From: Miroslav Lichvar
Date: Tue, 11 Oct 2022 08:35:19 +0000 (+0200)
Subject: nts: don't connect to server if missing AES-SIV-CMAC-256
X-Git-Tag: 4.4-pre1~74
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4baf999cc30b992f5cf7de7dcb5ec08ac5e61af6;p=thirdparty%2Fchrony.git
nts: don't connect to server if missing AES-SIV-CMAC-256
Avoid wasting server resources if the client doesn't support AES-SIV-CMAC-256 (the only algorithm required on servers).
---
diff --git a/nts_ke_client.c b/nts_ke_client.c
index c22b0eb1..2ad81067 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -370,6 +370,13 @@ NKC_Start(NKC_Instance inst)
 return 0;
 }
+ /* Don't try to connect if missing the algorithm which all servers
+ are required to support */
+ if (SIV_GetKeyLength(AEAD_AES_SIV_CMAC_256) <= 0) {
+ LOG(LOGS_ERR, "Missing AES-SIV-CMAC-256");
+ return 0;
+ }
+
 /* Follow the bindacqaddress and bindacqdevice settings */
 CNF_GetBindAcquisitionAddress(inst->address.ip_addr.family, &local_addr.ip_addr);
 local_addr.port = 0;
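Review bot: The added guard in NKC_Start reports a permanent condition (no AES-SIV-CMAC-256 in this build or crypto library) through the same `return 0` that the preceding block uses. If the caller treats 0 as a retryable failure, it would presumably emit the LOGS_ERR line on every attempt; the caller is outside this hunk, so this is inferred. The message also does not say what the operator loses, so something like `LOG(LOGS_ERR, "Missing AES-SIV-CMAC-256, NTS-KE not started");` would make clear that the source will not be authenticated via NTS. It would also help to emit it once per process rather than per call, since the result of `SIV_GetKeyLength(AEAD_AES_SIV_CMAC_256)` does not appear to depend on `inst`. Refusing before any connection is made is the right fail-closed direction; NKC_Start begins and ends outside the hunk.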