proposal: Don't specify key length for ChaCha20/Poly1305
authorTobias Brunner <tobias@strongswan.org>
Wed, 4 Apr 2018 16:08:11 +0000 (18:08 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 12 Apr 2018 14:07:13 +0000 (16:07 +0200)
This algorithm uses a fixed-length key and we MUST NOT send a key length
attribute when proposing such algorithms.

While we could accept transforms with key length this would only work as
responder, as original initiator it wouldn't because we won't know if a
peer requires the key length.  And as exchange initiator (e.g. for
rekeyings), while being original responder, we'd have to go to great
lengths to store the condition and modify the sent proposal to patch in
the key length.  This doesn't seem worth it for only a partial fix.
This means, however, that ChaCha20/Poly1305 can't be used with previous
releases (5.3.3 and newer) that don't contain this fix.

Fixes #2614.

Fixes: 3232c0e64ed1 ("Merge branch 'chapoly'")

src/libcharon/sa/keymat.c
src/libstrongswan/crypto/proposal/proposal.c
src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
src/libstrongswan/tests/suites/test_proposal.c

index d1f6a1b..3eea19f 100644 (file)
@@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg)
        keylen_entry_t map[] = {
                {ENCR_DES,                                       64},
                {ENCR_3DES,                                     192},
+               {ENCR_CHACHA20_POLY1305,        256},
        };
        int i;
 
index 5252064..d671879 100644 (file)
@@ -956,7 +956,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                                        add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
                                        break;
                                case ENCR_CHACHA20_POLY1305:
-                                       add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+                                       add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
                                        break;
                                default:
                                        break;
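Review bot: The literal `0` passed to add_algorithm() in the ENCR_CHACHA20_POLY1305 case means "send no Key Length attribute", but nothing in the code says so. A comment above the call, such as `/* fixed-length key: no key length attribute must be proposed */`, would keep a later edit from restoring 256. With the size gone from the proposal, the 256-bit value appears to live only in the keymat_get_keylen_encr() map entry added in the first hunk, so it is worth confirming outside the visible lines that no caller takes the key size straight from the proposal and ends up with 0. The keyword-table row for chacha20poly1305 carries the same 0. The body of proposal_add_supported_ike() starts and ends outside this hunk.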
index c44ed96..77dea33 100644 (file)
@@ -78,7 +78,7 @@ aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
 aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
 aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
 aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
-chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256
+chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,    0
 blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192
index 29621a8..938fa38 100644 (file)
@@ -281,6 +281,19 @@ START_TEST(test_unknown_transform_types_select_success)
 }
 END_TEST
 
+START_TEST(test_chacha20_poly1305_key_length)
+{
+       proposal_t *proposal;
+       uint16_t alg, ks;
+
+       proposal = proposal_create_from_string(PROTO_IKE, "chacha20poly1305-prfsha256-ecp256");
+       proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks);
+       ck_assert_int_eq(alg, ENCR_CHACHA20_POLY1305);
+       ck_assert_int_eq(ks, 0);
+       assert_proposal_eq(proposal, "IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256");
+       proposal->destroy(proposal);
+}
+END_TEST
 
 
 Suite *proposal_suite_create()
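Review bot: test_chacha20_poly1305_key_length dereferences the result of proposal_create_from_string() without checking it and ignores the return value of get_algorithm(). A parse failure would therefore crash on a NULL pointer, and a missing encryption transform would compare uninitialized `alg` and `ks`. Assert both, e.g. `ck_assert(proposal);` after the create call and `ck_assert(proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks));`, assuming get_algorithm() reports success as a boolean. The test also covers only the keyword path: the default proposal built in proposal_add_supported_ike() and selection against a peer transform that carries key length 256 (the interop break the commit message describes) are not exercised here.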
@@ -313,5 +326,9 @@ Suite *proposal_suite_create()
        tcase_add_test(tc, test_unknown_transform_types_select_success);
        suite_add_tcase(s, tc);
 
+       tc = tcase_create("chacha20/poly1305");
+       tcase_add_test(tc, test_chacha20_poly1305_key_length);
+       suite_add_tcase(s, tc);
+
        return s;
 }