.h,..
2020-11-02T08:10:32.457503+00:00 test-server charon: 08[ENC] 16: 7B 07 0A 1A 44 43 37 A6 97 4D D0 9C 0B 3B 06 29 {...DC7..M...;.)
2020-11-02T08:10:32.457603+00:00 test-server charon: 08[ENC] 32: 55 83 87 48 11 0C 97 8B D8 7B D6 FC E6 D8 AE 25 U..H.....{.....%
2020-11-02T08:10:32.457700+00:00 test-server charon: 08[ENC] 48: C1 36 20 4E A5 FC 1F 84 05 EB E8 70 CE BC 61 8C .6 N.......p..a.
2020-11-02T08:10:32.457796+00:00 test-server charon: 08[ENC] 64: A9 72 AC 3E FA 3B B3 C1 D6 E0 22 40 E5 F4 D8 27 .r.>.;...."@...'
2020-11-02T08:10:32.457892+00:00 test-server charon: 08[ENC] 80: 14 B6 12 4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E ...J..CTN%.;....
2020-11-02T08:10:32.457989+00:00 test-server charon: 08[ENC] parsing ENCRYPTED payload finished
2020-11-02T08:10:32.458086+00:00 test-server charon: 08[ENC] verifying payload of type ENCRYPTED
2020-11-02T08:10:32.458182+00:00 test-server charon: 08[ENC] ENCRYPTED payload verified, adding to payload list
2020-11-02T08:10:32.458278+00:00 test-server charon: 08[ENC] ENCRYPTED payload found, stop parsing
2020-11-02T08:10:32.458374+00:00 test-server charon: 08[ENC] process payload of type ENCRYPTED
2020-11-02T08:10:32.458470+00:00 test-server charon: 08[ENC] found an encrypted payload
2020-11-02T08:10:32.458566+00:00 test-server charon: 08[ENC] encrypted payload decryption:
2020-11-02T08:10:32.458662+00:00 test-server charon: 08[ENC] IV => 16 bytes @ 0x7fe86c0008c0
2020-11-02T08:10:32.458758+00:00 test-server charon: 08[ENC] 0: 33 E7 9B C4 4A 8B 4A E7 E6 9A 61 0A 68 2C C0 CC 3...J.J...a.h,..
2020-11-02T08:10:32.458853+00:00 test-server charon: 08[ENC] encrypted => 80 bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.458949+00:00 test-server charon: 08[ENC] 0: 7B 07 0A 1A 44 43 37 A6 97 4D D0 9C 0B 3B 06 29 {...DC7..M...;.)
2020-11-02T08:10:32.459045+00:00 test-server charon: 08[ENC] 16: 55 83 87 48 11 0C 97 8B D8 7B D6 FC E6 D8 AE 25 U..H.....{.....%
2020-11-02T08:10:32.459141+00:00 test-server charon: 08[ENC] 32: C1 36 20 4E A5 FC 1F 84 05 EB E8 70 CE BC 61 8C .6 N.......p..a.
2020-11-02T08:10:32.459268+00:00 test-server charon: 08[ENC] 48: A9 72 AC 3E FA 3B B3 C1 D6 E0 22 40 E5 F4 D8 27 .r.>.;...."@...'
2020-11-02T08:10:32.459369+00:00 test-server charon: 08[ENC] 64: 14 B6 12 4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E ...J..CTN%.;....
2020-11-02T08:10:32.459466+00:00 test-server charon: 08[ENC] ICV => 16 bytes @ 0x7fe86c000910
2020-11-02T08:10:32.459562+00:00 test-server charon: 08[ENC] 0: 14 B6 12 4A 0D D2 43 54 4E 25 02 3B C4 84 F1 8E ...J..CTN%.;....
2020-11-02T08:10:32.459659+00:00 test-server charon: 08[ENC] assoc => 32 bytes @ 0x7fe86c000b50
2020-11-02T08:10:32.459756+00:00 test-server charon: 08[ENC] 0: 0B 5F C7 0E D8 CB 48 43 5D 2A 43 9E 9B D8 8B 94 ._....HC]*C.....
2020-11-02T08:10:32.459912+00:00 test-server charon: 08[ENC] 16: 2E 20 23 08 00 00 00 02 00 00 00 80 30 00 00 64 . #.........0..d
2020-11-02T08:10:32.460080+00:00 test-server charon: 08[ENC] plain => 60 bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.460188+00:00 test-server charon: 08[ENC] 0: 00 00 00 3C 02 00 00 38 01 30 31 30 35 63 63 63 ...<...8.0105ccc
2020-11-02T08:10:32.460294+00:00 test-server charon: 08[ENC] 16: 63 2D 61 61 61 61 2D 62 62 62 62 2D 61 61 61 61 c-aaaa-bbbb-aaaa
2020-11-02T08:10:32.460400+00:00 test-server charon: 08[ENC] 32: 2D 63 63 63 63 62 62 62 62 61 61 61 61 40 61 73 -ccccbbbbaaaa@as
2020-11-02T08:10:32.460504+00:00 test-server charon: 08[ENC] 48: 6F 6D 65 74 68 69 6E 67 2E 63 6F 6D omething.com
2020-11-02T08:10:32.460610+00:00 test-server charon: 08[ENC] padding => 4 bytes @ 0x7fe86c00090c
2020-11-02T08:10:32.460715+00:00 test-server charon: 08[ENC] 0: 00 00 00 03
2020-11-02T08:10:32.460820+00:00 test-server charon: 08[ENC] parsing EAP payload, 60 bytes left
2020-11-02T08:10:32.460925+00:00 test-server charon: 08[ENC] parsing payload from => 60 bytes @ 0x7fe86c0008d0
2020-11-02T08:10:32.461030+00:00 test-server charon: 08[ENC] 0: 00 00 00 3C 02 00 00 38 01 30 31 30 35 63 63 63 ...<...8.0105ccc
2020-11-02T08:10:32.461134+00:00 test-server charon: 08[ENC] 16: 63 2D 61 61 61 61 2D 62 62 62 62 2D 61 61 61 61 c-aaaa-bbbb-aaaa
2020-11-02T08:10:32.461239+00:00 test-server charon: 08[ENC] 32: 2D 63 63 63 63 62 62 62 62 61 61 61 61 40 61 73 -ccccbbbbaaaa@as
2020-11-02T08:10:32.461344+00:00 test-server charon: 08[ENC] 48: 6F 6D 65 74 68 69 6E 67 2E 63 6F 6D omething.com
2020-11-02T08:10:32.461450+00:00 test-server charon: 08[ENC] parsing rule 0 U_INT_8
2020-11-02T08:10:32.461612+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.461772+00:00 test-server charon: 08[ENC] parsing rule 1 FLAG
2020-11-02T08:10:32.461919+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.462028+00:00 test-server charon: 08[ENC] parsing rule 2 RESERVED_BIT
2020-11-02T08:10:32.462134+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.462239+00:00 test-server charon: 08[ENC] parsing rule 3 RESERVED_BIT
2020-11-02T08:10:32.462345+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.462451+00:00 test-server charon: 08[ENC] parsing rule 4 RESERVED_BIT
2020-11-02T08:10:32.462556+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.462653+00:00 test-server charon: 08[ENC] parsing rule 5 RESERVED_BIT
2020-11-02T08:10:32.462825+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.462939+00:00 test-server charon: 08[ENC] parsing rule 6 RESERVED_BIT
2020-11-02T08:10:32.463048+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.463272+00:00 test-server charon: 08[ENC] parsing rule 7 RESERVED_BIT
2020-11-02T08:10:32.463416+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.463525+00:00 test-server charon: 08[ENC] parsing rule 8 RESERVED_BIT
2020-11-02T08:10:32.463630+00:00 test-server charon: 08[ENC] => 0
2020-11-02T08:10:32.463747+00:00 test-server charon: 08[ENC] parsing rule 9 PAYLOAD_LENGTH
2020-11-02T08:10:32.463943+00:00 test-server charon: 08[ENC] => 60
2020-11-02T08:10:32.464054+00:00 test-server charon: 08[ENC] parsing rule 10 CHUNK_DATA
2020-11-02T08:10:32.464219+00:00 test-server charon: 08[ENC] => 56 bytes @ 0x7fe86c000c90
2020-11-02T08:10:32.464389+00:00 test-server charon: 08[ENC] 0: 02 00 00 38 01 30 31 30 35 63 63 63 63 2D 61 61 ...8.0105cccc-aa
2020-11-02T08:10:32.464509+00:00 test-server charon: 08[ENC] 16: 61 61 2D 62 62 62 62 2D 61 61 61 61 2D 63 63 63 aa-bbbb-aaaa-ccc
2020-11-02T08:10:32.464615+00:00 test-server charon: 08[ENC] 32: 63 62 62 62 62 61 61 61 61 40 61 73 6F 6D 65 74 cbbbbaaaa@asomet
2020-11-02T08:10:32.464720+00:00 test-server charon: 08[ENC] 48: 68 69 6E 67 2E 63 6F 6D hing.com
2020-11-02T08:10:32.464824+00:00 test-server charon: 08[ENC] parsing EAP payload finished
2020-11-02T08:10:32.464934+00:00 test-server charon: 08[ENC] parsed content of encrypted payload
2020-11-02T08:10:32.465039+00:00 test-server charon: 08[ENC] insert decrypted payload of type EAP at end of list
2020-11-02T08:10:32.465205+00:00 test-server charon: 08[ENC] verifying message structure
2020-11-02T08:10:32.465313+00:00 test-server charon: 08[ENC] found payload of type EAP
2020-11-02T08:10:32.465418+00:00 test-server charon: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
2020-11-02T08:10:32.465522+00:00 test-server charon: 08[IKE] received EAP identity ''

An identity starting with "0" might be quite common, but in this case it is unfortunate that the length of the data matches the value of the second character. Unfortunately, I cannot change the client's identity anymore.

On the code level, things happen here:
https://github.com/strongswan/strongswan/blob/7257ba3b44906eef301945947642040cfc69e6dd/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c#L299
https://github.com/strongswan/strongswan/blob/770f4ccee12d4777216628d46ed3b14237708ec5/src/libstrongswan/utils/identification.c#L1712
https://github.com/strongswan/strongswan/blob/a4279fcc386c9bb396d1d1fc46d6c14b2f37cec4/src/libstrongswan/asn1/asn1.c#L698

Based on the specs:
https://tools.ietf.org/html/rfc5106#section-8.6 (identification payload)
https://tools.ietf.org/html/rfc4306#section-3.5

There is also an ID Type in the identification payload. iOS seems to always use ID Type 2 (FQDN) and not ASN.1 encoding. Should Strongswan also parse this type info and only treat the identity as ASN.1 encoded if the type is 9 or 10? Or perhaps treat it as a plain string as a fallback if ASN.1 decoding results in an empty identity.

BR, Totti
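As an added illustration of the report above (example code written for this page, not strongSwan's own code), the following reproduces the length-matching coincidence on the identity bytes taken from the hex dump in the log, and shows both remedies the reporter proposes: honouring the ID Type, and falling back to the plain string when a strict DER parse of the sniffed bytes fails. The minimal DER parser, the "CN=test" sample and all function names are constructed for this example.

```python
# Added example, not strongSwan's code: shows why the reported identity passes an ASN.1
# SEQUENCE sniff and how an ID Type check (RFC 4306 s.3.5) or a string fallback avoids it.
ID_FQDN, ID_DER_ASN1_DN, ID_DER_ASN1_GN = 2, 9, 10  # ID Type values from RFC 4306
ASN1_SEQUENCE, ASN1_SET, ASN1_OID = 0x30, 0x31, 0x06
# Identity bytes from the log's decrypted EAP payload: '0' '1' = 0x30 0x31, and 49 bytes follow.
REPORTED_ID = b"0105cccc-aaaa-bbbb-aaaa-ccccbbbbaaaa@asomething.com"
# Constructed genuine DER DistinguishedName for "CN=test" (OID 2.5.4.3, UTF8String).
CN_TEST_DN = bytes.fromhex("300f310d300b06035504030c0474657374")

def looks_like_asn1_sequence(data: bytes) -> bool:
    """Sniff test: SEQUENCE tag plus a short-form length equal to the remaining bytes."""
    return len(data) >= 2 and data[0] == ASN1_SEQUENCE and data[1] == len(data) - 2 < 0x80

def der_tlv(data: bytes, pos: int):
    """One short-form DER TLV -> (tag, value, next_pos); ValueError if inconsistent."""
    if pos + 2 > len(data) or data[pos + 1] >= 0x80 or pos + 2 + data[pos + 1] > len(data):
        raise ValueError("truncated header, long-form length or length exceeds buffer")
    end = pos + 2 + data[pos + 1]
    return data[pos], data[pos + 2:end], end

def parse_dn(data: bytes) -> list:
    """Strict DER Name: SEQUENCE { SET { SEQUENCE { OID, value } } }; raises on junk."""
    tag, body, end = der_tlv(data, 0)
    if tag != ASN1_SEQUENCE or end != len(data):
        raise ValueError("not a single SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = der_tlv(body, pos)
        seq_tag, atv, _ = der_tlv(rdn, 0)
        oid_tag, oid, vpos = der_tlv(atv, 0)
        if set_tag != ASN1_SET or seq_tag != ASN1_SEQUENCE or oid_tag != ASN1_OID:
            raise ValueError("malformed RelativeDistinguishedName")
        _, value, _ = der_tlv(atv, vpos)
        rdns.append((oid.hex(), value.decode("utf-8", "replace")))
    return rdns

def decode_identity(data: bytes, id_type=None) -> str:
    """With an ID Type, try DER only for types 9/10; without one (the EAP identity
    case) try DER on a sniff match, but fall back to the plain string if it is not a DN."""
    want_der = (id_type in (ID_DER_ASN1_DN, ID_DER_ASN1_GN) if id_type is not None
                else looks_like_asn1_sequence(data))
    if want_der:
        try:
            rdns = parse_dn(data)
            if rdns:
                return ",".join(f"{oid}={val}" for oid, val in rdns)
        except ValueError:
            pass  # sniffed as DER but not actually a DN: keep it as a string
    return data.decode("utf-8")
```

With the reported identity the sniff succeeds (tag 0x30, length 0x31 = 49 = remaining bytes), but the strict parse fails on the very next pair of characters ('0' '5' would claim 53 inner bytes where only 47 remain), so the fallback returns the original string instead of an empty identity.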
