Browse code
Add cipher name translation for OpenSSL.
This keeps naming consistent. For example, instead of id-aes128-GCM use
AES-128-GCM, which is more like AES-128-CBC.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-10-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11081
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2016/02/08 04:47:17Showing 5 changed files
- src/openvpn/crypto.c
- src/openvpn/crypto_backend.h
- src/openvpn/crypto_openssl.c
- src/openvpn/crypto_polarssl.c
- src/openvpn/options.c
| ... | ... |
@@ -792,7 +792,7 @@ init_key_ctx (struct key_ctx *ctx, struct key *key, |
| 792 | 792 |
|
| 793 | 793 |
msg (D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", |
| 794 | 794 |
prefix, |
| 795 |
- cipher_kt_name(kt->cipher), |
|
| 795 |
+ translate_cipher_name_to_openvpn(cipher_kt_name(kt->cipher)), |
|
| 796 | 796 |
kt->cipher_length *8); |
| 797 | 797 |
|
| 798 | 798 |
dmsg (D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, |
| ... | ... |
@@ -1664,4 +1664,42 @@ get_random() |
| 1664 | 1664 |
return l; |
| 1665 | 1665 |
} |
| 1666 | 1666 |
|
| 1667 |
+static const cipher_name_pair * |
|
| 1668 |
+get_cipher_name_pair(const char *cipher_name) {
|
|
| 1669 |
+ const cipher_name_pair *pair; |
|
| 1670 |
+ size_t i = 0; |
|
| 1671 |
+ |
|
| 1672 |
+ /* Search for a cipher name translation */ |
|
| 1673 |
+ for (; i < cipher_name_translation_table_count; i++) |
|
| 1674 |
+ {
|
|
| 1675 |
+ pair = &cipher_name_translation_table[i]; |
|
| 1676 |
+ if (0 == strcmp (cipher_name, pair->openvpn_name) || |
|
| 1677 |
+ 0 == strcmp (cipher_name, pair->lib_name)) |
|
| 1678 |
+ return pair; |
|
| 1679 |
+ } |
|
| 1680 |
+ |
|
| 1681 |
+ /* Nothing found, return null */ |
|
| 1682 |
+ return NULL; |
|
| 1683 |
+} |
|
| 1684 |
+ |
|
| 1685 |
+const char * |
|
| 1686 |
+translate_cipher_name_from_openvpn (const char *cipher_name) {
|
|
| 1687 |
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
| 1688 |
+ |
|
| 1689 |
+ if (NULL == pair) |
|
| 1690 |
+ return cipher_name; |
|
| 1691 |
+ |
|
| 1692 |
+ return pair->lib_name; |
|
| 1693 |
+} |
|
| 1694 |
+ |
|
| 1695 |
+const char * |
|
| 1696 |
+translate_cipher_name_to_openvpn (const char *cipher_name) {
|
|
| 1697 |
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
| 1698 |
+ |
|
| 1699 |
+ if (NULL == pair) |
|
| 1700 |
+ return cipher_name; |
|
| 1701 |
+ |
|
| 1702 |
+ return pair->openvpn_name; |
|
| 1703 |
+} |
|
| 1704 |
+ |
|
| 1667 | 1705 |
#endif /* ENABLE_CRYPTO */ |
| ... | ... |
@@ -41,6 +41,16 @@ |
| 41 | 41 |
/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */ |
| 42 | 42 |
#define OPENVPN_AEAD_TAG_LENGTH 16 |
| 43 | 43 |
|
| 44 |
+/** Struct used in cipher name translation table */ |
|
| 45 |
+typedef struct {
|
|
| 46 |
+ const char *openvpn_name; /**< Cipher name used by OpenVPN */ |
|
| 47 |
+ const char *lib_name; /**< Cipher name used by crypto library */ |
|
| 48 |
+} cipher_name_pair; |
|
| 49 |
+ |
|
| 50 |
