nts: don't connect to server if missing AES-SIV-CMAC-256

author Miroslav Lichvar <mlichvar@redhat.com>

Tue, 11 Oct 2022 08:35:19 +0000 (10:35 +0200)

committer Miroslav Lichvar <mlichvar@redhat.com>

Wed, 19 Oct 2022 13:50:39 +0000 (15:50 +0200)
author Miroslav Lichvar <mlichvar@redhat.com>
Tue, 11 Oct 2022 08:35:19 +0000 (10:35 +0200)
committer Miroslav Lichvar <mlichvar@redhat.com>
Wed, 19 Oct 2022 13:50:39 +0000 (15:50 +0200)
diff --git a/nts_ke_client.c b/nts_ke_client.c

index c22b0eb13fc22b711ff34a685800c358366c8234..2ad810672b9117084c9f13a76e304fccc83139a7 100644 (file)
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -370,6 +370,13 @@ NKC_Start(NKC_Instance inst)
      return 0;
    }
  
+  /* Don't try to connect if missing the algorithm which all servers
+     are required to support */
+  if (SIV_GetKeyLength(AEAD_AES_SIV_CMAC_256) <= 0) {
+    LOG(LOGS_ERR, "Missing AES-SIV-CMAC-256");
+    return 0;
+  }
+
    /* Follow the bindacqaddress and bindacqdevice settings */
    CNF_GetBindAcquisitionAddress(inst->address.ip_addr.family, &local_addr.ip_addr);
    local_addr.port = 0;
author	Miroslav Lichvar <mlichvar@redhat.com>
	Tue, 11 Oct 2022 08:35:19 +0000 (10:35 +0200)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Wed, 19 Oct 2022 13:50:39 +0000 (15:50 +0200)