Secnet progress
Mark Wooding
mdw at distorted.org.uk
Sat Sep 28 17:08:20 BST 2019
Mark Wooding <mdw at distorted.org.uk> writes:
> * The `ECDH, early capabilities, etc.' discussion ended with a
> resolution to make new DH group elements on the wire be plain
> binary. I did that, though maybe the buffer-protocol work
> (discussed below) will change how that works.
Less discussed than I hoped :-/. Oops. Let me try again.
I started looking at this, but it's a little tricky. Currently, `dh_if'
is stateless, but I don't see a conceptual problem with changing that --
`hash_if' is stateful, for example.
So: my initial rough plan was to have three operations:
* `generate': make up a new ephemeral private key, clobbering any
previous one, and calculate the corresponding public key;
* `appendpublic': append the current public key to a given buffer; and
* `makeshared': unprepend a public key from a buffer, calculate the
shared secret from this public key and our private key, and write
that to some other buffer.
Alas, this doesn't work. Combining parsing and key-agreement is a
mistake because parsing is done on the message prior to verification,
and we probably don't want to spin the CPU doing key-agreement if the
signature is wrong. (Note: RSA signature verification is extremely
cheap.)
So, we need to split parsing from agreement; but this means that we need
to put the parsed public key somewhere so that, if we do decide to
proceed with agreement, we can find it again. The current code just
remembers some pointers into the input buffer. I /could/ just decree
that the input buffer that a notional `unprependpublic' reads must
survive until `makeshared', if you ever get around to calling that, but
it seems a rather dirty trick. Also, either `unprependpublic' needs to
remember whatever things it needs as part of its `dh_if' state, or dump
them on its caller to stuff back into `makeshared' when the time comes.
The former seems rather grim conceptually (but easy to program); the
latter will involve either decreeing that the bundle of parsed stuff
has some common form (a pointer and a length, say), or allocating
and freeing an opaque wossname.
None of these options really appeals. :-/
-- [mdw]
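The three-operation design above, reworked so that parsing is split off from agreement and the parsed public key travels in an opaque allocation (the last of the options listed), as an added C sketch that is not secnet's own code. The toy 31-bit group, the names `dh_state`, `dh_pub`, `dh_*` and the 4-byte big-endian wire encoding are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy group (assumption, for illustration only, not secure): p = 2^31 - 1 */
#define TOY_P 2147483647u
#define TOY_G 7u

static uint32_t modexp(uint32_t b, uint32_t e) {
    uint64_t r = 1, x = b;
    for (; e; e >>= 1) { if (e & 1) r = r * x % TOY_P; x = x * x % TOY_P; }
    return (uint32_t)r;
}

struct dh_state { uint32_t priv, pub; };  /* per-instance dh_if state */
struct dh_pub   { uint32_t y; };          /* opaque parsed public key */

/* generate: make a fresh ephemeral key, clobbering any previous one. */
void dh_generate(struct dh_state *st) {
    st->priv = 1 + (uint32_t)rand() % (TOY_P - 2);  /* real code: a CSPRNG */
    st->pub = modexp(TOY_G, st->priv);
}

/* appendpublic: big-endian encoding; returns bytes written, -1 if no room. */
int dh_appendpublic(const struct dh_state *st, uint8_t *buf, size_t room) {
    if (room < 4) return -1;
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(st->pub >> (24 - 8 * i));
    return 4;
}

/* unprependpublic: cheap parse and range check only, no exponentiation.
 * The result is an opaque allocation the caller hands back to makeshared
 * once the signature has been verified, so the input buffer need not
 * survive until then.  Returns bytes consumed, -1 on a malformed key. */
int dh_unprependpublic(const uint8_t *buf, size_t len, struct dh_pub **out) {
    uint32_t y = 0;
    if (len < 4) return -1;
    for (int i = 0; i < 4; i++) y = (y << 8) | buf[i];
    if (y < 2 || y > TOY_P - 2) return -1;  /* rejects 0, 1, p-1 and >= p */
    if (!(*out = malloc(sizeof **out))) return -1;
    (*out)->y = y;
    return 4;
}

/* makeshared: the expensive step, run only after verification succeeded. */
uint32_t dh_makeshared(const struct dh_state *st, const struct dh_pub *pub) {
    return modexp(pub->y, st->priv);
}

void dh_pub_free(struct dh_pub *pub) { free(pub); }
```

Because `dh_unprependpublic` rejects the trivial elements before allocating, a message carrying a bad key is dropped without ever reaching the exponentiation in `dh_makeshared`.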