[Swan-dev] question about ikev2_calculate_ecdsa_hash

D. Hugh Redelmeier hugh at mimosa.com
Sun Feb 3 22:58:42 UTC 2019

TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
its caller.  No caller makes such a request.  Why?

Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute 
hashes and then either emit the hash in a payload or return it as a chunk.  

(This feels like an awkward combination.  I separated these two functions 
of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)

But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the 
chunk.  Why?

There are two calls to ikev2_calculate_rsa_hash that do ask to return
the chunk.  Both are in ikev2_calc_no_ppk_auth.  Should
ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?

PPK signifies Post-quantum Preshared Keys.  It sure would work better
for me if it were named PQPSK.

(PPK was the pistol that James Bond preferred.  Walther Polizeipistole 

PPK allows for a fallback to non PPK.  This is handled by an extra
Notification payload with the hash, excluding the actual PQPSK
material.  Those N payloads are emitted by ikev2_calc_no_ppk_auth by
using the chunk result of ikev2_calculate_rsa_hash.

This draft says that the PRF must have a key size of 256 bits or larger
but it doesn't seem to further constrain it.  Informational references

I'm guessing that any old IKEv2 auth method ought to work.  So ECDSA
ought to be included.  But maybe I'm wrong.

ikev2_calc_no_ppk_auth takes the chunk it gets from 
ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns 
the resulting chunk to its caller.  If AUTH_PSK is used, it instead 
generates the chunk by calling ikev2_create_psk_auth.

(Something I care about, but isn't the subject of this note: each of
these chunks has a small bound on its size and could be stored in an
auto buffer instead of the heap.  This would be an improvement.)

The only use of ikev2_calc_no_ppk_auth is a single call that deposits
the chunk in &pst->st_no_ppk_auth.

BUG: that call does not check if the result was failure.  I'll fix

PS: it would be nice if comments helped me reverse engineer this code.

More information about the Swan-dev mailing list