From patchwork Mon Jan 14 04:48:15 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 658
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director7.mail.ord1d.rsapps.net ([172.27.255.52])
	by backend30.mail.ord1d.rsapps.net with LMTP id UND/JVe5PFxvRwAAIUCqbw
	for <patchwork@openvpn.net>; Mon, 14 Jan 2019 11:31:19 -0500
Received: from proxy4.mail.iad3a.rsapps.net ([172.27.255.52])
	by director7.mail.ord1d.rsapps.net with LMTP id 0P2CIle5PFxOLgAAovjBpQ
	; Mon, 14 Jan 2019 11:31:19 -0500
Received: from smtp9.gate.iad3a ([172.27.255.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy4.mail.iad3a.rsapps.net with LMTP id 2IsmG1e5PFzlHgAA8Zvu4w
	; Mon, 14 Jan 2019 11:31:19 -0500
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp9.gate.iad3a.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: d1673958-1819-11e9-b63c-52540097fc8c-1-1
Received: from [216.105.38.7] ([216.105.38.7:1997] helo=lists.sourceforge.net)
	by smtp9.gate.iad3a.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id 0F/85-32398-659BC3C5; Mon, 14 Jan 2019 11:31:18 -0500
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1gj58Q-0006Sx-VP; Mon, 14 Jan 2019 16:30:46 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1)
 (envelope-from <arne@kamera.blinkt.de>) id 1gj58Q-0006Sr-BO
 for openvpn-devel@lists.sourceforge.NET; Mon, 14 Jan 2019 16:30:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:
 To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=Yr1P5d1IPx3y4u8MOl3P/ePc5HmoD4HgHwW1154SINA=; b=Z0Qia9tAuwOLpAKHEZLmAO0RPH
 UrP+xe4OGVvVk/1iQmWMTtRGEdsELSMV/wBaT8jC4ihyx4Pb7jysGYq9dZvZnoB/rcBBQene9f89H
 aZYGYTEtSo+kfiMeiYDbb7rhcyAz2kwrfkXKttlWvVmDzpep7pzpsHsOK2Eby1KajuuY=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To
 :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=Yr1P5d1IPx3y4u8MOl3P/ePc5HmoD4HgHwW1154SINA=; b=CV9ClQb3vyzNCfQzalnG57giaR
 q8sc11+M+fvoHSnI4oWzv3hCPsTWYVOUIpyHgyAntZx2tPomZLNqcVuCRrBNE+QZRgC6qpfYJ290w
 2ci6u+iV3oSlVLylDOpv2Cr8i/yEZ+LWjRMWPkduN5TPNITAL1RdQaxKtvJR2OARkw/8=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-4.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1)
 id 1gj58M-001qoX-Oi
 for openvpn-devel@lists.sourceforge.NET; Mon, 14 Jan 2019 16:30:46 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>)
 id 1gj4TL-000MiQ-Jf; Mon, 14 Jan 2019 16:48:19 +0100
Received: (nullmailer pid 6112 invoked by uid 10006);
 Mon, 14 Jan 2019 15:48:19 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 14 Jan 2019 16:48:15 +0100
Message-Id: <20190114154819.6064-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190114154819.6064-1-arne@rfc2549.org>
References: <20190114154819.6064-1-arne@rfc2549.org>
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 domains are different
X-Headers-End: 1gj58M-001qoX-Oi
Subject: [Openvpn-devel] [PATCH 2/6] Refactor
 tls_crypt_v2_write_server_key_file into crypto.c
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Cc: Arne Schwabe <arne@openvpn.net>
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

From: Arne Schwabe <arne@openvpn.net>

This allows the method to be resued for generating other types of keys
that should also not be reused as tls-crypt/tls-auth keys.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
---
 src/openvpn/crypto.c    | 34 ++++++++++++++++++++++++++++++++++
 src/openvpn/crypto.h    | 10 ++++++++++
 src/openvpn/tls_crypt.c | 30 +-----------------------------
 3 files changed, 45 insertions(+), 29 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index df6f36ca..19136799 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char *cipher_name)
 
     return pair->openvpn_name;
 }
+
+void
+write_pem_key_file(const char *filename, const char *pem_name)
+{
+    struct gc_arena gc = gc_new();
+    struct key server_key = { 0 };
+    struct buffer server_key_buf = clear_buf();
+    struct buffer server_key_pem = clear_buf();
+
+    if (!rand_bytes((void *)&server_key, sizeof(server_key)))
+    {
+        msg(M_NONFATAL, "ERROR: could not generate random key");
+        goto cleanup;
+    }
+    buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
+    if (!crypto_pem_encode(pem_name, &server_key_pem,
+                           &server_key_buf, &gc))
+    {
+        msg(M_WARN, "ERROR: could not PEM-encode key");
+        goto cleanup;
+    }
+
+    if (!buffer_write_file(filename, &server_key_pem))
+    {
+        msg(M_ERR, "ERROR: could not write key file");
+        goto cleanup;
+    }
+
+cleanup:
+    secure_memzero(&server_key, sizeof(server_key));
+    buf_clear(&server_key_pem);
+    gc_free(&gc);
+    return;
+}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 1edde2e3..c0574ff6 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame,
 /** Return the worst-case OpenVPN crypto overhead (in bytes) */
 unsigned int crypto_max_overhead(void);
 
+/**
+ * Generate a server key with enough randomness to fill a key struct
+ * and write to file.
+ *
+ * @param filename          Filename of the server key file to create.
+ * @param pem_name          The name to use in the PEM header/footer.
+ */
+void
+write_pem_key_file(const char *filename, const char *pem_name);
+
 /* Minimum length of the nonce used by the PRNG */
 #define NONCE_SECRET_LEN_MIN 16
 
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 6bc2b7f8..eeac794b 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
 void
 tls_crypt_v2_write_server_key_file(const char *filename)
 {
-    struct gc_arena gc = gc_new();
-    struct key server_key = { 0 };
-    struct buffer server_key_buf = clear_buf();
-    struct buffer server_key_pem = clear_buf();
-
-    if (!rand_bytes((void *)&server_key, sizeof(server_key)))
-    {
-        msg(M_NONFATAL, "ERROR: could not generate random key");
-        goto cleanup;
-    }
-    buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
-    if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem,
-                           &server_key_buf, &gc))
-    {
-        msg(M_WARN, "ERROR: could not PEM-encode server key");
-        goto cleanup;
-    }
-
-    if (!buffer_write_file(filename, &server_key_pem))
-    {
-        msg(M_ERR, "ERROR: could not write server key file");
-        goto cleanup;
-    }
-
-cleanup:
-    secure_memzero(&server_key, sizeof(server_key));
-    buf_clear(&server_key_pem);
-    gc_free(&gc);
-    return;
+    write_pem_key_file(filename, tls_crypt_v2_srv_pem_name);
 }
 
 void