plaisthos has uploaded a new patch set (#2). ( 
http://gerrit.openvpn.net/c/openvpn/+/1435?usp=email )


Change subject: Allow test-crypto to work without --secret argument
......................................................................

Allow test-crypto to work without --secret argument

The --test-crypto still requires the --secret argument. Since --secret
will be removed in OpenVPN 2.8 but we want to keep test-crypto, remove
the dependency of test-crypto on --static.

Instead we will just generate a random key for this selftest method.

Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de
Signed-off-by: Arne Schwabe <[email protected]>
---
M Changes.rst
M doc/man-sections/generic-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/options.c
M tests/t_lpback.sh
7 files changed, 75 insertions(+), 14 deletions(-)



diff --git a/Changes.rst b/Changes.rst
index 32efbe7..1a92b94 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -338,6 +338,9 @@
   (force egress = ingress interface) can be achieved with the new
   ``--multihome same-interface`` sub-option.

+- The ``test-crypto`` option no longer requires a ``--secret`` argument and
+  will automatically generate a random key.
+
 Deprecated features
 -------------------
 ``--opt-verify`` feature removed
diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 882cf28..b6e513d 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -439,13 +439,13 @@
   The typical usage of ``--test-crypto`` would be something like this:
   ::

-     openvpn --test-crypto --secret key
+     openvpn --test-crypto

   or

   ::

-     openvpn --test-crypto --secret key --verb 9
+     openvpn --test-crypto --verb 9

   This option is very useful to test OpenVPN after it has been ported to a
   new platform, or to isolate problems in the compiler, OpenSSL crypto
@@ -453,6 +453,10 @@
   problems with encryption and authentication can be debugged
   independently of network and tunnel issues.

+  Older versions of OpenVPN used the ``--secret`` argument to specify a
+  static key for this test. Newer version generate a random key for the
+  test.
+
 --tmp-dir dir
   Specify a directory ``dir`` for temporary files instead of the default
   :code:`TMPDIR` (or "/tmp" if unset). Note that it must be writable by the 
main
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e43bc6c..ddf3c17 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1325,6 +1325,18 @@
     secure_memzero(&key2, sizeof(key2));
 }

+void
+generate_test_crypto_random_key(const struct key_type *key_type, struct 
key_ctx_bi *ctx,
+                                const char *key_name)
+{
+    struct key2 key2;
+    key2.n = 2;
+    generate_key_random(&key2.keys[0]);
+    generate_key_random(&key2.keys[1]);
+    init_key_ctx_bi(ctx, &key2, KEY_DIRECTION_BIDIRECTIONAL, key_type, 
key_name);
+}
+
+
 /* header and footer for static key file */
 static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----";
 static const char static_key_foot[] = "-----END OpenVPN Static key V1-----";
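Review bot: The local `key2` in generate_test_crypto_random_key holds the freshly generated key material and is left on the stack when the function returns, whereas the function ending at the top of this hunk wipes its copy with `secure_memzero(&key2, sizeof(key2));`. The same call should follow the `init_key_ctx_bi(...)` line, since that preceding function shows key2 is not needed once the contexts are initialised. `key2` is also only partially initialised (`n` and the two keys); `struct key2 key2 = { 0 };` would keep that robust if the struct has or gains further fields.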
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9424fd7..6670deb 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -632,6 +632,13 @@
                              const char *key_file, bool key_inline, const int 
key_direction,
                              const char *key_name, const char *opt_name, 
struct key2 *keydata);

+/**
+ * Generate a random key and initialise ctx to be used the in the crypto random
+ * test
+ */
+void generate_test_crypto_random_key(const struct key_type *key_type, struct 
key_ctx_bi *ctx,
+                                     const char *key_name);
+
 /*
  * Inline functions
  */
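Review bot: The Doxygen comment added above generate_test_crypto_random_key reads "initialise ctx to be used the in the crypto random test", which is garbled and says nothing about ownership of the initialised context. Suggest `Generate a random bidirectional key and initialise ctx with it, for use by the --test-crypto self-test. The caller owns ctx and must release it when done.`, plus `@param` lines for key_type, ctx and key_name if the surrounding declarations in this header use that convention.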
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index fc079e1..2b7cfc2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2997,6 +2997,33 @@
 #endif
 }

+
+static void
+do_init_crypto_test(struct context *c, const unsigned int flags)
+{
+    const struct options *options = &c->options;
+    ASSERT(options->test_crypto);
+
+    init_crypto_pre(c, flags);
+
+    /* Initialize packet ID tracking */
+    // packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, 
options->replay_time,
+    //                "STATIC", 0);
+    c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
+
+    ASSERT(!key_ctx_bi_defined(&c->c1.ks.static_key));
+
+    /* Init cipher and hash algorithm */
+    init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
+                  options->test_crypto, true);
+
+    generate_test_crypto_random_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
+                                    "test crypto key");
+
+    /* Get key schedule */
+    c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
+}
+
 /*
  * Static Key Mode (using a pre-shared key)
  */
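Review bot: do_init_crypto_test carries commented-out code at the `// packet_id_init(...)` lines; either delete it or replace it with a comment stating why packet-ID tracking is deliberately not initialised here while `CO_PACKET_ID_LONG_FORM` is still set, e.g. `/* No packet_id_init: the self-test only needs the long-form packet-id header, not replay tracking. */`. The `//` lines also break with the `/* */` comment style used elsewhere in this function. If, as the static path suggests, an uninitialised packet_id makes the decrypt side skip its replay check, the self-test now exercises less than it did with --secret, which is worth a sentence in the commit message.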
@@ -3004,7 +3031,7 @@
 do_init_crypto_static(struct context *c, const unsigned int flags)
 {
     const struct options *options = &c->options;
-    ASSERT(options->shared_secret_file);
+    ASSERT(options->shared_secret_file || options->test_crypto);

     init_crypto_pre(c, flags);

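Review bot: The relaxed `ASSERT(options->shared_secret_file || options->test_crypto);` looks unnecessary: the dispatch hunk later in this file (`else if (c->options.test_crypto)`) only reaches do_init_crypto_static when shared_secret_file is set and routes the no-secret case to do_init_crypto_test, so the `!options->shared_secret_file && options->test_crypto` branch added in the next hunk can never be taken. Unless a caller outside this diff enters do_init_crypto_static without a secret, keep the original `ASSERT(options->shared_secret_file);` and drop that branch so the random-key path lives in one place. do_init_crypto_static continues past this hunk.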
@@ -3027,10 +3054,18 @@
         init_key_type(&c->c1.ks.key_type, options->ciphername, 
options->authname,
                       options->test_crypto, true);

-        /* Read cipher and hmac keys from shared secret file */
-        crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
-                                options->shared_secret_file, 
options->shared_secret_file_inline,
-                                options->key_direction, "Static Key 
Encryption", "secret", NULL);
+        if (!options->shared_secret_file && options->test_crypto)
+        {
+            generate_test_crypto_random_key(&c->c1.ks.key_type, 
&c->c1.ks.static_key,
+                                            "test crypto key");
+        }
+        else
+        {
+            /* Read cipher and hmac keys from shared secret file */
+            crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
+                                    options->shared_secret_file, 
options->shared_secret_file_inline,
+                                    options->key_direction, "Static Key 
Encryption", "secret", NULL);
+        }
     }
     else
     {
@@ -3501,6 +3536,10 @@
     {
         do_init_crypto_static(c, flags);
     }
+    else if (c->options.test_crypto)
+    {
+        do_init_crypto_test(c, flags);
+    }
     else if (c->options.tls_server || c->options.tls_client)
     {
         do_init_crypto_tls(c, flags);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2d1f740..b430065 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2283,11 +2283,7 @@
 
     init_options(&defaults, true);

-    if (options->test_crypto)
-    {
-        notnull(options->shared_secret_file, "key file (--secret)");
-    }
-    else
+    if (!options->test_crypto)
     {
         notnull(options->dev, "TUN/TAP device (--dev)");
     }
@@ -2701,7 +2697,7 @@
         msg(M_USAGE, "specify only one of --tls-server, --tls-client, or 
--secret");
     }

-    if (!options->tls_server && !options->tls_client)
+    if (!options->tls_server && !options->tls_client && !options->test_crypto)
     {
         msglvl_t msglevel = M_USAGE;
         if (options->allow_deprecated_insecure_static_crypto)
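Review bot: Adding `!options->test_crypto` to this condition also exempts `--test-crypto --secret key` from the deprecated-static-crypto usage error, not only the no-secret case the commit targets. If that is intended, a comment such as `/* --test-crypto never builds a tunnel, so the static-key deprecation check does not apply */` would record it; if not, `!options->tls_server && !options->tls_client && (!options->test_crypto || options->shared_secret_file)` keeps the previous behaviour for an explicitly supplied secret. The enclosing function continues outside the hunk.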
diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
index 8ab3973..eb6a72f 100755
--- a/tests/t_lpback.sh
+++ b/tests/t_lpback.sh
@@ -95,7 +95,7 @@
 for cipher in ${CIPHERS}
 do
     test_start "Testing cipher ${cipher}... "
-    ( "${openvpn}" --test-crypto --secret key.$$  
--allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$ 2>&1
+    ( "${openvpn}" --test-crypto --cipher ${cipher} ) >log.$$ 2>&1
     test_end $? log.$$
 done



Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de
Gerrit-Change-Number: 1435
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>