If a peer has set --keysize, and NCP negotiates a cipher with a different
key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
"invalid key size" error.  To prevent that, always set keysize=0 for NCP'd
ciphers.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index f868457e..a8418d37 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1976,6 +1976,7 @@ tls_session_update_crypto_params(struct tls_session 
*session,
     {
         msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
             options->ciphername);
+        options->keysize = 0; /* Always use default key size for NCP */
     }
 
     init_key_type(&session->opt->key_type, options->ciphername,
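Review bot: the assignment `options->keysize = 0;` silently discards a user-supplied --keysize on the negotiated-cipher path; consider logging the override when the previous value was non-zero, e.g. `msg(D_HANDSHAKE, "Data Channel: ignoring --keysize, using default key size for negotiated cipher '%s'", options->ciphername);` placed before the reset, so the behaviour change the commit message describes shows up in the log rather than only as the absence of an "invalid key size" error. It is also worth extending the inline comment to say that the value must be zeroed before the `init_key_type()` call that follows, since that call is the consumer of `options->keysize` and a later reordering of this block would reintroduce the mismatch.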
-- 
2.11.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel