| Message ID | 20200510140017.16837-1-a@unstable.cc |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [Openvpn-devel] tls-crypt-v2: fix testing of inline key | expand |
On 10/05/2020 16:00, Antonio Quartulli wrote: > The inline logic was recently changed by commit > ("convert *_inline attributes to bool"), however the code testing a > newly created tls-crypt-v2 client key was not adapted. > > Adapt tls-crypt-v2 test routine by properly signaling when the passed > key is inlined or not. > > Signed-off-by: Antonio Quartulli <a@unstable.cc> > --- > src/openvpn/tls_crypt.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > index 484d4d46..a3894d66 100644 > --- a/src/openvpn/tls_crypt.c > +++ b/src/openvpn/tls_crypt.c > @@ -697,14 +697,14 @@ tls_crypt_v2_write_client_key_file(const char *filename, > goto cleanup; > } > > - const char *client_filename = filename; > - const char *client_inline = NULL; > + const char *client_file = filename; > + bool client_inline = false; > > if (!filename || streq(filename, "")) > { > printf("%s\n", BPTR(&client_key_pem)); > - client_filename = INLINE_FILE_TAG; > - client_inline = (const char *)BPTR(&client_key_pem); > + client_file = (const char *)BPTR(&client_key_pem); > + client_inline = true; > } > else if (!buffer_write_file(filename, &client_key_pem)) > { > @@ -717,7 +717,7 @@ tls_crypt_v2_write_client_key_file(const char *filename, > struct buffer test_wrapped_client_key; > msg(D_GENKEY, "Testing client-side key loading..."); > tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key, > - client_filename, client_inline); > + client_file, client_inline); > free_key_ctx_bi(&test_client_key); > > /* Sanity check: unwrap and load client key (as "server") */ > This looks good. Without this patch, generating tls-crypt-v2-client keys fails. -------------------------------------------------------------- $ ./src/openvpn/openvpn --tls-crypt-v2 tv2-srv --genkey tls-crypt-v2-client -----BEGIN OpenVPN tls-crypt-v2 client key----- OCvS/y1ZC/jDJ6wSkVMITJ7t5kI4XRLRikUP8TTukOtXlLHVwVbkL5Sw7cO+ChAf RcngI8Zzglk2u3fYmlsfU9W6aBouUeBxjixPamA0Yr4xg15eb30HZU2i6YPkJVIL iiSU+IlfR694fSEWM/j/+Yy3dOid6/kqUpw6Py5wpGuwMJ2ZKBYq+OQhwQ+HBZvF ftYMJ1W21wx4hWiNT4EyqlC/WYJJFsOpW67eLHQ6L61tMxrQBdSEMTfrP0vlC8lj anQMIfaDg7RHVq4oiXiTvrA7EgVJi0dra3DND/OXrtk5SyiDfJ1V2VuQ8fs6IoYf PHXXGuWYCAfBT+0A/ZQ9Agc1jtvRbyYJxkebCid5xCOV8sDSEBCP/PivP+Mysysk 3kptpJQhJx4FHf65xxvVdxio9VW2fyw5NawYdX1XFtVzro486f++8q32Ma8HtD4V ZCy39QdjK5SzNXKO3Q1Vun3IVtrCA6TMfoyHMkTYcnWkr0a4t47u9tefIJmcwmF5 iBMvKGoEQqjM+Xll9Vqi1FmW35JaQXz9gE8YXi+CC2vB3jrW07W9Xg+m9E6qhxv7 x3wTWRvHDeGaCJlQOO3QVClQMcsryLmBe7Dev8ido54JEAGVHkf0kfC/7E+yFgDq PMFg99QKQph2HlLS8NOUg5RTgRGkg0VWj+paaOQ7Vej77io9M/1yR4TtyDxovfgN AZFUlRNuCd7sGHDmwHKA0giaAgvfDpCodQEr -----END OpenVPN tls-crypt-v2 client key----- Mon May 11 14:16:24 2020 crypto_pem_decode: PEM decode failed Mon May 11 14:16:24 2020 ERROR: OpenVPN tls-crypt-v2 client key pem decode failed Mon May 11 14:16:24 2020 ERROR: invalid tls-crypt-v2 client key format Mon May 11 14:16:24 2020 Exiting due to fatal error -------------------------------------------------------------- With this patch, the error messages below the generated key is gone. And since the code changes are not surprising, this is good to go. Acked-by: David Sommerseth <davids@openvpn.net>
Your patch has been applied to the master branch.
David beat me with the ACK - I had just advanced through my daily interrupt
load enough to be able to reproduce the problem ("testing the patch next!")
when the ACK arrived. Thanks anyway :-))
JFTR, after having created a tls-crypt-v2 server-key (in /tmp/s.key)
$ ./openvpn --tls-crypt-v2 /tmp/s.key --genkey tls-crypt-v2-client
this command ("print to stdout") fails without the patch at hand, while
it nicely works with the patch. So, functionality confirmed.
We need some sort of test framework for the tls-crypt(-v2) and/or inline
blob handling.
commit d7e26a34319495e39b8e23a5717304d28a417c30
Author: Antonio Quartulli
Date: Sun May 10 16:00:17 2020 +0200
tls-crypt-v2: fix testing of inline key
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200510140017.16837-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19870.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 484d4d46..a3894d66 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -697,14 +697,14 @@ tls_crypt_v2_write_client_key_file(const char *filename, goto cleanup; } - const char *client_filename = filename; - const char *client_inline = NULL; + const char *client_file = filename; + bool client_inline = false; if (!filename || streq(filename, "")) { printf("%s\n", BPTR(&client_key_pem)); - client_filename = INLINE_FILE_TAG; - client_inline = (const char *)BPTR(&client_key_pem); + client_file = (const char *)BPTR(&client_key_pem); + client_inline = true; } else if (!buffer_write_file(filename, &client_key_pem)) { @@ -717,7 +717,7 @@ tls_crypt_v2_write_client_key_file(const char *filename, struct buffer test_wrapped_client_key; msg(D_GENKEY, "Testing client-side key loading..."); tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key, - client_filename, client_inline); + client_file, client_inline); free_key_ctx_bi(&test_client_key); /* Sanity check: unwrap and load client key (as "server") */
The inline logic was recently changed by commit ("convert *_inline attributes to bool"), however the code testing a newly created tls-crypt-v2 client key was not adapted. Adapt tls-crypt-v2 test routine by properly signaling when the passed key is inlined or not. Signed-off-by: Antonio Quartulli <a@unstable.cc> --- src/openvpn/tls_crypt.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)