diff -Naur openvpn-2.4.1.orig/doc/openvpn.8 openvpn-2.4.1/doc/openvpn.8
|
old
|
new
|
|
| 34 | 34 | .\" .ft -- normal face |
| 35 | 35 | .\" .in +|-{n} -- indent |
| 36 | 36 | .\" |
| 37 | | .TH openvpn 8 "25 August 2016" |
| | 37 | .TH openvpn 8 "28 March 2017" |
| 38 | 38 | .\"********************************************************* |
| 39 | 39 | .SH NAME |
| 40 | 40 | openvpn \- secure IP tunnel daemon. |
| … |
… |
|
| 4919 | 4919 | packets sent and received (disabled by default). |
| 4920 | 4920 | .\"********************************************************* |
| 4921 | 4921 | .TP |
| 4922 | | .B \-\-reneg\-sec n |
| | 4922 | .B \-\-reneg\-sec n [random] |
| 4923 | 4923 | Renegotiate data channel key after |
| 4924 | 4924 | .B n |
| 4925 | 4925 | seconds (default=3600). |
| 4926 | 4926 | |
| | 4927 | If the optional |
| | 4928 | .B random |
| | 4929 | parameter is specified, a per session pseudo-random component in the range of |
| | 4930 | .B 1 ... random |
| | 4931 | is added to the |
| | 4932 | .B n |
| | 4933 | seconds above (default=0). |
| | 4934 | |
| 4927 | 4935 | When using dual-factor authentication, note that this default value may |
| 4928 | 4936 | cause the end user to be challenged to reauthorize once per hour. |
| 4929 | 4937 | |
diff -Naur openvpn-2.4.1.orig/src/openvpn/init.c openvpn-2.4.1/src/openvpn/init.c
|
old
|
new
|
|
| 2592 | 2592 | to.renegotiate_bytes = options->renegotiate_bytes; |
| 2593 | 2593 | to.renegotiate_packets = options->renegotiate_packets; |
| 2594 | 2594 | to.renegotiate_seconds = options->renegotiate_seconds; |
| | 2595 | if (options->renegotiate_seconds_random) |
| | 2596 | { |
| | 2597 | to.renegotiate_seconds += max_int((int)(get_random() % options->renegotiate_seconds_random) + 1, 1); |
| | 2598 | } |
| 2595 | 2599 | to.single_session = options->single_session; |
| 2596 | 2600 | to.mode = options->mode; |
| 2597 | 2601 | to.pull = options->pull; |
diff -Naur openvpn-2.4.1.orig/src/openvpn/options.c openvpn-2.4.1/src/openvpn/options.c
|
old
|
new
|
|
| 603 | 603 | " if no ACK from remote within n seconds (default=%d).\n" |
| 604 | 604 | "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" |
| 605 | 605 | "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n" |
| 606 | | "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n" |
| | 606 | "--reneg-sec n [r] : Renegotiate data chan. key after n seconds (default=%d)\n" |
| | 607 | " and if r is specified, add a per session pseudo-random\n" |
| | 608 | " component in the range of 1 ... r to n (default=%d).\n" |
| 607 | 609 | "--hand-window n : Data channel key exchange must finalize within n seconds\n" |
| 608 | 610 | " of handshake initiation by any peer (default=%d).\n" |
| 609 | 611 | "--tran-window n : Transition window -- old key can live this many seconds\n" |
| … |
… |
|
| 1773 | 1775 | SHOW_INT(renegotiate_bytes); |
| 1774 | 1776 | SHOW_INT(renegotiate_packets); |
| 1775 | 1777 | SHOW_INT(renegotiate_seconds); |
| | 1778 | SHOW_INT(renegotiate_seconds_random); |
| 1776 | 1779 | |
| 1777 | 1780 | SHOW_INT(handshake_window); |
| 1778 | 1781 | SHOW_INT(transition_window); |
| … |
… |
|
| 2741 | 2744 | MUST_BE_UNDEF(renegotiate_bytes); |
| 2742 | 2745 | MUST_BE_UNDEF(renegotiate_packets); |
| 2743 | 2746 | MUST_BE_UNDEF(renegotiate_seconds); |
| | 2747 | MUST_BE_UNDEF(renegotiate_seconds_random); |
| 2744 | 2748 | MUST_BE_UNDEF(handshake_window); |
| 2745 | 2749 | MUST_BE_UNDEF(transition_window); |
| 2746 | 2750 | MUST_BE_UNDEF(tls_auth_file); |
| … |
… |
|
| 4091 | 4095 | o.authname, o.ciphername, |
| 4092 | 4096 | o.replay_window, o.replay_time, |
| 4093 | 4097 | o.tls_timeout, o.renegotiate_seconds, |
| | 4098 | o.renegotiate_seconds_random, |
| 4094 | 4099 | o.handshake_window, o.transition_window); |
| 4095 | 4100 | #else /* ifdef ENABLE_CRYPTO */ |
| 4096 | 4101 | fprintf(fp, usage_message, |
| … |
… |
|
| 7983 | 7988 | VERIFY_PERMISSION(OPT_P_TLS_PARMS); |
| 7984 | 7989 | options->renegotiate_packets = positive_atoi(p[1]); |
| 7985 | 7990 | } |
| 7986 | | else if (streq(p[0], "reneg-sec") && p[1] && !p[2]) |
| | 7991 | else if (streq(p[0], "reneg-sec") && p[1] && !p[3]) |
| 7987 | 7992 | { |
| 7988 | 7993 | VERIFY_PERMISSION(OPT_P_TLS_PARMS); |
| 7989 | 7994 | options->renegotiate_seconds = positive_atoi(p[1]); |
| | 7995 | if (p[2]) |
| | 7996 | { |
| | 7997 | options->renegotiate_seconds_random = positive_atoi(p[2]); |
| | 7998 | } |
| 7990 | 7999 | } |
| 7991 | 8000 | else if (streq(p[0], "hand-window") && p[1] && !p[2]) |
| 7992 | 8001 | { |
diff -Naur openvpn-2.4.1.orig/src/openvpn/options.h openvpn-2.4.1/src/openvpn/options.h
|
old
|
new
|
|
| 545 | 545 | int renegotiate_bytes; |
| 546 | 546 | int renegotiate_packets; |
| 547 | 547 | int renegotiate_seconds; |
| | 548 | int renegotiate_seconds_random; |
| 548 | 549 | |
| 549 | 550 | /* Data channel key handshake must finalize |
| 550 | 551 | * within n seconds of handshake initiation. */ |
diff -Naur openvpn-2.4.1.orig/src/openvpn/ssl.c openvpn-2.4.1/src/openvpn/ssl.c
|
old
|
new
|
|
| 2719 | 2719 | || (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send)))) |
| 2720 | 2720 | { |
| 2721 | 2721 | msg(D_TLS_DEBUG_LOW, |
| 2722 | | "TLS: soft reset sec=%d |
| 2723 | | (int)(ks->established + session->opt->renegotiate_seconds - now), |
| | 2722 | "TLS: soft reset sec=%d/%d bytes=" counter_format "/%d pkts=" counter_format "/%d", |
| | 2723 | (int)(now - ks->established), (int)session->opt->renegotiate_seconds, |
| 2724 | 2724 | ks->n_bytes, session->opt->renegotiate_bytes, |
| 2725 | 2725 | ks->n_packets, session->opt->renegotiate_packets); |
| 2726 | 2726 | key_state_soft_reset(session); |
