Verify IKEv1 nonce size, send 32 byte nonces

[strongswan.git] / src / libcharon / encoding / payloads / nonce_payload.c

diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c
index 58ef70a..3c5eeb5 100644 (file)
--- a/src/libcharon/encoding/payloads/nonce_payload.c
+++ b/src/libcharon/encoding/payloads/nonce_payload.c
@@ -19,6 +19,7 @@
 
 #include "nonce_payload.h"
 
+#include <daemon.h>
 #include <encoding/payloads/encodings.h>
 
 typedef struct private_nonce_payload_t private_nonce_payload_t;
@@ -103,8 +104,26 @@ static encoding_rule_t encodings[] = {
 METHOD(payload_t, verify, status_t,
        private_nonce_payload_t *this)
 {
-       if (this->nonce.len < 16 || this->nonce.len > 256)
+       bool bad_length = FALSE;
+
+       if (this->nonce.len > 256)
+       {
+               bad_length = TRUE;
+       }
+       if (this->type == NONCE &&
+               this->nonce.len < 16)
+       {
+               bad_length = TRUE;
+       }
+       if (this->type == NONCE_V1 &&
+               this->nonce.len < 8)
+       {
+               bad_length = TRUE;
+       }
+       if (bad_length)
        {
+               DBG1(DBG_ENC, "%N payload has invalid length (%d bytes)",
+                        payload_type_names, this->type, this->nonce.len);
                return FAILED;
        }
        return SUCCESS;