From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 6 Jul 2017 13:51:29 +0000 (+0200)
Subject: ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonce
X-Git-Tag: 5.6.0dr4~13
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=791cfe82a109100b4ff2e79f09b8a8e277f6fbae;p=thirdparty%2Fstrongswan.git

ikev2: AES-CMAC-PRF-128 only uses the first 64 bits of each nonce

References #2377.
---

diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 70dacd1dcf..0c41c68d01 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -342,10 +342,13 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 	 * the nonces. */
 	switch (alg)
 	{
+		case PRF_AES128_CMAC:
+			/* while variable keys may be used according to RFC 4615, RFC 7296
+			 * explicitly limits the key size to 128 bit for this application */
 		case PRF_AES128_XCBC:
-			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			/* while RFC 4434 defines variable keys for AES-XCBC, RFC 3664 does
 			 * not and therefore fixed key semantics apply to XCBC for key
-			 * derivation. */
+			 * derivation, which is also reinforced by RFC 7296 */
 		case PRF_CAMELLIA128_XCBC:
 			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
 			 * assume fixed key length. */