[Openvpn-devel,v3] crypto: unify key_type creation code

Message ID 20220217163159.7936-1-a@unstable.cc
State Accepted
Series [Openvpn-devel,v3] crypto: unify key_type creation code | expand

Commit Message

Antonio Quartulli Feb. 17, 2022, 5:31 a.m. UTC
At the moment we have tls_crypt_kt() and auth_token_kt() that basically do
the same thing, but with different algorithms used to initialise the
structure.

In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.

Signed-off-by: Antonio Quartulli <a@unstable.cc>

---

Changes from v1:
* added doc for optname param
Changes from v2:
* restore original helper functions and reduce their bodies to calling
  the generic create_kt(). This way users of those funcs are not harmed.
---
 src/openvpn/auth_token.c | 14 +-------------
 src/openvpn/crypto.h     | 31 +++++++++++++++++++++++++++++++
 src/openvpn/tls_crypt.c  | 17 +----------------
 3 files changed, 33 insertions(+), 29 deletions(-)

Comments

Gert Doering Feb. 20, 2022, 3:10 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Patch looks good, "make check" passes again :-)

Your patch has been applied to the master branch.

commit 2e7ec64fc40cb5d184fd5c47c875ce381ca1b8d3
Author: Antonio Quartulli
Date:   Thu Feb 17 17:31:59 2022 +0100

     crypto: unify key_type creation code

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20220217163159.7936-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 10c9dde6..9a85655f 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -33,21 +33,9 @@  const char *auth_token_pem_name = "OpenVPN auth-token server key";
 static struct key_type
 auth_token_kt(void)
 {
-    struct key_type kt = { 0 };
-    /* We do not encrypt our session tokens */
-    kt.cipher = "none";
-    kt.digest = "SHA256";
-
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("none", "SHA256", "auth-gen-token");
 }
 
-
 void
 add_session_token_env(struct tls_session *session, struct tls_multi *multi,
                       const struct user_pass *up)
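Review bot: The `/* We do not encrypt our session tokens */` comment that justified the "none" cipher is dropped together with the old body, and the bare `create_kt("none", "SHA256", "auth-gen-token")` call gives a reader no hint that the missing encryption is deliberate rather than an oversight. Keep the rationale above the return, e.g. `/* Session tokens are only authenticated (SHA256), never encrypted. */`. Worth noting in that comment as well that, because cipher_defined("none") is false, create_kt() validates only the digest here, so the "none" choice is never reported as a missing algorithm.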
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 6e505517..806632ed 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -547,4 +547,35 @@  key_ctx_bi_defined(const struct key_ctx_bi *key)
  */
 const char *print_key_filename(const char *str, bool is_inline);
 
+/**
+ * Creates and validates an instance of struct key_type with the provided
+ * algs.
+ *
+ * @param cipher    the cipher algorithm to use (must be a string literal)
+ * @param md        the digest algorithm to use (must be a string literal)
+ * @param optname   the name of the option requiring the key_type object
+ *
+ * @return          the initialized key_type instance
+ */
+static inline struct key_type
+create_kt(const char *cipher, const char *md, const char *optname)
+{
+    struct key_type kt;
+    kt.cipher = cipher;
+    kt.digest = md;
+
+    if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher);
+        return (struct key_type) { 0 };
+    }
+    if (md_defined(kt.digest) && !md_valid(kt.digest))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest);
+        return (struct key_type) { 0 };
+    }
+
+    return kt;
+}
+
 #endif /* CRYPTO_H */
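Review bot: `struct key_type kt;` is declared uninitialized and only `kt.cipher` and `kt.digest` are assigned, so if struct key_type has any other member (its definition is outside this hunk) that member is indeterminate in the value returned on the success path; the auth_token_kt() body this replaces used `struct key_type kt = { 0 };`, so that caller loses a zero-initialization guarantee it had before. Initialize explicitly instead: `struct key_type kt = { .cipher = cipher, .digest = md };`. The doc comment should also state the failure contract, since a caller only learns of a missing algorithm from the return value: `@return the initialized key_type instance, or an all-zero key_type (after an M_WARN) if the cipher or digest is not supported by the crypto library; callers must check before use`. Finally, "must be a string literal" is there because the pointers are stored, not copied — saying so (`the pointer is kept as-is, so it must outlive the returned key_type`) makes the requirement understandable.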
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index aae2a917..88730a99 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -50,22 +50,7 @@  static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP      = 0x01;
 static struct key_type
 tls_crypt_kt(void)
 {
-    struct key_type kt;
-    kt.cipher = "AES-256-CTR";
-    kt.digest = "SHA256";
-
-    if (!cipher_valid(kt.cipher))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
-        return (struct key_type) { 0 };
-    }
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
 }
 
 int
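Review bot: tls_crypt_kt() has no comment saying that it returns an all-zero key_type, after a warning, when AES-256-CTR or SHA256 is unavailable (that is what the create_kt() it now delegates to does via `return (struct key_type) { 0 };`), so a reader of tls_crypt.c has to open crypto.h to learn that the result must be checked before use. Add above the function: `/* Key type for tls-crypt: AES-256-CTR with a SHA256 digest. Returns a zeroed key_type (after logging) if either algorithm is unsupported; callers must check. */`.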