[Swan-dev] question about ikev2_calculate_ecdsa_hash
paul at nohats.ca
Sun Feb 3 23:14:10 UTC 2019
On Feb 3, 2019, at 17:58, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
> its caller. No caller makes such a request. Why?
> Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute
> hashes and then either emit the hash in a payload or return it as a chunk.
> (This feels like an awkward combination. I separated these two functions
> of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)
> But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the
> chunk. Why?
> There are two calls to ikev2_calculate_rsa_hash that do ask to return
> the chunk. Both are in ikev2_calc_no_ppk_auth. Should
> ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?
Yes. These two projects were developed in parallel. So yes ECDSA can now get PPK support too :)
> PPK signifies Post-quantum Preshared Keys. It sure would work better
> for me if it were named PQPSK.
The draft calls it PPK.
> (PPK was the pistol that James Bond preferred. Walther Polizeipistole
Which James Bond? 😜
> PPK allows for a fallback to non PPK. This is handled by an extra
> Notification payload with the hash, excluding the actual PQPSK
> material. Those N payloads are emitted by ikev2_calc_no_ppk_auth by
> using the chunk result of ikev2_calculate_rsa_hash.
> This draft says that the PRF must have a key size of 256 bits or larger
> but it doesn't seem to further constrain it. Informational references
> I'm guessing that any old IKEv2 auth method ought to work. So ECDSA
> ought to be included. But maybe I'm wrong.
ECDSA is not an old IKEv2 algorithm. We only support it using the new RFC 7427 :)
> ikev2_calc_no_ppk_auth takes the chunk it gets from
> ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns
> the resulting chunk to its caller. If AUTH_PSK is used, it instead
> generates the chunk by calling ikev2_create_psk_auth.
It should do the same for ECDSA. As Andrew said, these code paths should converge again.
> Something I care about, but isn't the subject of this note: each of
> these chunks has a small bound on its size and could be stored in an
> auto buffer instead of the heap. This would be an improvement.)
> The only use of ikev2_calc_no_ppk_auth is a single call that deposits
> the chunk in &pst->st_no_ppk_auth.
> BUG: that call does not check if the result was failure. I'll fix
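An added example, not code from libreswan or from either poster, modelling the shape discussed above: a hash function that only computes and hands back a chunk, a NO_PPK_AUTH builder that calls it without the PPK material and prepends a prefix for signature methods, and a caller that checks the result before storing it. All names (chunk_t, calculate_auth_hash, calc_no_ppk_auth, store_no_ppk_auth, struct state), the FNV-1a stand-in for the real hash/PRF, and the ASN.1 prefix bytes are constructed for this illustration and do not correspond to the project's actual definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a heap-backed chunk: buffer pointer plus length. */
typedef struct { uint8_t *ptr; size_t len; } chunk_t;
#define EMPTY_CHUNK ((chunk_t){ NULL, 0 })
#define HASH_LEN 8

enum auth_method { AUTH_RSA, AUTH_ECDSA };

/* Helper for building test input: copy a C string into a fresh chunk. */
static chunk_t chunk_from_str(const char *s)
{
    chunk_t c = { malloc(strlen(s)), strlen(s) };
    if (c.ptr != NULL) memcpy(c.ptr, s, c.len);
    return c;
}

/* Stand-in for the real hash/PRF: 64-bit FNV-1a (NOT cryptographic). */
static void toy_hash(const uint8_t *in, size_t len, uint8_t out[HASH_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < HASH_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/*
 * "Compute" half only: hash key || [ppk] || octets and return it in *out.
 * Emitting the hash into a payload is left to the caller, so every
 * caller can ask for the chunk. Returns false on failure, *out left empty.
 */
static bool calculate_auth_hash(const chunk_t *octets, const chunk_t *key,
                                const chunk_t *ppk, chunk_t *out)
{
    *out = EMPTY_CHUNK;
    if (octets->len == 0 || key->len == 0) return false;  /* nothing to sign / no key */
    size_t n = key->len + (ppk != NULL ? ppk->len : 0) + octets->len;
    uint8_t *buf = malloc(n);
    if (buf == NULL) return false;
    size_t off = 0;
    memcpy(buf + off, key->ptr, key->len); off += key->len;
    if (ppk != NULL) { memcpy(buf + off, ppk->ptr, ppk->len); off += ppk->len; }
    memcpy(buf + off, octets->ptr, octets->len);
    out->ptr = malloc(HASH_LEN);
    if (out->ptr == NULL) { free(buf); return false; }
    toy_hash(buf, n, out->ptr);
    out->len = HASH_LEN;
    free(buf);
    return true;
}

/* Placeholder prefixes standing in for the per-method ASN.1 blob (constructed bytes, not real DER). */
static const uint8_t rsa_prefix[]   = { 0xA1, 0x01 };
static const uint8_t ecdsa_prefix[] = { 0xA2, 0x02, 0x02 };

/*
 * Build the NO_PPK_AUTH fallback: the same AUTH data computed WITHOUT the
 * PPK (ppk == NULL), with the method's prefix prepended. Works the same
 * way for RSA and ECDSA, which is the convergence the thread asks for.
 */
static bool calc_no_ppk_auth(enum auth_method method, const chunk_t *octets,
                             const chunk_t *key, chunk_t *out)
{
    *out = EMPTY_CHUNK;
    chunk_t hash;
    if (!calculate_auth_hash(octets, key, NULL, &hash)) return false;
    const uint8_t *prefix = (method == AUTH_ECDSA) ? ecdsa_prefix : rsa_prefix;
    size_t plen = (method == AUTH_ECDSA) ? sizeof ecdsa_prefix : sizeof rsa_prefix;
    out->ptr = malloc(plen + hash.len);
    if (out->ptr == NULL) { free(hash.ptr); return false; }
    memcpy(out->ptr, prefix, plen);
    memcpy(out->ptr + plen, hash.ptr, hash.len);
    out->len = plen + hash.len;
    free(hash.ptr);
    return true;
}

/* Constructed model of the state that holds the fallback chunk. */
struct state { chunk_t st_no_ppk_auth; };

/* The single caller: deposits the chunk only after checking for failure. */
static bool store_no_ppk_auth(struct state *st, enum auth_method method,
                              const chunk_t *octets, const chunk_t *key)
{
    chunk_t result;
    if (!calc_no_ppk_auth(method, octets, key, &result)) {
        st->st_no_ppk_auth = EMPTY_CHUNK;   /* propagate, never store garbage */
        return false;
    }
    st->st_no_ppk_auth = result;
    return true;
}
```

The failure path is the point of the last function: with an empty key the hash cannot be computed, and the caller returns false instead of leaving an uninitialised or stale chunk in the state.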