Added --prng option to control PRNG (pseudo-random

number generator) parameters.  In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash.  Now any OpenSSL hash may be used.  This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 27 insertions, 1 deletions

diff --git a/init.c b/init.c
index 455712a..903fda4 100644
--- a/init.c
+++ b/init.c
@@ -401,7 +401,7 @@ init_static (void)
   /* init PRNG used for IV generation */
   /* When forking, copy this to more places in the code to avoid fork
      random-state predictability */
-  prng_init ();
+  prng_init (NULL, 0);
 #endif
 
 #ifdef PID_TEST
@@ -473,6 +473,29 @@ init_static (void)
   }
 #endif
 
+#ifdef PRNG_TEST
+  {
+    struct gc_arena gc = gc_new ();
+    uint8_t rndbuf[8];
+    int i;
+    prng_init ("sha1", 16);
+    //prng_init (NULL, 0);
+    const int factor = 1;
+    for (i = 0; i < factor * 8; ++i)
+      {
+#if 1
+	prng_bytes (rndbuf, sizeof (rndbuf));
+#else
+	ASSERT(RAND_bytes (rndbuf, sizeof (rndbuf)));
+#endif
+	printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc));
+      }
+    gc_free (&gc);
+    prng_uninit ();
+    return false;
+  }
+#endif
+
   return true;
 }
 
@@ -1634,6 +1657,9 @@ do_init_crypto_tls_c1 (struct context *c)
 		     options->ciphername_defined, options->authname,
 		     options->authname_defined, options->keysize, true, true);
 
+      /* Initialize PRNG with config-specified digest */
+      prng_init (options->prng_hash, options->prng_nonce_secret_len);
+
       /* TLS handshake authentication (--tls-auth) */
       if (options->tls_auth_file)
 	{