From 956bb1c32fa40ee184919b3ce569c90643a01b5b Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Thu, 20 Jul 2017 19:55:57 +0200
Subject: [PATCH] Always use default keysize for NCP'd ciphers

If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
"invalid key size" error.  To prevent that, always set keysize=0 for NCP'd
ciphers.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1500573357-20496-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15110.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 src/openvpn/ssl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 4ccc50c0f..2a4768001 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1978,6 +1978,11 @@ tls_session_update_crypto_params(struct tls_session *session,
     {
         msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
             options->ciphername);
+        if (options->keysize)
+        {
+            msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
+            options->keysize = 0;
+        }
     }
 
     init_key_type(&session->opt->key_type, options->ciphername,
-- 
2.47.2