/*
 * Report the authentication tag length for a cipher.
 *
 * Returns OPENVPN_AEAD_TAG_LENGTH when cipher_kt_mode_aead() says the cipher
 * is an AEAD mode, and 0 for every other cipher (no tag is attached).
 *
 * NOTE(review): there is no NULL check on cipher_kt here; this relies on
 * cipher_kt_mode_aead() tolerating a NULL argument -- confirm against its
 * definition before calling with an unresolved cipher.
 */
int
cipher_kt_tag_size (const EVP_CIPHER *cipher_kt)
{
  return cipher_kt_mode_aead(cipher_kt) ? OPENVPN_AEAD_TAG_LENGTH : 0;
}
示例#2
/*
 * Print the ciphers that may be passed to --cipher.
 *
 * The OpenSSL NID space is probed from 0 to 9999; every cipher that resolves
 * and is in a supported mode (CBC, plus OFB/CFB and AEAD when those are
 * compiled in) is collected, ordered with cipher_name_cmp, and printed in two
 * groups: first the ciphers for which cipher_kt_insecure() is false, then,
 * under a deprecation banner, the ones for which it is true.  The banner text
 * ties that flag to a block size below 128 bits, so operators reading the
 * output should treat the second group as legacy-only choices.
 */
void
show_available_ciphers(void)
{
    /* Fixed-capacity scratch list; collection stops as soon as it is full,
     * so the array is never written past its end. */
    const EVP_CIPHER *cipher_list[1000];
    const size_t capacity = sizeof(cipher_list) / sizeof(cipher_list[0]);
    size_t num_ciphers = 0;
    size_t idx;
    int nid;

#ifndef ENABLE_SMALL
    printf("The following ciphers and cipher modes are available for use\n"
           "with " PACKAGE_NAME ".  Each cipher shown below may be use as a\n"
           "parameter to the --cipher option.  The default key size is\n"
           "shown as well as whether or not it can be changed with the\n"
           "--keysize directive.  Using a CBC or GCM mode is recommended.\n"
           "In static key mode only CBC mode is allowed.\n\n");
#endif

    /* Ciphers whose NID is 10000 or above are never probed. */
    for (nid = 0; nid < 10000; ++nid)
    {
        const EVP_CIPHER *candidate = EVP_get_cipherbynid(nid);
        int usable;

        if (!candidate)
        {
            continue;
        }

        usable = cipher_kt_mode_cbc(candidate) ? 1 : 0;
#ifdef ENABLE_OFB_CFB_MODE
        usable = usable || cipher_kt_mode_ofb_cfb(candidate);
#endif
#ifdef HAVE_AEAD_CIPHER_MODES
        usable = usable || cipher_kt_mode_aead(candidate);
#endif
        if (!usable)
        {
            continue;
        }

        cipher_list[num_ciphers++] = candidate;

        /* The list can only become full right after an append.  The warning
         * fires when the last slot is taken, whether or not more ciphers
         * would have followed. */
        if (num_ciphers == capacity)
        {
            msg(M_WARN, "WARNING: Too many ciphers, not showing all");
            break;
        }
    }

    qsort(cipher_list, num_ciphers, sizeof(cipher_list[0]), cipher_name_cmp);

    /* First pass: everything not flagged by cipher_kt_insecure(). */
    for (idx = 0; idx < num_ciphers; idx++)
    {
        if (cipher_kt_insecure(cipher_list[idx]))
        {
            continue;
        }
        print_cipher(cipher_list[idx]);
    }

    printf("\nThe following ciphers have a block size of less than 128 bits, \n"
           "and are therefore deprecated.  Do not use unless you have to.\n\n");

    /* Second pass: the flagged ciphers, listed under the banner above. */
    for (idx = 0; idx < num_ciphers; idx++)
    {
        if (!cipher_kt_insecure(cipher_list[idx]))
        {
            continue;
        }
        print_cipher(cipher_list[idx]);
    }
    printf("\n");
}
示例#3
/*
 * Report the authentication tag length for an mbed TLS cipher.
 *
 * When AEAD support is compiled in (HAVE_AEAD_CIPHER_MODES) and the cipher is
 * non-NULL and in an AEAD mode, the result is OPENVPN_AEAD_TAG_LENGTH.  In
 * every other case -- NULL cipher, non-AEAD mode, or AEAD support compiled
 * out -- the result is 0.
 */
int
cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt)
{
    int tag_len = 0;

