Stuart,
I've just applied the patch you provided. The error about "cert request"
disappeared, but the connection freezes.
The phone has been set to "Automatically determine algorithm". Does that
matter, or should I set the same algorithm on both ends?
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_cp: type REQUEST length 28
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: APPLICATION_VERSION 0x0007 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 92
ikev2_pld_sa: more 0 reserved 0 length 88 proposal #1 protoid ESP spisize 4 xforms 8 spi 0xf3268010
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x00, require 0x00
ikev2_msg_auth: responder auth data length 357
ca_setauth: auth length 357
ikev2_sa_negotiate: score 7
config_free_proposals: free 0x203519780
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
config_free_proposals: free 0x203519b80
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 21 rspi 0xe580667dddd31820 ispi 0x417f3816fccfc162 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0c -> 0x0c auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0c, require 0x0d cert,auth,sa
-----------------
Denis
On 03.07.2015 21:54, Stuart Henderson wrote:
On 2015-07-03, Stuart Henderson <[email protected]> wrote:
On 2015-07-02, Denis Lapshin <[email protected]> wrote:
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message
iked doesn't accept an empty certreq (which appears to be valid); this affects
interop with Firebrick's implementation too.
On 2015/07/03 11:40, Denis Lapshin wrote:
Stuart,
What can be done to accept an empty certreq (or fill the certreq) on the server's
side and/or the phone's side to obtain a connection?
You could try this diff, though I'm not sure whether it is correct,
I don't have a suitable IKEv2 implementation to test against myself.
Index: ikev2_pld.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v
retrieving revision 1.50
diff -u -p -r1.50 ikev2_pld.c
--- ikev2_pld.c 26 Mar 2015 19:52:35 -0000 1.50
+++ ikev2_pld.c 3 Jul 2015 09:19:29 -0000
@@ -916,7 +916,9 @@ ikev2_pld_certreq(struct iked *env, stru
return (0);
if (cert.cert_type == IKEV2_CERT_X509_CERT) {
- if (!len || (len % SHA_DIGEST_LENGTH) != 0) {
+ if (!len)
+ return (0);
+ if ((len % SHA_DIGEST_LENGTH) != 0) {
log_debug("%s: invalid certificate request", __func__);
return (-1);
}
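Review bot: the new `if (!len) return (0);` accepts an empty CERTREQ but, by returning before the rest of ikev2_pld_certreq runs, also skips whatever the function does with a non-empty request, so the peer's "no CA preference" is handled as if no certificate request had arrived at all. That is consistent with the follow-up log in this thread, where the SA stays at flags 0x0c while 0x0d (cert,auth,sa) is still required and the connection hangs. Suggest handling the empty case explicitly (treat any certificate as acceptable and continue) instead of returning early, and adding a comment explaining why a zero-length Certification Authority field is legal here.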
--
Denis Lapshin
mailto: [email protected]
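The CERTREQ handling discussed in this thread, as an added example that is not iked's code: a parser for the body of an IKEv2 CERTREQ payload that accepts an empty Certification Authority list, rejects a list that is not a multiple of the SHA-1 digest length, and then decides which local certificate to send. The struct and function names, MAX_CAS and any sample hashes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#define IKEV2_CERT_X509_CERT 4  /* RFC 7296: "X.509 Certificate - Signature" */
#define SHA1_DIGEST_LEN      20
#define MAX_CAS              8  /* constructed bound for this example */

struct certreq {
	int     cert_type;
	size_t  ncas;                         /* CA key hashes carried */
	uint8_t cas[MAX_CAS][SHA1_DIGEST_LEN];
};

/* Parse a CERTREQ body: one Certificate Encoding byte, then the Certification
 * Authority field, which for X509_CERT is a concatenation of SHA-1 hashes of
 * trusted CA public keys. Empty is legal ("no preference"); a length that is
 * not a multiple of 20 is malformed. Returns 0 on success, -1 on error. */
int parse_certreq(const uint8_t *body, size_t len, struct certreq *cr)
{
	size_t ca_len, i;
	if (body == NULL || len < 1)
		return (-1);
	memset(cr, 0, sizeof(*cr));
	cr->cert_type = body[0];
	ca_len = len - 1;
	if (cr->cert_type != IKEV2_CERT_X509_CERT)
		return (0);                   /* other encodings: not handled here */
	if (ca_len % SHA1_DIGEST_LEN != 0 || ca_len / SHA1_DIGEST_LEN > MAX_CAS)
		return (-1);
	cr->ncas = ca_len / SHA1_DIGEST_LEN;
	for (i = 0; i < cr->ncas; i++)
		memcpy(cr->cas[i], body + 1 + i * SHA1_DIGEST_LEN, SHA1_DIGEST_LEN);
	return (0);
}

/* Decide which local certificate to offer. issuer_hashes holds ncerts
 * consecutive 20-byte SHA-1 hashes of our certificates' issuer keys. Returns
 * the first index the peer listed, 0 when the request was empty, or -1 when
 * the peer trusts only CAs that none of our certificates chain to. */
int select_cert(const struct certreq *cr, const uint8_t *issuer_hashes,
    size_t ncerts)
{
	size_t c, i;
	if (cr->ncas == 0)
		return (ncerts > 0 ? 0 : -1); /* empty request: still send a cert */
	for (i = 0; i < cr->ncas; i++)
		for (c = 0; c < ncerts; c++)
			if (memcmp(cr->cas[i], issuer_hashes + c * SHA1_DIGEST_LEN,
			    SHA1_DIGEST_LEN) == 0)
				return ((int)c);
	return (-1);
}
```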