[PATCH 38/43] secnet.8: Describe capability negotiation in its own section. [and 1 more messages]

Mark Wooding mdw at distorted.org.uk
Mon May 1 02:42:20 BST 2017

Mark Wooding <mdw at distorted.org.uk> writes:

> Suppose Bob is configured to use trad-DH, Serpent-EAX, Serpent256-CBC,
> and ChaCha20/Poly1305 because he's from the future.  He'll set cap bit 8
> (Serpent256-CBC), 9 (Serpent-EAX), 16 (ChaCha20/Poly1305), and 15
> (because he wants his peer to notice cap bit 16), but won't view any of
> them as early (because he has a chance of interoperating with an ancient
> Secnet).
> It so happens that Bob opens this exchange.  He has no early caps to
> send, so he sends a backwards-compatible MSG1.  Alice responds with her
> caps in MSG2.  Bob decides on Serpent-EAX and trad-DH, and sends those
> back as MSG3TER.  Alice receives this -- and then rejects it because it
> has bits 15 and 11 set, and in her mind these are early bits that Bob
> should have sent in MSG1 but didn't.


> I rather agree, but this seems not to be compatible with both the picky
> checking and interoperating with old versions.  Earliness is not a
> property of a cap that you can necessarily discern by looking at it in
> isolation: it depends on the other caps around it, particularly for caps
> 10 and 15.  I think the picky checking has to go.  Do you agree?

Other, more complicated plan.  Alice can just about reverse-engineer
Bob's thought process.  She can tell that the only overlapping DH group
she shares with Bob is TRADZP, and that therefore his motivation for
setting EXPLICIT was to include CHACHA20POLY1305, so therefore neither
TRADZP nor EXPLICIT needed to be sent early.

The general case:

  * Let MYDH be the set of the DH groups I support.  Let MYXFORM be the
    set of the transforms I support.  If MYDH - { TRADZP } is not empty
    | MYEARLY.  Otherwise, set MYEARLY = 0; if MYDH | MYXFORM does not
    only have bits 0..15 set, and set MYCAPS = MYXFORM | MYDH |
    { EXPLICIT }; else set MYCAPS = MYXFORM | MYDH.

  * Let YOURCAPS be the caps set you sent in your MSG3 variant.  Let
    YOURDH = YOURCAPS & MYDH.  If YOURDH - { TRADZP } is not empty, then
    set YOUREARLY = YOURDH | { EXPLICIT }; otherwise, set YOUREARLY =
    0.  Now complain if YOURCAPS & YOUREARLY are not the caps set sent
    in MSG1.

This does seem awfully fiddly, and prone to break in some future
version.  I loathe it with a rare passion.

-- [mdw]
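
The receiver-side check from the second bullet, next to the fixed-mask "picky" check from the quoted scenario, as an added example that is not part of the original message or of secnet's code. Bits 8, 9, 15 and 16 are the numbers given in the message; the bit positions for TRADZP and the second DH group, the fixed early mask, and all function and constant names are assumptions made for illustration. The garbled first bullet (the sender side) is not implemented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP(n) ((uint32_t)1 << (n))
/* Bit numbers stated in the message. */
#define CAP_SERPENT256CBC    CAP(8)
#define CAP_SERPENT_EAX      CAP(9)
#define CAP_EXPLICIT         CAP(15)
#define CAP_CHACHA20POLY1305 CAP(16)
/* Assumed bit positions, chosen for this example only. */
#define CAP_TRADZP           CAP(11)
#define CAP_OTHERDH          CAP(12)  /* hypothetical second DH group */

/* Picky check: a fixed set of bits is early regardless of context. */
static bool picky_ok(uint32_t yourcaps, uint32_t fixed_early, uint32_t msg1caps)
{
    return (yourcaps & fixed_early) == msg1caps;
}

/* Second bullet: YOUREARLY is non-empty only if we share a non-TRADZP group. */
static uint32_t your_early(uint32_t yourcaps, uint32_t mydh)
{
    uint32_t yourdh = yourcaps & mydh;
    return (yourdh & ~CAP_TRADZP) ? (yourdh | CAP_EXPLICIT) : 0;
}

/* "Complain if YOURCAPS & YOUREARLY are not the caps set sent in MSG1." */
static bool contextual_ok(uint32_t yourcaps, uint32_t mydh, uint32_t msg1caps)
{
    return (yourcaps & your_early(yourcaps, mydh)) == msg1caps;
}

/* Constructed inputs: Alice's DH groups, Bob's caps, and a peer (Carol)
   who shares the second DH group with Alice. */
static const uint32_t ALICE_DH = CAP_TRADZP | CAP_OTHERDH;
static const uint32_t BOB_CAPS = CAP_SERPENT256CBC | CAP_SERPENT_EAX |
    CAP_TRADZP | CAP_EXPLICIT | CAP_CHACHA20POLY1305;
static const uint32_t CAROL_CAPS = CAP_SERPENT_EAX | CAP_TRADZP |
    CAP_OTHERDH | CAP_EXPLICIT;

int main(void)
{
    uint32_t fixed = CAP_TRADZP | CAP_EXPLICIT;
    printf("Bob, empty MSG1, picky:        %d\n", picky_ok(BOB_CAPS, fixed, 0));
    printf("Bob, empty MSG1, contextual:   %d\n", contextual_ok(BOB_CAPS, ALICE_DH, 0));
    printf("Carol, empty MSG1, contextual: %d\n", contextual_ok(CAROL_CAPS, ALICE_DH, 0));
    return 0;
}
```
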
