ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonce
authorTobias Brunner <tobias@strongswan.org>
Thu, 6 Jul 2017 13:51:29 +0000 (15:51 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 27 Jul 2017 11:09:26 +0000 (13:09 +0200)
References #2377.

src/libcharon/sa/ikev2/keymat_v2.c

index 70dacd1..0c41c68 100644 (file)
@@ -342,10 +342,13 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
         * the nonces. */
        switch (alg)
        {
+               case PRF_AES128_CMAC:
+                       /* while variable keys may be used according to RFC 4615, RFC 7296
+                        * explicitly limits the key size to 128 bit for this application */
                case PRF_AES128_XCBC:
-                       /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+                       /* while RFC 4434 defines variable keys for AES-XCBC, RFC 3664 does
                         * not and therefore fixed key semantics apply to XCBC for key
-                        * derivation. */
+                        * derivation, which is also reinforced by RFC 7296 */
                case PRF_CAMELLIA128_XCBC:
                        /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
                         * assume fixed key length. */
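Review bot: The comment added above `case PRF_AES128_XCBC:` for `PRF_AES128_CMAC` says RFC 7296 limits the key to 128 bit, but not what the code does as a result: only the first 64 bits of Ni and of Nr form the PRF key for SKEYSEED. I would word it as `/* RFC 4615 allows variable-length keys, but RFC 7296, section 2.14 fixes the key at 128 bit: first 64 bits of Ni | first 64 bits of Nr */`. Because this changes the derived keys whenever AES-CMAC is negotiated as PRF, peers that still key the PRF with the full nonces will presumably fail authentication in IKE_AUTH, so the change deserves a line in the release notes. As a style point, the `rfc 4434` reference in the `PRF_CAMELLIA128_XCBC` comment is now inconsistent with the upper-cased `RFC` spelling used in the two comments above it. The switch body and the truncation itself lie outside the hunk, so whether the shortened key is confined to the initial SKEYSEED computation cannot be confirmed from here.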