+/** Cipher name translation table */ |
|
| 51 |
+extern const cipher_name_pair cipher_name_translation_table[]; |
|
| 52 |
+extern const size_t cipher_name_translation_table_count; |
|
| 53 |
+ |
|
| 44 | 54 |
/* |
| 45 | 55 |
* This routine should have additional OpenSSL crypto library initialisations |
| 46 | 56 |
* used by both crypto and ssl components of OpenVPN. |
| ... | ... |
@@ -584,4 +594,24 @@ void hmac_ctx_update (hmac_ctx_t *ctx, const uint8_t *src, int src_len); |
| 584 | 584 |
*/ |
| 585 | 585 |
void hmac_ctx_final (hmac_ctx_t *ctx, uint8_t *dst); |
| 586 | 586 |
|
| 587 |
+/** |
|
| 588 |
+ * Translate an OpenVPN cipher name to a crypto library cipher name. |
|
| 589 |
+ * |
|
| 590 |
+ * @param cipher_name An OpenVPN cipher name |
|
| 591 |
+ * |
|
| 592 |
+ * @return The corresponding crypto library cipher name, or NULL |
|
| 593 |
+ * if no matching cipher name was found. |
|
| 594 |
+ */ |
|
| 595 |
+const char * translate_cipher_name_from_openvpn (const char *cipher_name); |
|
| 596 |
+ |
|
| 597 |
+/** |
|
| 598 |
+ * Translate a crypto library cipher name to an OpenVPN cipher name. |
|
| 599 |
+ * |
|
| 600 |
+ * @param cipher_name A crypto library cipher name |
|
| 601 |
+ * |
|
| 602 |
+ * @return The corresponding OpenVPN cipher name, or NULL if no |
|
| 603 |
+ * matching cipher name was found. |
|
| 604 |
+ */ |
|
| 605 |
+const char * translate_cipher_name_to_openvpn (const char *cipher_name); |
|
| 606 |
+ |
|
| 587 | 607 |
#endif /* CRYPTO_BACKEND_H_ */ |
| ... | ... |
@@ -240,17 +240,14 @@ crypto_init_dmalloc (void) |
| 240 | 240 |
} |
| 241 | 241 |
#endif /* DMALLOC */ |
| 242 | 242 |
|
| 243 |
-const char * |
|
| 244 |
-translate_cipher_name_from_openvpn (const char *cipher_name) {
|
|
| 245 |
- // OpenSSL doesn't require any translation |
|
| 246 |
- return cipher_name; |
|
| 247 |
-} |
|
| 243 |
+const cipher_name_pair cipher_name_translation_table[] = {
|
|
| 244 |
+ { "AES-128-GCM", "id-aes128-GCM" },
|
|
| 245 |
+ { "AES-192-GCM", "id-aes192-GCM" },
|
|
| 246 |
+ { "AES-256-GCM", "id-aes256-GCM" },
|
|
| 247 |
+}; |
|
| 248 |
+const size_t cipher_name_translation_table_count = |
|
| 249 |
+ sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); |
|
| 248 | 250 |
|
| 249 |
-const char * |
|
| 250 |
-translate_cipher_name_to_openvpn (const char *cipher_name) {
|
|
| 251 |
- // OpenSSL doesn't require any translation |
|
| 252 |
- return cipher_name; |
|
| 253 |
-} |
|
| 254 | 251 |
|
| 255 | 252 |
void |
| 256 | 253 |
show_available_ciphers () |
| ... | ... |
@@ -286,9 +283,9 @@ show_available_ciphers () |
| 286 | 286 |
const char *ssl_only = cipher_kt_mode_cbc(cipher) ? |
| 287 | 287 |
"" : " (TLS client/server mode)"; |
| 288 | 288 |
|
| 289 |
- printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid),
|
|
| 290 |
- EVP_CIPHER_key_length (cipher) * 8, var_key_size, |
|
| 291 |
- ssl_only); |
|
| 289 |
+ printf ("%s %d bit default key (%s)%s\n",
|
|
| 290 |
+ translate_cipher_name_to_openvpn(OBJ_nid2sn (nid)), |
