proposal: Don't specify key length for ChaCha20/Poly1305

This algorithm uses a fixed-length key and we MUST NOT send a key length
attribute when proposing such algorithms.

While we could accept transforms with key length this would only work as
responder, as original initiator it wouldn't because we won't know if a
peer requires the key length.  And as exchange initiator (e.g. for
rekeyings), while being original responder, we'd have to go to great
lengths to store the condition and modify the sent proposal to patch in
the key length.  This doesn't seem worth it for only a partial fix.
This means, however, that ChaCha20/Poly1305 can't be used with previous
releases (5.3.3 an newer) that don't contain this fix.

Fixes #2614.

Fixes: 3232c0e64ed1 ("Merge branch 'chapoly'")

diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index d1f6a1bdc5060c83b959dbcf5f4e739f62c6f501..3eea19f7d4f6a3b9096d30d69bec612a7095cbd6 100644 (file)
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg)
        keylen_entry_t map[] = {
                {ENCR_DES,                                       64},
                {ENCR_3DES,                                     192},
+               {ENCR_CHACHA20_POLY1305,        256},
        };
        int i;
 

diff --git a/src/libstrongswan/crypto/proposal/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c
index 52520640cd3b69e21f077c596fe3725792c48f28..d671879c084590fc4154b8ebea1e3d42354f21c8 100644 (file)
--- a/src/libstrongswan/crypto/proposal/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@@ -956,7 +956,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                                        add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
                                        break;
                                case ENCR_CHACHA20_POLY1305:
-                                       add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+                                       add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
                                        break;
                                default:
                                        break;

diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index c44ed96a0420b3e74b34702af077d8ae2b5e1091..77dea333a4aac75c56f8dbff04ece86bd9fc63b6 100644 (file)
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -78,7 +78,7 @@ aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
 aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
 aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
 aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
-chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256
+chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,    0
 blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
 blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192

diff --git a/src/libstrongswan/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c
index 29621a8d915debc13f08a76146f036001a592fd5..938fa38aa8c2f50e01e6d7c2771132021283f3ce 100644 (file)
--- a/src/libstrongswan/tests/suites/test_proposal.c
+++ b/src/libstrongswan/tests/suites/test_proposal.c
@@ -281,6 +281,19 @@ START_TEST(test_unknown_transform_types_select_success)
 }
 END_TEST
 
+START_TEST(test_chacha20_poly1305_key_length)
+{
+       proposal_t *proposal;
+       uint16_t alg, ks;
+
+       proposal = proposal_create_from_string(PROTO_IKE, "chacha20poly1305-prfsha256-ecp256");
+       proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &ks);
+       ck_assert_int_eq(alg, ENCR_CHACHA20_POLY1305);
+       ck_assert_int_eq(ks, 0);
+       assert_proposal_eq(proposal, "IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256");
+       proposal->destroy(proposal);
+}
+END_TEST
 
 
 Suite *proposal_suite_create()
@@ -313,5 +326,9 @@ Suite *proposal_suite_create()
        tcase_add_test(tc, test_unknown_transform_types_select_success);
        suite_add_tcase(s, tc);
 
+       tc = tcase_create("chacha20/poly1305");
+       tcase_add_test(tc, test_chacha20_poly1305_key_length);
+       suite_add_tcase(s, tc);
+
        return s;
 }