From 5a7b0be2949bc7a1ff68c097fe1cac3fac70184e Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 4 Apr 2018 18:08:11 +0200
Subject: [PATCH] proposal: Don't specify key length for ChaCha20/Poly1305

This algorithm uses a fixed-length key and we MUST NOT send a key length attribute when proposing such algorithms. While we could accept transforms with key length this would only work as responder, as original initiator it wouldn't because we won't know if a peer requires the key length. And as exchange initiator (e.g. for rekeyings), while being original responder, we'd have to go to great lengths to store the condition and modify the sent proposal to patch in the key length. This doesn't seem worth it for only a partial fix. This means, however, that ChaCha20/Poly1305 can't be used with previous releases (5.3.3 an newer) that don't contain this fix.
Fixes #2614.
Fixes: 3232c0e64ed1 ("Merge branch 'chapoly'")
---
 src/libcharon/sa/keymat.c | 1 +
 src/libstrongswan/crypto/proposal/proposal.c | 2 +-
 .../proposal/proposal_keywords_static.txt | 2 +-
 src/libstrongswan/tests/suites/test_proposal.c | 17 +++++++++++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index d1f6a1bdc..3eea19f7d 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg)
 keylen_entry_t map[] = {
 {ENCR_DES, 64},
 {ENCR_3DES, 192},
+ {ENCR_CHACHA20_POLY1305, 256},
 };
 int i;
diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c
index 52520640c..d671879c0 100644
--- a/src/libstrongswan/crypto/proposal/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
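Review bot: In the keymat.c hunk, the new `{ENCR_CHACHA20_POLY1305, 256}` entry in `keymat_get_keylen_encr()` is where the 256-bit size now has to come from, because the rest of this commit sets the proposal's key size for this algorithm to 0, and nothing on the line records that coupling. A short comment would keep it visible, e.g. `/* fixed-length key: proposals carry key size 0, so the length must come from this table */`. Any code that sizes key material directly from the negotiated key size instead of through this lookup would presumably end up with a zero-length key for this algorithm; those callers are not shown in this commit, so it is worth confirming that each one falls back to this function when the size is 0. The function body continues outside the hunk.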
@@ -956,7 +956,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 break;
 case ENCR_CHACHA20_POLY1305:
- add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 break;
 default:
 break;
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index c44ed96a0..77dea333a 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -78,7 +78,7 @@ aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
 aes128gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
 aes192gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
 aes256gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
-chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305, 256
+chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305, 0
 blowfish, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
 blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
 blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192
diff --git a/src/libstrongswan/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c
index 29621a8d9..938fa38aa 100644
--- a/src/libstrongswan/tests/suites/test_proposal.c
+++ b/src/libstrongswan/tests/suites/test_proposal.c
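Review bot: The bare `0` now passed to `add_algorithm()` in the `ENCR_CHACHA20_POLY1305` case of `proposal_add_supported_ike()` reads like a mistake next to the explicit `256` in the preceding case, so the reason belongs in the code and not only in the commit message. Suggest a comment on the call such as `/* fixed-length key, a key length attribute must not be sent */`. The same explanation would help on the `chacha20poly1305` row changed in proposal_keywords_static.txt, if that file format permits comments. The function starts and ends outside the hunk, so any other place in it that adds this algorithm cannot be checked from here.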
@@ -281,6 +281,19 @@ START_TEST(test_unknown_transform_types_select_success)
 }
 END_TEST
+START_TEST(test_chacha20_poly1305_key_length)
+{
+ proposal_t *proposal;
+ uint16_t alg, ks;
+
+ proposal = proposal_create_from_string(PROTO_IKE, "chacha20poly1305-prfsha256-ecp256");
+ proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks);
+ ck_assert_int_eq(alg, ENCR_CHACHA20_POLY1305);
+ ck_assert_int_eq(ks, 0);
+ assert_proposal_eq(proposal, "IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256");
+ proposal->destroy(proposal);
+}
+END_TEST
 Suite *proposal_suite_create()
@@ -313,5 +326,9 @@ Suite *proposal_suite_create()
 tcase_add_test(tc, test_unknown_transform_types_select_success);
 suite_add_tcase(s, tc);
+ tc = tcase_create("chacha20/poly1305");
+ tcase_add_test(tc, test_chacha20_poly1305_key_length);
+ suite_add_tcase(s, tc);
+
 return s;
 }
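Review bot: In `test_chacha20_poly1305_key_length`, `alg` and `ks` are declared uninitialized and the result of `proposal->get_algorithm()` is discarded, so if the lookup fails the two `ck_assert_int_eq()` calls compare indeterminate values; likewise, if `proposal_create_from_string()` can return NULL on a parse failure, the test would crash on the next line instead of failing cleanly. Suggest `ck_assert(proposal);` after the create call and wrapping the lookup as `ck_assert(proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks));`, assuming it reports success through its return value as the out-parameters suggest. The test also only covers the keyword-parsing path: the behaviour the commit message describes for a peer that still sends a key length of 256 is not pinned by any assertion, and a case for it would document the interoperability break.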