[Swan-dev] question about ikev2_calculate_ecdsa_hash
D. Hugh Redelmeier
hugh at mimosa.com
Sun Feb 3 22:58:42 UTC 2019
TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
its caller. No caller makes such a request. Why?

Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute
hashes and then either emit the hash in a payload or return it as a chunk.
(This feels like an awkward combination. I separated these two functions
of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)

But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the
chunk. Why?

There are two calls to ikev2_calculate_rsa_hash that do ask to return
the chunk. Both are in ikev2_calc_no_ppk_auth. Should
ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?

PPK signifies Post-quantum Preshared Keys. It sure would work better
for me if it were named PQPSK.
<https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2>
(PPK was the pistol that James Bond preferred. Walther Polizeipistole
Kriminalmodell.)

PPK allows for a fallback to non-PPK. This is handled by an extra
Notification payload with the hash, excluding the actual PQPSK
material. Those N payloads are emitted by ikev2_calc_no_ppk_auth by
using the chunk result of ikev2_calculate_rsa_hash.

This draft says that the PRF must have a key size of 256 bits or larger
but it doesn't seem to further constrain it. Informational references
include
<https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-6>
I'm guessing that any old IKEv2 auth method ought to work. So ECDSA
ought to be included. But maybe I'm wrong.

ikev2_calc_no_ppk_auth takes the chunk it gets from
ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns
the resulting chunk to its caller. If AUTH_PSK is used, it instead
generates the chunk by calling ikev2_create_psk_auth.

(Something I care about, but isn't the subject of this note: each of
these chunks has a small bound on its size and could be stored in an
auto buffer instead of the heap. This would be an improvement.)

The only use of ikev2_calc_no_ppk_auth is a single call that deposits
the chunk in &pst->st_no_ppk_auth.

BUG: that call does not check if the result was failure. I'll fix
that.

PS: it would be nice if comments helped me reverse engineer this code.