| author | Tobias Brunner <tobias@strongswan.org> | 2017-07-06 15:51:29 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2017-07-27 13:09:26 +0200 |
| commit | 791cfe82a109100b4ff2e79f09b8a8e277f6fbae (patch) | |
| tree | 18e9fb83c0a1c95c10a7c3f5e6f4a55abf71c405 /src/libcharon/sa/ikev2 | |
| parent | ed926a73dfa2cd5467b0a55f10ca3a52dcb53d54 (diff) | |
| download | strongswan-791cfe82a109100b4ff2e79f09b8a8e277f6fbae.tar.bz2 strongswan-791cfe82a109100b4ff2e79f09b8a8e277f6fbae.tar.xz | |
ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonce
References #2377.
Diffstat (limited to 'src/libcharon/sa/ikev2')
| -rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 70dacd1dc..0c41c68d0 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -342,10 +342,13 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 * the nonces. */
 switch (alg)
 {
+ case PRF_AES128_CMAC:
+ /* while variable keys may be used according to RFC 4615, RFC 7296
+ * explicitly limits the key size to 128 bit for this application */
 case PRF_AES128_XCBC:
- /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+ /* while RFC 4434 defines variable keys for AES-XCBC, RFC 3664 does
 * not and therefore fixed key semantics apply to XCBC for key
- * derivation. */
+ * derivation, which is also reinforced by RFC 7296 */
 case PRF_CAMELLIA128_XCBC:
 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
 * assume fixed key length. */ |
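Review bot: The new comment above `case PRF_AES128_CMAC:` states the key-size limit but not the consequence the commit title is about, nor where in RFC 7296 it comes from, so a reader of the switch cannot tell why CMAC shares the XCBC label without consulting the commit log. Suggested wording: `/* RFC 4615 allows variable-length keys, but RFC 7296 section 2.14 fixes the key size at 128 bits for this application, so only the first 64 bits of each nonce feed SKEYSEED (same fixed-key handling as XCBC below) */`. The truncation itself is presumably performed after the switch, which lies outside this hunk, as does the rest of derive_ike_keys. Since SKEYSEED for this PRF now differs from what earlier releases computed, IKE_SAs negotiating AES-CMAC-PRF-128 against an unpatched strongSwan peer will presumably fail to establish; that interoperability effect is worth stating in the commit message.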
