This keeps naming consistent. For example, instead of id-aes128-GCM use
AES-128-GCM, which matches the style of AES-128-CBC.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-10-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11081
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -792,7 +792,7 @@ init_key_ctx (struct key_ctx *ctx, struct key *key, |
792 | 792 |
|
793 | 793 |
msg (D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", |
794 | 794 |
prefix, |
795 |
- cipher_kt_name(kt->cipher), |
|
795 |
+ translate_cipher_name_to_openvpn(cipher_kt_name(kt->cipher)), |
|
796 | 796 |
kt->cipher_length *8); |
797 | 797 |
|
798 | 798 |
dmsg (D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, |
@@ -1664,4 +1664,42 @@ get_random() |
1664 | 1664 |
return l; |
1665 | 1665 |
} |
1666 | 1666 |
|
1667 |
+static const cipher_name_pair * |
|
1668 |
+get_cipher_name_pair(const char *cipher_name) { |
|
1669 |
+ const cipher_name_pair *pair; |
|
1670 |
+ size_t i = 0; |
|
1671 |
+ |
|
1672 |
+ /* Search for a cipher name translation */ |
|
1673 |
+ for (; i < cipher_name_translation_table_count; i++) |
|
1674 |
+ { |
|
1675 |
+ pair = &cipher_name_translation_table[i]; |
|
1676 |
+ if (0 == strcmp (cipher_name, pair->openvpn_name) || |
|
1677 |
+ 0 == strcmp (cipher_name, pair->lib_name)) |
|
1678 |
+ return pair; |
|
1679 |
+ } |
|
1680 |
+ |
|
1681 |
+ /* Nothing found, return null */ |
|
1682 |
+ return NULL; |
|
1683 |
+} |
|
1684 |
+ |
|
1685 |
+const char * |
|
1686 |
+translate_cipher_name_from_openvpn (const char *cipher_name) { |
|
1687 |
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
1688 |
+ |
|
1689 |
+ if (NULL == pair) |
|
1690 |
+ return cipher_name; |
|
1691 |
+ |
|
1692 |
+ return pair->lib_name; |
|
1693 |
+} |
|
1694 |
+ |
|
1695 |
+const char * |
|
1696 |
+translate_cipher_name_to_openvpn (const char *cipher_name) { |
|
1697 |
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
1698 |
+ |
|
1699 |
+ if (NULL == pair) |
|
1700 |
+ return cipher_name; |
|
1701 |
+ |
|
1702 |
+ return pair->openvpn_name; |
|
1703 |
+} |
|
1704 |
+ |
|
1667 | 1705 |
#endif /* ENABLE_CRYPTO */ |
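Review bot: get_cipher_name_pair hands cipher_name straight to strcmp, so the two new public functions translate_cipher_name_from_openvpn and translate_cipher_name_to_openvpn acquire an undocumented non-NULL precondition; the callers this commit adds pass names obtained from the crypto library or OBJ_nid2sn, which I believe are non-NULL in practice, but nothing in the hunk enforces it. A one-line guard at the top of get_cipher_name_pair, `if (NULL == cipher_name) return NULL;`, makes both wrappers return their argument unchanged for NULL instead of faulting in strcmp, which is consistent with their existing "no translation known" behaviour. The lookup is also case-sensitive, so a name spelled differently from the table entries passes through untranslated; whether that matters depends on what the library lookup downstream accepts, which is outside this hunk, so a short comment on get_cipher_name_pair stating that only exact spellings are matched would save the next reader a trip.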
@@ -41,6 +41,16 @@ |
41 | 41 |
/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */ |
42 | 42 |
#define OPENVPN_AEAD_TAG_LENGTH 16 |
43 | 43 |
|
44 |
+/** Struct used in cipher name translation table */ |
|
45 |
+typedef struct { |
|
46 |
+ const char *openvpn_name; /**< Cipher name used by OpenVPN */ |
|
47 |
+ const char *lib_name; /**< Cipher name used by crypto library */ |
|
48 |
+} cipher_name_pair; |
|
49 |
+ |
|
50 |
+/** Cipher name translation table */ |
|
51 |
+extern const cipher_name_pair cipher_name_translation_table[]; |
|
52 |
+extern const size_t cipher_name_translation_table_count; |
|
53 |
+ |
|
44 | 54 |
/* |
45 | 55 |
* This routine should have additional OpenSSL crypto library initialisations |
46 | 56 |
* used by both crypto and ssl components of OpenVPN. |
@@ -584,4 +594,24 @@ void hmac_ctx_update (hmac_ctx_t *ctx, const uint8_t *src, int src_len); |
584 | 584 |
*/ |
585 | 585 |
void hmac_ctx_final (hmac_ctx_t *ctx, uint8_t *dst); |
586 | 586 |
|
587 |
+/** |
|
588 |
+ * Translate an OpenVPN cipher name to a crypto library cipher name. |
|
589 |
+ * |
|
590 |
+ * @param cipher_name An OpenVPN cipher name |
|
591 |
+ * |
|
592 |
+ * @return The corresponding crypto library cipher name, or NULL |
|
593 |
+ * if no matching cipher name was found. |
|
594 |
+ */ |
|
595 |
+const char * translate_cipher_name_from_openvpn (const char *cipher_name); |
|
596 |
+ |
|
597 |
+/** |
|
598 |
+ * Translate a crypto library cipher name to an OpenVPN cipher name. |
|
599 |
+ * |
|
600 |
+ * @param cipher_name A crypto library cipher name |
|
601 |
+ * |
|
602 |
+ * @return The corresponding OpenVPN cipher name, or NULL if no |
|
603 |
+ * matching cipher name was found. |
|
604 |
+ */ |
|
605 |
+const char * translate_cipher_name_to_openvpn (const char *cipher_name); |
|
606 |
+ |
|
587 | 607 |
#endif /* CRYPTO_BACKEND_H_ */ |
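Review bot: The @return text of both new prototypes says NULL is returned when no matching name is found, but the implementations in crypto.c return cipher_name itself in that case (the `if (NULL == pair) return cipher_name;` branches), and the callers in init_key_ctx, show_available_ciphers and options_string print the result with %s without a NULL check, so the code is right and the comment is wrong. Suggest `@return The corresponding crypto library cipher name, or cipher_name itself if no translation is known.` for translate_cipher_name_from_openvpn and the mirror wording for translate_cipher_name_to_openvpn; a reader trusting the current text would either add a NULL check that can never fire or rely on NULL to detect unknown ciphers. The extern count declaration introduced above also uses size_t, so confirm that a header providing it is already included earlier in this file.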
@@ -240,17 +240,14 @@ crypto_init_dmalloc (void) |
240 | 240 |
} |
241 | 241 |
#endif /* DMALLOC */ |
242 | 242 |
|
243 |
-const char * |
|
244 |
-translate_cipher_name_from_openvpn (const char *cipher_name) { |
|
245 |
- // OpenSSL doesn't require any translation |
|
246 |
- return cipher_name; |
|
247 |
-} |
|
243 |
+const cipher_name_pair cipher_name_translation_table[] = { |
|
244 |
+ { "AES-128-GCM", "id-aes128-GCM" }, |
|
245 |
+ { "AES-192-GCM", "id-aes192-GCM" }, |
|
246 |
+ { "AES-256-GCM", "id-aes256-GCM" }, |
|
247 |
+}; |
|
248 |
+const size_t cipher_name_translation_table_count = |
|
249 |
+ sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); |
|
248 | 250 |
|
249 |
-const char * |
|
250 |
-translate_cipher_name_to_openvpn (const char *cipher_name) { |
|
251 |
- // OpenSSL doesn't require any translation |
|
252 |
- return cipher_name; |
|
253 |
-} |
|
254 | 251 |
|
255 | 252 |
void |
256 | 253 |
show_available_ciphers () |
@@ -286,9 +283,9 @@ show_available_ciphers () |
286 | 286 |
const char *ssl_only = cipher_kt_mode_cbc(cipher) ? |
287 | 287 |
"" : " (TLS client/server mode)"; |
288 | 288 |
|
289 |
- printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid), |
|
290 |
- EVP_CIPHER_key_length (cipher) * 8, var_key_size, |
|
291 |
- ssl_only); |
|
289 |
+ printf ("%s %d bit default key (%s)%s\n", |
|
290 |
+ translate_cipher_name_to_openvpn(OBJ_nid2sn (nid)), |
|
291 |
+ EVP_CIPHER_key_length (cipher) * 8, var_key_size, ssl_only); |
|
292 | 292 |
} |
293 | 293 |
} |
294 | 294 |
} |
@@ -121,52 +121,15 @@ crypto_init_dmalloc (void) |
121 | 121 |
} |
122 | 122 |
#endif /* DMALLOC */ |
123 | 123 |
|
124 |
-typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair; |
|
125 |
-cipher_name_pair cipher_name_translation_table[] = { |
|
124 |
+const cipher_name_pair cipher_name_translation_table[] = { |
|
126 | 125 |
{ "BF-CBC", "BLOWFISH-CBC" }, |
127 | 126 |
{ "BF-CFB", "BLOWFISH-CFB64" }, |
128 | 127 |
{ "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" }, |
129 | 128 |
{ "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" }, |
130 | 129 |
{ "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" } |
131 | 130 |
}; |
132 |
- |
|
133 |
-const cipher_name_pair * |
|
134 |
-get_cipher_name_pair(const char *cipher_name) { |
|
135 |
- cipher_name_pair *pair; |
|
136 |
- size_t i = 0; |
|
137 |
- |
|
138 |
- /* Search for a cipher name translation */ |
|
139 |
- for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++) |
|
140 |
- { |
|
141 |
- pair = &cipher_name_translation_table[i]; |
|
142 |
- if (0 == strcmp (cipher_name, pair->openvpn_name) || |
|
143 |
- 0 == strcmp (cipher_name, pair->polarssl_name)) |
|
144 |
- return pair; |
|
145 |
- } |
|
146 |
- |
|
147 |
- /* Nothing found, return null */ |
|
148 |
- return NULL; |
|
149 |
-} |
|
150 |
- |
|
151 |
-const char * |
|
152 |
-translate_cipher_name_from_openvpn (const char *cipher_name) { |
|
153 |
- const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
154 |
- |
|
155 |
- if (NULL == pair) |
|
156 |
- return cipher_name; |
|
157 |
- |
|
158 |
- return pair->polarssl_name; |
|
159 |
-} |
|
160 |
- |
|
161 |
-const char * |
|
162 |
-translate_cipher_name_to_openvpn (const char *cipher_name) { |
|
163 |
- const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); |
|
164 |
- |
|
165 |
- if (NULL == pair) |
|
166 |
- return cipher_name; |
|
167 |
- |
|
168 |
- return pair->openvpn_name; |
|
169 |
-} |
|
131 |
+const size_t cipher_name_translation_table_count = |
|
132 |
+ sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); |
|
170 | 133 |
|
171 | 134 |
void |
172 | 135 |
show_available_ciphers () |
@@ -3039,7 +3039,8 @@ options_string (const struct options *o, |
3039 | 3039 |
o->authname, o->authname_defined, |
3040 | 3040 |
o->keysize, true, false); |
3041 | 3041 |
|
3042 |
- buf_printf (&out, ",cipher %s", cipher_kt_name (kt.cipher)); |
|
3042 |
+ buf_printf (&out, ",cipher %s", |
|
3043 |
+ translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher))); |
|
3043 | 3044 |
buf_printf (&out, ",auth %s", md_kt_name (kt.digest)); |
3044 | 3045 |
buf_printf (&out, ",keysize %d", kt.cipher_length * 8); |
3045 | 3046 |
if (o->shared_secret_file) |
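Review bot: Changing the cipher name written into the options string at the buf_printf call also changes the text that is, as far as I can tell, compared against the remote peer's options string, so a peer running a build without this patch will send the library spelling (for example id-aes128-GCM) while this side sends AES-128-GCM for the same cipher and the two strings no longer match. If that comparison only produces a warning this is tolerable, but it is a visible behavioural change for mixed-version deployments that the commit message should mention. A comment above the call, `/* normalised name; peers without name translation will report a mismatch here */`, would help the next reader understand why the translated form is used in a string exchanged with the peer. options_string continues outside this hunk.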