From: Steffan Karger Date: Thu, 20 Jul 2017 17:55:57 +0000 (+0200) Subject: Always use default keysize for NCP'd ciphers X-Git-Tag: v2.5_beta1~617 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=956bb1c32fa40ee184919b3ce569c90643a01b5b;p=thirdparty%2Fopenvpn.git Always use default keysize for NCP'd ciphers If a peer has set --keysize, and NCP negotiates a cipher with a different key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a "invalid key size" error. To prevent that, always set keysize=0 for NCP'd ciphers. Signed-off-by: Steffan Karger Acked-by: David Sommerseth Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html Signed-off-by: David Sommerseth --- diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 4ccc50c0f..2a4768001 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session, { msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); + if (options->keysize) + { + msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); + options->keysize = 0; + } } init_key_type(&session->opt->key_type, options->ciphername,
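Review bot: the new msg() call inside the `if (options->keysize)` block reports the override at D_HANDSHAKE, the same level as the routine "using negotiated cipher" line above it, and does not say which value was discarded. Because this path drops a setting the user made explicitly, a warning-level message (M_WARN) that includes the old keysize and the negotiated cipher would be easier to spot when auditing a peer's effective crypto parameters, for example "NCP: overriding user-set keysize %d with default for '%s'" with options->keysize and options->ciphername as arguments, emitted before the assignment to 0. The visible diff touches only src/openvpn/ssl.c, so it would also help to state in the --keysize documentation that the option is ignored once NCP has negotiated a cipher.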