Bug 1809637

Summary: NSS missing IKEv1 Quick Mode KDF
Product: Red Hat Enterprise Linux 8 Reporter: Paul Wouters <pwouters>
Component: nssAssignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA QA Contact: Ivan Nikolchev <inikolch>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: dueno, hkario, inikolch, pvrabec, rrelyea, ssorce, szidek, toneata
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: 8.3Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.53.1-3.el8_2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-03 13:01:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1809549    
Bug Blocks: 1847532    
Attachments:
Description Flags
Update CKM_NSS_IKE1_APP_B_PRF_DERIVE to support quick mode. none

Description Paul Wouters 2020-03-03 15:27:51 UTC 
We found another KDF function in libreswan that is not using the NSS KDF API.

Unfortunately, it seems the existing IKE KDF's in NSS are not usable for the Quick Mode use.
 
The libreswan code is in compute_proto_keymat() and the specification is in  https://tools.ietf.org/html/rfc2409#section-5.5
 
 It needs:

   KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
 
which an be thought of as:
 
  KEYMAT = prf(KEY, [KEY] | BYTES)
 
but with the kicker that it also does multiple rounds aka key expansion:
 
      KEYMAT = K1 | K2 | K3 | ...
 
      where
 
        K1 = prf(KEY, [KEY] | BYTES)
        K2 = prf(KEY, K1 | [KEY] | BYTES)
        K3 = prf(KEY, K1 | [KEY] | BYTES)
        etc.
 
to generate the needed keying material >PRF size
 
looking at NSS:

sftk_ike_prf() seems to be the closest; it can compute:
   2. prf(inKey, Ni|Nr); (bDataAsKkey=FALSE, bRekey=FALSE)
   3. prf(inKey, newKey | Ni | Nr); (bDataAsKey=FALSE, bRekey=TRUE) which look good except:
  - it doesn't do multiple rounds aka key expansion

sftk_ike1_prf() can compute:
     prf(inKey, gxyKey || CKYi || CKYr || key_number)

It's problems are:
  - key number byte isn't an option
  - the gxyKey isn't optional
  - it doesn't do multiple rounds aka key expansion (technically the RFC says it should, but I'm not sure it matters)

sftk_ike1_appendix_b_prf() can only compute:
  K1 = prf(K, 0x00)
  K2 = prf(K, K1)
so it cannot be used either (it does do multiple rounds but with wrong values)

sftk_ike_prf_plus() is like sftk_ike1_appendix_b_prf() - multiple
rounds but with wrong values so it too cannot be used.
Comment 6 Bob Relyea 2020-04-20 23:45:15 UTC 
Created attachment 1680397 [details]
Update CKM_NSS_IKE1_APP_B_PRF_DERIVE to support quick mode.
Comment 14 Simo Sorce 2020-06-25 12:10:46 UTC 
Bob, don't we need a Zstream clone for this one ?
Comment 27 errata-xmlrpc 2020-08-03 13:01:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3280