[Openvpn-devel,v4,3/7] Add generate_ephemeral_key that allows a random ephermal key

Message ID 20190613134834.5709-2-arne@rfc2549.org
State Accepted
Delegated to: David Sommerseth
Headers show
Series
  • Untitled series #491
Related show

Commit Message

Arne Schwabe June 13, 2019, 1:48 p.m.
From: Arne Schwabe <arne@openvpn.net>

This is useful for features that can use enither a persistent
or an ephemeral key.

Patch V2: Move the functionality of generating a random key into a
          separate function that acts as wrapper for pem_read_key_file
Patch V4: Move wrapper functionality to caller and leave only generate
          epehermal key functionality in the new function
---
 src/openvpn/crypto.c | 14 ++++++++++++++
 src/openvpn/crypto.h | 12 +++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

Comments

David Sommerseth June 25, 2019, 8:08 p.m. | #1
On 13/06/2019 15:48, Arne Schwabe wrote:
> From: Arne Schwabe <arne@openvpn.net>
> 
> This is useful for features that can use enither a persistent
> or an ephemeral key.
> 
> Patch V2: Move the functionality of generating a random key into a
>           separate function that acts as wrapper for pem_read_key_file
> Patch V4: Move wrapper functionality to caller and leave only generate
>           epehermal key functionality in the new function
> ---
>  src/openvpn/crypto.c | 14 ++++++++++++++
>  src/openvpn/crypto.h | 12 +++++++++++-
>  2 files changed, 25 insertions(+), 1 deletion(-)

This looks good ... but one nit-pick, but can be fixed during commit:

> diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
> index c5947483..72244997 100644
> --- a/src/openvpn/crypto.h
> +++ b/src/openvpn/crypto.h
> @@ -428,7 +428,17 @@ unsigned int crypto_max_overhead(void);
[....]> +/**
> + * Generate ephermal key material  into the key structure or if
                                                             ^^^^^
This comment don't need those two last words, but that can be fixed during
commit time.

Acked-By: David Sommerseth <davids@openvpn.net>
Gert Doering July 5, 2019, 10:39 a.m. | #2
Your patch has been applied to the master branch.

I have adjusted the comment as David suggested.  Not much to test yet,
as the new code is not used yet.

commit fb4e8abca908d90faa98f20125e49a2590bccaa3
Author: Arne Schwabe
Date:   Thu Jun 13 15:48:30 2019 +0200

     Add generate_ephemeral_key that allows a random ephermal key

     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <20190613134834.5709-2-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18527.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 9a150fa2..69877d1d 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1892,6 +1892,20 @@  cleanup:
     return;
 }
 
+bool
+generate_ephemeral_key(struct buffer *key, const char *key_name)
+{
+    msg(M_INFO, "Using random %s.", key_name);
+    uint8_t rand[BCAP(key)];
+    if (!rand_bytes(rand, BCAP(key)))
+    {
+        msg(M_WARN, "ERROR: could not generate random key");
+        return false;
+    }
+    buf_write(key, rand, BCAP(key));
+    return true;
+}
+
 bool
 read_pem_key_file(struct buffer *key, const char *pem_name,
                   const char *key_file, const char *key_inline)
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index c5947483..72244997 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -428,7 +428,17 @@  unsigned int crypto_max_overhead(void);
  * @param pem_name          The name to use in the PEM header/footer.
  */
 void
-write_pem_key_file(const char *filename, const char *pem_name);
+write_pem_key_file(const char *filename, const char *key_name);
+
+/**
+ * Generate ephermal key material  into the key structure or if
+ *
+ * @param key           the key structure that will hold the key material
+ * @param pem_name      the name used for logging
+ * @return              true if key generation was successful
+ */
+bool
+generate_ephemeral_key(struct buffer *key, const char *pem_name);
 
 /**
  * Read key material from a PEM encoded files into the key structure