|
| 291 |
+ EVP_CIPHER_key_length (cipher) * 8, var_key_size, ssl_only); |
|
| 292 | 292 |
} |
| 293 | 293 |
} |
| 294 | 294 |
} |
| ... | ... |
@@ -121,52 +121,15 @@ crypto_init_dmalloc (void) |
| 121 | 121 |
} |
| 122 | 122 |
#endif /* DMALLOC */ |
| 123 | 123 |
|
| 124 |
-typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair;
|
|
| 125 |
-cipher_name_pair cipher_name_translation_table[] = {
|
|
| 124 |
+const cipher_name_pair cipher_name_translation_table[] = {
|
|
| 126 | 125 |
{ "BF-CBC", "BLOWFISH-CBC" },
|
| 127 | 126 |
{ "BF-CFB", "BLOWFISH-CFB64" },
|
| 128 | 127 |
{ "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" },
|
| 129 | 128 |
{ "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" },
|
| 130 | 129 |
{ "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" }
|
| 131 | 130 |
}; |
| 132 |
- |
|
| 133 |
-const cipher_name_pair * |
|
| 134 |
-get_cipher_name_pair(const char *cipher_name) {
|
|
| 135 |
- cipher_name_pair *pair; |
|
| 136 |
- size_t i = 0; |
|
| 137 |
- |
|
| 138 |
- /* Search for a cipher name translation */ |
|
| 139 |
- for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++) |
|
| 140 |
- {
|
|
| 141 |
- pair = &cipher_name_translation_table[i]; |
|
| 142 |
- if (0 == strcmp (cipher_name, pair->openvpn_name) || |
|
| 143 |
- 0 == strcmp (cipher_name, pair->polarssl_name)) |
|
| 144 |
- return pair; |
|
| 145 |
- } |
|
| 146 |
- |
|
| 147 |
- /* Nothing found, return null */ |
|
| 148 |
- return NULL; |
|
| 149 |
-} |
|
| 150 |
- |
|
| 151 |
-const char * |
|
| 152 |
-translate_cipher_name_from_openvpn (const char *cipher_name) {
|
|
| 153 |
- const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
| 154 |
- |
|
| 155 |
- if (NULL == pair) |
|
| 156 |
- return cipher_name; |
|
| 157 |
- |
|
| 158 |
- return pair->polarssl_name; |
|
| 159 |
-} |
|
| 160 |
- |
|
| 161 |
-const char * |
|
| 162 |
-translate_cipher_name_to_openvpn (const char *cipher_name) {
|
|
| 163 |
- const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
| 164 |
- |
|
| 165 |
- if (NULL == pair) |
|
| 166 |
- return cipher_name; |
|
| 167 |
- |
|
| 168 |
- return pair->openvpn_name; |
|
| 169 |
-} |
|
| 131 |
+const size_t cipher_name_translation_table_count = |
|
| 132 |
+ sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); |
|
| 170 | 133 |
|
| 171 | 134 |
void |
| 172 | 135 |
show_available_ciphers () |
| ... | ... |
@@ -3039,7 +3039,8 @@ options_string (const struct options *o, |
| 3039 | 3039 |
o->authname, o->authname_defined, |
| 3040 | 3040 |
o->keysize, true, false); |
| 3041 | 3041 |
|
| 3042 |
- buf_printf (&out, ",cipher %s", cipher_kt_name (kt.cipher)); |
|
| 3042 |
+ buf_printf (&out, ",cipher %s", |
|
| 3043 |
+ translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher))); |
|
| 3043 | 3044 |
buf_printf (&out, ",auth %s", md_kt_name (kt.digest)); |
| 3044 | 3045 |
buf_printf (&out, ",keysize %d", kt.cipher_length * 8); |
| 3045 | 3046 |
if (o->shared_secret_file) |