Browse code
Always use default keysize for NCP'd ciphers
If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
"invalid key size" error. To prevent that, always set keysize=0 for NCP'd
ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2017/07/21 02:55:57Showing 1 changed files
| ... | ... |
@@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session, |
| 1978 | 1978 |
{
|
| 1979 | 1979 |
msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", |
| 1980 | 1980 |
options->ciphername); |
| 1981 |
+ if (options->keysize) |
|
| 1982 |
+ {
|
|
| 1983 |
+ msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); |
|
| 1984 |
+ options->keysize = 0; |
|
| 1985 |
+ } |
|
| 1981 | 1986 |
} |
| 1982 | 1987 |
|
| 1983 | 1988 |
init_key_type(&session->opt->key_type, options->ciphername, |