The --no-iv option was deprecated in OpenVPN 2.4 (commit 4969f0d6),
and promised to be removed in 2.5. This patch fulfills that promise.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1483362584-28452-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -77,7 +77,6 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, |
77 | 77 |
/* IV, packet-ID and implicit IV required for this mode. */ |
78 | 78 |
ASSERT(ctx->cipher); |
79 | 79 |
ASSERT(cipher_kt_mode_aead(cipher_kt)); |
80 |
- ASSERT(opt->flags & CO_USE_IV); |
|
81 | 80 |
ASSERT(packet_id_initialized(&opt->packet_id)); |
82 | 81 |
|
83 | 82 |
gc_init(&gc); |
@@ -190,10 +189,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, |
190 | 190 |
if (cipher_kt_mode_cbc(cipher_kt)) |
191 | 191 |
{ |
192 | 192 |
/* generate pseudo-random IV */ |
193 |
- if (opt->flags & CO_USE_IV) |
|
194 |
- { |
|
195 |
- prng_bytes(iv_buf, iv_size); |
|
196 |
- } |
|
193 |
+ prng_bytes(iv_buf, iv_size); |
|
197 | 194 |
|
198 | 195 |
/* Put packet ID in plaintext buffer */ |
199 | 196 |
if (packet_id_initialized(&opt->packet_id)) |
@@ -208,8 +204,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, |
208 | 208 |
struct packet_id_net pin; |
209 | 209 |
struct buffer b; |
210 | 210 |
|
211 |
- /* IV and packet-ID required for this mode. */ |
|
212 |
- ASSERT(opt->flags & CO_USE_IV); |
|
211 |
+ /* packet-ID required for this mode. */ |
|
213 | 212 |
ASSERT(packet_id_initialized(&opt->packet_id)); |
214 | 213 |
|
215 | 214 |
packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true); |
@@ -222,11 +217,8 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, |
222 | 222 |
} |
223 | 223 |
|
224 | 224 |
/* set the IV pseudo-randomly */ |
225 |
- if (opt->flags & CO_USE_IV) |
|
226 |
- { |
|
227 |
- ASSERT(buf_write(&work, iv_buf, iv_size)); |
|
228 |
- dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); |
|
229 |
- } |
|
225 |
+ ASSERT(buf_write(&work, iv_buf, iv_size)); |
|
226 |
+ dmsg(D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); |
|
230 | 227 |
|
231 | 228 |
dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", |
232 | 229 |
format_hex(BPTR(buf), BLEN(buf), 80, &gc)); |
@@ -354,13 +346,13 @@ crypto_check_replay(struct crypto_options *opt, |
354 | 354 |
return ret; |
355 | 355 |
} |
356 | 356 |
|
357 |
-/* |
|
358 |
- * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. |
|
357 |
+/** |
|
358 |
+ * Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data |
|
359 |
+ * channel packets. |
|
359 | 360 |
* |
360 | 361 |
* Set buf->len to 0 and return false on decrypt error. |
361 | 362 |
* |
362 |
- * On success, buf is set to point to plaintext, true |
|
363 |
- * is returned. |
|
363 |
+ * On success, buf is set to point to plaintext, true is returned. |
|
364 | 364 |
*/ |
365 | 365 |
static bool |
366 | 366 |
openvpn_decrypt_aead(struct buffer *buf, struct buffer work, |
@@ -394,7 +386,6 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, |
394 | 394 |
|
395 | 395 |
/* IV and Packet ID required for this mode */ |
396 | 396 |
ASSERT(packet_id_initialized(&opt->packet_id)); |
397 |
- ASSERT(opt->flags & CO_USE_IV); |
|
398 | 397 |
|
399 | 398 |
/* Combine IV from explicit part from packet and implicit part from context */ |
400 | 399 |
{ |
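Review bot: The comment at line 395, `/* IV and Packet ID required for this mode */`, now introduces a single assertion on packet_id_initialized() because the IV assertion beneath it is the line this hunk removes, whereas the parallel hunks in openvpn_encrypt_v1 and openvpn_decrypt_v1 rewrite theirs to `/* packet-ID required for this mode. */`. Either adopt the same wording here or state the new invariant outright, e.g. `/* Packet ID required for this mode; the IV is always present now that --no-iv is gone. */`. The openvpn_encrypt_aead hunk at line 77 has the same comment/assertion mismatch after its `ASSERT(opt->flags & CO_USE_IV)` is dropped. openvpn_decrypt_aead's body continues outside the hunk.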
@@ -503,12 +494,12 @@ error_exit: |
503 | 503 |
} |
504 | 504 |
|
505 | 505 |
/* |
506 |
- * If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet. |
|
506 |
+ * Unwrap (authenticate, decrypt and check replay protection) CBC, OFB or CFB |
|
507 |
+ * mode data channel packets. |
|
507 | 508 |
* |
508 | 509 |
* Set buf->len to 0 and return false on decrypt error. |
509 | 510 |
* |
510 |
- * On success, buf is set to point to plaintext, true |
|
511 |
- * is returned. |
|
511 |
+ * On success, buf is set to point to plaintext, true is returned. |
|
512 | 512 |
*/ |
513 | 513 |
static bool |
514 | 514 |
openvpn_decrypt_v1(struct buffer *buf, struct buffer work, |
@@ -568,22 +559,14 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, |
568 | 568 |
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ |
569 | 569 |
ASSERT(buf_init(&work, FRAME_HEADROOM_ADJ(frame, FRAME_HEADROOM_MARKER_DECRYPT))); |
570 | 570 |
|
571 |
- /* use IV if user requested it */ |
|
572 |
- if (opt->flags & CO_USE_IV) |
|
573 |
- { |
|
574 |
- if (buf->len < iv_size) |
|
575 |
- { |
|
576 |
- CRYPT_ERROR("missing IV info"); |
|
577 |
- } |
|
578 |
- memcpy(iv_buf, BPTR(buf), iv_size); |
|
579 |
- ASSERT(buf_advance(buf, iv_size)); |
|
580 |
- } |
|
581 |
- |
|
582 |
- /* show the IV's initial state */ |
|
583 |
- if (opt->flags & CO_USE_IV) |
|
571 |
+ /* read the IV from the packet */ |
|
572 |
+ if (buf->len < iv_size) |
|
584 | 573 |
{ |
585 |
- dmsg(D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); |
|
574 |
+ CRYPT_ERROR("missing IV info"); |
|
586 | 575 |
} |
576 |
+ memcpy(iv_buf, BPTR(buf), iv_size); |
|
577 |
+ ASSERT(buf_advance(buf, iv_size)); |
|
578 |
+ dmsg(D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex(iv_buf, iv_size, 0, &gc)); |
|
587 | 579 |
|
588 | 580 |
if (buf->len < 1) |
589 | 581 |
{ |
@@ -636,8 +619,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, |
636 | 636 |
{ |
637 | 637 |
struct buffer b; |
638 | 638 |
|
639 |
- /* IV and packet-ID required for this mode. */ |
|
640 |
- ASSERT(opt->flags & CO_USE_IV); |
|
639 |
+ /* packet-ID required for this mode. */ |
|
641 | 640 |
ASSERT(packet_id_initialized(&opt->packet_id)); |
642 | 641 |
|
643 | 642 |
buf_set_read(&b, iv_buf, iv_size); |
@@ -713,7 +695,6 @@ openvpn_decrypt(struct buffer *buf, struct buffer work, |
713 | 713 |
void |
714 | 714 |
crypto_adjust_frame_parameters(struct frame *frame, |
715 | 715 |
const struct key_type *kt, |
716 |
- bool use_iv, |
|
717 | 716 |
bool packet_id, |
718 | 717 |
bool packet_id_long_form) |
719 | 718 |
{ |
@@ -726,10 +707,7 @@ crypto_adjust_frame_parameters(struct frame *frame, |
726 | 726 |
|
727 | 727 |
if (kt->cipher) |
728 | 728 |
{ |
729 |
- if (use_iv) |
|
730 |
- { |
|
731 |
- crypto_overhead += cipher_kt_iv_size(kt->cipher); |
|
732 |
- } |
|
729 |
+ crypto_overhead += cipher_kt_iv_size(kt->cipher); |
|
733 | 730 |
|
734 | 731 |
if (cipher_kt_mode_aead(kt->cipher)) |
735 | 732 |
{ |
@@ -995,15 +973,14 @@ fixup_key(struct key *key, const struct key_type *kt) |
995 | 995 |
} |
996 | 996 |
|
997 | 997 |
void |
998 |
-check_replay_iv_consistency(const struct key_type *kt, bool packet_id, bool use_iv) |
|
998 |
+check_replay_consistency(const struct key_type *kt, bool packet_id) |
|
999 | 999 |
{ |
1000 | 1000 |
ASSERT(kt); |
1001 | 1001 |
|
1002 |
- if (!(packet_id && use_iv) && (cipher_kt_mode_ofb_cfb(kt->cipher) |
|
1003 |
- || cipher_kt_mode_aead(kt->cipher))) |
|
1002 |
+ if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) |
|
1003 |
+ || cipher_kt_mode_aead(kt->cipher))) |
|
1004 | 1004 |
{ |
1005 |
- msg(M_FATAL, "--no-replay or --no-iv cannot be used with a CFB, OFB or " |
|
1006 |
- "AEAD mode cipher"); |
|
1005 |
+ msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); |
|
1007 | 1006 |
} |
1008 | 1007 |
} |
1009 | 1008 |
|
@@ -39,8 +39,7 @@ |
39 | 39 |
* - \b HMAC, covering the ciphertext IV + ciphertext. The HMAC size depends |
40 | 40 |
* on the \c \-\-auth option. If \c \-\-auth \c none is specified, there is no |
41 | 41 |
* HMAC at all. |
42 |
- * - \b Ciphertext \b IV, if not disabled by \c \-\-no-iv. The IV size depends on |
|
43 |
- * the \c \-\-cipher option. |
|
42 |
+ * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. |
|
44 | 43 |
* - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay |
45 | 44 |
* protection (if not disabled by \c \-\-no-replay). |
46 | 45 |
* - \b Timestamp, a 32-bit timestamp of the current time. |
@@ -249,17 +248,13 @@ struct crypto_options |
249 | 249 |
#define CO_PACKET_ID_LONG_FORM (1<<0) |
250 | 250 |
/**< Bit-flag indicating whether to use |
251 | 251 |
* OpenVPN's long packet ID format. */ |
252 |
-#define CO_USE_IV (1<<1) |
|
253 |
- /**< Bit-flag indicating whether to |
|
254 |
- * generate a pseudo-random IV for each |
|
255 |
- * packet being encrypted. */ |
|
256 |
-#define CO_IGNORE_PACKET_ID (1<<2) |
|
252 |
+#define CO_IGNORE_PACKET_ID (1<<1) |
|
257 | 253 |
/**< Bit-flag indicating whether to ignore |
258 | 254 |
* the packet ID of a received packet. |
259 | 255 |
* This flag is used during processing |
260 | 256 |
* of the first packet received from a |
261 | 257 |
* client. */ |
262 |
-#define CO_MUTE_REPLAY_WARNINGS (1<<3) |
|
258 |
+#define CO_MUTE_REPLAY_WARNINGS (1<<2) |
|
263 | 259 |
/**< Bit-flag indicating not to display |
264 | 260 |
* replay warnings. */ |
265 | 261 |
unsigned int flags; /**< Bit-flags determining behavior of |
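Review bot: Renumbering CO_IGNORE_PACKET_ID to (1<<1) and CO_MUTE_REPLAY_WARNINGS to (1<<2) is not needed to remove CO_USE_IV, and it changes the integer value of every `flags` word that carries them; if those values ever reach a log line, persisted state or a plugin/ABI boundary, old and new builds will disagree about what a given value means. Keeping the remaining flags at their old values and leaving a gap, with `/* (1<<1) was CO_USE_IV, removed in 2.5 */` in its place, avoids that risk and records the history. I cannot tell from this hunk whether the flags are externally visible, so this is a precaution rather than a known breakage.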
@@ -288,7 +283,7 @@ int read_passphrase_hash(const char *passphrase_file, |
288 | 288 |
|
289 | 289 |
void generate_key_random(struct key *key, const struct key_type *kt); |
290 | 290 |
|
291 |
-void check_replay_iv_consistency(const struct key_type *kt, bool packet_id, bool use_iv); |
|
291 |
+void check_replay_consistency(const struct key_type *kt, bool packet_id); |
|
292 | 292 |
|
293 | 293 |
bool check_key(struct key *key, const struct key_type *kt); |
294 | 294 |
|
@@ -418,7 +413,6 @@ bool crypto_check_replay(struct crypto_options *opt, |
418 | 418 |
/** Calculate crypto overhead and adjust frame to account for that */ |
419 | 419 |
void crypto_adjust_frame_parameters(struct frame *frame, |
420 | 420 |
const struct key_type *kt, |
421 |
- bool use_iv, |
|
422 | 421 |
bool packet_id, |
423 | 422 |
bool packet_id_long_form); |
424 | 423 |
|
@@ -2351,11 +2351,6 @@ do_init_crypto_static(struct context *c, const unsigned int flags) |
2351 | 2351 |
init_crypto_pre(c, flags); |
2352 | 2352 |
|
2353 | 2353 |
/* Initialize flags */ |
2354 |
- if (c->options.use_iv) |
|
2355 |
- { |
|
2356 |
- c->c2.crypto_options.flags |= CO_USE_IV; |
|
2357 |
- } |
|
2358 |
- |
|
2359 | 2354 |
if (c->options.mute_replay_warnings) |
2360 | 2355 |
{ |
2361 | 2356 |
c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; |
@@ -2396,13 +2391,11 @@ do_init_crypto_static(struct context *c, const unsigned int flags) |
2396 | 2396 |
c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; |
2397 | 2397 |
|
2398 | 2398 |
/* Compute MTU parameters */ |
2399 |
- crypto_adjust_frame_parameters(&c->c2.frame, |
|
2400 |
- &c->c1.ks.key_type, |
|
2401 |
- options->use_iv, options->replay, true); |
|
2399 |
+ crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, |
|
2400 |
+ options->replay, true); |
|
2402 | 2401 |
|
2403 |
- /* Sanity check on IV, sequence number, and cipher mode options */ |
|
2404 |
- check_replay_iv_consistency(&c->c1.ks.key_type, options->replay, |
|
2405 |
- options->use_iv); |
|
2402 |
+ /* Sanity check on sequence number, and cipher mode options */ |
|
2403 |
+ check_replay_consistency(&c->c1.ks.key_type, options->replay); |
|
2406 | 2404 |
} |
2407 | 2405 |
|
2408 | 2406 |
/* |
@@ -2529,9 +2522,8 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) |
2529 | 2529 |
return; |
2530 | 2530 |
} |
2531 | 2531 |
|
2532 |
- /* Sanity check on IV, sequence number, and cipher mode options */ |
|
2533 |
- check_replay_iv_consistency(&c->c1.ks.key_type, options->replay, |
|
2534 |
- options->use_iv); |
|
2532 |
+ /* Sanity check on sequence number, and cipher mode options */ |
|
2533 |
+ check_replay_consistency(&c->c1.ks.key_type, options->replay); |
|
2535 | 2534 |
|
2536 | 2535 |
/* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ |
2537 | 2536 |
packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); |
@@ -2545,18 +2537,13 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) |
2545 | 2545 |
else |
2546 | 2546 |
{ |
2547 | 2547 |
crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, |
2548 |
- options->use_iv, options->replay, packet_id_long_form); |
|
2548 |
+ options->replay, packet_id_long_form); |
|
2549 | 2549 |
} |
2550 | 2550 |
tls_adjust_frame_parameters(&c->c2.frame); |
2551 | 2551 |
|
2552 | 2552 |
/* Set all command-line TLS-related options */ |
2553 | 2553 |
CLEAR(to); |
2554 | 2554 |
|
2555 |
- if (options->use_iv) |
|
2556 |
- { |
|
2557 |
- to.crypto_flags |= CO_USE_IV; |
|
2558 |
- } |
|
2559 |
- |
|
2560 | 2555 |
if (options->mute_replay_warnings) |
2561 | 2556 |
{ |
2562 | 2557 |
to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS; |
@@ -2692,9 +2679,8 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) |
2692 | 2692 |
to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; |
2693 | 2693 |
to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; |
2694 | 2694 |
to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; |
2695 |
- crypto_adjust_frame_parameters(&to.frame, |
|
2696 |
- &c->c1.ks.tls_auth_key_type, |
|
2697 |
- false, true, true); |
|
2695 |
+ crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, |
|
2696 |
+ true, true); |
|
2698 | 2697 |
} |
2699 | 2698 |
|
2700 | 2699 |
/* TLS handshake encryption (--tls-crypt) */ |
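Review bot: The call `crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, true, true)` drops the `false` that previously excluded IV overhead from the tls-auth wrapping, and crypto_adjust_frame_parameters now adds cipher_kt_iv_size() unconditionally whenever kt->cipher is set; this stays correct only if the tls-auth key type has no cipher, which the hunk does not show, so please confirm. A comment at the call site would make that dependency explicit, e.g. `/* tls-auth is HMAC-only (no cipher): no IV or cipher overhead is added here */`. The two positional literals are also easier to audit written as `/* packet_id */ true, /* packet_id_long_form */ true`. do_init_crypto_tls continues outside the hunk.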
@@ -2980,10 +2966,6 @@ do_option_warnings(struct context *c) |
2980 | 2980 |
{ |
2981 | 2981 |
msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); |
2982 | 2982 |
} |
2983 |
- if (!o->use_iv) |
|
2984 |
- { |
|
2985 |
- msg(M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); |
|
2986 |
- } |
|
2987 | 2983 |
|
2988 | 2984 |
if (o->tls_server) |
2989 | 2985 |
{ |
@@ -551,7 +551,6 @@ static const char usage_message[] = |
551 | 551 |
"--replay-window n [t] : Use a replay protection sliding window of size n\n" |
552 | 552 |
" and a time window of t seconds.\n" |
553 | 553 |
" Default n=%d t=%d\n" |
554 |
- "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n" |
|
555 | 554 |
"--replay-persist file : Persist replay-protection state across sessions\n" |
556 | 555 |
" using file.\n" |
557 | 556 |
"--test-crypto : Run a self-test of crypto features enabled.\n" |
@@ -863,7 +862,6 @@ init_options(struct options *o, const bool init_gc) |
863 | 863 |
o->replay = true; |
864 | 864 |
o->replay_window = DEFAULT_SEQ_BACKTRACK; |
865 | 865 |
o->replay_time = DEFAULT_TIME_BACKTRACK; |
866 |
- o->use_iv = true; |
|
867 | 866 |
o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; |
868 | 867 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
869 | 868 |
o->use_prediction_resistance = false; |
@@ -1715,7 +1713,6 @@ show_settings(const struct options *o) |
1715 | 1715 |
SHOW_INT(replay_window); |
1716 | 1716 |
SHOW_INT(replay_time); |
1717 | 1717 |
SHOW_STR(packet_id_file); |
1718 |
- SHOW_BOOL(use_iv); |
|
1719 | 1718 |
SHOW_BOOL(test_crypto); |
1720 | 1719 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
1721 | 1720 |
SHOW_BOOL(use_prediction_resistance); |
@@ -2476,14 +2473,6 @@ options_postprocess_verify_ce(const struct options *options, const struct connec |
2476 | 2476 |
{ |
2477 | 2477 |
msg(M_USAGE, "NCP cipher list contains unsupported ciphers."); |
2478 | 2478 |
} |
2479 |
- if (options->ncp_enabled && !options->use_iv) |
|
2480 |
- { |
|
2481 |
- msg(M_USAGE, "--no-iv not allowed when NCP is enabled."); |
|
2482 |
- } |
|
2483 |
- if (!options->use_iv) |
|
2484 |
- { |
|
2485 |
- msg(M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5"); |
|
2486 |
- } |
|
2487 | 2479 |
|
2488 | 2480 |
/* |
2489 | 2481 |
* Check consistency of replay options |
@@ -3447,8 +3436,8 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) |
3447 | 3447 |
init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, |
3448 | 3448 |
false); |
3449 | 3449 |
frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead())); |
3450 |
- crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv, |
|
3451 |
- o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); |
|
3450 |
+ crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, |
|
3451 |
+ cipher_kt_mode_ofb_cfb(fake_kt.cipher)); |
|
3452 | 3452 |
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, |
3453 | 3453 |
o->ce.tun_mtu_defined, o->ce.tun_mtu); |
3454 | 3454 |
msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, |
@@ -3493,7 +3482,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) |
3493 | 3493 |
* --keysize |
3494 | 3494 |
* --secret |
3495 | 3495 |
* --no-replay |
3496 |
- * --no-iv |
|
3497 | 3496 |
* |
3498 | 3497 |
* SSL Options: |
3499 | 3498 |
* |
@@ -3627,10 +3615,6 @@ options_string(const struct options *o, |
3627 | 3627 |
{ |
3628 | 3628 |
buf_printf(&out, ",no-replay"); |
3629 | 3629 |
} |
3630 |
- if (!o->use_iv) |
|
3631 |
- { |
|
3632 |
- buf_printf(&out, ",no-iv"); |
|
3633 |
- } |
|
3634 | 3630 |
|
3635 | 3631 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
3636 | 3632 |
if (o->use_prediction_resistance) |
@@ -7560,8 +7544,8 @@ add_option(struct options *options, |
7560 | 7560 |
} |
7561 | 7561 |
else if (streq(p[0], "no-iv") && !p[1]) |
7562 | 7562 |
{ |
7563 |
- VERIFY_PERMISSION(OPT_P_GENERAL); |
|
7564 |
- options->use_iv = false; |
|
7563 |
+ msg(msglevel, |
|
7564 |
+ "--no-iv is no longer supported. Remove it from client and server configs."); |
|
7565 | 7565 |
} |
7566 | 7566 |
else if (streq(p[0], "replay-persist") && p[1] && !p[2]) |
7567 | 7567 |
{ |
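Review bot: With `VERIFY_PERMISSION(OPT_P_GENERAL)` removed, whether a `no-iv` directive is rejected or merely logged now depends entirely on the `msglevel` the caller passes; on any path where that is a warning level, the directive is accepted and the connection proceeds with IVs always enabled, which a reader of the old config would not expect. If the intent is to fail configs that still contain it, log at a fatal level explicitly instead of `msglevel`; if the intent is to tolerate it, say so in the text, e.g. `"--no-iv is no longer supported and is ignored; IVs are always used. Remove it from client and server configs."`. add_option continues outside the hunk.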
@@ -1967,7 +1967,7 @@ tls_session_update_crypto_params(struct tls_session *session, |
1967 | 1967 |
/* Update frame parameters: undo worst-case overhead, add actual overhead */ |
1968 | 1968 |
frame_add_to_extra_frame(frame, -(crypto_max_overhead())); |
1969 | 1969 |
crypto_adjust_frame_parameters(frame, &session->opt->key_type, |
1970 |
- options->use_iv, options->replay, packet_id_long_form); |
|
1970 |
+ options->replay, packet_id_long_form); |
|
1971 | 1971 |
frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, |
1972 | 1972 |
options->ce.tun_mtu_defined, options->ce.tun_mtu); |
1973 | 1973 |
frame_init_mssfix(frame, options); |