Always use default keysize for NCP'd ciphers

If a peer has set --keysize, and NCP negotiates a cipher with a different key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a "invalid key size" error. To prevent that, always set keysize=0 for NCP'd ciphers. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html Signed-off-by: David Sommerseth <davids@openvpn.net>
2024-11-27 11:43:51 +08:00 · 2017-07-20 19:55:57 +02:00 · 2017-07-20 19:55:57 +02:00 · 956bb1c32f
commit 956bb1c32f
parent 72bcdfdc19
1 changed files with 5 additions and 0 deletions
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session,
    {
        msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
            options->ciphername);
+        if (options->keysize)
+        {
+            msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
+            options->keysize = 0;
+        }
    }

    init_key_type(&session->opt->key_type, options->ciphername,