From patchwork Wed Mar 24 13:01:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1661 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id uOBhHgrTW2D0BwAAIUCqbw (envelope-from ) for ; Wed, 24 Mar 2021 20:02:18 -0400 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id uEE9HgrTW2C6DQAAalYnBA (envelope-from ) for ; Wed, 24 Mar 2021 20:02:18 -0400 Received: from smtp3.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTPS id 8HADHgrTW2CebAAAgjf6aA (envelope-from ) for ; Wed, 24 Mar 2021 20:02:18 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp3.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 5c9d37de-8cfd-11eb-a110-5254006d4589-1-1 Received: from [216.105.38.7] ([216.105.38.7:37834] helo=lists.sourceforge.net) by smtp3.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id AE/72-12681-903DB506; Wed, 24 Mar 2021 20:02:18 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lPDRN-00059D-8t; Thu, 25 Mar 2021 00:01:33 +0000 Received: from [172.30.20.202] 
(helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPDRK-00058m-E8 for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 00:01:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=NQcXS/h6AlxIzIgrn23obgNRlt5SXwKC4X7eszMxd0s=; b=IdiwQv0dORkqrrtBlmj5C+qh5P DTvcYTe2jaMMK5+cOvSXb/v4gkgfVXZg0zXFkqgTWO6LpcdSpMRgTfVuouLcBZRllQKNIF6Y761dW aZDbtoEhtJeg8N2p5RBSrOLDSw8xGqZ6gTl78QRit8NKLuTOig30vbPlpoVCCLuWR/mA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=NQcXS/h6AlxIzIgrn23obgNRlt5SXwKC4X7eszMxd0s=; b=F/pHsPBFOLcAX6h3abDm2vZvRn HORIJuihNWftSfnWURNf+VRy+YNnygGhfnmrteM9YwnroBlUUAEVDUaMORzn8Vm1L586WQjD78FKz ZmwvsiOee1wtG9sakV3Fmb8+PgdPDvqAB5i4oopiE0iiMXyo3+iR72Bq6Q/5bUNWaGpI=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1lPDRH-007QLR-TX for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 00:01:30 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lPDRB-000FBR-HB for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 01:01:21 +0100 Received: 
(nullmailer pid 10375 invoked by uid 10006); Thu, 25 Mar 2021 00:01:21 -0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 Mar 2021 01:01:20 +0100
Message-Id: <20210325000121.10331-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Headers-End: 1lPDRH-007QLR-TX
Subject: [Openvpn-devel] [PATCH 1/2] Deprecate non TLS mode in OpenVPN
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

The non-TLS mode is a relic from OpenVPN 1.x or 2.0. When TLS mode was introduced, the advantages of TLS over non-TLS were small, but TLS mode evolved to include a lot more features (NCP, multipeer, AEAD ciphers, to name a few). Today VPNs that use --secret are mainly used because of their relative ease of setup and requiring to set up a PKI. This shortcoming of TLS mode should be addressed now with the peer-fingerprint option.

Signed-off-by: Arne Schwabe
---
 doc/man-sections/protocol-options.rst | 2 +-
 src/openvpn/options.c | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 01789e58..4b6928c6 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst
@@ -235,7 +235,7 @@ configured in a compatible way between both the local and remote side. disables cipher negotiation. --secret args - Enable Static Key encryption mode (non-TLS). Use pre-shared secret + **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret ``file`` which was generated with ``--genkey``. Valid syntaxes: diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e52679f0..5b559edf 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -514,7 +514,7 @@ static const char usage_message[] = "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" - "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n" + "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n" " Use shared secret file f, generate with --genkey.\n" " The optional d parameter controls key directionality.\n" " If d is specified, use separate keys for each\n" @@ -2564,6 +2564,15 @@ options_postprocess_verify_ce(const struct options *options, msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } + if (!options->tls_server || !options->tls_client) + { + msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in " + "configuration detected. OpenVPN 2.7 will remove the " + "functionality to run a VPN without TLS. " + "See the examples section in the manual page for " + "examples of a similar quick setup with peer-fingerprint."); + } + if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " 
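Review bot: the protocol-options.rst hunk marks ``--secret`` as **DEPRECATED** but tells the reader neither when the option goes away nor what replaces it, while the options_postprocess_verify_ce hunk in options.c puts both into the log message (removal in OpenVPN 2.7, quick setup with peer-fingerprint). The manual should carry the same information so that someone reading only the man page knows what to migrate to, e.g. "**DEPRECATED** (to be removed in OpenVPN 2.7; see the examples section for a similar quick setup with peer-fingerprint) Enable Static Key encryption mode (non-TLS)."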
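Review bot: the condition `if (!options->tls_server || !options->tls_client)` in the options_postprocess_verify_ce hunk is true for every configuration, because the check immediately above it enforces that only one of --tls-server, --tls-client, or --secret is set, so an ordinary TLS client (tls_server false) or TLS server (tls_client false) will also be told "DEPRECATION: No tls-client or tls-server option in configuration detected". The test that matches the message is `if (!options->tls_server && !options->tls_client)`. It is also worth reconsidering the M_INFO level: the neighbouring notices in this function (the "WARNING: POTENTIALLY DANGEROUS OPTION" context line below) use M_WARN, and a deprecation that will break configs in 2.7 should be at least as visible.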
@@ -7868,6 +7877,7 @@ add_option(struct options *options, } else if (streq(p[0], "secret") && p[1] && !p[3]) { + msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated. "); VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->shared_secret_file = p[1]; options->shared_secret_file_inline = is_inline; From patchwork Wed Mar 24 13:01:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1660 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 4E4QNAfTW2C1UAAAIUCqbw (envelope-from ) for ; Wed, 24 Mar 2021 20:02:15 -0400 Received: from proxy15.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id KPLeMwfTW2DqcAAAfY0hYg (envelope-from ) for ; Wed, 24 Mar 2021 20:02:15 -0400 Received: from smtp15.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.ord1d.rsapps.net with LMTPS id YIeUMwfTW2BaGQAAAY1PeQ (envelope-from ) for ; Wed, 24 Mar 2021 20:02:15 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp15.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 5b016e9a-8cfd-11eb-95c4-5254007ab6c8-1-1 Received: from [216.105.38.7] ([216.105.38.7:37816] helo=lists.sourceforge.net) by smtp15.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS 
(cipher=DHE-RSA-AES256-GCM-SHA384) id C5/8F-01558-703DB506; Wed, 24 Mar 2021 20:02:15 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lPDRN-000592-20; Thu, 25 Mar 2021 00:01:33 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPDRK-00058n-DT for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 00:01:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=JPNBLzUsQ+dJ5Kwq2LG98/2m9ywP0d2crUOO1BsP6UU=; b=BvqJ9ktus7doqsw49GQw6GnCil ZnfWTrd4VUpPmihBYfnFhyWdfsEcBjNL5slY/zXnBvzR8hytPIlyZwPcWNrquB0+YXoFd6Oy6qxki Di9BK4kGBnnPjuUP2ZbL/+tglw7Ak79iIPlQrDUFltZGO4TCaeM87YsId59/livbM6BY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JPNBLzUsQ+dJ5Kwq2LG98/2m9ywP0d2crUOO1BsP6UU=; b=HlB4NZsjHg66/f9C/2hHklrt/K 5YTfYZO/IwHmjh09GDbBExakzwUY+qA7YWe0caUJZeQt7k+pnPrcs+G5Cke6/fyO2QsE4O93H+eor ja4khZeaOuROzYDMsyXdzTu+p9s9x0brViKv6F3A8vQgvxx1Ldf0Jsdf0Uqlk25QFXC8=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 
1lPDRI-00073A-0v for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 00:01:30 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lPDRB-000FBU-Km for openvpn-devel@lists.sourceforge.net; Thu, 25 Mar 2021 01:01:21 +0100
Received: (nullmailer pid 10378 invoked by uid 10006); Thu, 25 Mar 2021 00:01:21 -0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 Mar 2021 01:01:21 +0100
Message-Id: <20210325000121.10331-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210325000121.10331-1-arne@rfc2549.org>
References: <20210325000121.10331-1-arne@rfc2549.org>
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Headers-End: 1lPDRI-00073A-0v
Subject: [Openvpn-devel] [PATCH 2/2] Remove deprecated option '--keysize'
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

This option has been deprecated in OpenVPN 2.4, and the ciphers that allow using this option all fall into the SWEET32 category of ciphers with a 64-bit block size.
Signed-off-by: Arne Schwabe --- config-msvc.h | 1 - configure.ac | 2 +- src/openvpn/crypto.c | 6 +----- src/openvpn/crypto.h | 4 +--- src/openvpn/crypto_openssl.c | 4 ++-- src/openvpn/init.c | 5 ++--- src/openvpn/options.c | 33 ++------------------------------- src/openvpn/options.h | 2 -- src/openvpn/ssl.c | 7 +------ 9 files changed, 10 insertions(+), 54 deletions(-) diff --git a/config-msvc.h b/config-msvc.h index e430ca96..d0aa4438 100644 --- a/config-msvc.h +++ b/config-msvc.h @@ -49,7 +49,6 @@ #define HAVE_CHSIZE 1 #define HAVE_CPP_VARARG_MACRO_ISO 1 #define HAVE_CTIME 1 -#define HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH 1 #define HAVE_IN_PKTINFO 1 #define HAVE_MEMSET 1 #define HAVE_PUTENV 1 diff --git a/configure.ac b/configure.ac index 428bebed..bd592b3f 100644 --- a/configure.ac +++ b/configure.ac @@ -881,7 +881,7 @@ if test "${with_crypto_library}" = "openssl"; then ) fi - AC_CHECK_FUNCS([SSL_CTX_new EVP_CIPHER_CTX_set_key_length], + AC_CHECK_FUNCS([SSL_CTX_new], , [AC_MSG_ERROR([openssl check failed])] ) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 3a0bfbec..b042514b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -739,7 +739,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher) */ void init_key_type(struct key_type *kt, const char *ciphername, - const char *authname, int keysize, bool tls_mode, bool warn) + const char *authname, bool tls_mode, bool warn) { bool aead_cipher = false; @@ -756,10 +756,6 @@ init_key_type(struct key_type *kt, const char *ciphername, } kt->cipher_length = cipher_kt_key_size(kt->cipher); - if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH) - { - kt->cipher_length = keysize; - } /* check legal cipher mode */ aead_cipher = cipher_kt_mode_aead(kt->cipher); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 1ad669ce..b8128c7f 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h 
@@ -301,14 +301,12 @@ int read_key(struct key *key, const struct key_type *kt, struct buffer *buf); * @param kt The struct key_type to initialize * @param ciphername The name of the cipher to use * @param authname The name of the HMAC digest to use - * @param keysize The length of the cipher key to use, in bytes. Only valid - * for ciphers that support variable length keys. * @param tls_mode Specifies whether we are running in TLS mode, which allows * more ciphers than static key mode. * @param warn Print warnings when null cipher / auth is used. */ void init_key_type(struct key_type *kt, const char *ciphername, - const char *authname, int keysize, bool tls_mode, bool warn); + const char *authname, bool tls_mode, bool warn); /* * Key context functions diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 573beaed..34decbb0 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -776,12 +776,12 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { crypto_msg(M_FATAL, "EVP cipher init #1"); } -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH + /* This serves as a check that the keylen is the correct as this fails + * when key_len and the fixed size of cipher disagree */ if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) { crypto_msg(M_FATAL, "EVP set key size"); } -#endif if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 132d47e4..336da941 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2599,7 +2599,7 @@ do_init_crypto_static(struct context *c, const unsigned int flags) { /* Get cipher & hash algorithms */ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, - options->keysize, options->test_crypto, true); + options->test_crypto, true); /* Read cipher and hmac keys from shared secret file */ crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key, 
@@ -2751,7 +2751,7 @@ do_init_crypto_tls_c1(struct context *c) || options->enable_ncp_fallback; /* Get cipher & hash algorithms */ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, - options->keysize, true, warn); + true, warn); /* Initialize PRNG with config-specified digest */ prng_init(options->prng_hash, options->prng_nonce_secret_len); @@ -4515,7 +4515,6 @@ inherit_context_child(struct context *dest, /* inherit pre-NCP ciphers */ dest->options.ciphername = src->options.ciphername; dest->options.authname = src->options.authname; - dest->options.keysize = src->options.keysize; /* inherit auth-token */ dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 5b559edf..7948f4a5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -531,10 +531,6 @@ static const char usage_message[] = "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH - "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n" - " If unspecified, defaults to cipher-specific default.\n" -#endif #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif @@ -1733,7 +1729,6 @@ show_settings(const struct options *o) SHOW_STR(authname); SHOW_STR(prng_hash); SHOW_INT(prng_nonce_secret_len); - SHOW_INT(keysize); #ifndef ENABLE_CRYPTO_MBEDTLS SHOW_BOOL(engine); #endif /* ENABLE_CRYPTO_MBEDTLS */ @@ -2540,11 +2535,6 @@ options_postprocess_verify_ce(const struct options *options, } } - if (options->keysize) - { - msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6"); - } - /* * Check consistency of replay options */ 
@@ -3619,7 +3609,6 @@ pre_pull_save(struct options *o) /* NCP related options that can be overwritten by a push */ o->pre_pull->ciphername = o->ciphername; o->pre_pull->authname = o->authname; - o->pre_pull->keysize = o->keysize; /* Ping related options should be reset to the config values on reconnect */ o->pre_pull->ping_rec_timeout = o->ping_rec_timeout; @@ -3675,7 +3664,6 @@ pre_pull_restore(struct options *o, struct gc_arena *gc) o->ciphername = pp->ciphername; o->authname = pp->authname; - o->keysize = pp->keysize; o->ping_rec_timeout = pp->ping_rec_timeout; o->ping_rec_timeout_action = pp->ping_rec_timeout_action; @@ -3704,8 +3692,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) { struct frame fake_frame = *frame; struct key_type fake_kt; - init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, - false); + init_key_type(&fake_kt, o->ciphername, o->authname, true, false); frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); @@ -3876,8 +3863,7 @@ options_string(const struct options *o, + (TLS_SERVER == true) <= 1); - init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, - false); + init_key_type(&kt, o->ciphername, o->authname, true, false); /* Only announce the cipher to our peer if we are willing to * support it */ const char *ciphername = cipher_kt_name(kt.cipher); 
@@ -8087,21 +8073,6 @@ add_option(struct options *options, } } #endif /* ENABLE_CRYPTO_MBEDTLS */ -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH - else if (streq(p[0], "keysize") && p[1] && !p[2]) - { - int keysize; - - VERIFY_PERMISSION(OPT_P_NCP); - keysize = atoi(p[1]) / 8; - if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH) - { - msg(msglevel, "Bad keysize: %s", p[1]); - goto err; - } - options->keysize = keysize; - } -#endif #ifdef ENABLE_PREDICTION_RESISTANCE else if (streq(p[0], "use-prediction-resistance") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d8e91fbc..5e924e1b 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -77,7 +77,6 @@ struct options_pre_pull const char* ciphername; const char* authname; - int keysize; int ping_send_timeout; int ping_rec_timeout; @@ -521,7 +520,6 @@ struct options bool ncp_enabled; const char *ncp_ciphers; const char *authname; - int keysize; const char *prng_hash; int prng_nonce_secret_len; const char *engine; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0daf19ad..d288d207 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1874,11 +1874,6 @@ tls_session_update_crypto_params(struct tls_session *session, { msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", options->ciphername); - if (options->keysize) - { - msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default"); - options->keysize = 0; - } } else { @@ -1889,7 +1884,7 @@ tls_session_update_crypto_params(struct tls_session *session, } init_key_type(&session->opt->key_type, options->ciphername, - options->authname, options->keysize, true, true); + options->authname, true, true); bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher); session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
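Review bot: the new comment in the crypto_openssl.c hunk, "This serves as a check that the keylen is the correct as this fails when key_len and the fixed size of cipher disagree", is ungrammatical and should read "This serves as a check that key_len is correct, as the call fails when key_len and the cipher's fixed key size disagree." The comment is worth getting right because, with the `keysize` override removed from init_key_type in the crypto.c hunk, this M_FATAL path is now the only place where a mismatch between kt->cipher_length and the cipher's real key size is caught.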
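Review bot: the configure.ac hunk drops EVP_CIPHER_CTX_set_key_length from AC_CHECK_FUNCS and the config-msvc.h hunk drops HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH, while the crypto_openssl.c hunk makes the call unconditional; a crypto library build that lacks the function therefore now fails at compile time instead of silently skipping the key-length check. That is a reasonable trade, but the commit message only mentions SWEET32 and should state that the function is now a hard requirement for the OpenSSL backend.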
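Review bot: removing the `keysize` branch from add_option (options.c hunk at -8087) means a configuration that still contains `--keysize` is now rejected as an unrecognized option, whereas the check deleted from options_postprocess_verify_ce accepted it with "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6". That matches the announced plan, but the commit message and the release notes should say explicitly that --keysize has become a hard error, and it may be worth keeping a small parse-time branch that reports "option removed" with a pointer to the default key size rather than the generic unrecognized-option failure, so that operators can tell a removed option from a typo.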