Message ID | 20190114154819.6064-2-arne@rfc2549.org |
---|---|
State | Accepted |
Series | [Openvpn-devel,1/6] Fix loading inline tls-crypt-v2 keys with mbed TLS | expand |
Hi, On 14-01-19 16:48, Arne Schwabe wrote: > From: Arne Schwabe <arne@openvpn.net> > > This allows the method to be resued for generating other types of keys > that should also not be reused as tls-crypt/tls-auth keys. > --- > src/openvpn/crypto.c | 34 ++++++++++++++++++++++++++++++++++ > src/openvpn/crypto.h | 10 ++++++++++ > src/openvpn/tls_crypt.c | 30 +----------------------------- > 3 files changed, 45 insertions(+), 29 deletions(-) > > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index df6f36ca..19136799 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char *cipher_name) > > return pair->openvpn_name; > } > + > +void > +write_pem_key_file(const char *filename, const char *pem_name) > +{ > + struct gc_arena gc = gc_new(); > + struct key server_key = { 0 }; > + struct buffer server_key_buf = clear_buf(); > + struct buffer server_key_pem = clear_buf(); > + > + if (!rand_bytes((void *)&server_key, sizeof(server_key))) > + { > + msg(M_NONFATAL, "ERROR: could not generate random key"); > + goto cleanup; > + } > + buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); > + if (!crypto_pem_encode(pem_name, &server_key_pem, > + &server_key_buf, &gc)) > + { > + msg(M_WARN, "ERROR: could not PEM-encode key"); > + goto cleanup; > + } > + > + if (!buffer_write_file(filename, &server_key_pem)) > + { > + msg(M_ERR, "ERROR: could not write key file"); > + goto cleanup; > + } > + > +cleanup: > + secure_memzero(&server_key, sizeof(server_key)); > + buf_clear(&server_key_pem); > + gc_free(&gc); > + return; > +} > diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h > index 1edde2e3..c0574ff6 100644 > --- a/src/openvpn/crypto.h > +++ b/src/openvpn/crypto.h 
> @@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame, > /** Return the worst-case OpenVPN crypto overhead (in bytes) */ > unsigned int crypto_max_overhead(void); > > +/** > + * Generate a server key with enough randomness to fill a key struct > + * and write to file. > + * > + * @param filename Filename of the server key file to create. > + * @param pem_name The name to use in the PEM header/footer. > + */ > +void > +write_pem_key_file(const char *filename, const char *pem_name); > + > /* Minimum length of the nonce used by the PRNG */ > #define NONCE_SECRET_LEN_MIN 16 > > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > index 6bc2b7f8..eeac794b 100644 > --- a/src/openvpn/tls_crypt.c > +++ b/src/openvpn/tls_crypt.c > @@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, > void > tls_crypt_v2_write_server_key_file(const char *filename) > { > - struct gc_arena gc = gc_new(); > - struct key server_key = { 0 }; > - struct buffer server_key_buf = clear_buf(); > - struct buffer server_key_pem = clear_buf(); > - > - if (!rand_bytes((void *)&server_key, sizeof(server_key))) > - { > - msg(M_NONFATAL, "ERROR: could not generate random key"); > - goto cleanup; > - } > - buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); > - if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem, > - &server_key_buf, &gc)) > - { > - msg(M_WARN, "ERROR: could not PEM-encode server key"); > - goto cleanup; > - } > - > - if (!buffer_write_file(filename, &server_key_pem)) > - { > - msg(M_ERR, "ERROR: could not write server key file"); > - goto cleanup; > - } > - > -cleanup: > - secure_memzero(&server_key, sizeof(server_key)); > - buf_clear(&server_key_pem); > - gc_free(&gc); > - return; > + write_pem_key_file(filename, tls_crypt_v2_srv_pem_name); > } > > void > Makes sense, and does what it says on the tin. Acked-by: Steffan Karger <steffan.karger@fox-it.com> -Steffan
Your patch has been applied to the master branch. commit 801be382702f943c42784d26eb07605be8ba0a18 Author: Arne Schwabe Date: Mon Jan 14 16:48:15 2019 +0100 Refactor tls_crypt_v2_write_server_key_file into crypto.c Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20190114154819.6064-2-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18090.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index df6f36ca..19136799 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char *cipher_name)
 
 return pair->openvpn_name;
 }
+
+void
+write_pem_key_file(const char *filename, const char *pem_name)
+{
+ struct gc_arena gc = gc_new();
+ struct key server_key = { 0 };
+ struct buffer server_key_buf = clear_buf();
+ struct buffer server_key_pem = clear_buf();
+
+ if (!rand_bytes((void *)&server_key, sizeof(server_key)))
+ {
+ msg(M_NONFATAL, "ERROR: could not generate random key");
+ goto cleanup;
+ }
+ buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
+ if (!crypto_pem_encode(pem_name, &server_key_pem,
+ &server_key_buf, &gc))
+ {
+ msg(M_WARN, "ERROR: could not PEM-encode key");
+ goto cleanup;
+ }
+
+ if (!buffer_write_file(filename, &server_key_pem))
+ {
+ msg(M_ERR, "ERROR: could not write key file");
+ goto cleanup;
+ }
+
+cleanup:
+ secure_memzero(&server_key, sizeof(server_key));
+ buf_clear(&server_key_pem);
+ gc_free(&gc);
+ return;
+}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 1edde2e3..c0574ff6 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame,
 /** Return the worst-case OpenVPN crypto overhead (in bytes) */
 unsigned int crypto_max_overhead(void);
 
+/**
+ * Generate a server key with enough randomness to fill a key struct
+ * and write to file.
+ *
+ * @param filename Filename of the server key file to create.
+ * @param pem_name The name to use in the PEM header/footer.
+ */
+void
+write_pem_key_file(const char *filename, const char *pem_name);
+
 /* Minimum length of the nonce used by the PRNG */
 #define NONCE_SECRET_LEN_MIN 16
 
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 6bc2b7f8..eeac794b 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
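Review bot: write_pem_key_file returns void, so on the rand_bytes and crypto_pem_encode failure branches in the crypto.c hunk (logged at M_NONFATAL and M_WARN, then goto cleanup) the caller gets no indication that no key file was written; now that the function is a public helper meant for more callers, a `bool write_pem_key_file(const char *filename, const char *pem_name)` that initialises a `bool ret = false;`, sets `ret = true;` only after buffer_write_file succeeds and returns it from the cleanup label would let callers fail visibly. The third failure uses M_ERR, which elsewhere in the tree appears to be a fatal level; if so, the `goto cleanup` after it is dead and secure_memzero is never reached on that path, so either log it at M_WARN like the other two branches or drop the goto. The three branches also report the same class of failure at three different severities, which is worth unifying while the code is being moved. In the crypto.h hunk the doc comment still opens with "Generate a server key", which no longer describes a function parameterised by pem_name; `Generate a random key of sizeof(struct key) and write it PEM-encoded, under pem_name, to filename.` would match the new contract.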
@@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
 void
 tls_crypt_v2_write_server_key_file(const char *filename)
 {
- struct gc_arena gc = gc_new();
- struct key server_key = { 0 };
- struct buffer server_key_buf = clear_buf();
- struct buffer server_key_pem = clear_buf();
-
- if (!rand_bytes((void *)&server_key, sizeof(server_key)))
- {
- msg(M_NONFATAL, "ERROR: could not generate random key");
- goto cleanup;
- }
- buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
- if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem,
- &server_key_buf, &gc))
- {
- msg(M_WARN, "ERROR: could not PEM-encode server key");
- goto cleanup;
- }
-
- if (!buffer_write_file(filename, &server_key_pem))
- {
- msg(M_ERR, "ERROR: could not write server key file");
- goto cleanup;
- }
-
-cleanup:
- secure_memzero(&server_key, sizeof(server_key));
- buf_clear(&server_key_pem);
- gc_free(&gc);
- return;
+ write_pem_key_file(filename, tls_crypt_v2_srv_pem_name);
 }
 
 void
From: Arne Schwabe <arne@openvpn.net> This allows the method to be reused for generating other types of keys that should also not be reused as tls-crypt/tls-auth keys. --- src/openvpn/crypto.c | 34 ++++++++++++++++++++++++++++++++++ src/openvpn/crypto.h | 10 ++++++++++ src/openvpn/tls_crypt.c | 30 +----------------------------- 3 files changed, 45 insertions(+), 29 deletions(-)