From patchwork Tue Jan 22 04:03:28 2019
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 671
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 22 Jan 2019 16:03:28 +0100
Message-Id: <20190122150333.1061-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH v2 1/6] Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
Cc: Arne Schwabe

The function is fairly generic, and to avoid duplicating the same functionality, move the function to crypto.c and change the fixed string to be the same as the pem_name parameter.

Acked-by: Gert Doering
---
 src/openvpn/crypto.c | 39 ++++++++++++++++++++++++++++++++++
 src/openvpn/crypto.h | 12 +++++++++++
 src/openvpn/ssl.h | 1 -
 src/openvpn/tls_crypt.c | 47 ++++------------------------------------
 4 files changed, 55 insertions(+), 44 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 19136799..ff9dbfdc 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c
@@ -1882,3 +1882,42 @@ cleanup: gc_free(&gc); return; } + +bool +read_pem_key_file(struct buffer *key, const char *pem_name, + const char *key_file, const char *key_inline) +{ + bool ret = false; + struct buffer key_pem = { 0 }; + struct gc_arena gc = gc_new(); + + if (strcmp(key_file, INLINE_FILE_TAG)) + { + key_pem = buffer_read_from_file(key_file, &gc); + if (!buf_valid(&key_pem)) + { + msg(M_WARN, "ERROR: failed to read %s file (%s)", + pem_name, key_file); + goto cleanup; + } + } + else + { + buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline) + 1); + } + + if (!crypto_pem_decode(pem_name, key, &key_pem)) + { + msg(M_WARN, "ERROR: %s pem decode failed", pem_name); + goto cleanup; + } + + ret = true; +cleanup: + if (strcmp(key_file, INLINE_FILE_TAG)) + { + buf_clear(&key_pem); + } + gc_free(&gc); + return ret; +} diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index c0574ff6..09f7bb25 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -430,6 +430,18 @@ unsigned int crypto_max_overhead(void); void write_pem_key_file(const char *filename, const char *pem_name); +/** + * Read key material from a PEM encoded files into the key structure + * @param key the key structure that will hold the key material + * @param pem_name the name used in the pem encoding start/end lines + * @param key_file name of the file to read + * @param key_inline a string holding the data in case of an inline key + * @return true if reading into key was successful + */ +bool +read_pem_key_file(struct buffer *key, const char *pem_name, + const char *key_file, const char *key_inline); + /* Minimum length of the nonce used by the PRNG */ #define NONCE_SECRET_LEN_MIN 16 diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index eafb235e..660e9eb4 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -634,5 +634,4 @@ void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile); - #endif /* ifndef OPENVPN_SSL_H */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index eeac794b..d6a82252 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -278,45 +278,6 @@ error_exit: return false; } -static inline bool -tls_crypt_v2_read_keyfile(struct buffer *key, const char *pem_name, - const char *key_file, const char *key_inline) -{ - bool ret = false; - struct buffer key_pem = { 0 }; - struct gc_arena gc = gc_new(); - - if (strcmp(key_file, INLINE_FILE_TAG)) - { - key_pem = buffer_read_from_file(key_file, &gc); - if (!buf_valid(&key_pem)) - { - msg(M_WARN, "ERROR: failed to read tls-crypt-v2 key file (%s)", - key_file); - goto cleanup; - } - } - else - { - buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline) + 1); - } - - if (!crypto_pem_decode(pem_name, key, &key_pem)) - { - msg(M_WARN, "ERROR: tls-crypt-v2 pem decode failed"); - goto cleanup; - } - - ret = true; -cleanup: - if (strcmp(key_file, INLINE_FILE_TAG)) - { - buf_clear(&key_pem); - } - gc_free(&gc); - return ret; -} - static inline void tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server) @@ -339,8 +300,8 @@ tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_MAX_WKC_LEN); - if (!tls_crypt_v2_read_keyfile(&client_key, tls_crypt_v2_cli_pem_name, - key_file, key_inline)) + if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name, + key_file, key_inline)) { msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format"); } 
@@ -365,8 +326,8 @@ tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, struct buffer srv_key_buf; buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key)); - if (!tls_crypt_v2_read_keyfile(&srv_key_buf, tls_crypt_v2_srv_pem_name, - key_file, key_inline)) + if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name, + key_file, key_inline)) { msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format"); }
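Review bot: the function added in the crypto.c hunk is named read_pem_key_file, but the subject line announces a rename to pem_read_key_file; one of the two should change so the commit log matches the code. In the same hunk, `strcmp(key_file, INLINE_FILE_TAG)` dereferences key_file unconditionally and the inline branch calls `strlen(key_inline)` with no NULL check, which was tolerable for a static helper with two known callers but now deserves either an ASSERT or a documented precondition, since the function becomes part of the crypto.h API. The warning text also changes from "failed to read tls-crypt-v2 key file (%s)" to "failed to read %s file (%s)" with pem_name substituted, a user-visible log change worth a line in the commit message.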
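Review bot: the doxygen comment in the crypto.h hunk has a grammar slip ("from a PEM encoded files") and leaves out the two contracts a caller of the now-public function needs: that key_file equal to INLINE_FILE_TAG selects key_inline instead of a file, and that @p key must already be allocated with enough capacity, because the function decodes into it rather than allocating (both tls_crypt.c callers size the buffer themselves with alloc_buf or buf_set_write). Suggest adding both to the comment, and putting the declaration on one line (`bool read_pem_key_file(struct buffer *key, const char *pem_name,`) to match `void write_pem_key_file(const char *filename, const char *pem_name);` directly above it.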
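Review bot: the ssl.h hunk only removes a blank line before `#endif /* ifndef OPENVPN_SSL_H */`; nothing else in this patch touches ssl.h and the removed helper lived in tls_crypt.c, so this is an unrelated whitespace change that either belongs in its own cleanup commit or should be dropped from this one.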
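Review bot: the tls_crypt.c hunks replace a static inline helper with a call into crypto.c, but no hunk adds `#include "crypto.h"` to tls_crypt.c; if the prototype only reaches the file through an indirect include, an explicit include would make the new dependency visible and keep the build from breaking on a later header reshuffle. The M_FATAL messages at both call sites keep the "tls-crypt-v2 client/server key format" wording, so the context dropped from the generic warnings is still reported to the user.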