Bug 1375466

Summary: [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
Product: Red Hat Enterprise Linux 7 Reporter: Jianwen Ji <jiji>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED DUPLICATE QA Contact: Jianwen Ji <jiji>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-14 03:35:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
libreswan-3.15-6.pcap
none
libreswan-3.12-10.1.pcap none

Description Jianwen Ji 2016-09-13 08:29:48 UTC 
Test case link:
IKEv2.EN.R.1.1.6.7, Page 406 at
https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

Purpose: 
To verify an IKEv2 device properly handles a KE payload which has different D-H Group # from accepted D-H Group #. 

References: 
[RFC 4306] - Sections 2.7, 3.4 and 3.10.1 
[RFC 4718] - Sections 2.1 and 2.2 

Procedure:
NUT       TN1 
 
|          | 
|<---------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) 
|          | (Packet #1) 
|--------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
|          | (Judgment #1) 
|          | 
|<---------| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr}) 
|          | (Packet #2) 
|--------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N+, SAr2, TSi,TSr}) 
|          | (Judgment #2) 
|          | 
|<---------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA(DH#2, DH#14), Ni, KEi(DH#14), TSi, TSr})
|          | (Packet #3) 
|--------->| CREATE_CHILD_SA response (HDR, SK { N(INVALID_KE_PAYLOAD(DH#2)) }) 
|          | (Judgment #3) 
|          | 
|<---------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA(DH#2, DH#14), Ni, KEi(DH#2), TSi, TSr}) 
|          | (Packet #4) 
|--------->| CREATE_CHILD_SA response (HDR, SK {N+, SA(DH#2), Nr, KEr(DH#2), TSi, TSr}) 
|          | (Judgment #4) 
V          V 
N: REKEY_SA 
N+: USE_TRANSPORT_MODE 
It is possible to use DH#24 instead of DH#1


Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7.x86_64

How reproducible:
always

Actual results:
We failed at Judgement #3

During the test, the device successfully completed the initial exchanges. After receiving a CREATE_CHILD_SA request with a DH Group that does not match the device under test’s configuration, the device transmits a clear text IKE_SA_INIT response containing a Notify payload indicating INVALID_KE_PAYLOAD without specifying the DH group..

According to RFC 4306 Section 1.3, “The CREATE_CHILD_SA exchange consists of a single request/response pair, and was referred to as a phase 2 exchange in IKEv1. It MAY be initiated by either end of the IKE_SA after the initial exchanges are completed. All messages following the initial exchanges are cryptographically protected using the cryptographic algorithms and keys negotiated in the first two messages of the IKE exchange.”

Also, according to RFC 4306 Section 3.10.1 regarding the INVALID_KE_PAYLOAD Notify Message type, “The D-H Group # field in the KE payload is not the group # selected by the responder for this exchange. There are two octets of data associated with this notification: the accepted D-H Group # in big endian order.”


Expected results:
The device under test should have sent a cryptographically protected
CREATE_CHILD_SA response containing a Notify payload indicating
INVALID_KE_PAYLOAD and specifying the accepted Diffie-Hellman Group

Additional info:
Comment 1 Jianwen Ji 2016-09-13 09:06:23 UTC 
(In reply to Ji Jianwen from comment #0)
> 
> 
> Version-Release number of selected component (if applicable):
> libreswan-3.15-6.el7.x86_64
> 
> How reproducible:
> always
> 
> Actual results:
> We failed at Judgement #3
> 
> During the test, the device successfully completed the initial exchanges.
> After receiving a CREATE_CHILD_SA request with a DH Group that does not
> match the device under test’s configuration, the device transmits a clear
> text IKE_SA_INIT response containing a Notify payload indicating
> INVALID_KE_PAYLOAD without specifying the DH group..
> 
> According to RFC 4306 Section 1.3, “The CREATE_CHILD_SA exchange consists of
> a single request/response pair, and was referred to as a phase 2 exchange in
> IKEv1. It MAY be initiated by either end of the IKE_SA after the initial
> exchanges are completed. All messages following the initial exchanges are
> cryptographically protected using the cryptographic algorithms and keys
> negotiated in the first two messages of the IKE exchange.”
> 
> Also, according to RFC 4306 Section 3.10.1 regarding the INVALID_KE_PAYLOAD
> Notify Message type, “The D-H Group # field in the KE payload is not the
> group # selected by the responder for this exchange. There are two octets of
> data associated with this notification: the accepted D-H Group # in big
> endian order.”
> 
> 
> Expected results:
> The device under test should have sent a cryptographically protected
> CREATE_CHILD_SA response containing a Notify payload indicating
> INVALID_KE_PAYLOAD and specifying the accepted Diffie-Hellman Group
> 
> Additional info:
Correct the libreswan version
1) Above actual result was caused by using libreswan-3.12-10.1.el7_1.x86_64.

2) When using libreswan-3.15-6.el7.x86_64, we failed at Judgement #2
RHEL received an IKE_SA_INIT request and successfully transmitted an
IKE_SA_INIT response. Upon receipt of a IKE_AUTH request, RHEL transmits an IKE_SA_INIT request.
Comment 2 Jianwen Ji 2016-09-13 09:08:23 UTC 
Created attachment 1200407 [details]
libreswan-3.15-6.pcap
Comment 3 Jianwen Ji 2016-09-13 09:12:22 UTC 
Created attachment 1200408 [details]
libreswan-3.12-10.1.pcap
Comment 4 Jianwen Ji 2016-09-14 03:35:02 UTC 

*** This bug has been marked as a duplicate of bug 1375779 ***