Pick cipher from PUSH_REPLY if present

TunnelKit/Sources/Core/SessionProxy.swift

@@ -1000,20 +1000,23 @@ public class SessionProxy {
     // Ruby: setup_keys
     private func setupEncryption() {
         guard let auth = authenticator else {
-            fatalError("Setting up keys without having authenticated")
+            fatalError("Setting up encryption without having authenticated")
         }
         guard let sessionId = sessionId else {
-            fatalError("Setting up keys without a local sessionId")
+            fatalError("Setting up encryption without a local sessionId")
         }
         guard let remoteSessionId = remoteSessionId else {
-            fatalError("Setting up keys without a remote sessionId")
+            fatalError("Setting up encryption without a remote sessionId")
         }
         guard let serverRandom1 = auth.serverRandom1, let serverRandom2 = auth.serverRandom2 else {
-            fatalError("Setting up keys without server randoms")
+            fatalError("Setting up encryption without server randoms")
         }
-        
+        guard let pushReply = pushReply else {
+            fatalError("Setting up encryption without a former PUSH_REPLY")
+        }
+
         if CoreConfiguration.logsSensitiveData {
-            log.debug("Setup keys from the following components:")
+            log.debug("Set up encryption from the following components:")
             log.debug("\tpreMaster: \(auth.preMaster.toHex())")
             log.debug("\trandom1: \(auth.random1.toHex())")
             log.debug("\trandom2: \(auth.random2.toHex())")
@@ -1022,13 +1025,18 @@ public class SessionProxy {
             log.debug("\tsessionId: \(sessionId.toHex())")
             log.debug("\tremoteSessionId: \(remoteSessionId.toHex())")
         } else {
-            log.debug("Setup keys")
+            log.debug("Set up encryption")
+        }
+        
+        let pushedCipher = pushReply.cipher
+        if let negCipher = pushedCipher {
+            log.debug("Negotiated cipher: \(negCipher.rawValue)")
         }
 
         let bridge: EncryptionBridge
         do {
             bridge = try EncryptionBridge(
-                configuration.cipher,
+                pushedCipher ?? configuration.cipher,
                 configuration.digest,
                 auth,
                 sessionId,
@@ -1042,7 +1050,7 @@ public class SessionProxy {
         negotiationKey.dataPath = DataPath(
             encrypter: bridge.encrypter(),
             decrypter: bridge.decrypter(),
-            peerId: pushReply?.peerId ?? PacketPeerIdDisabled,
+            peerId: pushReply.peerId ?? PacketPeerIdDisabled,
             compressionFraming: configuration.compressionFraming.native,
             maxPackets: link?.packetBufferSize ?? 200,
             usesReplayProtection: CoreConfiguration.usesReplayProtection