#define HAVE_CHDIR 1
#define HAVE_CHSIZE 1
#define HAVE_CTIME 1
-#define HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH 1
#define HAVE_IN_PKTINFO 1
#define HAVE_MEMSET 1
#define HAVE_PUTENV 1
)
fi
- AC_CHECK_FUNCS([SSL_CTX_new EVP_CIPHER_CTX_set_key_length],
+ AC_CHECK_FUNCS([SSL_CTX_new],
,
[AC_MSG_ERROR([openssl check failed])]
)
*/
void
init_key_type(struct key_type *kt, const char *ciphername,
- const char *authname, int keysize, bool tls_mode, bool warn)
+ const char *authname, bool tls_mode, bool warn)
{
bool aead_cipher = false;
}
kt->cipher_length = cipher_kt_key_size(kt->cipher);
- if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH)
- {
- kt->cipher_length = keysize;
- }
/* check legal cipher mode */
aead_cipher = cipher_kt_mode_aead(kt->cipher);
* @param kt The struct key_type to initialize
* @param ciphername The name of the cipher to use
* @param authname The name of the HMAC digest to use
- * @param keysize The length of the cipher key to use, in bytes. Only valid
- * for ciphers that support variable length keys.
* @param tls_mode Specifies whether we are running in TLS mode, which allows
* more ciphers than static key mode.
* @param warn Print warnings when null cipher / auth is used.
*/
void init_key_type(struct key_type *kt, const char *ciphername,
- const char *authname, int keysize, bool tls_mode, bool warn);
+ const char *authname, bool tls_mode, bool warn);
/*
* Key context functions
#ifndef ENABLE_SMALL
printf("The following ciphers and cipher modes are available for use\n"
"with " PACKAGE_NAME ". Each cipher shown below may be used as a\n"
- "parameter to the --data-ciphers (or --cipher) option. The\n"
- "default key size is shown as well as whether or not it can be\n"
- "changed with the --keysize directive. Using a GCM or CBC mode\n"
- "is recommended. In static key mode only CBC mode is allowed.\n\n");
+ "parameter to the --data-ciphers (or --cipher) option. In static \n"
+ "key mode only CBC mode is allowed.\n\n");
#endif
for (nid = 0; nid < 10000; ++nid)
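Review bot: The new help string on the `"In static \n"` line carries a space before the newline, so the printed output ends that line with trailing whitespace; the old text had no such gap. Suggested line: `"parameter to the --data-ciphers (or --cipher) option. In static\n"`. Since the `printf` is wrapped in `#ifndef ENABLE_SMALL`, this is only cosmetic, but it is the kind of thing a later whitespace-cleanup commit would otherwise churn on.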
{
crypto_msg(M_FATAL, "EVP cipher init #1");
}
-#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
- {
- crypto_msg(M_FATAL, "EVP set key size");
- }
-#endif
if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
{
crypto_msg(M_FATAL, "EVP cipher init #2");
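Review bot: With the `EVP_CIPHER_CTX_set_key_length` call gone, `EVP_CipherInit_ex` now consumes the cipher's default key length from `key`, so the caller-supplied `key_len` no longer influences how many bytes are read; the hunk does not show whether the function still checks that the buffer is at least that long. The enclosing function's signature and tail are outside the hunk, so this may already be covered below; if it is not, a guard after the init such as `if (EVP_CIPHER_CTX_key_length(ctx) > key_len) { crypto_msg(M_FATAL, "EVP cipher key too short"); }` keeps a short key material buffer from being over-read silently. If `key_len` is now unused entirely, it would be cleaner to drop the parameter than leave it dead.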
{
/* Get cipher & hash algorithms */
init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
- options->keysize, options->test_crypto, true);
+ options->test_crypto, true);
/* Read cipher and hmac keys from shared secret file */
crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
/* Do not warn if the if the cipher is used only in OCC */
bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
- options->keysize, true, warn);
+ true, warn);
}
/* Initialize PRNG with config-specified digest */
prng_init(options->prng_hash, options->prng_nonce_secret_len);
/* inherit pre-NCP ciphers */
dest->options.ciphername = src->options.ciphername;
dest->options.authname = src->options.authname;
- dest->options.keysize = src->options.keysize;
/* inherit auth-token */
dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
"--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
-#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
- " If unspecified, defaults to cipher-specific default.\n"
-#endif
#ifndef ENABLE_CRYPTO_MBEDTLS
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
#endif
SHOW_STR(authname);
SHOW_STR(prng_hash);
SHOW_INT(prng_nonce_secret_len);
- SHOW_INT(keysize);
#ifndef ENABLE_CRYPTO_MBEDTLS
SHOW_BOOL(engine);
#endif /* ENABLE_CRYPTO_MBEDTLS */
}
}
- if (options->keysize)
- {
- msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
- }
-
/*
* Check consistency of replay options
*/
/* NCP related options that can be overwritten by a push */
o->pre_pull->ciphername = o->ciphername;
o->pre_pull->authname = o->authname;
- o->pre_pull->keysize = o->keysize;
/* Ping related options should be reset to the config values on reconnect */
o->pre_pull->ping_rec_timeout = o->ping_rec_timeout;
o->ciphername = pp->ciphername;
o->authname = pp->authname;
- o->keysize = pp->keysize;
o->ping_rec_timeout = pp->ping_rec_timeout;
o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
}
- init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
- false);
+ init_key_type(&fake_kt, ciphername, o->authname, true, false);
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
if (strcmp(o->ciphername, "BF-CBC") == 0)
{
- init_key_type(&kt, "none", o->authname, o->keysize, true,
- false);
+ init_key_type(&kt, "none", o->authname, true, false);
keysize = 128;
}
else
{
- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
- false);
+ init_key_type(&kt, o->ciphername, o->authname, true, false);
ciphername = cipher_kt_name(kt.cipher);
keysize = kt.cipher_length * 8;
}
}
}
#endif /* ENABLE_CRYPTO_MBEDTLS */
-#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- else if (streq(p[0], "keysize") && p[1] && !p[2])
- {
- int keysize;
-
- VERIFY_PERMISSION(OPT_P_NCP);
- keysize = atoi(p[1]) / 8;
- if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
- {
- msg(msglevel, "Bad keysize: %s", p[1]);
- goto err;
- }
- options->keysize = keysize;
- }
-#endif
#ifdef ENABLE_PREDICTION_RESISTANCE
else if (streq(p[0], "use-prediction-resistance") && !p[1])
{
const char* ciphername;
const char* authname;
- int keysize;
int ping_send_timeout;
int ping_rec_timeout;
bool ncp_enabled;
const char *ncp_ciphers;
const char *authname;
- int keysize;
const char *prng_hash;
int prng_nonce_secret_len;
const char *engine;
{
msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
options->ciphername);
- if (options->keysize)
- {
- msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
- options->keysize = 0;
- }
}
else
{
}
init_key_type(&session->opt->key_type, options->ciphername,
- options->authname, options->keysize, true, true);
+ options->authname, true, true);
bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);