New upstream version 5.6.0

author: Yves-Alexis Perez <corsac@corsac.net> 2017-09-01 17:21:25 +0200
committer: Yves-Alexis Perez <corsac@corsac.net> 2017-09-01 17:21:25 +0200
commit: 11d6b62db969bdd808d0f56706cb18f113927a31 (patch)
tree: 8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /src/libcharon/sa/ikev2/keymat_v2.c
parent: bba25e2ff6c4a193acb54560ea4417537bd2954e (diff)
download: vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.tar.gz
vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 70dacd1dc..0c41c68d0 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -342,10 +342,13 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 	 * the nonces. */
 	switch (alg)
 	{
+		case PRF_AES128_CMAC:
+			/* while variable keys may be used according to RFC 4615, RFC 7296
+			 * explicitly limits the key size to 128 bit for this application */
 		case PRF_AES128_XCBC:
-			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			/* while RFC 4434 defines variable keys for AES-XCBC, RFC 3664 does
 			 * not and therefore fixed key semantics apply to XCBC for key
-			 * derivation. */
+			 * derivation, which is also reinforced by RFC 7296 */
 		case PRF_CAMELLIA128_XCBC:
 			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
 			 * assume fixed key length. */
author	Yves-Alexis Perez <corsac@corsac.net>	2017-09-01 17:21:25 +0200
committer	Yves-Alexis Perez <corsac@corsac.net>	2017-09-01 17:21:25 +0200
commit	11d6b62db969bdd808d0f56706cb18f113927a31 (patch)
tree	8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /src/libcharon/sa/ikev2/keymat_v2.c
parent	bba25e2ff6c4a193acb54560ea4417537bd2954e (diff)
download	vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.tar.gz vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.zip