Also remove the bulky warning from init_key_type() and add the information
to the --show-ciphers output.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BAEF65.2070509@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8852
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -434,11 +434,7 @@ init_key_type (struct key_type *kt, const char *ciphername, |
434 | 434 |
|| (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher)) |
435 | 435 |
#endif |
436 | 436 |
)) |
437 |
-#ifdef ENABLE_SMALL |
|
438 | 437 |
msg (M_FATAL, "Cipher '%s' mode not supported", ciphername); |
439 |
-#else |
|
440 |
- msg (M_FATAL, "Cipher '%s' uses a mode not supported by " PACKAGE_NAME " in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when " PACKAGE_NAME " has been built with ALLOW_NON_CBC_CIPHERS.", ciphername); |
|
441 |
-#endif |
|
442 | 438 |
} |
443 | 439 |
} |
444 | 440 |
else |
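Review bot: The fatal message kept on new line 437, `msg (M_FATAL, "Cipher '%s' mode not supported", ciphername);`, no longer tells the operator which modes are accepted or where that information now lives, since the explanatory text was moved to the --show-ciphers output. Given the `cfb_ofb_allowed` term in the condition just above, the same cipher name can be rejected in one configuration and accepted in another, so a bare "mode not supported" invites the wrong diagnosis. A short pointer keeps the message small without losing the hint: `msg (M_FATAL, "Cipher '%s' mode not supported in this configuration (see --show-ciphers)", ciphername);`. The body of init_key_type begins and continues outside this hunk.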
@@ -40,6 +40,7 @@ |
40 | 40 |
#include "basic.h" |
41 | 41 |
#include "buffer.h" |
42 | 42 |
#include "integer.h" |
43 |
+#include "crypto.h" |
|
43 | 44 |
#include "crypto_backend.h" |
44 | 45 |
#include <openssl/objects.h> |
45 | 46 |
#include <openssl/evp.h> |
@@ -253,7 +254,7 @@ show_available_ciphers () |
253 | 253 |
"used as a parameter to the --cipher option. The default\n" |
254 | 254 |
"key size is shown as well as whether or not it can be\n" |
255 | 255 |
"changed with the --keysize directive. Using a CBC mode\n" |
256 |
- "is recommended.\n\n"); |
|
256 |
+ "is recommended. In static key mode only CBC mode is allowed.\n\n"); |
|
257 | 257 |
#endif |
258 | 258 |
|
259 | 259 |
for (nid = 0; nid < 10000; ++nid) /* is there a better way to get the size of the nid list? */ |
@@ -266,11 +267,17 @@ show_available_ciphers () |
266 | 266 |
|| cipher_kt_mode_ofb_cfb(cipher) |
267 | 267 |
#endif |
268 | 268 |
) |
269 |
- printf ("%s %d bit default key (%s)\n", |
|
270 |
- OBJ_nid2sn (nid), |
|
271 |
- EVP_CIPHER_key_length (cipher) * 8, |
|
272 |
- ((EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? |
|
273 |
- "variable" : "fixed")); |
|
269 |
+ { |
|
270 |
+ const char *var_key_size = |
|
271 |
+ (EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? |
|
272 |
+ "variable" : "fixed"; |
|
273 |
+ const char *ssl_only = cipher_kt_mode_ofb_cfb(cipher) ? |
|
274 |
+ " (TLS client/server mode)" : ""; |
|
275 |
+ |
|
276 |
+ printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid), |
|
277 |
+ EVP_CIPHER_key_length (cipher) * 8, var_key_size, |
|
278 |
+ ssl_only); |
|
279 |
+ } |
|
274 | 280 |
} |
275 | 281 |
} |
276 | 282 |
printf ("\n"); |