[Swan-dev] calculate DH response _after_ checking entire policy

[Andrew Cagney]

Per earlier e-mail, I've been updating the default policies for IKEv2.
Along with a few, lets say, quirks, I found this, er, feature:

Given the initator's request containing:

- a modp-group and DH material
- initator's policies (algorithms et.al.)

the responder checks the modp-group as follows:

First there's what I've been calling the fast path:

- check that the modp-group is known; if not, send back invalid_ke
- check that the modp-group is found in the responder's policy set; if
not, send back invalid_ke

And then, if that passes, it goes onto what I'll call the slow path:

- calculate local DH material based on initiator's modp-group (hence slow)
- chooses a policy using the initiator's and the responder's policies,
if not ...
- check that initiator's modp-group matches the chosen policy, if not
send back an invalid_ke with that policy's modp-group as a suggestion

Notice how, when the modp-group doesn't match, there can be wasted DH
calculation.

I'm guessing that the code should look something like:

- check that the modp-group is known
- check that the modp-group is in the resonder's policy set
- choose a policy
- check that the modp-group matches the policy

if any fail, send back invalid_ke with a suggestion

- and then calculate the DH

I can't see any benefit in doing the DH calculation midway through the
modp-group check.  It perhaps slows down an attacker trying to figure
out the server's policy, but not my much, and at the expense of more
server load.

Andrew

PS: I suspect this is something to address after libevent is merged in.