diff options
| author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-11-18 01:25:05 +0000 |
|---|---|---|
| committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-11-18 01:25:05 +0000 |
| commit | 03bfb228ffd95c37e135bb9a5a37160c247e28a9 (patch) | |
| tree | 62fe17de8cce142be0749cf4a07509246b02f48b /options.c | |
| parent | Version 2.1_rc14 (diff) | |
| download | openvpn-03bfb228ffd95c37e135bb9a5a37160c247e28a9.tar.xz | |
Added --prng option to control PRNG (pseudo-random
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'options.c')
| -rw-r--r-- | options.c | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -442,6 +442,8 @@ static const char usage_message[] = "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" + "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" + " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH "--keysize n : Size of cipher key in bits (optional).\n" " If unspecified, defaults to cipher-specific default.\n" @@ -717,6 +719,8 @@ init_options (struct options *o, const bool init_gc) o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; + o->prng_hash = "SHA1"; + o->prng_nonce_secret_len = 16; o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; @@ -1272,6 +1276,8 @@ show_settings (const struct options *o) SHOW_STR (ciphername); SHOW_BOOL (authname_defined); SHOW_STR (authname); + SHOW_STR (prng_hash); + SHOW_INT (prng_nonce_secret_len); SHOW_INT (keysize); SHOW_BOOL (engine); SHOW_BOOL (replay); @@ -5158,6 +5164,28 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_CRYPTO); options->ciphername_defined = true; } + else if (streq (p[0], "prng") && p[1]) + { + VERIFY_PERMISSION (OPT_P_CRYPTO); + if (streq (p[1], "none")) + options->prng_hash = NULL; + else + options->prng_hash = p[1]; + if (p[2]) + { + const int sl = atoi (p[2]); + if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX) + { + options->prng_nonce_secret_len = sl; + } + else + { + msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d", + NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX); + goto err; + } + } + } else if (streq (p[0], "no-replay")) { VERIFY_PERMISSION (OPT_P_CRYPTO); |