MC's Journal

Progress in the BTNS project: Raw RSA key in CERT payload

Edit to correct language.

Edit to add BTNS working.

Sickness has delayed the BTNS project. I apologise if someone out there is holding their breath. Please exhale. This will take the time it takes.

I am, however, very pleased to announce the following:

sa_state: VALID -> ESTABLISHED from 10.0.0.6:500 to 10.0.0.4:500 policy 'policy1'

What you see is OpenBSD's iked telling us that it established a Security Association with a peer. Nothing unusual in that. However, this time it is preceded by:

MC!!!!! ca_getcert: type RSA key

MC: validate_pubkey: id_type: 2, len: 270
ca_validate_pubkey: looking up pubkeys/fqdn/ipsec3.hack.org
MC: Found the key on file.
MC: The public keys are the same.

which means that iked is not using the ordinary X.509 certificates. Instead, it's using raw RSA public keys in the CERT payload.

You can find my incredibly crude first patch linked on the project page.

If you apply that patch, iked will validate the raw RSA key in the CERT payload against a file with the peer's public key. If you apply a small patch to ignore the key validation you have Better-Than-Nothing Security! Hardcoded and incredibly crude, but working.
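The check described above, as an added example that is neither the patch nor iked's own code: the body of a CERT payload is accepted only if its encoding is Raw RSA Key (11 in RFC 7296) and its bytes equal the public key stored for the peer. The function names and the sample key are constructed for illustration; 270 bytes is the DER length of a PKCS#1 RSAPublicKey with a 2048-bit modulus and e = 65537, consistent with the `len: 270` in the log.

```c
#include <stdint.h>
#include <string.h>

#define CERT_RAW_RSA_KEY 11   /* Certificate Encoding "Raw RSA Key", RFC 7296 section 3.6 */
#define SAMPLE_KEY_LEN   270  /* PKCS#1 RSAPublicKey, 2048-bit modulus, e = 65537 */
enum pin_result { PIN_MATCH, PIN_MISMATCH, PIN_BAD_ENCODING, PIN_MALFORMED };

/* Constructed sample: DER skeleton of an RSAPublicKey with a dummy modulus. */
void build_sample_key(uint8_t out[SAMPLE_KEY_LEN], uint8_t fill)
{
    /* SEQUENCE (266 bytes), then INTEGER (257 bytes) starting with a 0x00 sign byte */
    static const uint8_t head[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00 };
    static const uint8_t tail[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };  /* INTEGER 65537 */
    memcpy(out, head, sizeof(head));
    memset(out + sizeof(head), fill | 0x80, 256);  /* dummy modulus bytes, top bit set */
    memcpy(out + sizeof(head) + 256, tail, sizeof(tail));
}

/* True if buf is one DER SEQUENCE whose declared length fills all len bytes. */
static int der_sequence_fills(const uint8_t *buf, size_t len)
{
    size_t clen, n = 0, i;
    if (len < 2 || buf[0] != 0x30) return 0;
    clen = buf[1];
    if (clen & 0x80) {                    /* long form: next n bytes hold the length */
        n = clen & 0x7f;
        if (n == 0 || n > 2 || len < 2 + n) return 0;
        for (clen = 0, i = 0; i < n; i++) clen = (clen << 8) | buf[2 + i];
    }
    return clen == len - 2 - n;
}

/* body: CERT payload after the generic header = encoding byte + key bytes. */
enum pin_result check_raw_rsa_cert(const uint8_t *body, size_t len,
    const uint8_t *pinned, size_t pinned_len)
{
    if (len < 2) return PIN_MALFORMED;
    if (body[0] != CERT_RAW_RSA_KEY) return PIN_BAD_ENCODING;
    if (!der_sequence_fills(body + 1, len - 1)) return PIN_MALFORMED;
    if (len - 1 != pinned_len || memcmp(body + 1, pinned, pinned_len)) return PIN_MISMATCH;
    return PIN_MATCH;
}

int main(void)
{
    uint8_t key[SAMPLE_KEY_LEN], body[1 + SAMPLE_KEY_LEN];
    build_sample_key(key, 0x11);
    body[0] = CERT_RAW_RSA_KEY;
    memcpy(body + 1, key, sizeof(key));
    return check_raw_rsa_cert(body, sizeof(body), key, sizeof(key));  /* 0 = PIN_MATCH */
}
```

Treating `PIN_MISMATCH` as acceptable corresponds to the unauthenticated BTNS mode mentioned above: the key is still carried in the CERT payload, but nothing ties it to a known peer.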