chiark
/
gitweb
/
~mdw
/
tripe
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
svc: Peer management services.
[tripe]
/
server
/
keymgmt.c
diff --git
a/server/keymgmt.c
b/server/keymgmt.c
index 601f42ed3db2ce1a8e861e1c39f90e7ad9fd22b7..ce0d4561d7384cab066caf758121bd86cf188ede 100644
(file)
--- a/
server/keymgmt.c
+++ b/
server/keymgmt.c
@@
-247,7
+247,8
@@
static const char *algs_check(algswitch *a, const group *g)
/* --- Derive the key sizes --- *
*
* Must ensure that we have non-empty keys. This isn't ideal, but it
/* --- Derive the key sizes --- *
*
* Must ensure that we have non-empty keys. This isn't ideal, but it
- * provides a handy sanity check.
+ * provides a handy sanity check. Also must be based on a 64- or 128-bit
+ * block cipher or we can't do the data expiry properly.
*/
a->hashsz = a->h->hashsz;
*/
a->hashsz = a->h->hashsz;
@@
-256,6
+257,11
@@
static const char *algs_check(algswitch *a, const group *g)
if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
return ("no key size found for MAC");
if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
return ("no key size found for MAC");
+ /* --- Derive the data limit --- */
+
+ if (a->c->blksz < 16) a->expsz = MEG(64);
+ else a->expsz = MEG(2048);
+
/* --- Ensure that the tag size is sane --- */
if (a->tagsz > a->m->hashsz) return ("tag length too large");
/* --- Ensure that the tag size is sane --- */
if (a->tagsz > a->m->hashsz) return ("tag length too large");