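/*
 * Return the authentication tag length OpenVPN uses with this cipher:
 * OPENVPN_AEAD_TAG_LENGTH for AEAD modes, 0 for everything else.
 *
 * A NULL cipher_kt is treated as "not AEAD" and yields 0, matching the
 * mbed TLS variant of this function, so callers that look up a cipher
 * that may not exist get a defined answer instead of a dereference.
 */
int
cipher_kt_tag_size(const EVP_CIPHER *cipher_kt)
{
    if (cipher_kt && cipher_kt_mode_aead(cipher_kt))
    {
        return OPENVPN_AEAD_TAG_LENGTH;
    }
    return 0;
}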
/*
 * Print every cipher OpenSSL registers that OpenVPN is willing to use,
 * sorted by name.  Ciphers that cipher_kt_insecure() flags (per the text
 * below: block size under 128 bits) are moved into a separate, second
 * section so they are visibly marked as deprecated.
 *
 * Candidates are collected into a fixed-size stack table; collection stops
 * with a warning as soon as the table is full so it can never be overrun.
 */
void
show_available_ciphers(void)
{
    /* If we ever exceed this, we must be more selective */
    enum { MAX_LISTED = 1000, NID_SCAN_LIMIT = 10000 };
    const EVP_CIPHER *listed[MAX_LISTED];
    size_t listed_count = 0;
    size_t idx;
    int nid;

#ifndef ENABLE_SMALL
    printf("The following ciphers and cipher modes are available for use\n"
           "with " PACKAGE_NAME ". Each cipher shown below may be use as a\n"
           "parameter to the --cipher option. The default key size is\n"
           "shown as well as whether or not it can be changed with the\n"
           "--keysize directive. Using a CBC or GCM mode is recommended.\n"
           "In static key mode only CBC mode is allowed.\n\n");
#endif

    /* NID_SCAN_LIMIT is a heuristic upper bound on the NID space, not an
     * OpenSSL API constant; NIDs with no cipher simply return NULL. */
    for (nid = 0; nid < NID_SCAN_LIMIT; ++nid)
    {
        const EVP_CIPHER *candidate = EVP_get_cipherbynid(nid);
        int usable = 0;

        if (candidate)
        {
            usable = cipher_kt_mode_cbc(candidate)
#ifdef ENABLE_OFB_CFB_MODE
                     || cipher_kt_mode_ofb_cfb(candidate)
#endif
#ifdef HAVE_AEAD_CIPHER_MODES
                     || cipher_kt_mode_aead(candidate)
#endif
                     ;
        }
        if (usable)
        {
            listed[listed_count++] = candidate;
        }
        /* Stop scanning (and say so) rather than write past the table. */
        if (listed_count == MAX_LISTED)
        {
            msg(M_WARN, "WARNING: Too many ciphers, not showing all");
            break;
        }
    }

    qsort(listed, listed_count, sizeof(*listed), cipher_name_cmp);

    /* First section: everything not flagged insecure. */
    for (idx = 0; idx < listed_count; idx++)
    {
        if (cipher_kt_insecure(listed[idx]))
        {
            continue;
        }
        print_cipher(listed[idx]);
    }

    printf("\nThe following ciphers have a block size of less than 128 bits, \n"
           "and are therefore deprecated. Do not use unless you have to.\n\n");

    /* Second section: only the flagged (small-block) ciphers. */
    for (idx = 0; idx < listed_count; idx++)
    {
        if (cipher_kt_insecure(listed[idx]))
        {
            print_cipher(listed[idx]);
        }
    }
    printf("\n");
}
/*
 * Return the authentication tag length OpenVPN uses with this cipher:
 * OPENVPN_AEAD_TAG_LENGTH when AEAD modes are compiled in and cipher_kt
 * is an AEAD cipher, otherwise 0.  A NULL cipher_kt always yields 0.
 */
int
cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt)
{
    int tag_len = 0;

#ifdef HAVE_AEAD_CIPHER_MODES
    /* Without AEAD support there is nothing to check: the answer is 0. */
    if (cipher_kt != NULL && cipher_kt_mode_aead(cipher_kt))
    {
        tag_len = OPENVPN_AEAD_TAG_LENGTH;
    }
#endif

    return tag_len;
}
/*
 * Print one listing line for a cipher: name, default key size in bits and
 * block size in bits.  Ciphers that are neither CBC nor (when compiled in)
 * AEAD are silently skipped, as is a NULL info.  Non-CBC ciphers are marked
 * as usable only in TLS client/server mode.
 */
static void
print_cipher(const cipher_kt_t *info)
{
    const char *mode_note;
    const char *key_note;

    if (!info)
    {
        return;
    }
    if (!(cipher_kt_mode_cbc(info)
#ifdef HAVE_AEAD_CIPHER_MODES
          || cipher_kt_mode_aead(info)
#endif
          ))
    {
        return;
    }

    /* Only CBC is offered outside TLS client/server mode. */
    mode_note = cipher_kt_mode_cbc(info) ? "" : ", TLS client/server mode only";
    /* " by default" is appended when the key length is variable. */
    key_note = (info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) ? " by default" : "";

    printf("%s (%d bit key%s, %d bit block%s)\n",
           cipher_kt_name(info),
           cipher_kt_key_size(info) * 8,
           key_note,
           cipher_kt_block_size(info) * 8,
           mode_note);
}
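/*
 * Print every cipher OpenSSL registers that OpenVPN is willing to use, one
 * line each with the default key length in bits and whether that length is
 * variable or fixed.  Non-CBC modes are marked as usable only in TLS
 * client/server mode.
 *
 * The prototype is now `(void)`: an empty parameter list in a definition
 * declares a function with unspecified parameters, which defeats argument
 * checking at call sites and differs from the `(void)` form used elsewhere.
 */
void
show_available_ciphers(void)
{
    /* Heuristic upper bound on the NID space; OpenSSL exposes no API
     * constant for the size of the NID list.  NIDs with no cipher simply
     * return NULL and are skipped. */
    enum { NID_SCAN_LIMIT = 10000 };
    int nid;

#ifndef ENABLE_SMALL
    printf("The following ciphers and cipher modes are available for use\n"
           "with " PACKAGE_NAME ". Each cipher shown below may be use as a\n"
           "parameter to the --cipher option. The default key size is\n"
           "shown as well as whether or not it can be changed with the\n"
           "--keysize directive. Using a CBC or GCM mode is recommended.\n"
           "In static key mode only CBC mode is allowed.\n\n");
#endif

    for (nid = 0; nid < NID_SCAN_LIMIT; ++nid)
    {
        const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
        const char *var_key_size;
        const char *ssl_only;

        if (!cipher)
        {
            continue;
        }
        /* Only the modes OpenVPN supports are listed. */
        if (!(cipher_kt_mode_cbc(cipher)
#ifdef ENABLE_OFB_CFB_MODE
              || cipher_kt_mode_ofb_cfb(cipher)
#endif
#ifdef HAVE_AEAD_CIPHER_MODES
              || cipher_kt_mode_aead(cipher)
#endif
              ))
        {
            continue;
        }

        var_key_size = (EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH)
                       ? "variable" : "fixed";
        /* Only CBC is offered outside TLS client/server mode. */
        ssl_only = cipher_kt_mode_cbc(cipher) ? "" : " (TLS client/server mode)";

        printf("%s %d bit default key (%s)%s\n",
               translate_cipher_name_to_openvpn(OBJ_nid2sn(nid)),
               EVP_CIPHER_key_length(cipher) * 8,
               var_key_size,
               ssl_only);
    }
    printf("\n");
}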