Hi,

> noticed that it uses too short a nonce for PRF HMAC-SHA2-384 and
> HMAC-SHA2-512 in the IKE_SA_INIT exchange

Yes, this is true. I already had this on my TODO list, but didn't look at it in detail yet.

> I notice charon is hardwired to use a 16 byte nonce which pretty much
> restricts it to using PRFs with a key length <= 256.. It would be
> better to always choose a nonce length of half the chosen prf or half
> the longest PRF offered.

While choosing a nonce size dynamically sounds reasonable, I think it's better to use a fixed nonce. As initiator, you'll most likely end up with 32 byte nonces, as SHA512 is in the default proposal list. And as the nonces are not in IKE_AUTH, it will not result in more likely packet fragmentation when using larger nonces.

I see problems with some corner cases when using dynamic nonce sizes, e.g. during rekeying. Some implementations might use the old PRF, others use the new negotiated PRF to choose a nonce size. I don't expect new PRFs with larger key sizes, but we can change this behavior if such an algorithm shows up.

I've increased the nonce to 32 bytes, changeset http://trac.strongswan.org/changeset/4819

Thanks
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
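The rule behind the thread is RFC 7296 section 2.10: an IKEv2 nonce must be at least 128 bits and at least half the key size of the negotiated PRF, where the key size of an HMAC-based PRF is its hash output length (section 2.13). The following is an added example, not charon's code or the changeset linked above: it models that rule over a constructed table of IKEv2 PRF transforms, shows why a hardwired 16-byte nonce fails for HMAC-SHA2-384 and HMAC-SHA2-512 while 32 bytes covers every PRF in the table, and illustrates the rekeying corner case Martin describes, where a "half the PRF key size" policy yields different lengths depending on whether a peer sizes the nonce by the old IKE_SA's PRF or by the newly proposed one. The function and variable names (`min_nonce_len`, `nonce_len_for_proposal`, `dynamic_sizes_agree`, `prfs`) are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed table of IKEv2 PRF transforms with the key size (bytes) the
 * nonce rule is measured against. Per RFC 7296 section 2.13 the key size of
 * an HMAC-based PRF is the hash output length; PRF_AES128_XCBC uses a
 * 128-bit key. */
typedef struct {
    const char *name;
    size_t key_len;
} prf_t;

static const prf_t prfs[] = {
    { "PRF_HMAC_MD5",      16 },
    { "PRF_HMAC_SHA1",     20 },
    { "PRF_AES128_XCBC",   16 },
    { "PRF_HMAC_SHA2_256", 32 },
    { "PRF_HMAC_SHA2_384", 48 },
    { "PRF_HMAC_SHA2_512", 64 },
};
#define NUM_PRFS (sizeof(prfs) / sizeof(prfs[0]))

/* RFC 7296 section 2.10: nonces MUST be at least 128 bits. */
#define NONCE_MIN_LEN 16

/* Smallest nonce RFC 7296 allows with this PRF: at least 128 bits and at
 * least half the PRF key size. */
size_t min_nonce_len(const prf_t *prf)
{
    size_t half = prf->key_len / 2;
    return half > NONCE_MIN_LEN ? half : NONCE_MIN_LEN;
}

/* Returns 1 if a nonce of nonce_len bytes is acceptable with prf, else 0. */
int nonce_len_ok(size_t nonce_len, const prf_t *prf)
{
    return nonce_len >= min_nonce_len(prf);
}

/* What a fixed nonce has to cover: the largest minimum over every PRF the
 * initiator offers, since it cannot know which one the responder picks. */
size_t nonce_len_for_proposal(const prf_t *proposal, size_t n)
{
    size_t need = NONCE_MIN_LEN;
    for (size_t i = 0; i < n; i++) {
        size_t m = min_nonce_len(&proposal[i]);
        if (m > need) {
            need = m;
        }
    }
    return need;
}

/* The fixed size needed when every PRF in the table above is offered. */
size_t fixed_nonce_len_all_prfs(void)
{
    return nonce_len_for_proposal(prfs, NUM_PRFS);
}

/* Rekeying corner case: with a "half the PRF key size" policy, a peer that
 * sizes the nonce by the old IKE_SA's PRF and a peer that sizes it by the
 * newly proposed PRF end up with different lengths. Returns 1 when both
 * policies give the same size, 0 when they diverge. */
int dynamic_sizes_agree(const prf_t *old_prf, const prf_t *new_prf)
{
    return min_nonce_len(old_prf) == min_nonce_len(new_prf);
}

int main(void)
{
    printf("fixed nonce covering all PRFs: %zu bytes\n",
           fixed_nonce_len_all_prfs());
    for (size_t i = 0; i < NUM_PRFS; i++) {
        printf("%-18s key %2zu  min nonce %2zu  16-byte nonce: %s\n",
               prfs[i].name, prfs[i].key_len, min_nonce_len(&prfs[i]),
               nonce_len_ok(16, &prfs[i]) ? "ok" : "TOO SHORT");
    }
    printf("rekey SHA2_256 -> SHA2_512, dynamic nonce sizes agree: %s\n",
           dynamic_sizes_agree(&prfs[3], &prfs[5]) ? "yes" : "no");
    return 0;
}
```

Run as is, it reports that a 16-byte nonce is too short for HMAC-SHA2-384 (needs 24) and HMAC-SHA2-512 (needs 32), that 32 bytes is the fixed size covering the whole table, and that an SHA2-256 to SHA2-512 rekey gives 16 versus 32 bytes under the dynamic policy, which is the mismatch a fixed size sidesteps.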