Remove cipher_kt_var_key_size and remaining --keysize documentation

Remove --keysize from the manual page and also remove mentioning
variable key size in output of ciphers as there is no longer a way to
change the keysize.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23275.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 7095b6f4d11bb829582b9b6dc273cab9a4977665..f4be6f984748b758fe6da4173d7c96a789040407 100644 (file)
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -183,17 +183,6 @@ configured in a compatible way between both the local and remote side.
   ``--tls-auth`` and ``--secret`` options. Useful when using inline files
   (See section on inline files).
 
---keysize n
-  **DEPRECATED** This option will be removed in OpenVPN 2.6.
-
-  Size of cipher key in bits (optional). If unspecified, defaults to
-  cipher-specific default. The ``--show-ciphers`` option (see below) shows
-  all available OpenSSL ciphers, their default key sizes, and whether the
-  key size can be changed. Use care in changing a cipher's default key
-  size. Many ciphers have not been extensively cryptanalyzed with
-  non-standard key lengths, and a larger key may offer no real guarantee
-  of greater security, or may even reduce security.
-
 --data-ciphers cipher-list
   Restrict the allowed ciphers to be negotiated to the ciphers in
   ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 270d83c5646468e980c7475eba00cae973ff6066..e5bfcd1a6dc8b661165443b53af01adeb6c45977 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1638,12 +1638,9 @@ get_random(void)
 void
 print_cipher(const cipher_kt_t *cipher)
 {
-    const char *var_key_size = cipher_kt_var_key_size(cipher) ?
-                               " by default" : "";
-
-    printf("%s  (%d bit key%s, ",
+    printf("%s  (%d bit key, ",
            cipher_kt_name(cipher),
-           cipher_kt_key_size(cipher) * 8, var_key_size);
+           cipher_kt_key_size(cipher) * 8);
 
     if (cipher_kt_block_size(cipher) == 1)
     {

diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index 758ab1b406ddda8bdec730ea799d8a2e6088a5cc..b2e9eceab616c988537d550798887aef07aa6070 100644 (file)
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -149,10 +149,4 @@ mbed_log_func_line_lite(unsigned int flags, int errval,
 #define mbed_ok(errval) \
     mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
 
-static inline bool
-cipher_kt_var_key_size(const cipher_kt_t *cipher)
-{
-    return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
-}
-
 #endif /* CRYPTO_MBEDTLS_H_ */

diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 446f085082c8096768285a44c7485a1568834a9d..6eb16a906e2f20d3648ce45d478ec12232f77e89 100644 (file)
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -114,12 +114,6 @@ void crypto_print_openssl_errors(const unsigned int flags);
         msg((flags), __VA_ARGS__); \
     } while (false)
 
-static inline bool
-cipher_kt_var_key_size(const cipher_kt_t *cipher)
-{
-    return EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH;
-}
-
 /**
  * Load a key file from an engine
  *