[Openvpn-devel] tls-crypt-v2: fix testing of inline key

Message ID 20200510140017.16837-1-a@unstable.cc
State Accepted
Headers show
Series
  • [Openvpn-devel] tls-crypt-v2: fix testing of inline key
Related show

Commit Message

Antonio Quartulli May 10, 2020, 2 p.m.
The inline logic was recently changed by commit
("convert *_inline attributes to bool"), however the code testing a
newly created tls-crypt-v2 client key was not adapted.

Adapt tls-crypt-v2 test routine by properly signaling when the passed
key is inlined or not.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/tls_crypt.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Comments

David Sommerseth May 11, 2020, 12:20 p.m. | #1
On 10/05/2020 16:00, Antonio Quartulli wrote:
> The inline logic was recently changed by commit
> ("convert *_inline attributes to bool"), however the code testing a
> newly created tls-crypt-v2 client key was not adapted.
> 
> Adapt tls-crypt-v2 test routine by properly signaling when the passed
> key is inlined or not.
> 
> Signed-off-by: Antonio Quartulli <a@unstable.cc>
> ---
>  src/openvpn/tls_crypt.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 484d4d46..a3894d66 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -697,14 +697,14 @@ tls_crypt_v2_write_client_key_file(const char *filename,
>          goto cleanup;
>      }
>  
> -    const char *client_filename = filename;
> -    const char *client_inline = NULL;
> +    const char *client_file = filename;
> +    bool client_inline = false;
>  
>      if (!filename || streq(filename, ""))
>      {
>          printf("%s\n", BPTR(&client_key_pem));
> -        client_filename = INLINE_FILE_TAG;
> -        client_inline = (const char *)BPTR(&client_key_pem);
> +        client_file = (const char *)BPTR(&client_key_pem);
> +        client_inline = true;
>      }
>      else if (!buffer_write_file(filename, &client_key_pem))
>      {
> @@ -717,7 +717,7 @@ tls_crypt_v2_write_client_key_file(const char *filename,
>      struct buffer test_wrapped_client_key;
>      msg(D_GENKEY, "Testing client-side key loading...");
>      tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key,
> -                                 client_filename, client_inline);
> +                                 client_file, client_inline);
>      free_key_ctx_bi(&test_client_key);
>  
>      /* Sanity check: unwrap and load client key (as "server") */
> 

This looks good.

Without this patch, generating tls-crypt-v2-client keys fails.

--------------------------------------------------------------
$ ./src/openvpn/openvpn --tls-crypt-v2 tv2-srv --genkey tls-crypt-v2-client
-----BEGIN OpenVPN tls-crypt-v2 client key-----
OCvS/y1ZC/jDJ6wSkVMITJ7t5kI4XRLRikUP8TTukOtXlLHVwVbkL5Sw7cO+ChAf
RcngI8Zzglk2u3fYmlsfU9W6aBouUeBxjixPamA0Yr4xg15eb30HZU2i6YPkJVIL
iiSU+IlfR694fSEWM/j/+Yy3dOid6/kqUpw6Py5wpGuwMJ2ZKBYq+OQhwQ+HBZvF
ftYMJ1W21wx4hWiNT4EyqlC/WYJJFsOpW67eLHQ6L61tMxrQBdSEMTfrP0vlC8lj
anQMIfaDg7RHVq4oiXiTvrA7EgVJi0dra3DND/OXrtk5SyiDfJ1V2VuQ8fs6IoYf
PHXXGuWYCAfBT+0A/ZQ9Agc1jtvRbyYJxkebCid5xCOV8sDSEBCP/PivP+Mysysk
3kptpJQhJx4FHf65xxvVdxio9VW2fyw5NawYdX1XFtVzro486f++8q32Ma8HtD4V
ZCy39QdjK5SzNXKO3Q1Vun3IVtrCA6TMfoyHMkTYcnWkr0a4t47u9tefIJmcwmF5
iBMvKGoEQqjM+Xll9Vqi1FmW35JaQXz9gE8YXi+CC2vB3jrW07W9Xg+m9E6qhxv7
x3wTWRvHDeGaCJlQOO3QVClQMcsryLmBe7Dev8ido54JEAGVHkf0kfC/7E+yFgDq
PMFg99QKQph2HlLS8NOUg5RTgRGkg0VWj+paaOQ7Vej77io9M/1yR4TtyDxovfgN
AZFUlRNuCd7sGHDmwHKA0giaAgvfDpCodQEr
-----END OpenVPN tls-crypt-v2 client key-----

Mon May 11 14:16:24 2020 crypto_pem_decode: PEM decode failed
Mon May 11 14:16:24 2020 ERROR: OpenVPN tls-crypt-v2 client key pem decode failed
Mon May 11 14:16:24 2020 ERROR: invalid tls-crypt-v2 client key format
Mon May 11 14:16:24 2020 Exiting due to fatal error
--------------------------------------------------------------

With this patch, the error messages below the generated key is gone.  And
since the code changes are not surprising, this is good to go.


Acked-by: David Sommerseth <davids@openvpn.net>
Gert Doering May 11, 2020, 12:33 p.m. | #2
Your patch has been applied to the master branch.

David beat me with the ACK - I had just advanced through my daily interrupt
load enough to be able to reproduce the problem ("testing the patch next!")
when the ACK arrived.  Thanks anyway :-))

JFTR, after having created a tls-crypt-v2 server-key (in /tmp/s.key)

  $ ./openvpn --tls-crypt-v2 /tmp/s.key --genkey tls-crypt-v2-client

this command ("print to stdout") fails without the patch at hand, while
it nicely works with the patch.  So, functionality confirmed.

We need some sort of test framework for the tls-crypt(-v2) and/or inline
blob handling.


commit d7e26a34319495e39b8e23a5717304d28a417c30
Author: Antonio Quartulli
Date:   Sun May 10 16:00:17 2020 +0200

     tls-crypt-v2: fix testing of inline key

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <20200510140017.16837-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19870.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 484d4d46..a3894d66 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -697,14 +697,14 @@  tls_crypt_v2_write_client_key_file(const char *filename,
         goto cleanup;
     }
 
-    const char *client_filename = filename;
-    const char *client_inline = NULL;
+    const char *client_file = filename;
+    bool client_inline = false;
 
     if (!filename || streq(filename, ""))
     {
         printf("%s\n", BPTR(&client_key_pem));
-        client_filename = INLINE_FILE_TAG;
-        client_inline = (const char *)BPTR(&client_key_pem);
+        client_file = (const char *)BPTR(&client_key_pem);
+        client_inline = true;
     }
     else if (!buffer_write_file(filename, &client_key_pem))
     {
@@ -717,7 +717,7 @@  tls_crypt_v2_write_client_key_file(const char *filename,
     struct buffer test_wrapped_client_key;
     msg(D_GENKEY, "Testing client-side key loading...");
     tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key,
-                                 client_filename, client_inline);
+                                 client_file, client_inline);
     free_key_ctx_bi(&test_client_key);
 
     /* Sanity check: unwrap and load client key (as "server") */