[Swan-dev] dh and intermediate exchanges

Andrew Cagney andrew.cagney at gmail.com
Wed Nov 4 19:55:57 UTC 2020 

The immediate problem is that the intermediate exchange is leaking the
local dh secret.  However there seems to be more going on - someone
familiar with intermediate code should probably take a look.

- the initiator, on receipt of an IKE_SA_INIT responce calls,
ikev2_parent_inR1outI2() which finishes with:

    /* If we seen the intermediate AND we are configured to use intermediate */
    /* for now, do only one Intermediate Exchange round and proceed
with IKE_AUTH */
    crypto_req_cont_func (*pcrc_func) = (ike->sa.st_seen_intermediate
&& (md->pbs[PBS_v2N_INTERMEDIATE_EXCHANGE_SUPPORTED] != NULL) &&
!(md->hdr.isa_xchg == ISAKMP_v2_IKE_INTERMEDIATE)) ?
            ikev2_parent_inR1outI2_continue : ikev2_parent_inR1outI2_continue;
    submit_v2_dh_shared_secret(st, "ikev2_inR1outI2 KE",
                   SA_INITIATOR,
                   NULL, NULL, &st->st_ike_rekey_spis,
                   pcrc_func);
    return STF_SUSPEND;

so it submits a request to finish the DH calculation and compute
dh-shared-secret#1, and then since it is doing an intermediate change
chooses to continue with ikev2_parent_inR1out_intermediate().  This
presumably will send an encrypted IKE_INTERMEDATE request

- the initiator, on receipt of an IKE_INTERMEDIATE response, also
calls ikev2_parent_inR1outI2(), which submits a request to compute
dh-shared-secret#2, but this time chooses to continue with
ikev2_parent_inR1outI2_continue().  This presumably will send an
encrypted IKE_AUTH request.

It's this second continue that is leaking:
- ikev2_parent_inR1out_intermediate() calls
finish_v2_dh_shared_secret() unconditionally which saves
dh-shared-secret#1 in the state
- ikev2_parent_inR1outI2_continue(), only calls
finish_v2_dh_shared_secret() when the response isn't IKE_INTERMEDIATE
(and here it is) so doesn't save dh-shared-secret#2 leaking it
(you'll need to trace through a few calls or sprinkle some debug lines
to see this)

So, does anyone know the back story, and what should be happening?  Is
the DH needed for instance?

Andrew

More information about the Swan-dev mailing list