[strongSwan] non-zero reserved fields in IKE_AUTH response.
Tobias Brunner
tobias at strongswan.org
Wed Jun 30 10:45:06 CEST 2010
Hi Richard,

I found the reason for this failure. The only thing from the IKE_AUTH request
that affects the computation of the AUTH value is the ID, as in prf(Sk_px, IDx').
Now I somehow assumed IDx' is just the Identification Data of the IDx payload,
but it's not; IDx' is actually IDType | RESERVED | IDData. The problem is that
in build_tbs_octets ([1]) IDx' is built from the identification_t object; it's
not based on the payload actually received, and there it is assumed that RESERVED
is zero. Fixing this properly would probably need quite some changes; I have to
discuss that with Martin first. To verify it, you can set the three reserved
bytes in build_tbs_octets to the value sent by the initiator.

Regards,
Tobias

[1] src/charon/sa/authenticators/psk_authenticator.c
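
Added example, not part of the original message and not strongSwan code: a Python sketch of the PSK AUTH computation from RFC 4306, section 2.15, showing that rebuilding IDx' with RESERVED forced to zero only verifies when the peer also sent zero, while using the received bytes verbatim always verifies. All function names and sample values are hypothetical, and HMAC-SHA1 is assumed as the negotiated PRF.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # constant from RFC 4306, section 2.15

def prf(key, data):
    # Assumption: the negotiated PRF is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def id_from_identity(id_type, id_data):
    # IDx' rebuilt from a parsed identity: RESERVED is assumed to be zero.
    return bytes([id_type]) + b"\x00\x00\x00" + id_data

def id_from_payload(payload_body):
    # IDx' taken verbatim from the received ID payload, i.e. everything
    # after the 4-byte generic payload header: IDType | RESERVED | IDData.
    if len(payload_body) < 4:
        raise ValueError("ID payload too short for IDType | RESERVED")
    return payload_body

def psk_auth(psk, sk_p, message, nonce, idx_prime):
    # AUTH = prf(prf(PSK, KEY_PAD), message | nonce | prf(SK_px, IDx'))
    octets = message + nonce + prf(sk_p, idx_prime)
    return prf(prf(psk, KEY_PAD), octets)

# Constructed sample values, not taken from a real exchange.
PSK = b"constructed-psk"
SK_P = bytes(range(20))
MESSAGE = b"\x01" * 48  # stands in for the sender's IKE_SA_INIT message
NONCE = b"\x02" * 16    # stands in for the other side's nonce
ID_FQDN = 2
ID_DATA = b"peer.example.org"

def verify(reserved):
    """Return (rebuilt_ok, verbatim_ok) for a peer that sent `reserved`."""
    received = bytes([ID_FQDN]) + reserved + ID_DATA
    sent = psk_auth(PSK, SK_P, MESSAGE, NONCE, received)
    rebuilt = id_from_identity(ID_FQDN, ID_DATA)
    verbatim = id_from_payload(received)
    return (
        hmac.compare_digest(sent, psk_auth(PSK, SK_P, MESSAGE, NONCE, rebuilt)),
        hmac.compare_digest(sent, psk_auth(PSK, SK_P, MESSAGE, NONCE, verbatim)),
    )

if __name__ == "__main__":
    for reserved in (b"\x00\x00\x00", b"\xaa\xbb\xcc"):
        print(reserved.hex(), verify(reserved))
```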