On Feb 3, 2019, at 17:58, D. Hugh Redelmeier <[email protected]> wrote:
>
> TL;DR: ikev2_calculate_ecdsa_hash, on request, can return a chunk to
> its caller. No caller makes such a request. Why?
>
>
> Both ikev2_calculate_ecdsa_hash and ikev2_calculate_rsa_hash compute
> hashes and then either emit the hash in a payload or return it as a chunk.
>
> (This feels like an awkward combination. I separated these two functions
> of ikev2_create_psk_auth in d7b480e2290cf9cfe6dbca6d62bd1b90062f6a90.)
>
> But even odder: no caller of ikev2_calculate_ecdsa_hash asks to return the
> chunk. Why?
>
> There are two calls to ikev2_calculate_rsa_hash that do ask to return
> the chunk. Both are in ikev2_calc_no_ppk_auth. Should
> ikev2_calc_no_ppk_auth also call ikev2_calculate_ecdsa_hash?

Yes. These two projects were developed in parallel. So yes, ECDSA can now get PPK support too :)

> PPK signifies Post-quantum Preshared Keys. It sure would work better
> for me if it were named PQPSK.
> <https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-

The draft calls it PPK.

> (PPK was the pistol that James Bond preferred. Walther Polizeipistole
> Kriminalmodell.)

Which James Bond? 😜

> PPK allows for a fallback to non-PPK. This is handled by an extra
> Notification payload with the hash, excluding the actual PQPSK
> material. Those N payloads are emitted by ikev2_calc_no_ppk_auth by
> using the chunk result of ikev2_calculate_rsa_hash.
>
> This draft says that the PRF must have a key size of 256 bits or larger
> but it doesn't seem to further constrain it. Informational references
> include
> <https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-6>
>
> I'm guessing that any old IKEv2 auth method ought to work. So ECDSA
> ought to be included. But maybe I'm wrong.

ECDSA is not an old IKEv2 algorithm. We only support it using the new RFC 7427 :)

> ikev2_calc_no_ppk_auth takes the chunk it gets from
> ikev2_calculate_rsa_hash, sometimes prepends an ASN.1 blob, and returns
> the resulting chunk to its caller. If AUTH_PSK is used, it instead
> generates the chunk by calling ikev2_create_psk_auth.

It should do the same for ECDSA. As Andrew said, these code paths should converge again.

> (Something I care about, but isn't the subject of this note: each of
> these chunks has a small bound on its size and could be stored in an
> auto buffer instead of the heap. This would be an improvement.)

Sure :)

> The only use of ikev2_calc_no_ppk_auth is a single call that deposits
> the chunk in &pst->st_no_ppk_auth.
>
> BUG: that call does not check if the result was failure. I'll fix
> that

Ok :)

Paul
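The non-PPK fallback discussed above, modelled as an added example (this is not libreswan code). It assumes PSK authentication, HMAC-SHA256 as the PRF, that the PPK is mixed into SK_pi as a single prf+ block prf(PPK, SK_pi | 0x01), and constructed sample values; the responder returns None on failure so the caller has to check the result, which is the bug noted in the thread.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256: a 256-bit PRF, the minimum size the draft requires.
    return hmac.new(key, data, hashlib.sha256).digest()


def ppk_mix(ppk: bytes, sk: bytes) -> bytes:
    # Assumption: PPK-mixed key is the first prf+ block, prf(PPK, sk | 0x01).
    return prf(ppk, sk + b"\x01")


def psk_auth(psk: bytes, sk_pi: bytes, signed_octets: bytes, idi: bytes) -> bytes:
    # RFC 7296 shared-key AUTH: prf(prf(PSK, "Key Pad for IKEv2"), octets | prf(SK_pi, IDi)).
    pad = prf(psk, b"Key Pad for IKEv2")
    return prf(pad, signed_octets + prf(sk_pi, idi))


def build_initiator_auth(psk, sk_pi, ppk, signed_octets, idi):
    """AUTH under the PPK-mixed SK_pi, plus NO_PPK_AUTH under the plain SK_pi.
    NO_PPK_AUTH carries only the hash; the PPK material itself is never sent."""
    auth = psk_auth(psk, ppk_mix(ppk, sk_pi), signed_octets, idi)
    no_ppk_auth = psk_auth(psk, sk_pi, signed_octets, idi)
    return auth, no_ppk_auth


def responder_verify(psk, sk_pi, ppk, auth, no_ppk_auth, signed_octets, idi):
    """ppk is None when the responder has no PPK for this peer.
    Returns 'ppk', 'fallback', or None on failure (callers must check)."""
    if ppk is not None:
        expected = psk_auth(psk, ppk_mix(ppk, sk_pi), signed_octets, idi)
        return "ppk" if hmac.compare_digest(expected, auth) else None
    if no_ppk_auth is None:
        return None  # peer did not offer a fallback, so no PPK means no auth
    expected = psk_auth(psk, sk_pi, signed_octets, idi)
    return "fallback" if hmac.compare_digest(expected, no_ppk_auth) else None


# Constructed sample values (not real keys or captured traffic).
PSK = b"constructed-psk"
PPK = hashlib.sha256(b"constructed-ppk").digest()
SK_PI = hashlib.sha256(b"constructed-sk-pi").digest()
SIGNED_OCTETS = b"RealMessage1|NonceRData"
IDI = b"initiator@example.invalid"


def demo():
    auth, nppk = build_initiator_auth(PSK, SK_PI, PPK, SIGNED_OCTETS, IDI)
    with_ppk = responder_verify(PSK, SK_PI, PPK, auth, nppk, SIGNED_OCTETS, IDI)
    without_ppk = responder_verify(PSK, SK_PI, None, auth, nppk, SIGNED_OCTETS, IDI)
    return with_ppk, without_ppk
```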
