upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Refactor static/tls-auth key loading

Browse source 
Remove duplicate code, in preparation for adding --tls-crypt, which
otherwise would have to duplicate this code again.

This should be equivalent to the old code, except for two things:
* The log lines for static key initialization change slightly, from
  "Static Encrypt/Decrypt" to "Incoming/Outgoing Static Key Encryption"
* We also 'check and fix highly unlikely key problems' for tls-auth
  keys (boils down to a sanity-check for an all-zero key).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1478636302-9678-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12969.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Steffan Karger 2016-11-08 21:18:18 +01:00 committed by Gert Doering
parent 11eedcd007
commit 28c115e401
3 changed files with 45 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

69
src/openvpn/crypto.c
View file

@ -1103,48 +1103,45 @@ test_crypto (struct crypto_options *co, struct frame* frame)
} }
void void
get_tls_handshake_key (const struct key_type *key_type, crypto_read_openvpn_key (const struct key_type *key_type,
struct key_ctx_bi *ctx, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
const char *key_file, const int key_direction, const char *key_name, const char *opt_name)
const int key_direction,
const unsigned int flags)
{ {
if (key_file) struct key2 key2;
struct key_direction_state kds;
char log_prefix[128] = { 0 };
if (key_inline)
{ {
struct key2 key2; read_key_file (&key2, key_inline, RKF_MUST_SUCCEED|RKF_INLINE);
struct key_direction_state kds;
if (flags & GHK_INLINE)
{
read_key_file (&key2, key_file, RKF_INLINE|RKF_MUST_SUCCEED);
}
else
{
read_key_file (&key2, key_file, RKF_MUST_SUCCEED);
}
if (key2.n != 2)
{
msg (M_ERR, "Control Channel Authentication: File '%s' does not "
"have OpenVPN Static Key format. Using free-form passphrase "
"file is not supported anymore.", key_file);
}
/* handle key direction */
key_direction_state_init (&kds, key_direction);
must_have_n_keys (key_file, "tls-auth", &key2, kds.need_keys);
/* initialize key in both directions */
init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type, OPENVPN_OP_ENCRYPT,
"Outgoing Control Channel Authentication");
init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, OPENVPN_OP_DECRYPT,
"Incoming Control Channel Authentication");
CLEAR (key2);
} }
else else
{ {
CLEAR (*ctx); read_key_file (&key2, key_file, RKF_MUST_SUCCEED);
} }
if (key2.n != 2)
{
msg (M_ERR, "File '%s' does not have OpenVPN Static Key format. Using "
"free-form passphrase file is not supported anymore.", key_file);
}
/* check for and fix highly unlikely key problems */
verify_fix_key2 (&key2, key_type, key_file);
/* handle key direction */
key_direction_state_init (&kds, key_direction);
must_have_n_keys (key_file, opt_name, &key2, kds.need_keys);
/* initialize key in both directions */
openvpn_snprintf (log_prefix, sizeof (log_prefix), "Outgoing %s", key_name);
init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type,
OPENVPN_OP_ENCRYPT, log_prefix);
openvpn_snprintf (log_prefix, sizeof (log_prefix), "Incoming %s", key_name);
init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type,
OPENVPN_OP_DECRYPT, log_prefix);
CLEAR (key2);
} }
/* header and footer for static key file */ /* header and footer for static key file */

9
src/openvpn/crypto.h
View file

@ -465,12 +465,9 @@ void key2_print (const struct key2* k,
const char* prefix0, const char* prefix0,
const char* prefix1); const char* prefix1);
#define GHK_INLINE (1<<0) void crypto_read_openvpn_key (const struct key_type *key_type,
void get_tls_handshake_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
struct key_ctx_bi *ctx, const int key_direction, const char *key_name, const char *opt_name);
const char *passphrase_file,
const int key_direction,
const unsigned int flags);
/* /*
* Inline functions * Inline functions

47
src/openvpn/init.c
View file

@ -2147,33 +2147,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
options->keysize, options->test_crypto, true); options->keysize, options->test_crypto, true);
/* Read cipher and hmac keys from shared secret file */ /* Read cipher and hmac keys from shared secret file */
{ crypto_read_openvpn_key (&c->c1.ks.key_type, &c->c1.ks.static_key,
unsigned int rkf_flags = RKF_MUST_SUCCEED; options->shared_secret_file,
const char *rkf_file = options->shared_secret_file; options->shared_secret_file_inline,
options->key_direction, "Static Key Encryption",
if (options->shared_secret_file_inline) "secret");
{
rkf_file = options->shared_secret_file_inline;
rkf_flags |= RKF_INLINE;
}
read_key_file (&key2, rkf_file, rkf_flags);
}
/* Check for and fix highly unlikely key problems */
verify_fix_key2 (&key2, &c->c1.ks.key_type,
options->shared_secret_file);
/* Initialize OpenSSL key objects */
key_direction_state_init (&kds, options->key_direction);
must_have_n_keys (options->shared_secret_file, "secret", &key2,
kds.need_keys);
init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
&c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt");
init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
&c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt");
/* Erase the temporary copy of key */
CLEAR (key2);
} }
else else
{ {
@ -2242,15 +2220,6 @@ do_init_crypto_tls_c1 (struct context *c)
/* TLS handshake authentication (--tls-auth) */ /* TLS handshake authentication (--tls-auth) */
if (options->tls_auth_file) if (options->tls_auth_file)
{ {
unsigned int flags = 0;
const char *file = options->tls_auth_file;
if (options->tls_auth_file_inline)
{
flags |= GHK_INLINE;
file = options->tls_auth_file_inline;
}
/* Initialize key_type for tls-auth with auth only */ /* Initialize key_type for tls-auth with auth only */
CLEAR (c->c1.ks.tls_auth_key_type); CLEAR (c->c1.ks.tls_auth_key_type);
if (!streq (options->authname, "none")) if (!streq (options->authname, "none"))
@ -2265,8 +2234,10 @@ do_init_crypto_tls_c1 (struct context *c)
"algorithm specified ('%s')", options->authname); "algorithm specified ('%s')", options->authname);
} }
get_tls_handshake_key (&c->c1.ks.tls_auth_key_type, crypto_read_openvpn_key (&c->c1.ks.tls_auth_key_type,
&c->c1.ks.tls_auth_key, file, options->key_direction, flags); &c->c1.ks.tls_auth_key, options->tls_auth_file,
options->tls_auth_file_inline, options->key_direction,
"Control Channel Authentication", "tls-auth");
} }
c->c1.ciphername = options->ciphername; c->c1.ciphername = options->ciphername;