#ifdef HAVE_AEAD_CIPHER_MODES
    /* The NULL test comes first so the mode query never sees a NULL cipher. */
    tag_len = (cipher_kt && cipher_kt_mode_aead(cipher_kt))
              ? OPENVPN_AEAD_TAG_LENGTH : 0;
#endif

    return tag_len;
}
示例#4
/*
 * Print one line describing a cipher: name, key size in bits, block size in
 * bits, and two optional annotations.
 *
 * Nothing is printed for a NULL cipher or for a cipher that is neither CBC
 * nor (when HAVE_AEAD_CIPHER_MODES is defined) AEAD.  Non-CBC ciphers are
 * annotated as usable in TLS client/server mode only, and ciphers carrying
 * MBEDTLS_CIPHER_VARIABLE_KEY_LEN have their key size marked " by default".
 */
static void
print_cipher(const cipher_kt_t *info)
{
    const char *mode_note;
    const char *key_note;
    int listable;

    if (!info)
    {
        return;
    }

    listable = cipher_kt_mode_cbc(info) ? 1 : 0;
#ifdef HAVE_AEAD_CIPHER_MODES
    listable = listable || cipher_kt_mode_aead(info);
#endif
    if (!listable)
    {
        return;
    }

    /* Anything that got this far without being CBC is flagged as TLS-only. */
    if (cipher_kt_mode_cbc(info))
    {
        mode_note = "";
    }
    else
    {
        mode_note = ", TLS client/server mode only";
    }

    if (info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN)
    {
        key_note = " by default";
    }
    else
    {
        key_note = "";
    }

    /* Sizes from the cipher_kt_* helpers are multiplied by 8 to print bits. */
    printf("%s  (%d bit key%s, %d bit block%s)\n",
           cipher_kt_name(info),
           cipher_kt_key_size(info) * 8,
           key_note,
           cipher_kt_block_size(info) * 8,
           mode_note);
}
/*
 * Print the ciphers that may be passed to --cipher (unsorted variant).
 *
 * Every NID from 0 to 9999 is looked up with EVP_get_cipherbynid(); each
 * cipher that resolves and is in a supported mode (CBC, plus OFB/CFB and AEAD
 * when compiled in) is printed immediately with its default key length in
 * bits, whether that length is variable or fixed, and a TLS-only marker for
 * non-CBC modes.  This variant prints in NID order and does not separate out
 * deprecated ciphers.
 */
void
show_available_ciphers ()
{
  int nid;

#ifndef ENABLE_SMALL
  printf ("The following ciphers and cipher modes are available for use\n"
          "with " PACKAGE_NAME ".  Each cipher shown below may be use as a\n"
          "parameter to the --cipher option.  The default key size is\n"
          "shown as well as whether or not it can be changed with the\n"
          "--keysize directive.  Using a CBC or GCM mode is recommended.\n"
          "In static key mode only CBC mode is allowed.\n\n");
#endif

  /* is there a better way to get the size of the nid list?  The bound is a
   * guess: a cipher with a NID of 10000 or more would not be listed. */
  for (nid = 0; nid < 10000; ++nid)
    {
      const EVP_CIPHER *candidate = EVP_get_cipherbynid (nid);
      const char *key_kind;
      const char *mode_note;
      int usable;

      if (!candidate)
        continue;

      usable = cipher_kt_mode_cbc(candidate) ? 1 : 0;
#ifdef ENABLE_OFB_CFB_MODE
      usable = usable || cipher_kt_mode_ofb_cfb(candidate);
#endif
#ifdef HAVE_AEAD_CIPHER_MODES
      usable = usable || cipher_kt_mode_aead(candidate);
#endif
      if (!usable)
        continue;

      if (EVP_CIPHER_flags (candidate) & EVP_CIPH_VARIABLE_LENGTH)
        key_kind = "variable";
      else
        key_kind = "fixed";

      /* Non-CBC modes are marked as TLS client/server mode only. */
      if (cipher_kt_mode_cbc(candidate))
        mode_note = "";
      else
        mode_note = " (TLS client/server mode)";

      printf ("%s %d bit default key (%s)%s\n",
              translate_cipher_name_to_openvpn(OBJ_nid2sn (nid)),
              EVP_CIPHER_key_length (candidate) * 8,
              key_kind,
              mode_note);
    }
  printf ("\n");
}