[Swan-dev] dh and intermediate exchanges
Andrew Cagney
andrew.cagney at gmail.com
Mon Nov 9 15:07:40 UTC 2020
thanks!
As an aside. I'm currently cleaning up the crypto code by eliminating
the remaining pcr style crypto helpers. A likely side effect is that
the memory leak will disappear. The possibly unnecessary DH
calculation will remain, it just won't leak.
On Wed, 4 Nov 2020 at 16:22, Sahana Prasad <sahana.prasad07 at gmail.com> wrote:
>
> Hello Andrew,
> Thanks for the analysis.
>
> I'll get back to you on this one with more details.
>
> Thank you,
> Regards,
> Sahana Prasad
>
> On Wed, 4 Nov 2020, 20:56 Andrew Cagney, <andrew.cagney at gmail.com> wrote:
>>
>> The immediate problem is that the intermediate exchange is leaking the
>> local dh secret. However there seems to be more going on - someone
>> familiar with intermediate code should probably take a look.
>>
>> - the initiator, on receipt of an IKE_SA_INIT responce calls,
>> ikev2_parent_inR1outI2() which finishes with:
>>
>> /* If we seen the intermediate AND we are configured to use intermediate */
>> /* for now, do only one Intermediate Exchange round and proceed
>> with IKE_AUTH */
>> crypto_req_cont_func (*pcrc_func) = (ike->sa.st_seen_intermediate
>> && (md->pbs[PBS_v2N_INTERMEDIATE_EXCHANGE_SUPPORTED] != NULL) &&
>> !(md->hdr.isa_xchg == ISAKMP_v2_IKE_INTERMEDIATE)) ?
>> ikev2_parent_inR1outI2_continue : ikev2_parent_inR1outI2_continue;
>> submit_v2_dh_shared_secret(st, "ikev2_inR1outI2 KE",
>> SA_INITIATOR,
>> NULL, NULL, &st->st_ike_rekey_spis,
>> pcrc_func);
>> return STF_SUSPEND;
>>
>> so it submits a request to finish the DH calculation and compute
>> dh-shared-secret#1, and then since it is doing an intermediate change
>> chooses to continue with ikev2_parent_inR1out_intermediate(). This
>> presumably will send an encrypted IKE_INTERMEDATE request
>>
>> - the initiator, on receipt of an IKE_INTERMEDIATE response, also
>> calls ikev2_parent_inR1outI2(), which submits a request to compute
>> dh-shared-secret#2, but this time chooses to continue with
>> ikev2_parent_inR1outI2_continue(). This presumably will send an
>> encrypted IKE_AUTH request.
>>
>> It's this second continue that is leaking:
>> - ikev2_parent_inR1out_intermediate() calls
>> finish_v2_dh_shared_secret() unconditionally which saves
>> dh-shared-secret#1 in the state
>> - ikev2_parent_inR1outI2_continue(), only calls
>> finish_v2_dh_shared_secret() when the response isn't IKE_INTERMEDIATE
>> (and here it is) so doesn't save dh-shared-secret#2 leaking it
>> (you'll need to trace through a few calls or sprinkle some debug lines
>> to see this)
>>
>> So, does anyone know the back story, and what should be happening? Is
>> the DH needed for instance?
>>
>> Andrew
>> _______________________________________________
>> Swan-dev mailing list
>> Swan-dev at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list