[strongSwan] non-zero reserved fields in IKE_AUTH response.
richard Knight
rjknight at us.ibm.com
Tue Jun 29 05:51:11 CEST 2010
Hello All,
I am running the TAHI test suite against an embedded Linux system running strongSwan
4.1.10.
One of the tests attempts to verify that the reserved fields in the IKE
message are ignored. Below is a breakdown of an IKE_AUTH response with all
the reserved fields set to a non-zero value; this message fails PSK MAC
verification. For a sanity check I verified the test passes if I zero all
the reserved fields using the same method as setting them to non-zero values.
Could someone point me to where the calculation would start and end in the
message below? I would like to verify the test case, as it is not clear to
me from RFC4306 which data areas are to be used in the calculation of the
authentication data. There seems to be some discrepancy between the test case
implementation and the strongSwan implementation.
<snip rfc4306> RFC 4306
For Responder, the octets to be signed start with the first octet of
the first SPI in the header of the second message and end with the last
octet of the last payload in the second message. Appended to this (for
purposes of computing the signature) are the initiator's nonce Ni
(just the value, not the payload containing it), and the value
prf(SK_pr,IDr') where IDr' is the responder's ID payload excluding
the fixed header. Note that neither the nonce Ni nor the value
prf(SK_pr,IDr') are transmitted.
I have included the breakdown of the failing message and the
strongSwan debug trace below.
Thank you.
//////////////// IKE_AUTH fails PSK MAC verification ////////////////
IP Packet
| IP Header
| | Version = 6
| | Source Address = 2001:db8:f:1::1
| | Destination Address = 2001:db8:1:1::1234
| UDP Header
| | Source Port = 500
| | Destination Port = 500
| Internet Security Association and Key Management Protocol Payload
| | IKE Header
| | | IKE_SA Initiator's SPI = c3dfaad709d6bd4b
| | | IKE_SA Responder's SPI = fd546d59933dbe69
| | | Next Payload = 46 (E)
| | | Major Version = 2
| | | Minor Version = 0
| | | Exchange Type = 35 (IKE_AUTH)
| | | Flags = 73 (0b01001001)
| | | | Reserved (XX000000) = 64
| | | | Response (00R00000) = 0
| | | | Version (000V0000) = 0
| | | | Initiator (0000I000) = 1
| | | | Reserved (00000XXX) = 1
| | | Message ID = 1 (0x1)
| | | Length = 252 (0xfc)
| | | E Payload
| | | | Next Payload = 35 (IDi)
| | | | Critical = 1
| | | | Reserved = 1
| | | | Payload Length = 224 (0xe0)
| | | | Initialization Vector = 326312edfccf4497
| | | | Encrypted IKE Payloads
| | | | | IDi Payload
| | | | | | Next Payload = 39 (AUTH)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 24 (0x18)
| | | | | | ID Type = 5 (IPV6_ADDR)
| | | | | | RESERVED = 1
| | | | | | Identification Data = 20010db8000f00010000000000000001
(2001:db8:f:1::1)
| | | | | AUTH Payload
| | | | | | Next Payload = 41 (N)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 28 (0x1c)
| | | | | | Auth Method = 2 (SK_MIC)
| | | | | | RESERVED = 1
| | | | | | Authentication Data = 6336663432303532353837306332643932386533
| | | | | N Payload
| | | | | | Next Payload = 33 (SA)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 8 (0x8)
| | | | | | Protocol ID = 0 (no relation)
| | | | | | SPI Size = 0
| | | | | | Notify Message Type = 16391 (USE_TRANSPORT_MODE)
| | | | | SA Payload
| | | | | | Next Payload = 44 (TSi)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 40 (0x28)
| | | | | | Proposal #1
| | | | | | | Next Payload = 0 (last)
| | | | | | | RESERVED = 1
| | | | | | | Proposal Length = 36
| | | | | | | Proposal # = 1
| | | | | | | Proposal ID = ESP
| | | | | | | SPI Size = 4
| | | | | | | # of Transforms = 3
| | | | | | | SPI = cc502e6b
| | | | | | | Transfrom
| | | | | | | | Next Payload = 3 (Transform)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform Length = 8
| | | | | | | | Transform Type = 1 (ENCR)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform ID = 3 (3DES)
| | | | | | | Transfrom
| | | | | | | | Next Payload = 3 (Transform)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform Length = 8
| | | | | | | | Transform Type = 3 (INTEG)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform ID = 2 (HMAC_SHA1_96)
| | | | | | | Transfrom
| | | | | | | | Next Payload = 0 (last)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform Length = 8
| | | | | | | | Transform Type = 5 (ESN)
| | | | | | | | RESERVED = 1
| | | | | | | | Transform ID = 0 (No ESN)
| | | | | TSi Payload
| | | | | | Next Payload = 45 (TSr)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 48 (0x30)
| | | | | | Number of TSs = 1
| | | | | | RESERVED = 1
| | | | | | Traffic Selector
| | | | | | | TS Type = 8 (IPV6_ADDR_RANGE)
| | | | | | | IP Protocol ID = 0 (any)
| | | | | | | Selector Length = 40
| | | | | | | Start Port = 0
| | | | | | | End Port = 65535
| | | | | | | Starting Address = 20010db8000f00010000000000000001
| | | | | | | Ending Address = 20010db8000f00010000000000000001
| | | | | TSr Payload
| | | | | | Next Payload = 0 (0)
| | | | | | Critical = 1
| | | | | | Reserved = 1
| | | | | | Payload Length = 48 (0x30)
| | | | | | Number of TSs = 1
| | | | | | RESERVED = 1
| | | | | | Traffic Selector
| | | | | | | TS Type = 8 (IPV6_ADDR_RANGE)
| | | | | | | IP Protocol ID = 0 (any)
| | | | | | | Selector Length = 40
| | | | | | | Start Port = 0
| | | | | | | End Port = 65535
| | | | | | | Starting Address = 20010db8000100010000000000001234
| | | | | | | Ending Address = 20010db8000100010000000000001234
| | | | Integrity Checksum Data = e0172b343cbdab20ed884e32
///////////////////// strongswan debug trace for IKE and ENC //////////////
09[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP) SA TSi TSr ]
09[IKE] octets = message + nonce + prf(Sk_px, IDx') => 317 bytes @ 0x10063398
09[IKE] 0: CF B9 0A AB 05 DB A9 95 00 00 00 00 00 00 00 00 ................
09[IKE] 16: 21 20 22 08 00 00 00 00 00 00 01 19 22 00 00 2C ! "........."..,
09[IKE] 32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03 ...(............
09[IKE] 48: 03 00 00 08 02 00 00 02 03 00 00 08 03 00 00 02 ................
09[IKE] 64: 00 00 00 08 04 00 00 02 28 00 00 88 00 02 00 00 ........(.......
09[IKE] 80: 29 78 64 01 01 B8 E0 9E 7B 42 51 59 16 91 A9 CA )xd.....{BQY....
09[IKE] 96: FB 7D A8 88 4D 5D 9F AE DD E1 B8 F7 8E 21 BA 32 .}..M].......!.2
09[IKE] 112: 7E 24 12 78 5E A0 4C AB 34 97 AE F4 91 E8 92 2A ~$.x^.L.4......*
09[IKE] 128: A3 C0 2B B5 E4 C5 6B 23 ED 80 32 41 92 20 C6 B9 ..+...k#..2A. ..
09[IKE] 144: D3 3E D1 58 CE DB E8 BC 24 5A 06 40 6A 4B B4 1E .>.X....$Z.@jK..
09[IKE] 160: 5A F1 DB 8E 48 A6 C5 CD B3 EE 77 FE E5 7E 05 41 Z...H.....w..~.A
09[IKE] 176: A7 FC F1 AC 0A 42 8D 69 EA 74 27 32 92 E6 DF 20 .....B.i.t'2...
09[IKE] 192: 9D 11 38 07 37 5A D7 F2 F3 75 EE 89 62 F0 12 D1 ..8.7Z...u..b...
09[IKE] 208: 00 00 00 49 E4 C0 E5 35 C4 62 0E D8 D7 B2 39 98 ...I...5.b....9.
09[IKE] 224: C5 3E DC C0 19 74 31 A5 D1 AF D2 DE 1F 56 9C 30 .>...t1......V.0
09[IKE] 240: DA AF AE B9 44 55 29 CD DE AA 3A 95 94 1F B3 35 ....DU)...:....5
09[IKE] 256: 99 E8 1B 7F 60 4F E1 C5 BC F8 AD 1C A5 6C 41 9C ....`O.......lA.
09[IKE] 272: F9 1C C2 C2 45 10 EE C3 59 39 E8 1B 87 1A 07 E6 ....E...Y9......
09[IKE] 288: 90 EC B1 8C D6 09 55 15 FA DF 86 3F 70 6F CA 0D ......U....?po..
09[IKE] 304: 65 86 4E 26 E8 F7 87 D8 DA F5 2A E0 D5 e.N&......*..
09[IKE] secret => 16 bytes @ 0x100619d0
09[IKE] 0: 49 4B 45 54 45 53 54 31 32 33 34 35 36 37 38 21 IKETEST12345678!
09[IKE] keypad => 17 bytes @ 0x1004494c
09[IKE] 0: 4B 65 79 20 50 61 64 20 66 6F 72 20 49 4B 45 76 Key Pad for IKEv
09[IKE] 16: 32 2
09[IKE] prf(secret, keypad) => 20 bytes @ 0x10061b00
09[IKE] 0: 39 CF C8 93 0C 25 CB 0E 02 CC 09 14 9E 4E 66 EA 9....%.......Nf.
09[IKE] 16: 6B 6A A6 1E kj..
09[IKE] AUTH = prf(prf(secret, keypad), octets) => 20 bytes @ 0x100634e0
09[IKE] 0: 17 D1 BF 90 D0 F8 0F BB 57 A1 89 1A 7E D5 A3 A3 ........W...~...
09[IKE] 16: B5 7C 42 34 .|B4
09[IKE] PSK MAC verification failed
09[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
09[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
09[CFG] found matching config "host-host": 2001:db8:1:1::1234...2001:db8:f:1::1,
prio 112
09[ENC] added payload of type ID_RESPONDER to message
09[IKE] authentication of '2001:db8:1:1::1234' (myself) with pre-shared key
09[IKE] octets = message + nonce + prf(Sk_px, IDx') => 342 bytes @ 0x100636b0
09[IKE] 0: CF B9 0A AB 05 DB A9 95 C7 FE 12 99 E1 E9 AD B7 ................
09[IKE] 16: 21 20 22 20 00 00 00 00 00 00 00 FD 22 00 00 2C ! " ........"..,
09[IKE] 32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03 ...(............
09[IKE] 48: 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 ................
09[IKE] 64: 00 00 00 08 04 00 00 02 28 00 00 88 00 02 00 00 ........(.......
09[IKE] 80: 68 C3 CC 81 FD C0 8F 39 8B 24 4A 85 5D 58 9C FE h......9.$J.]X..
09[IKE] 96: EA 26 F5 7E FF 66 21 2E 14 85 2B 88 8B C0 01 78 .&.~.f!...+....x
09[IKE] 112: 5D 20 C1 6B E2 47 4C EF 88 D9 D2 BB EE BB EA CF ] .k.GL.........
09[IKE] 128: E2 33 E7 FD 69 1B 59 50 38 4F C3 28 A3 41 DC AB .3..i.YP8O.(.A..
09[IKE] 144: 0C 63 3F 0C BD 71 2E A7 41 0B B9 77 86 E2 E2 F1 .c?..q..A..w....
09[IKE] 160: BE BE 00 E8 E6 51 A9 C2 8F CC 6E 37 00 37 0E 43 .....Q....n7.7.C
09[IKE] 176: 02 D6 69 86 33 9F B2 9A FB 46 CD 24 20 B1 97 54 ..i.3....F.$ ..T
09[IKE] 192: 9C A9 31 71 1F 7F 02 DA 87 F7 1C ED A2 CA 07 2E ..1q............
09[IKE] 208: 26 00 00 14 39 E8 1B 87 1A 07 E6 90 EC B1 8C D6 &...9...........
09[IKE] 224: 09 55 15 FA 00 00 00 19 04 59 BF 9A E8 86 08 31 .U.......Y.....1
09[IKE] 240: 81 6A 50 D0 FA D7 31 21 2D EB 83 07 1C E4 C0 E5 .jP...1!-.......
09[IKE] 256: 35 C4 62 0E D8 D7 B2 39 98 C5 3E DC C0 19 74 31 5.b....9..>...t1
09[IKE] 272: A5 D1 AF D2 DE 1F 56 9C 30 DA AF AE B9 44 55 29 ......V.0....DU)
09[IKE] 288: CD DE AA 3A 95 94 1F B3 35 99 E8 1B 7F 60 4F E1 ...:....5....`O.
09[IKE] 304: C5 BC F8 AD 1C A5 6C 41 9C F9 1C C2 C2 45 10 EE ......lA.....E..
09[IKE] 320: C3 59 BA 6B 56 A0 08 9C 55 96 8D 93 7A EA D9 5A .Y.kV...U...z..Z
09[IKE] 336: 19 25 20 59 DD 9C .% Y..
09[IKE] secret => 16 bytes @ 0x10061708
09[IKE] 0: 49 4B 45 54 45 53 54 31 32 33 34 35 36 37 38 21 IKETEST12345678!
09[IKE] keypad => 17 bytes @ 0x1004494c
09[IKE] 0: 4B 65 79 20 50 61 64 20 66 6F 72 20 49 4B 45 76 Key Pad for IKEv
09[IKE] 16: 32 2
09[IKE] prf(secret, keypad) => 20 bytes @ 0x10060690
09[IKE] 0: 39 CF C8 93 0C 25 CB 0E 02 CC 09 14 9E 4E 66 EA 9....%.......Nf.
09[IKE] 16: 6B 6A A6 1E kj..
09[IKE] AUTH = prf(prf(secret, keypad), octets) => 20 bytes @ 0x10060678
09[IKE] 0: 81 B8 E8 F3 20 16 22 3A 1B 6B F5 A5 3C B6 F3 B5 .... .":.k..<...
09[IKE] 16: 74 3B B9 67 t;.g
09[IKE] successfully created shared key MAC
09[ENC] added payload of type AUTHENTICATION to message
09[ENC] added payload of type NOTIFY to message
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[ENC] copy all payloads to a temporary list
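
The RFC 4306 computation quoted in the message, worked through for the initiator's side (first message, then the responder's nonce, then prf(SK_pi, IDi')), as an added example that is not part of the original post and is not strongSwan code. It shows that the three RESERVED octets of the ID payload belong to IDx' and therefore feed the PSK MAC. Assumptions: the PRF is HMAC-SHA1, `INIT_MSG`, `NONCE_R` and `SK_PI` are constructed stand-ins for session values, and all function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

KEYPAD = b"Key Pad for IKEv2"   # 17 octets, no trailing NUL (as in the trace)
SECRET = b"IKETEST12345678!"    # pre-shared key shown in the trace
# prf(secret, keypad) copied from the trace on this page
TRACE_INNER_KEY = bytes.fromhex("39CFC8930C25CB0E02CC09149E4E66EA6B6AA61E")

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1 (assumed from the 20-byte prf outputs in the trace)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def id_body(id_type: int, reserved: int, id_data: bytes) -> bytes:
    """IDx': the ID payload without its 4-octet generic header, i.e.
    ID Type (1 octet) | RESERVED (3 octets) | Identification Data."""
    return bytes([id_type]) + reserved.to_bytes(3, "big") + id_data

def psk_auth(secret, signed_msg, peer_nonce, sk_p, idx) -> bytes:
    """AUTH = prf(prf(secret, keypad), message | nonce | prf(SK_p, IDx'))."""
    octets = signed_msg + peer_nonce + prf(sk_p, idx)
    return prf(prf(secret, KEYPAD), octets)

def inner_key_matches_trace() -> bool:
    """Compare our prf(secret, keypad) with the value strongSwan logged."""
    return hmac.compare_digest(prf(SECRET, KEYPAD), TRACE_INNER_KEY)

# Constructed inputs: the real IKE_SA_INIT octets, nonce and SK_pi are session
# specific, so fixed dummy values stand in for them here.
INIT_MSG = bytes.fromhex("c3dfaad709d6bd4b" "0000000000000000"
                         "2120220800000000" "0000001c")
NONCE_R = bytes(range(32))
SK_PI = bytes(range(20))
ID_DATA = ipaddress.IPv6Address("2001:db8:f:1::1").packed  # IDi from the dump

def auth_for(reserved: int) -> bytes:
    """AUTH computed over an IDi' whose RESERVED field holds `reserved`."""
    return psk_auth(SECRET, INIT_MSG, NONCE_R, SK_PI,
                    id_body(5, reserved, ID_DATA))  # 5 = ID Type from the dump

def verifier_accepts(received_auth: bytes, reserved_seen: int) -> bool:
    """Verifier recomputes AUTH from its own copy of IDi' and compares."""
    return hmac.compare_digest(received_auth, auth_for(reserved_seen))

if __name__ == "__main__":
    auth = auth_for(1)  # RESERVED = 1, as in the dump
    print("inner key matches trace :", inner_key_matches_trace())
    print("verifier keeps RESERVED :", verifier_accepts(auth, 1))
    print("verifier zeroes RESERVED:", verifier_accepts(auth, 0))
```

A verifier that rebuilds IDi' from parsed fields with RESERVED zeroed computes a different AUTH than a peer that hashed the octets as sent.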