[Swan-dev] question about ikev2_calculate_ecdsa_hash

D. Hugh Redelmeier hugh at mimosa.com
Sun Feb 3 22:58:42 UTC 2019


TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
its caller.  No caller makes such a request.  Why?


Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute 
hashes and then either emit the hash in a payload or return it as a chunk.  

(This feels like an awkward combination.  I separated these two functions 
of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)

But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the 
chunk.  Why?

There are two calls to ikev2_calculate_rsa_hash that do ask to return
the chunk.  Both are in ikev2_calc_no_ppk_auth.  Should
ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?

PPK signifies Post-quantum Preshared Keys.  It sure would work better
for me if it were named PQPSK.
<https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2>

(PPK was the pistol that James Bond preferred.  Walther Polizeipistole 
Kriminalmodell.)

PPK allows for a fallback to non-PPK.  This is handled by an extra
Notification payload with the hash, excluding the actual PQPSK
material.  Those N payloads are emitted by ikev2_calc_no_ppk_auth by
using the chunk result of ikev2_calculate_rsa_hash.

This draft says that the PRF must have a key size of 256 bits or larger
but it doesn't seem to further constrain it.  Informational references
include
<https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-6>

I'm guessing that any old IKEv2 auth method ought to work.  So ECDSA
ought to be included.  But maybe I'm wrong.

ikev2_calc_no_ppk_auth takes the chunk it gets from 
ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns 
the resulting chunk to its caller.  If AUTH_PSK is used, it instead 
generates the chunk by calling ikev2_create_psk_auth.

(Something I care about, but isn't the subject of this note: each of
these chunks has a small bound on its size and could be stored in an
auto buffer instead of the heap.  This would be an improvement.)

The only use of ikev2_calc_no_ppk_auth is a single call that deposits
the chunk in &pst->st_no_ppk_auth.

BUG: that call does not check if the result was failure.  I'll fix
that.

PS: it would be nice if comments helped me reverse engineer this code.
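The PPK / NO_PPK_AUTH fallback that the post describes, worked through for the PSK auth method as an added example. This is not libreswan code and not the author's; it models the mechanism of draft-ietf-ipsecme-qr-ikev2 (SK_pi is re-derived as prf+(PPK, SK_pi), the AUTH payload is computed with the re-derived key, and the NO_PPK_AUTH notify carries the same AUTH data computed without the PPK). HMAC-SHA256 standing in for the negotiated PRF, the function names, and all sample inputs are the example's own assumptions. For the RSA and ECDSA methods the AUTH data would be a signature over the same InitiatorSignedOctets instead of the PSK prf, which is the part ikev2_calculate_rsa_hash / ikev2_calculate_ecdsa_hash would supply.

```python
"""Added example, not libreswan code: PPK and NO_PPK_AUTH for PSK auth.

Models draft-ietf-ipsecme-qr-ikev2 (later RFC 8784) with HMAC-SHA256 as an
assumed PRF.  All names and sample values are this example's own.
"""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # RFC 7296 section 2.15 constant


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv2 PRF; HMAC-SHA256 is an assumption made for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def mix_ppk(sk_pi: bytes, ppk: bytes) -> bytes:
    """SK_pi' = prf+(PPK, SK_pi); the draft re-derives SK_d/SK_pi/SK_pr this way."""
    return prf_plus(ppk, sk_pi, len(sk_pi))


def psk_auth(psk, sk_pi, msg1, nonce_r, id_i) -> bytes:
    """AUTH for the PSK method (RFC 7296 2.15).

    InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)
    AUTH = prf(prf(PSK, "Key Pad for IKEv2"), InitiatorSignedOctets)
    The PPK reaches AUTH only through SK_pi; the PSK itself is not modified.
    """
    maced_id = prf(sk_pi, id_i)
    return prf(prf(psk, KEY_PAD), msg1 + nonce_r + maced_id)


def initiator_auth_payloads(psk, sk_pi, ppk, msg1, nonce_r, id_i):
    """Return (AUTH payload data, NO_PPK_AUTH notify data).

    AUTH uses the PPK-mixed SK_pi.  NO_PPK_AUTH is the same computation with
    the original SK_pi, so a responder lacking the PPK can still authenticate.
    """
    auth = psk_auth(psk, mix_ppk(sk_pi, ppk), msg1, nonce_r, id_i)
    no_ppk_auth = psk_auth(psk, sk_pi, msg1, nonce_r, id_i)
    return auth, no_ppk_auth


def responder_verify(psk, sk_pi, ppk, auth, no_ppk_auth, msg1, nonce_r, id_i):
    """ppk is None when the responder holds no PPK for this peer.

    Returns (ok, which) where `which` names the payload that was checked.
    """
    if ppk is not None:
        expected = psk_auth(psk, mix_ppk(sk_pi, ppk), msg1, nonce_r, id_i)
        return hmac.compare_digest(expected, auth), "AUTH"
    if no_ppk_auth is None:
        return False, "no NO_PPK_AUTH offered"  # initiator did not permit fallback
    expected = psk_auth(psk, sk_pi, msg1, nonce_r, id_i)
    return hmac.compare_digest(expected, no_ppk_auth), "NO_PPK_AUTH"


# Constructed sample inputs for the demo; not captured traffic.
SAMPLE = dict(
    psk=b"example-ikev2-psk",
    sk_pi=hashlib.sha256(b"constructed SK_pi").digest(),
    ppk=hashlib.sha256(b"constructed 256-bit PPK").digest(),
    msg1=b"\x00" * 16 + b"IKE_SA_INIT request bytes",
    nonce_r=b"responder-nonce-bytes",
    id_i=b"\x02\x00\x00\x00" + b"initiator.example",  # ID_FQDN, reserved, data
)


def demo(responder_has_ppk: bool, with_fallback: bool = True):
    """One initiator/responder round on the constructed sample."""
    s = SAMPLE
    auth, no_ppk = initiator_auth_payloads(
        s["psk"], s["sk_pi"], s["ppk"], s["msg1"], s["nonce_r"], s["id_i"])
    if not with_fallback:
        no_ppk = None  # initiator refuses to fall back to non-PPK
    return responder_verify(
        s["psk"], s["sk_pi"], s["ppk"] if responder_has_ppk else None,
        auth, no_ppk, s["msg1"], s["nonce_r"], s["id_i"])


if __name__ == "__main__":
    print(demo(True), demo(False), demo(False, with_fallback=False))
```

The two outputs of initiator_auth_payloads are what the post calls the AUTH payload and the "extra Notification payload with the hash": both are the same auth computation, differing only in whether the PPK-mixed SK_pi was used, which is why the code path for NO_PPK_AUTH is expected to be the same for every auth method.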

