If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
"invalid key size" error. To prevent that, always set keysize=0 for NCP'd
ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session, |
1978 | 1978 |
{ |
1979 | 1979 |
msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", |
1980 | 1980 |
options->ciphername); |
1981 |
+ if (options->keysize) |
|
1982 |
+ { |
|
1983 |
+ msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); |
|
1984 |
+ options->keysize = 0; |
|
1985 |
+ } |
|
1981 | 1986 |
} |
1982 | 1987 |
|
1983 | 1988 |
init_key_type(&session->opt->key_type, options->ciphername, |
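Review bot: The added `msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default")` records that a user-configured crypto parameter was dropped, but not which value was dropped or for which cipher, so an operator auditing the log cannot tell what the configuration asked for. Assuming `keysize` is an int, I would log it before it is cleared: `msg(D_HANDSHAKE, "NCP: overriding user-set keysize %d with default for '%s'", options->keysize, options->ciphername);`. The assignment `options->keysize = 0;` also writes to the caller's options struct in place. The hunk does not show whether the original value is restored for a later session that does not use NCP, so a short comment stating where that happens (or that it is intentionally not restored) would help. The body of tls_session_update_crypto_params starts and ends outside this hunk, so the condition guarding this block is not visible here.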