This allows the method to be resued for generating other types of keys
that should also not be reused as tls-crypt/tls-auth keys.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190114154819.6064-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18090.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -1848,3 +1848,37 @@ translate_cipher_name_to_openvpn(const char *cipher_name) |
1848 | 1848 |
|
1849 | 1849 |
return pair->openvpn_name; |
1850 | 1850 |
} |
1851 |
+ |
|
1852 |
+void |
|
1853 |
+write_pem_key_file(const char *filename, const char *pem_name) |
|
1854 |
+{ |
|
1855 |
+ struct gc_arena gc = gc_new(); |
|
1856 |
+ struct key server_key = { 0 }; |
|
1857 |
+ struct buffer server_key_buf = clear_buf(); |
|
1858 |
+ struct buffer server_key_pem = clear_buf(); |
|
1859 |
+ |
|
1860 |
+ if (!rand_bytes((void *)&server_key, sizeof(server_key))) |
|
1861 |
+ { |
|
1862 |
+ msg(M_NONFATAL, "ERROR: could not generate random key"); |
|
1863 |
+ goto cleanup; |
|
1864 |
+ } |
|
1865 |
+ buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); |
|
1866 |
+ if (!crypto_pem_encode(pem_name, &server_key_pem, |
|
1867 |
+ &server_key_buf, &gc)) |
|
1868 |
+ { |
|
1869 |
+ msg(M_WARN, "ERROR: could not PEM-encode key"); |
|
1870 |
+ goto cleanup; |
|
1871 |
+ } |
|
1872 |
+ |
|
1873 |
+ if (!buffer_write_file(filename, &server_key_pem)) |
|
1874 |
+ { |
|
1875 |
+ msg(M_ERR, "ERROR: could not write key file"); |
|
1876 |
+ goto cleanup; |
|
1877 |
+ } |
|
1878 |
+ |
|
1879 |
+cleanup: |
|
1880 |
+ secure_memzero(&server_key, sizeof(server_key)); |
|
1881 |
+ buf_clear(&server_key_pem); |
|
1882 |
+ gc_free(&gc); |
|
1883 |
+ return; |
|
1884 |
+} |
... | ... |
@@ -420,6 +420,16 @@ void crypto_adjust_frame_parameters(struct frame *frame, |
420 | 420 |
/** Return the worst-case OpenVPN crypto overhead (in bytes) */ |
421 | 421 |
unsigned int crypto_max_overhead(void); |
422 | 422 |
|
423 |
+/** |
|
424 |
+ * Generate a server key with enough randomness to fill a key struct |
|
425 |
+ * and write to file. |
|
426 |
+ * |
|
427 |
+ * @param filename Filename of the server key file to create. |
|
428 |
+ * @param pem_name The name to use in the PEM header/footer. |
|
429 |
+ */ |
|
430 |
+void |
|
431 |
+write_pem_key_file(const char *filename, const char *pem_name); |
|
432 |
+ |
|
423 | 433 |
/* Minimum length of the nonce used by the PRNG */ |
424 | 434 |
#define NONCE_SECRET_LEN_MIN 16 |
425 | 435 |
|
... | ... |
@@ -670,35 +670,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, |
670 | 670 |
void |
671 | 671 |
tls_crypt_v2_write_server_key_file(const char *filename) |
672 | 672 |
{ |
673 |
- struct gc_arena gc = gc_new(); |
|
674 |
- struct key server_key = { 0 }; |
|
675 |
- struct buffer server_key_buf = clear_buf(); |
|
676 |
- struct buffer server_key_pem = clear_buf(); |
|
677 |
- |
|
678 |
- if (!rand_bytes((void *)&server_key, sizeof(server_key))) |
|
679 |
- { |
|
680 |
- msg(M_NONFATAL, "ERROR: could not generate random key"); |
|
681 |
- goto cleanup; |
|
682 |
- } |
|
683 |
- buf_set_read(&server_key_buf, (void *)&server_key, sizeof(server_key)); |
|
684 |
- if (!crypto_pem_encode(tls_crypt_v2_srv_pem_name, &server_key_pem, |
|
685 |
- &server_key_buf, &gc)) |
|
686 |
- { |
|
687 |
- msg(M_WARN, "ERROR: could not PEM-encode server key"); |
|
688 |
- goto cleanup; |
|
689 |
- } |
|
690 |
- |
|
691 |
- if (!buffer_write_file(filename, &server_key_pem)) |
|
692 |
- { |
|
693 |
- msg(M_ERR, "ERROR: could not write server key file"); |
|
694 |
- goto cleanup; |
|
695 |
- } |
|
696 |
- |
|
697 |
-cleanup: |
|
698 |
- secure_memzero(&server_key, sizeof(server_key)); |
|
699 |
- buf_clear(&server_key_pem); |
|
700 |
- gc_free(&gc); |
|
701 |
- return; |
|
673 |
+ write_pem_key_file(filename, tls_crypt_v2_srv_pem_name); |
|
702 | 674 |
} |
703 | 675 |
|
704 | 676 |
void |