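--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -34,7 +34,7 @@
 .\" .ft -- normal face
 .\" .in +|-{n} -- indent
 .\"
-.TH openvpn 8 "25 August 2016"
+.TH openvpn 8 "28 March 2017"
 .\"*********************************************************
 .SH NAME
 openvpn \- secure IP tunnel daemon.
@@ -4919,11 +4919,19 @@
 packets sent and received (disabled by default).
 .\"*********************************************************
 .TP
-.B \-\-reneg\-sec n
+.B \-\-reneg\-sec n [random]
 Renegotiate data channel key after
 .B n
 seconds (default=3600).
 
+If the optional
+.B random
+parameter is specified, a per session random component in the range of
+.B 1 ... random
+is added to the
+.B n
+seconds above (default=0).
+
 When using dual-factor authentication, note that this default value may
 cause the end user to be challenged to reauthorize once per hour.
 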
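--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2592,6 +2592,10 @@
 to.renegotiate_bytes = options->renegotiate_bytes;
 to.renegotiate_packets = options->renegotiate_packets;
 to.renegotiate_seconds = options->renegotiate_seconds;
+if (options->renegotiate_seconds_random)
+{
+to.renegotiate_seconds += (get_random() % options->renegotiate_seconds_random) + 1;
+}
 to.single_session = options->single_session;
 to.mode = options->mode;
 to.pull = options->pull;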
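Review bot: The random component at new line 2597 is added whenever renegotiate_seconds_random is non-zero, regardless of the value of renegotiate_seconds itself; if a zero `--reneg-sec` disables time-based renegotiation (the `renegotiate_seconds &&` part of the soft-reset condition lies above the visible ssl.c hunk, so I am inferring this), then `--reneg-sec 0 60` would quietly turn renegotiation back on at a 1–60 second interval instead of leaving it off. Guarding with `if (to.renegotiate_seconds && options->renegotiate_seconds_random)` or rejecting that combination during option post-processing would keep 0 meaning "disabled". The addition is also unchecked: positive_atoi appears to clamp only negatives, so an n close to INT_MAX plus the jitter overflows a signed int. A short comment above the block would help, e.g. `/* add the per-session random component 1..renegotiate_seconds_random (see --reneg-sec) */`; the enclosing function starts and ends outside the hunk.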
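--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -603,7 +603,9 @@
 " if no ACK from remote within n seconds (default=%d).\n"
 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
-"--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
+"--reneg-sec n [r] : Renegotiate data chan. key after n seconds (default=%d)\n"
+" and if r is specified, add a per session random component\n"
+" in the range of 1 ... r to n (default=%d).\n"
 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
 " of handshake initiation by any peer (default=%d).\n"
 "--tran-window n : Transition window -- old key can live this many seconds\n"
@@ -1773,6 +1775,7 @@
 SHOW_INT(renegotiate_bytes);
 SHOW_INT(renegotiate_packets);
 SHOW_INT(renegotiate_seconds);
+SHOW_INT(renegotiate_seconds_random);
 
 SHOW_INT(handshake_window);
 SHOW_INT(transition_window);
@@ -2741,6 +2744,7 @@
 MUST_BE_UNDEF(renegotiate_bytes);
 MUST_BE_UNDEF(renegotiate_packets);
 MUST_BE_UNDEF(renegotiate_seconds);
+MUST_BE_UNDEF(renegotiate_seconds_random);
 MUST_BE_UNDEF(handshake_window);
 MUST_BE_UNDEF(transition_window);
 MUST_BE_UNDEF(tls_auth_file);
@@ -4091,6 +4095,7 @@
 o.authname, o.ciphername,
 o.replay_window, o.replay_time,
 o.tls_timeout, o.renegotiate_seconds,
+o.renegotiate_seconds_random,
 o.handshake_window, o.transition_window);
 #else /* ifdef ENABLE_CRYPTO */
 fprintf(fp, usage_message,
@@ -7983,10 +7988,14 @@
 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
 options->renegotiate_packets = positive_atoi(p[1]);
 }
-else if (streq(p[0], "reneg-sec") && p[1] && !p[2])
+else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
 {
 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
 options->renegotiate_seconds = positive_atoi(p[1]);
+if (p[2])
+{
+options->renegotiate_seconds_random = positive_atoi(p[2]);
+}
 }
 else if (streq(p[0], "hand-window") && p[1] && !p[2])
 {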
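Review bot: `positive_atoi(p[2])` at new line 7997 accepts any token as the random bound; if it is the atoi-based helper its name suggests, a misspelt or non-numeric second argument such as `--reneg-sec 3600 rnd` is silently parsed as 0 and the option behaves exactly as if no jitter had been requested, with nothing in the log to show it. Since the usage text at 606–608 presents the jitter as a deliberate per-session knob, a silent no-op is worth rejecting: check that p[2] is numeric before accepting it, or at least warn when the parsed value is 0. The usage-string `%d` added at 608 and the `o.renegotiate_seconds_random` argument added at 4098 line up in order, which looks right. Every hunk's enclosing function starts and ends outside the visible lines.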
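--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -545,6 +545,7 @@
 int renegotiate_bytes;
 int renegotiate_packets;
 int renegotiate_seconds;
+int renegotiate_seconds_random;
 
 /* Data channel key handshake must finalize
 * within n seconds of handshake initiation. */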
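Review bot: The new `renegotiate_seconds_random` field at line 548 carries no comment, while the neighbouring handshake_window field just below is documented, and its meaning is not obvious from the name alone: per the init.c hunk in this commit it is the upper bound of a random amount, in seconds, added to the effective renegotiate_seconds, with 0 meaning no random component. Suggest `/* Upper bound (seconds) of the random component added to renegotiate_seconds; 0 = none. */` above the field. The struct definition starts and ends outside the hunk.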
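--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2719,8 +2719,8 @@
 || (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))))
 {
 msg(D_TLS_DEBUG_LOW,
-"TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
-(int)(ks->established + session->opt->renegotiate_seconds - now),
+"TLS: soft reset sec=%d/%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
+(int)(now - ks->established), (int)session->opt->renegotiate_seconds,
 ks->n_bytes, session->opt->renegotiate_bytes,
 ks->n_packets, session->opt->renegotiate_packets);
 key_state_soft_reset(session);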
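Review bot: The `(int)` cast on `session->opt->renegotiate_seconds` at new line 2723 is redundant if the tls_options field has the same `int` type the options struct declares in the options.h hunk; the neighbouring `renegotiate_bytes` and `renegotiate_packets` arguments are passed to `%d` without a cast, so dropping it, `(int)(now - ks->established), session->opt->renegotiate_seconds,`, would keep the three arguments consistent (I cannot see the tls_options declaration from here). Printing the limit alongside the elapsed time is the right move now that the limit varies per session, but the meaning of `sec=` changes from "seconds remaining" to "elapsed/limit", which is worth a line in the commit message for anyone matching on this log line. The enclosing function starts and ends outside the hunk.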