From 4baf999cc30b992f5cf7de7dcb5ec08ac5e61af6 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 11 Oct 2022 10:35:19 +0200
Subject: [PATCH] nts: don't connect to server if missing AES-SIV-CMAC-256

Avoid wasting server resources if the client doesn't support AES-SIV-CMAC-256 (the only algorithm required on servers).
---
 nts_ke_client.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nts_ke_client.c b/nts_ke_client.c
index c22b0eb..2ad8106 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -370,6 +370,13 @@ NKC_Start(NKC_Instance inst)
 return 0;
 }
 
+ /* Don't try to connect if missing the algorithm which all servers
+ are required to support */
+ if (SIV_GetKeyLength(AEAD_AES_SIV_CMAC_256) <= 0) {
+ LOG(LOGS_ERR, "Missing AES-SIV-CMAC-256");
+ return 0;
+ }
+
 /* Follow the bindacqaddress and bindacqdevice settings */
 CNF_GetBindAcquisitionAddress(inst->address.ip_addr.family, &local_addr.ip_addr);
 local_addr.port = 0;
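Review bot: The added `LOG(LOGS_ERR, "Missing AES-SIV-CMAC-256");` runs on every call to NKC_Start, so if the caller retries key establishment (the retry path is not visible in this hunk) the same error would presumably be logged once per attempt and per NTS source. The message also gives no hint that the NTS-KE session is being skipped or that the cause is the local crypto build, which an operator needs when time sources silently stay unauthenticated-and-unused. Consider wording such as `LOG(LOGS_ERR, "NTS-KE not started: AES-SIV-CMAC-256 unsupported by crypto library");` and extending the comment to `/* ... required to support; returning 0 here fails the start before any socket is opened */`. Failing closed before the connection is the right behaviour; NKC_Start begins and continues outside the hunk, so whether anything acquired earlier needs releasing on this path cannot be confirmed from here.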