From patchwork Mon Jan 14 04:48:15 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 658
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Cc: Arne Schwabe
Date: Mon, 14 Jan 2019 16:48:15 +0100
Message-Id: <20190114154819.6064-2-arne@rfc2549.org>
In-Reply-To: <20190114154819.6064-1-arne@rfc2549.org>
References: <20190114154819.6064-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH 2/6] Refactor tls_crypt_v2_write_server_key_file into crypto.c

From: Arne Schwabe

This allows the method to be reused for generating other types of keys
that should also not be reused as tls-crypt/tls-auth keys.

Acked-by: Steffan Karger
---
 src/openvpn/crypto.c    | 34 ++++++++++++++++++++++++++++++++++
 src/openvpn/crypto.h    | 10 ++++++++++
 src/openvpn/tls_crypt.c | 30 +-----------------------------
 3 files changed, 45 insertions(+), 29 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index df6f36ca..19136799 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char *cipher_name) return pair->openvpn_name; } + +void +write_pem_key_file(const char *filename, const char *pem_name) +{ + struct gc_arena gc = gc_new(); + struct key server_key = { 0 }; + struct buffer server_key_buf = clear_buf(); + struct buffer server_key_pem = clear_buf(); + + if (!rand_bytes((void *)&server_key, sizeof(server_key))) + { + msg(M_NONFATAL, "ERROR: could not generate random key"); + goto cleanup; + } + buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); + if (!crypto_pem_encode(pem_name, &server_key_pem, + &server_key_buf, &gc)) + { + msg(M_WARN, "ERROR: could not PEM-encode key"); + goto cleanup; + } + + if (!buffer_write_file(filename, &server_key_pem)) + { + msg(M_ERR, "ERROR: could not write key file"); + goto cleanup; + } + +cleanup: + secure_memzero(&server_key, sizeof(server_key)); + buf_clear(&server_key_pem); + gc_free(&gc); + return; +} diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 1edde2e3..c0574ff6 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame, /** Return the worst-case OpenVPN crypto overhead (in bytes) */ unsigned int crypto_max_overhead(void); +/** + * Generate a server key with enough randomness to fill a key struct + * and write to file. + * + * @param filename Filename of the server key file to create. + * @param pem_name The name to use in the PEM header/footer. + */ +void +write_pem_key_file(const char *filename, const char *pem_name); + /* Minimum length of the nonce used by the PRNG */ #define NONCE_SECRET_LEN_MIN 16 diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 6bc2b7f8..eeac794b 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c 
@@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, void tls_crypt_v2_write_server_key_file(const char *filename) { - struct gc_arena gc = gc_new(); - struct key server_key = { 0 }; - struct buffer server_key_buf = clear_buf(); - struct buffer server_key_pem = clear_buf(); - - if (!rand_bytes((void *)&server_key, sizeof(server_key))) - { - msg(M_NONFATAL, "ERROR: could not generate random key"); - goto cleanup; - } - buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); - if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem, - &server_key_buf, &gc)) - { - msg(M_WARN, "ERROR: could not PEM-encode server key"); - goto cleanup; - } - - if (!buffer_write_file(filename, &server_key_pem)) - { - msg(M_ERR, "ERROR: could not write server key file"); - goto cleanup; - } - -cleanup: - secure_memzero(&server_key, sizeof(server_key)); - buf_clear(&server_key_pem); - gc_free(&gc); - return; + write_pem_key_file(filename, tls_crypt_v2_srv_pem_name); } void
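Review bot: In src/openvpn/crypto.c, write_pem_key_file() returns void and its three failure paths log with three different flags (M_NONFATAL after rand_bytes, M_WARN after crypto_pem_encode, M_ERR after buffer_write_file), so a caller cannot tell that no key file was written. Now that this is a shared helper, consider returning bool (false whenever the cleanup label is reached through a failure) and using one flag for all three paths, so that callers generating key material can stop instead of carrying on without a key. The locals are also still named server_key, server_key_buf and server_key_pem, although the helper is no longer server-specific.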
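Review bot: In src/openvpn/crypto.h, the doc comment for write_pem_key_file() still says "Generate a server key" and "Filename of the server key file to create", which does not match a helper the commit message intends for other key types. Suggest describing it as a random key that fills a struct key, and stating what the caller can expect on failure, since the prototype returns void and the comment does not mention errors at all.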
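Review bot: In src/openvpn/tls_crypt.c, the removed messages named the key being handled ("could not PEM-encode server key", "could not write server key file"), while their replacements in write_pem_key_file() only say "key" and "key file". Including pem_name and filename in those messages would keep the log line specific once several callers share the helper.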