author | Adriaan de Jong <dejong@fox-it.com> | 2012-04-02 09:28:03 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2012-04-27 23:33:27 +0200 |
commit | 0f25d2969f09ba4263dc37944e1f10405a2df461 (patch) | |
tree | 14cd353b6ed7f02b70f1b3636fa65bdde79a7518 /src/openvpn/options.c | |
parent | 6efeaa2e4462bc10f395d8aceed363c3e77b35a3 (diff) | |
Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com>
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1333351687-3732-2-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6213
Signed-off-by: David Sommerseth <davids@redhat.com>
Notes
Notes:
This patch was ACKed by James Yonan in an IRC meeting March 29, 2012.
Currently, the meeting minutes have not been made public.
(David Sommerseth, Fri Apr 27 21:36:04 UTC 2012)
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- | src/openvpn/options.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 33fcb87..019be57 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -545,6 +545,10 @@ static const char usage_message[] =
 " using file.\n"
 "--test-crypto : Run a self-test of crypto features enabled.\n"
 " For debugging only.\n"
+#ifdef ENABLE_PREDICTION_RESISTANCE
+ "--use-prediction-resistance: Enable prediction resistance on the random\n"
+ " number generator.\n"
+#endif
 #ifdef ENABLE_SSL
 "\n"
 "TLS Key Negotiation Options:\n"
@@ -837,6 +841,9 @@ init_options (struct options *o, const bool init_gc)
 o->replay_time = DEFAULT_TIME_BACKTRACK;
 o->use_iv = true;
 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
+#ifdef ENABLE_PREDICTION_RESISTANCE
+ o->use_prediction_resistance = false;
+#endif
 #ifdef ENABLE_SSL
 o->key_method = 2;
 o->tls_timeout = 2;
@@ -1581,6 +1588,9 @@ show_settings (const struct options *o)
 SHOW_STR (packet_id_file);
 SHOW_BOOL (use_iv);
 SHOW_BOOL (test_crypto);
+#ifdef ENABLE_PREDICTION_RESISTANCE
+ SHOW_BOOL (use_prediction_resistance);
+#endif
 #ifdef ENABLE_SSL
 SHOW_BOOL (tls_server);
@@ -3018,6 +3028,11 @@ options_string (const struct options *o,
 buf_printf (&out, ",no-replay");
 if (!o->use_iv)
 buf_printf (&out, ",no-iv");
+
+#ifdef ENABLE_PREDICTION_RESISTANCE
+ if (o->use_prediction_resistance)
+ buf_printf (&out, ",use-prediction-resistance");
+#endif
 }
 #ifdef ENABLE_SSL
@@ -6416,6 +6431,13 @@ add_option (struct options *options,
 options->keysize = keysize;
 }
 #endif
+#ifdef ENABLE_PREDICTION_RESISTANCE
+ else if (streq (p[0], "use-prediction-resistance"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->use_prediction_resistance = true;
+ }
+#endif
 #ifdef ENABLE_SSL
 else if (streq (p[0], "show-tls"))
 {
|
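Review bot: The help text added to usage_message in the first hunk tells the operator neither the scope nor the cost of the option: the commit message says this targets the PolarSSL random number generator, and prediction resistance in a DRBG means reseeding from the entropy source before each request, which is presumably why the default stays off. If ENABLE_PREDICTION_RESISTANCE is only defined for PolarSSL builds, as the commit message suggests, say so in the usage line, e.g. `" number generator (PolarSSL builds only; reseeds before every request).\n"`. usage_message begins before this hunk.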
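Review bot: Emitting `,use-prediction-resistance` from options_string in the fourth hunk ties a purely local RNG setting to the peer options comparison. If that string is the one exchanged and compared with the remote peer (OCC / --opt-verify), as its neighbouring entries such as `,no-iv` suggest, a peer that does not or cannot enable the option will log an options mismatch, and with --opt-verify the session would be refused even though nothing on the wire depends on how the local DRBG is reseeded. Either drop the addition from options_string or add a comment stating why a mismatch on this option is intended, e.g. `/* local RNG policy only; listed here deliberately so peers can see it */` if that is the case. options_string begins before this hunk.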