If a peer has set --keysize, and NCP negotiates a cipher with a different key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with an "invalid key size" error. To prevent that, always set keysize=0 for NCP'd ciphers.
Signed-off-by: Steffan Karger <stef...@karger.me> --- v2 - print log message when we override the user-set keysize src/openvpn/ssl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b1c26b3..8440f27 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1976,6 +1976,11 @@ tls_session_update_crypto_params(struct tls_session *session, { msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); + if (options->keysize) + { + msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); + options->keysize = 0; + } } init_key_type(&session->opt->key_type, options->ciphername, -- 2.7.4 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
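Review bot: `options->keysize = 0;` in the new block writes the override into the `options` struct passed to tls_session_update_crypto_params() rather than into this session's key type, so if that is the process-wide options the user's --keysize is discarded for the rest of the process, not just for this negotiated cipher; a later connection that does not negotiate a cipher (for example after a reconnect to a different --remote) would then silently run with the cipher's default key length instead of the value the user configured. Since the hunk's trailing context shows the key type being built right after this branch with `init_key_type(&session->opt->key_type, options->ciphername,`, consider passing 0 (or a local copy of the effective keysize) into that call when the cipher was negotiated and leaving `options->keysize` untouched. Also consider logging the value being dropped, e.g. `"NCP: overriding user-set keysize %d with default", options->keysize`, so an operator can see what was ignored.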
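As an added illustration of the failure mode the commit message describes, the following C program is a hypothetical, simplified model of the data-channel key-size check (example code written for this page, not OpenVPN's init_key_type()). It assumes a small table of fixed-key-length ciphers, the convention that a user keysize of 0 means "use the cipher default", and that a mismatch is what produces the fatal "invalid key size" exit; the function names cipher_key_bits, resolve_keysize, apply_cipher_before_patch and apply_cipher_after_patch are invented for the example. It shows that --keysize 128 plus a negotiated AES-256-GCM fails before the patch and succeeds after it, and also that the patch clears the user's keysize as a side effect.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of OpenVPN's data-channel key-size check;
 * this is example code, not OpenVPN's init_key_type(). Only fixed-key-length
 * ciphers are modelled (constructed table). A user keysize of 0 means
 * "use the cipher default". */
struct cipher_info {
    const char *name;
    int key_bits;
};

static const struct cipher_info ciphers[] = {
    { "AES-128-GCM", 128 },
    { "AES-256-GCM", 256 },
    { "AES-128-CBC", 128 },
    { "AES-256-CBC", 256 },
};

/* Native key length of a cipher in bits, or -1 if the name is unknown. */
int cipher_key_bits(const char *name)
{
    for (size_t i = 0; i < sizeof(ciphers) / sizeof(ciphers[0]); i++) {
        if (strcmp(ciphers[i].name, name) == 0)
            return ciphers[i].key_bits;
    }
    return -1;
}

/* Effective key size for a cipher given the user's --keysize, or -1 when the
 * combination would make the peer exit with "invalid key size". */
int resolve_keysize(const char *cipher, int user_keysize)
{
    int native = cipher_key_bits(cipher);
    if (native < 0)
        return -1;
    if (user_keysize == 0)
        return native;
    return user_keysize == native ? native : -1;
}

struct crypto_result {
    int effective_bits;         /* -1 models the fatal "invalid key size" */
    int remaining_user_keysize; /* what options->keysize holds afterwards */
};

/* Before the patch: the user's keysize is applied to the negotiated cipher
 * unchanged, so --keysize 128 plus a negotiated AES-256-GCM fails. */
struct crypto_result apply_cipher_before_patch(const char *cipher, bool via_ncp, int user_keysize)
{
    (void)via_ncp; /* the pre-patch code does not care how the cipher was chosen */
    struct crypto_result r = { resolve_keysize(cipher, user_keysize), user_keysize };
    return r;
}

/* After the patch: when the cipher came from NCP, a non-zero user keysize is
 * logged and reset to 0 before the key type is initialised. The reset is
 * reported through remaining_user_keysize, mirroring the patch writing 0
 * into options->keysize. */
struct crypto_result apply_cipher_after_patch(const char *cipher, bool via_ncp, int user_keysize)
{
    if (via_ncp && user_keysize) {
        fprintf(stderr, "NCP: overriding user-set keysize %d with default\n", user_keysize);
        user_keysize = 0;
    }
    struct crypto_result r = { resolve_keysize(cipher, user_keysize), user_keysize };
    return r;
}

int main(void)
{
    /* Constructed scenario from the commit message: --keysize 128, NCP picks AES-256-GCM. */
    struct crypto_result before = apply_cipher_before_patch("AES-256-GCM", true, 128);
    struct crypto_result after = apply_cipher_after_patch("AES-256-GCM", true, 128);
    printf("before patch: effective key bits = %d (-1 means invalid key size)\n",
           before.effective_bits);
    printf("after patch:  effective key bits = %d, user keysize now %d\n",
           after.effective_bits, after.remaining_user_keysize);
    return 0;
}
```

The remaining_user_keysize field is there deliberately: a static --keysize 128 peer that does not negotiate (via_ncp false) keeps its setting, while a peer whose cipher was negotiated ends up with keysize 0, which is the persistent effect of the patch's write to options->keysize.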