Attention is currently required from: cron2, flichtenheld.
Hello cron2, flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1435?usp=email
to look at the new patch set (#5).
Change subject: Allow test-crypto to work without the --secret argument
......................................................................
Allow test-crypto to work without the --secret argument
The --test-crypto still requires the --secret argument. Since --secret
will be removed in OpenVPN 2.8 but we want to keep test-crypt, remove
the dependency of test-crypto on --static.
Instead we will just generate a random key for this selftest method.
Also remove the call to do_init_crypto_static in test_crypto_thread. We
already call do_init_crypto beforehand.
Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de
Signed-off-by: Arne Schwabe <[email protected]>
---
M Changes.rst
M doc/man-sections/generic-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/options.c
M tests/t_lpback.sh
7 files changed, 60 insertions(+), 12 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/35/1435/5
diff --git a/Changes.rst b/Changes.rst
index 32efbe7..1a92b94 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -338,6 +338,9 @@
(force egress = ingress interface) can be achieved with the new
``--multihome same-interface`` sub-option.
+- The ``test-crypto`` option no longer requires a ``--secret`` argument and
+ will automatically generate a random key.
+
Deprecated features
-------------------
``--opt-verify`` feature removed
diff --git a/doc/man-sections/generic-options.rst
b/doc/man-sections/generic-options.rst
index 882cf28..b6e513d 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -439,13 +439,13 @@
The typical usage of ``--test-crypto`` would be something like this:
::
- openvpn --test-crypto --secret key
+ openvpn --test-crypto
or
::
- openvpn --test-crypto --secret key --verb 9
+ openvpn --test-crypto --verb 9
This option is very useful to test OpenVPN after it has been ported to a
new platform, or to isolate problems in the compiler, OpenSSL crypto
@@ -453,6 +453,10 @@
problems with encryption and authentication can be debugged
independently of network and tunnel issues.
+ Older versions of OpenVPN used the ``--secret`` argument to specify a
+ static key for this test. Newer version generate a random key for the
+ test.
+
--tmp-dir dir
Specify a directory ``dir`` for temporary files instead of the default
:code:`TMPDIR` (or "/tmp" if unset). Note that it must be writable by the
main
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e43bc6c..ddf3c17 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1325,6 +1325,18 @@
secure_memzero(&key2, sizeof(key2));
}
+void
+generate_test_crypto_random_key(const struct key_type *key_type, struct
key_ctx_bi *ctx,
+ const char *key_name)
+{
+ struct key2 key2;
+ key2.n = 2;
+ generate_key_random(&key2.keys[0]);
+ generate_key_random(&key2.keys[1]);
+ init_key_ctx_bi(ctx, &key2, KEY_DIRECTION_BIDIRECTIONAL, key_type,
key_name);
+}
+
+
/* header and footer for static key file */
static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----";
static const char static_key_foot[] = "-----END OpenVPN Static key V1-----";
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9424fd7..6670deb 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -632,6 +632,13 @@
const char *key_file, bool key_inline, const int
key_direction,
const char *key_name, const char *opt_name,
struct key2 *keydata);
+/**
+ * Generate a random key and initialise ctx to be used the in the crypto random
+ * test
+ */
+void generate_test_crypto_random_key(const struct key_type *key_type, struct
key_ctx_bi *ctx,
+ const char *key_name);
+
/*
* Inline functions
*/
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index fc079e1..5197c54 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2997,6 +2997,30 @@
#endif
}
+
+static void
+do_init_crypto_test(struct context *c, const unsigned int flags)
+{
+ const struct options *options = &c->options;
+ ASSERT(options->test_crypto);
+
+ init_crypto_pre(c, flags);
+
+ c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
+
+ ASSERT(!key_ctx_bi_defined(&c->c1.ks.static_key));
+
+ /* Init cipher and hash algorithm */
+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->test_crypto, true);
+
+ generate_test_crypto_random_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
+ "test crypto key");
+
+ /* Get key schedule */
+ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
+}
+
/*
* Static Key Mode (using a pre-shared key)
*/
@@ -3501,6 +3525,10 @@
{
do_init_crypto_static(c, flags);
}
+ else if (c->options.test_crypto)
+ {
+ do_init_crypto_test(c, flags);
+ }
else if (c->options.tls_server || c->options.tls_client)
{
do_init_crypto_tls(c, flags);
@@ -5045,7 +5073,6 @@
init_verb_mute(c, IVM_LEVEL_1);
context_init_1(c);
next_connection_entry(c);
- do_init_crypto_static(c, 0);
frame_finalize_options(c, options);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2d1f740..b430065 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2283,11 +2283,7 @@
init_options(&defaults, true);
- if (options->test_crypto)
- {
- notnull(options->shared_secret_file, "key file (--secret)");
- }
- else
+ if (!options->test_crypto)
{
notnull(options->dev, "TUN/TAP device (--dev)");
}
@@ -2701,7 +2697,7 @@
msg(M_USAGE, "specify only one of --tls-server, --tls-client, or
--secret");
}
- if (!options->tls_server && !options->tls_client)
+ if (!options->tls_server && !options->tls_client && !options->test_crypto)
{
msglvl_t msglevel = M_USAGE;
if (options->allow_deprecated_insecure_static_crypto)
diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
index 8ab3973..6802506 100755
--- a/tests/t_lpback.sh
+++ b/tests/t_lpback.sh
@@ -89,13 +89,12 @@
# Also test cipher 'none'
CIPHERS=${CIPHERS}$(printf "\nnone")
-"${openvpn}" --genkey secret key.$$
set +e
for cipher in ${CIPHERS}
do
test_start "Testing cipher ${cipher}... "
- ( "${openvpn}" --test-crypto --secret key.$$
--allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$ 2>&1
+ ( "${openvpn}" --test-crypto --cipher ${cipher} ) >log.$$ 2>&1
test_end $? log.$$
done
@@ -126,6 +125,6 @@
echo "$0: tests passed: $tests_passed failed: $tests_failed"
fi
-rm key.$$ tc-server-key.$$ tc-client-key.$$ log.$$
+rm tc-server-key.$$ tc-client-key.$$ log.$$
trap 0
exit $e
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1435?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de
Gerrit-Change-Number: 1435
Gerrit-PatchSet: 5
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: cron2 <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
