author | Steffan Karger <steffan@karger.me> | 2014-06-08 17:04:32 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-07-07 21:59:47 +0200 |
commit | d344820faeae987f52e574e15812c86aa5c59ae6 (patch) | |
tree | b35ae7f4fec508ec510ae08b40c39c0d47ac3908 /src | |
parent | a4b27b6481c7496f2a8705c993edfe150a3541cb (diff) | |
Improve --show-ciphers to show if a cipher can be used in static key mode
Also remove the bulky warning from init_key_type() and add the information
to the --show-ciphers output.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BAEF65.2070509@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8852
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/openvpn/crypto.c | 4 | ||||
-rw-r--r-- | src/openvpn/crypto_openssl.c | 19 |
2 files changed, 13 insertions, 10 deletions
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 2a863b9..ef2bde1 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -434,11 +434,7 @@ init_key_type (struct key_type *kt, const char *ciphername,
                 || (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher))
 #endif
                 ))
-#ifdef ENABLE_SMALL
             msg (M_FATAL, "Cipher '%s' mode not supported", ciphername);
-#else
-            msg (M_FATAL, "Cipher '%s' uses a mode not supported by " PACKAGE_NAME " in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when " PACKAGE_NAME " has been built with ALLOW_NON_CBC_CIPHERS.", ciphername);
-#endif
         }
     }
   else
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 1159299..0ac89a1 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -40,6 +40,7 @@
 #include "basic.h"
 #include "buffer.h"
 #include "integer.h"
+#include "crypto.h"
 #include "crypto_backend.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
@@ -253,7 +254,7 @@ show_available_ciphers ()
           "used as a parameter to the --cipher option. The default\n"
           "key size is shown as well as whether or not it can be\n"
           "changed with the --keysize directive. Using a CBC mode\n"
-          "is recommended.\n\n");
+          "is recommended. In static key mode only CBC mode is allowed.\n\n");
 #endif
   for (nid = 0; nid < 10000; ++nid) /* is there a better way to get the size of the nid list? */
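Review bot: With the ENABLE_SMALL/#else split removed, the only message left in the crypto.c hunk tells the user that the cipher's mode is "not supported" while the explanation of which modes work where now lives solely in --show-ciphers; a pointer to that output keeps the shorter message from leaving an operator guessing, e.g. `msg (M_FATAL, "Cipher '%s' mode not supported (see --show-ciphers)", ciphername);`. Whether a caller passes cfb_ofb_allowed false for static key mode, as the commit message implies, is not visible here. init_key_type() starts and ends outside the hunk.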
@@ -266,11 +267,17 @@ show_available_ciphers ()
               || cipher_kt_mode_ofb_cfb(cipher)
 #endif
               )
-            printf ("%s %d bit default key (%s)\n",
-                    OBJ_nid2sn (nid),
-                    EVP_CIPHER_key_length (cipher) * 8,
-                    ((EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ?
-                     "variable" : "fixed"));
+            {
+              const char *var_key_size =
+                  (EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ?
+                  "variable" : "fixed";
+              const char *ssl_only = cipher_kt_mode_ofb_cfb(cipher) ?
+                  " (TLS client/server mode)" : "";
+
+              printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid),
+                      EVP_CIPHER_key_length (cipher) * 8, var_key_size,
+                      ssl_only);
+            }
         }
     }
   printf ("\n");
|
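Review bot: The new `ssl_only` value calls cipher_kt_mode_ofb_cfb(cipher) unconditionally, whereas the filter just above only admits OFB/CFB ciphers inside a preprocessor guard (its #endif is in the hunk; the matching #ifdef, presumably ALLOW_NON_CBC_CIPHERS as named in the crypto.c hunk, is above it), so in a build without that option the suffix can never be non-empty and a reader has to work out why the call is there. A comment on the declaration would make that explicit: `/* Non-CBC modes only pass the filter above when the build allows them; they are usable in TLS mode only, so flag them. */`. The suffix text " (TLS client/server mode)" reads as a description rather than a restriction; " (TLS client/server mode only)" would match the "In static key mode only CBC mode is allowed" sentence added to the header text in the previous hunk. show_available_ciphers() starts outside the hunk.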