[Swan-dev] question about ikev2_calculate_ecdsa_hash

Paul Wouters paul at nohats.ca
Sun Feb 3 23:14:10 UTC 2019

On Feb 3, 2019, at 17:58, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
> its caller.  No caller makes such a request.  Why?
> Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute 
> hashes and then either emit the hash in a payload or return it as a chunk.  
> (This feels like an awkward combination.  I separated these two functions 
> of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)
> But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the 
> chunk.  Why?
> There are two calls to ikev2_calculate_rsa_hash that do ask to return
> the chunk.  Both are in ikev2_calc_no_ppk_auth.  Should
> ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?

Yes. These two projects were developed in parallel. So yes, ECDSA can now get PPK support too :)

> PPK signifies Post-quantum Preshared Keys.  It sure would work better
> for me if it were named PQPSK.
> <https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-

The draft calls it PPK.

> (PPK was the pistol that James Bond preferred.  Walther Polizeipistole 
> Kriminalmodell.)

Which James Bond? 😜

> PPK allows for a fallback to non PPK.  This is handled by an extra
> Notification payload with the hash, excluding the actual PQPSK
> material.  Those N payloads are emitted by ikev2_calc_no_ppk_auth by
> using the chunk result of ikev2_calculate_rsa_hash.
> This draft says that the PRF must have a key size of 256 bits or larger
> but it doesn't seem to further constrain it.  Informational references
> include
> <https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-6>
> I'm guessing that any old IKEv2 auth method ought to work.  So ECDSA
> ought to be included.  But maybe I'm wrong.

ECDSA is not an old IKEv2 algorithm. We only support it using the new RFC 7427 :)

> ikev2_calc_no_ppk_auth takes the chunk it gets from 
> ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns 
> the resulting chunk to its caller.  If AUTH_PSK is used, it instead 
> generates the chunk by calling ikev2_create_psk_auth.

It should do the same for ECDSA. As Andrew said, these code paths should converge again.

> (Something I care about, but which isn't the subject of this note: each of
> these chunks has a small bound on its size and could be stored in an
> auto buffer instead of the heap.  This would be an improvement.)

Sure :)

> The only use of ikev2_calc_no_ppk_auth is a single call that deposits
> the chunk in &pst->st_no_ppk_auth.
> BUG: that call does not check if the result was failure.  I'll fix
> that

Ok :)
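The PPK fallback discussed in the thread (an AUTH computed with the PPK-mixed key, plus a NO_PPK_AUTH notification carrying the same computation without the PPK), as an added stand-alone model that is not libreswan's code or the draft's exact derivation. It assumes the PSK-style AUTH (prf over the signed octets), HMAC-SHA-256 as the PRF, a single PRF block in place of the draft's prf+ for mixing the PPK into SK_p, and constructed key and octet values.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated IKEv2 PRF (assumption: HMAC-SHA-256, 256-bit key size).
    return hmac.new(key, data, hashlib.sha256).digest()

def ppk_mix(ppk: bytes, sk_p: bytes) -> bytes:
    # Simplified model (assumption) of deriving SK_p' from the PPK and the original SK_p.
    return prf(ppk, sk_p)

def build_auth_payloads(sk_p: bytes, signed_octets: bytes, ppk: bytes):
    # Initiator side: AUTH uses the PPK-mixed key; NO_PPK_AUTH is the same hash without PPK material.
    auth = prf(ppk_mix(ppk, sk_p), signed_octets)
    no_ppk_auth = prf(sk_p, signed_octets)
    return auth, no_ppk_auth

def verify_as_responder(sk_p: bytes, signed_octets: bytes, auth: bytes,
                        no_ppk_auth, ppk=None):
    # Responder side: a peer holding the PPK checks AUTH and never consults the fallback;
    # a peer without the PPK can only fall back to NO_PPK_AUTH, and fails if it is absent.
    if ppk is not None:
        expected = prf(ppk_mix(ppk, sk_p), signed_octets)
        return hmac.compare_digest(auth, expected), "ppk"
    if no_ppk_auth is None:
        return False, "no-fallback"
    return hmac.compare_digest(no_ppk_auth, prf(sk_p, signed_octets)), "no-ppk"

# Constructed sample values (not from any real exchange).
SK_P = b"\x11" * 32
SIGNED_OCTETS = b"constructed InitiatorSignedOctets"
PPK = b"\x22" * 32

if __name__ == "__main__":
    auth, no_ppk = build_auth_payloads(SK_P, SIGNED_OCTETS, PPK)
    print(verify_as_responder(SK_P, SIGNED_OCTETS, auth, no_ppk, PPK))  # (True, 'ppk')
    print(verify_as_responder(SK_P, SIGNED_OCTETS, auth, no_ppk))       # (True, 'no-ppk')
    print(verify_as_responder(SK_P, SIGNED_OCTETS, auth, None))         # (False, 'no-fallback')
```

The check order in `verify_as_responder` is the point: a responder that has the PPK verifies only the PPK-keyed AUTH, so the fallback notification cannot downgrade a peer that was configured with the key.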
