Hi, On 14-01-19 16:48, Arne Schwabe wrote:
> From: Arne Schwabe <a...@openvpn.net>
>
> This allows the method to be resued for generating other types of keys
> that should also not be reused as tls-crypt/tls-auth keys.
> ---
> src/openvpn/crypto.c | 34 ++++++++++++++++++++++++++++++++++
> src/openvpn/crypto.h | 10 ++++++++++
> src/openvpn/tls_crypt.c | 30 +-----------------------------
> 3 files changed, 45 insertions(+), 29 deletions(-)
>
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index df6f36ca..19136799 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char
> *cipher_name)
>
> return pair->openvpn_name;
> }
> +
> +void
> +write_pem_key_file(const char *filename, const char *pem_name)
> +{
> + struct gc_arena gc = gc_new();
> + struct key server_key = { 0 };
> + struct buffer server_key_buf = clear_buf();
> + struct buffer server_key_pem = clear_buf();
> +
> + if (!rand_bytes((void *)&server_key, sizeof(server_key)))
> + {
> + msg(M_NONFATAL, "ERROR: could not generate random key");
> + goto cleanup;
> + }
> + buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
> + if (!crypto_pem_encode(pem_name, &server_key_pem,
> + &server_key_buf, &gc))
> + {
> + msg(M_WARN, "ERROR: could not PEM-encode key");
> + goto cleanup;
> + }
> +
> + if (!buffer_write_file(filename, &server_key_pem))
> + {
> + msg(M_ERR, "ERROR: could not write key file");
> + goto cleanup;
> + }
> +
> +cleanup:
> + secure_memzero(&server_key, sizeof(server_key));
> + buf_clear(&server_key_pem);
> + gc_free(&gc);
> + return;
> +}
> diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
> index 1edde2e3..c0574ff6 100644
> --- a/src/openvpn/crypto.h
> +++ b/src/openvpn/crypto.h
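Review bot: The three failure paths in write_pem_key_file use three different severities — M_NONFATAL for rand_bytes, M_WARN for crypto_pem_encode and M_ERR for buffer_write_file — and because M_ERR includes M_FATAL (error.h, not in this hunk), msg() exits the process there, so the `goto cleanup` after it is unreachable and the secure_memzero of the key bytes is skipped on exactly that path, while the first two failures return silently to a caller that, receiving void, cannot tell that no file was written. Since the commit turns this into a shared helper, it is worth settling the contract now: either make all three paths fatal, or have the function report success with `bool ret = false;` at the top, `ret = true;` after the successful write and `return ret;` in place of the bare `return;`, with the prototype in crypto.h changed to match. If M_ERR is meant to stay fatal, a one-line comment before that msg() call noting that zeroization is skipped because the process exits there would save the next reader from tracing the macro. Whether buffer_write_file creates the file with owner-only permissions is not visible in this hunk; as the file holds key material, that should be confirmed and stated in the header comment.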
> @@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame,
> /** Return the worst-case OpenVPN crypto overhead (in bytes) */
> unsigned int crypto_max_overhead(void);
>
> +/**
> + * Generate a server key with enough randomness to fill a key struct
> + * and write to file.
> + *
> + * @param filename Filename of the server key file to create.
> + * @param pem_name The name to use in the PEM header/footer.
> + */
> +void
> +write_pem_key_file(const char *filename, const char *pem_name);
> +
> /* Minimum length of the nonce used by the PRNG */
> #define NONCE_SECRET_LEN_MIN 16
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 6bc2b7f8..eeac794b 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf,
> void
> tls_crypt_v2_write_server_key_file(const char *filename)
> {
> - struct gc_arena gc = gc_new();
> - struct key server_key = { 0 };
> - struct buffer server_key_buf = clear_buf();
> - struct buffer server_key_pem = clear_buf();
> -
> - if (!rand_bytes((void *)&server_key, sizeof(server_key)))
> - {
> - msg(M_NONFATAL, "ERROR: could not generate random key");
> - goto cleanup;
> - }
> - buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key));
> - if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem,
> - &server_key_buf, &gc))
> - {
> - msg(M_WARN, "ERROR: could not PEM-encode server key");
> - goto cleanup;
> - }
> -
> - if (!buffer_write_file(filename, &server_key_pem))
> - {
> - msg(M_ERR, "ERROR: could not write server key file");
> - goto cleanup;
> - }
> -
> -cleanup:
> - secure_memzero(&server_key, sizeof(server_key));
> - buf_clear(&server_key_pem);
> - gc_free(&gc);
> - return;
> + write_pem_key_file(filename, tls_crypt_v2_srv_pem_name);
> }
>
> void
>
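Review bot: The new header comment still describes the function as generating "a server key" and creating "the server key file", but the point of the commit is that write_pem_key_file is generic, with the PEM label supplied by pem_name; the wording should follow, e.g. `Generate a random key (enough bytes to fill a struct key) and write it to filename as a PEM block labelled pem_name.` It would also help callers if the comment stated the failure behaviour, which is mixed in the implementation: random-number and PEM-encoding failures log and return without writing a file, while a write failure is logged with M_ERR. The locals server_key, server_key_buf and server_key_pem in the crypto.c hunk carry the same stale "server" naming and could be renamed key, key_buf and key_pem in the same pass.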
Makes sense, and does what it says on the tin. Acked-by: Steffan Karger <steffan.kar...@fox-it.com> -Steffan _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel