git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan@karger.me>
	Sun, 22 Jan 2017 16:04:41 +0000 (17:04 +0100)
committer	David Sommerseth <davids@openvpn.net>
	Mon, 23 Jan 2017 00:20:21 +0000 (01:20 +0100)
commit	5b48e8c9f85442936f744c3c550d9d41fe8c7b60
tree	791184dc51e757ea93127409f17f82706033471d	tree
parent	d14b3c60c7796736e07bc3cddb0ab3a58475793e	commit \| diff

Use SHA256 for the internal digest, instead of MD5

Our internal options digest uses MD5 hashes to store the state, instead of
storing the full options string. There's nothing wrong with that, but it
would still be better to use SHA256 because:
* That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
* We don't have to explain anymore that MD5 is fine too

The slightly less bytes for the digest (16 instead of 32) and operations
per connection setup are not worth sticking to MD5.

Note that might SHA256 not be available in de crypto lib, OpenVPN will
refuse to start and shout "Message hash algorithm 'SHA256' not found".

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1485101081-9784-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

src/openvpn/crypto.h		diff \| blob \| blame \| history
src/openvpn/crypto_mbedtls.h		diff \| blob \| blame \| history
src/openvpn/crypto_openssl.h		diff \| blob \| blame \| history
src/openvpn/init.c		diff \| blob \| blame \| history
src/openvpn/openvpn.h		diff \| blob \| blame \| history
src/openvpn/push.c		diff \| blob \| blame \| history