Added --prng option to control PRNG (pseudo-random

number generator) parameters.  In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash.  Now any OpenSSL hash may be used.  This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 15 insertions, 0 deletions

diff --git a/openvpn.8 b/openvpn.8
index c45f839..bbec354 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -3616,6 +3616,21 @@ larger key may offer no real guarantee of greater
 security, or may even reduce security.
 .\"*********************************************************
 .TP
+.B --prng alg [nsl]
+(Advanced) For PRNG (Pseudo-random number generator),
+use digest algorithm
+.B alg
+(default=sha1), and set
+.B nsl
+(default=16)
+to the size in bytes of the nonce secret length (between 16 and 64).
+
+Set
+.B alg=none
+to disable the PRNG and use the OpenSSL RAND_bytes function
+instead for all of OpenVPN's pseudo-random number needs.
+.\"*********************************************************
+.TP
 .B --engine [engine-name]
 Enable OpenSSL hardware-based crypto engine functionality.