proposal: Don't specify key length for ChaCha20/Poly1305

This algorithm uses a fixed-length key and we MUST NOT send a key length attribute when proposing such algorithms. While we could accept transforms with key length this would only work as responder, as original initiator it wouldn't because we won't know if a peer requires the key length. And as exchange initiator (e.g. for rekeyings), while being original responder, we'd have to go to great lengths to store the condition and modify the sent proposal to patch in the key length. This doesn't seem worth it for only a partial fix. This means, however, that ChaCha20/Poly1305 can't be used with previous releases (5.3.3 an newer) that don't contain this fix. Fixes #2614. Fixes: 3232c0e64e ("Merge branch 'chapoly'")
2018-04-04 18:08:11 +02:00 · 2018-04-04 18:08:11 +02:00 · 5a7b0be294
parent b2163409cc
commit 5a7b0be294
4 changed files with 20 additions and 2 deletions
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg)
 	keylen_entry_t map[] = {
 		{ENCR_DES,					 64},
 		{ENCR_3DES,					192},
+		{ENCR_CHACHA20_POLY1305,	256},
 	};
 	int i;

--- a/src/libstrongswan/crypto/proposal/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@ -956,7 +956,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 					break;
 				case ENCR_CHACHA20_POLY1305:
-					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 					break;
 				default:
 					break;
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@ -78,7 +78,7 @@ aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
 aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
 aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
 aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
-chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256
+chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,    0
 blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192
--- a/src/libstrongswan/tests/suites/test_proposal.c
+++ b/src/libstrongswan/tests/suites/test_proposal.c
@ -281,6 +281,19 @@ START_TEST(test_unknown_transform_types_select_success)
 }
 END_TEST

+START_TEST(test_chacha20_poly1305_key_length)
+{
+	proposal_t *proposal;
+	uint16_t alg, ks;
+
+	proposal = proposal_create_from_string(PROTO_IKE, "chacha20poly1305-prfsha256-ecp256");
+	proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks);
+	ck_assert_int_eq(alg, ENCR_CHACHA20_POLY1305);
+	ck_assert_int_eq(ks, 0);
+	assert_proposal_eq(proposal, "IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256");
+	proposal->destroy(proposal);
+}
+END_TEST


 Suite *proposal_suite_create()
@ -313,5 +326,9 @@ Suite *proposal_suite_create()
 	tcase_add_test(tc, test_unknown_transform_types_select_success);
 	suite_add_tcase(s, tc);

+	tc = tcase_create("chacha20/poly1305");
+	tcase_add_test(tc, test_chacha20_poly1305_key_length);
+	suite_add_tcase(s, tc);
+
 	return s;
 }