Refactor static/tls-auth key loading

Remove duplicate code, in preparation for adding --tls-crypt, which otherwise would have to duplicate this code again. This should be equivalent to the old code, except for two things: * The log lines for static key initialization change slightly, from "Static Encrypt/Decrypt" to "Incoming/Outgoing Static Key Encryption" * We also 'check and fix highly unlikely key problems' for tls-auth keys (boils down to a sanity-check for an all-zero key). Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1478636302-9678-2-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12969.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2016-11-08 21:18:18 +01:00 · 2016-11-08 21:18:18 +01:00 · 28c115e401
commit 28c115e401
parent 11eedcd007
3 changed files with 45 additions and 80 deletions
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@ -1103,48 +1103,45 @@ test_crypto (struct crypto_options *co, struct frame* frame)
 }

 void
-get_tls_handshake_key (const struct key_type *key_type,
-		       struct key_ctx_bi *ctx,
-		       const char *key_file,
-		       const int key_direction,
-		       const unsigned int flags)
+crypto_read_openvpn_key (const struct key_type *key_type,
+	struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
+	const int key_direction, const char *key_name, const char *opt_name)
 {
-  if (key_file)
+  struct key2 key2;
+  struct key_direction_state kds;
+  char log_prefix[128] = { 0 };
+
+  if (key_inline)
    {
-      struct key2 key2;
-      struct key_direction_state kds;
-
-      if (flags & GHK_INLINE)
-	{
-	  read_key_file (&key2, key_file, RKF_INLINE|RKF_MUST_SUCCEED);
-	}
-      else
-	{
-	  read_key_file (&key2, key_file, RKF_MUST_SUCCEED);
-	}
-
-	if (key2.n != 2)
-	  {
-	    msg (M_ERR, "Control Channel Authentication: File '%s' does not "
-		"have OpenVPN Static Key format.  Using free-form passphrase "
-		"file is not supported anymore.", key_file);
-	  }
-      /* handle key direction */
-      key_direction_state_init (&kds, key_direction);
-      must_have_n_keys (key_file, "tls-auth", &key2, kds.need_keys);
-
-      /* initialize key in both directions */
-      init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type, OPENVPN_OP_ENCRYPT,
-		    "Outgoing Control Channel Authentication");
-      init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, OPENVPN_OP_DECRYPT,
-		    "Incoming Control Channel Authentication");
-
-      CLEAR (key2);
+      read_key_file (&key2, key_inline, RKF_MUST_SUCCEED|RKF_INLINE);
    }
  else
    {
-      CLEAR (*ctx);
+      read_key_file (&key2, key_file, RKF_MUST_SUCCEED);
    }
+
+  if (key2.n != 2)
+    {
+      msg (M_ERR, "File '%s' does not have OpenVPN Static Key format.  Using "
+	   "free-form passphrase file is not supported anymore.", key_file);
+    }
+
+  /* check for and fix highly unlikely key problems */
+  verify_fix_key2 (&key2, key_type, key_file);
+
+  /* handle key direction */
+  key_direction_state_init (&kds, key_direction);
+  must_have_n_keys (key_file, opt_name, &key2, kds.need_keys);
+
+  /* initialize key in both directions */
+  openvpn_snprintf (log_prefix, sizeof (log_prefix), "Outgoing %s", key_name);
+  init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type,
+		OPENVPN_OP_ENCRYPT, log_prefix);
+  openvpn_snprintf (log_prefix, sizeof (log_prefix), "Incoming %s", key_name);
+  init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type,
+		OPENVPN_OP_DECRYPT, log_prefix);
+
+  CLEAR (key2);
 }

 /* header and footer for static key file */
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@ -465,12 +465,9 @@ void key2_print (const struct key2* k,
 		 const char* prefix0,
 		 const char* prefix1);

-#define GHK_INLINE  (1<<0)
-void get_tls_handshake_key (const struct key_type *key_type,
-			    struct key_ctx_bi *ctx,
-			    const char *passphrase_file,
-			    const int key_direction,
-			    const unsigned int flags);
+void crypto_read_openvpn_key (const struct key_type *key_type,
+	struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
+	const int key_direction, const char *key_name, const char *opt_name);

 /*
 * Inline functions
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@ -2147,33 +2147,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
 		     options->keysize, options->test_crypto, true);

      /* Read cipher and hmac keys from shared secret file */
-      {
-	unsigned int rkf_flags = RKF_MUST_SUCCEED;
-	const char *rkf_file = options->shared_secret_file;
-
-	if (options->shared_secret_file_inline)
-	  {
-	    rkf_file = options->shared_secret_file_inline;
-	    rkf_flags |= RKF_INLINE;
-	  }
-	read_key_file (&key2, rkf_file, rkf_flags);
-      }
-
-      /* Check for and fix highly unlikely key problems */
-      verify_fix_key2 (&key2, &c->c1.ks.key_type,
-		       options->shared_secret_file);
-
-      /* Initialize OpenSSL key objects */
-      key_direction_state_init (&kds, options->key_direction);
-      must_have_n_keys (options->shared_secret_file, "secret", &key2,
-			kds.need_keys);
-      init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
-		    &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt");
-      init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
-		    &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt");
-
-      /* Erase the temporary copy of key */
-      CLEAR (key2);
+      crypto_read_openvpn_key (&c->c1.ks.key_type, &c->c1.ks.static_key,
+			       options->shared_secret_file,
+			       options->shared_secret_file_inline,
+			       options->key_direction, "Static Key Encryption",
+			       "secret");
    }
  else
    {
@ -2242,15 +2220,6 @@ do_init_crypto_tls_c1 (struct context *c)
      /* TLS handshake authentication (--tls-auth) */
      if (options->tls_auth_file)
 	{
-	  unsigned int flags = 0;
-	  const char *file = options->tls_auth_file;
-
-	  if (options->tls_auth_file_inline)
-	    {
-	      flags |= GHK_INLINE;
-	      file = options->tls_auth_file_inline;
-	    }
-
 	  /* Initialize key_type for tls-auth with auth only */
 	  CLEAR (c->c1.ks.tls_auth_key_type);
 	  if (!streq (options->authname, "none"))
@ -2265,8 +2234,10 @@ do_init_crypto_tls_c1 (struct context *c)
 		  "algorithm specified ('%s')", options->authname);
 	    }

-	  get_tls_handshake_key (&c->c1.ks.tls_auth_key_type,
-	      &c->c1.ks.tls_auth_key, file, options->key_direction, flags);
+	  crypto_read_openvpn_key (&c->c1.ks.tls_auth_key_type,
+	      &c->c1.ks.tls_auth_key, options->tls_auth_file,
+	      options->tls_auth_file_inline, options->key_direction,
+	      "Control Channel Authentication", "tls-auth");
 	}

      c->c1.ciphername = options->ciphername;