[Openvpn-devel,v3] crypto: unify key_type creation code

Message ID	20220217163159.7936-1-a@unstable.cc
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Antonio Quartulli <a@unstable.cc> To: openvpn-devel@lists.sourceforge.net Date: Thu, 17 Feb 2022 17:31:59 +0100 Message-Id: <20220217163159.7936-1-a@unstable.cc> In-Reply-To: <20220217143241.18766-1-a@unstable.cc> References: <20220217143241.18766-1-a@unstable.cc> MIME-Version: 1.0 preview: At the moment we have tls_crypt_kt() and auth_token_kt that basically do the same thing, but with different algorithms used to initialise the structure. In order to avoid code duplication and copy/paste errors, unify code and make it parametric, so that it can be re-used in various places. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. Subject: [Openvpn-devel] [PATCH v3] crypto: unify key_type creation code Precedence: list Cc: Antonio Quartulli <a@unstable.cc> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,v3] crypto: unify key_type creation code \| expand [Openvpn-devel,v3] crypto: unify key_type creation code

Message ID

20220217163159.7936-1-a@unstable.cc

State

Accepted

Headers

From: Antonio Quartulli <a@unstable.cc>
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 17 Feb 2022 17:31:59 +0100
Message-Id: <20220217163159.7936-1-a@unstable.cc>
In-Reply-To: <20220217143241.18766-1-a@unstable.cc>
References: <20220217143241.18766-1-a@unstable.cc>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v3] crypto: unify key_type creation code
Precedence: list
Cc: Antonio Quartulli <a@unstable.cc>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,v3] crypto: unify key_type creation code | expand

Commit Message

Antonio Quartulli Feb. 17, 2022, 5:31 a.m. UTC

At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.

In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.

Signed-off-by: Antonio Quartulli <a@unstable.cc>

---

Changes from v1:
* added doc for optname param
Changes from v2:
* restore original helper functions and reduce their bodies to calling
  the generic create_kt(). This way users of those funcs are not harmed.
---
 src/openvpn/auth_token.c | 14 +-------------
 src/openvpn/crypto.h     | 31 +++++++++++++++++++++++++++++++
 src/openvpn/tls_crypt.c  | 17 +----------------
 3 files changed, 33 insertions(+), 29 deletions(-)

Comments

Gert Doering Feb. 20, 2022, 3:10 a.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

Patch looks good, "make check" passes again :-)

Your patch has been applied to the master branch.

commit 2e7ec64fc40cb5d184fd5c47c875ce381ca1b8d3
Author: Antonio Quartulli
Date:   Thu Feb 17 17:31:59 2022 +0100

     crypto: unify key_type creation code

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20220217163159.7936-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 10c9dde6..9a85655f 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -33,21 +33,9 @@  const char *auth_token_pem_name = "OpenVPN auth-token server key";
 static struct key_type
 auth_token_kt(void)
 {
-    struct key_type kt = { 0 };
-    /* We do not encrypt our session tokens */
-    kt.cipher = "none";
-    kt.digest = "SHA256";
-
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("none", "SHA256", "auth-gen-token");
 }
 
-
 void
 add_session_token_env(struct tls_session *session, struct tls_multi *multi,
                       const struct user_pass *up)
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 6e505517..806632ed 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -547,4 +547,35 @@  key_ctx_bi_defined(const struct key_ctx_bi *key)
  */
 const char *print_key_filename(const char *str, bool is_inline);
 
+/**
+ * Creates and validates an instance of struct key_type with the provided
+ * algs.
+ *
+ * @param cipher    the cipher algorithm to use (must be a string literal)
+ * @param md        the digest algorithm to use (must be a string literal)
+ * @param optname   the name of the option requiring the key_type object
+ *
+ * @return          the initialized key_type instance
+ */
+static inline struct key_type
+create_kt(const char *cipher, const char *md, const char *optname)
+{
+    struct key_type kt;
+    kt.cipher = cipher;
+    kt.digest = md;
+
+    if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher);
+        return (struct key_type) { 0 };
+    }
+    if (md_defined(kt.digest) && !md_valid(kt.digest))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest);
+        return (struct key_type) { 0 };
+    }
+
+    return kt;
+}
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index aae2a917..88730a99 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -50,22 +50,7 @@  static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP      = 0x01;
 static struct key_type
 tls_crypt_kt(void)
 {
-    struct key_type kt;
-    kt.cipher = "AES-256-CTR";
-    kt.digest = "SHA256";
-
-    if (!cipher_valid(kt.cipher))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
-        return (struct key_type) { 0 };
-    }
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
 }
 
 int