Always use default keysize for NCP'd ciphers
authorSteffan Karger <steffan@karger.me>
Thu, 20 Jul 2017 17:55:57 +0000 (19:55 +0200)
committerDavid Sommerseth <davids@openvpn.net>
Mon, 14 Aug 2017 12:50:51 +0000 (14:50 +0200)
If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with an
"invalid key size" error.  To prevent that, always set keysize=0 for NCP'd
ciphers.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
src/openvpn/ssl.c

index 4ccc50c0f3a7e699233eff31600554b19e2ffc31..2a4768001112d5455e49abdd321159ffa9acf8ad 100644 (file)
@@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session,
     {
         msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
             options->ciphername);
+        if (options->keysize)
+        {
+            msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
+            options->keysize = 0;
+        }
     }
 
     init_key_type(&session->opt->key_type, options->ciphername,
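Review bot: The new `if (options->keysize)` branch drops an operator's explicit --keysize, but the log line records neither the value that was discarded nor the cipher it was discarded for. Someone auditing the effective data-channel key length then has to correlate it with the preceding "using negotiated cipher" message. I would log both, e.g. `msg(D_HANDSHAKE, "NCP: overriding user-set keysize %d with default for cipher '%s'", options->keysize, options->ciphername);` (this assumes keysize is an int, which the hunk does not show). The assignment `options->keysize = 0;` also writes into the options struct itself, so if that struct is reused later for a cipher that was not negotiated, the user's setting appears to be lost; the function body starts and ends outside this hunk, so that should be confirmed against the callers. A short comment above the branch, such as `/* NCP'd ciphers always use their default key size; a mismatching --keysize makes the peer exit */`, would keep the reason next to the code.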