X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/e04c2d50fd96f3f31bc96851c55c6efecc10469c..3cbd2d89482ab48adea16aef781b191b793d9a26:/server/keymgmt.c
diff --git a/server/keymgmt.c b/server/keymgmt.c
index 422b01fe..ce0d4561 100644
--- a/server/keymgmt.c
+++ b/server/keymgmt.c
@@ -1,6 +1,4 @@
 /* -*-c-*-
- *
- * $Id$
 *
 * Key loading and storing
 *
@@ -249,7 +247,8 @@ static const char *algs_check(algswitch *a, const group *g)
 /* --- Derive the key sizes --- *
 *
 * Must ensure that we have non-empty keys. This isn't ideal, but it
- * provides a handy sanity check.
+ * provides a handy sanity check. Also must be based on a 64- or 128-bit
+ * block cipher or we can't do the data expiry properly.
 */
 
 a->hashsz = a->h->hashsz;
@@ -258,6 +257,11 @@ static const char *algs_check(algswitch *a, const group *g)
 if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
 return ("no key size found for MAC");
 
+ /* --- Derive the data limit --- */
+
+ if (a->c->blksz < 16) a->expsz = MEG(64);
+ else a->expsz = MEG(2048);
+
 /* --- Ensure that the tag size is sane --- */
 
 if (a->tagsz > a->m->hashsz) return ("tag length too large");
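Review bot: The new block in the third hunk picks the data limit from `a->c->blksz < 16` alone, so the requirement added to the comment in the second hunk (a 64- or 128-bit block cipher) is documented but never checked: any block size below 16, not just 8, silently gets the 64 MB limit, and anything larger gets 2048 MB. Since algs_check already rejects bad configurations by returning a message, an explicit guard such as `if (a->c->blksz != 8 && a->c->blksz != 16) return ("unsupported cipher block size");` before the assignment would keep the per-key data volume tied to a block size the limit was actually chosen for; if larger blocks are meant to be accepted, the comment should say so instead. `MEG` and the type of `expsz` are defined outside this diff, so it is worth confirming that `MEG(2048)` (2^31 bytes) is computed in an unsigned or wider-than-int type and fits the field. algs_check's body starts and ends outside the hunk.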