Hi,

I just got the solution to my problem. It's actually a problem of
endianness, as the endianness is not getting set in sha1_hasher.c
and the code on QNX is compiled using armbe, which is big endian.
So I just set BIG_ENDIAN in sha1_hasher.c and finally the
authentication is successful.

But now I am getting a new error: as soon as the CHILD_SA is created,
the Linux machine sends a delete request for the CHILD_SA to the QNX
machine. I don't know why this is happening. My ikelifetime, keylife
and rekeymargin are all in hours, so how could this happen?

Can you tell me a possible condition because of which this is
happening and, of course, if possible a solution also?

Thanks & Regards,
Vivek

On 9/3/09, vivek bairathi <bairathi.vi...@gmail.com> wrote:
> Hi,
>
> Thanks for your reply.
>
> I am trying to establish an SA between two machines, of which one is a QNX
> machine and the other is a Linux machine. I am able to transmit the
> IKE_SA_INIT request and response messages from one machine to the other,
> but when the IKE_AUTH request is received by either machine it says
> "signature verification failed".
>
> Here are the logs of the IKE_AUTH request message sent from the QNX machine
> to the Linux machine:-
>
> IKE_AUTH request message sent by QNX machine:-
>
> (gdb) x/208b data.ptr
>
> Signature sent from the QNX machine to the Linux machine in the IKE_AUTH
> message:-
>
> (gdb) x/12b signature.ptr
> 0x808c890:      0xe7    0x53    0xd3    0x87    0x8b    0x16    0xe2    0xda
> 0x808c898:      0x65    0x23    0xe3    0x45
>
>
>
>
>
> Here's the log on the Linux machine of the IKE_AUTH request received
> from the QNX machine:-
>
> Sep  3 00:00:21 ggn-pg-001 charon: 07[NET] received IPv4 packet => 252 bytes @ 0xb5553e04
>
> Sep  3 00:00:23 ggn-pg-001 charon: 07[NET] received packet: from 10.118.209.186[4500] to 10.118.209.204[4500]
> Sep  3 00:00:23 ggn-pg-001 charon: 07[NET] waiting for data on raw sockets
> Sep  3 00:00:23 ggn-pg-001 charon: 09[MGR] ignoring request with ID 1, already processing
> Sep  3 01:45:46 ggn-pg-001 charon: 08[ENC] signature verification failed
> Sep  3 01:45:46 ggn-pg-001 charon: 08[ENC] encryption payload signature invalid
> Sep  3 01:45:46 ggn-pg-001 charon: 08[ENC] could not decrypt payloads
> Sep  3 01:45:46 ggn-pg-001 charon: 08[IKE] integrity check failed
> Sep  3 01:45:46 ggn-pg-001 charon: 08[IKE] IKE_AUTH request with message ID 1 processing failed
>
>
>
>
> As we see, the IKE_AUTH request message received is correct, but still
> its signature verification failed. When I went through the code I
> found out that it calculates the MAC of the whole IKE_AUTH message and
> compares it with the signature, i.e. the integrity checksum. So I was
> wondering why this comparison is failing?
>
> I am using PSK on both sides, which I have checked is correct.
> So can you help me in finding out, or give a hint as to, what is
> wrong at the time of signature verification?
>
> Is there a problem of endianness?
>
> Thanks & Regards,
> Vivek
>
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
