In older versions OpenVPN would hash a --tls-auth file
if it did not conform to the expected format
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9306
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped immediately without |
4609 | 4609 |
response. |
4610 | 4610 |
|
4611 | 4611 |
.B file |
4612 |
-(required) is a key file which can be in one of two formats: |
|
4613 |
- |
|
4614 |
-.B (1) |
|
4615 |
-An OpenVPN static key file generated by |
|
4612 |
+(required) is a file in OpenVPN static key format which can be generated by |
|
4616 | 4613 |
.B \-\-genkey |
4617 |
-(required if |
|
4618 |
-.B direction |
|
4619 |
-parameter is used). |
|
4620 |
- |
|
4621 |
-.B (2) |
|
4622 |
-A freeform passphrase file. In this case the HMAC key will |
|
4623 |
-be derived by taking a secure hash of this file, similar to |
|
4624 |
-the |
|
4625 |
-.BR md5sum (1) |
|
4626 |
-or |
|
4627 |
-.BR sha1sum (1) |
|
4628 |
-commands. |
|
4629 | 4614 |
|
4630 |
-OpenVPN will first try format (1), and if the file fails to parse as |
|
4631 |
-a static key file, format (2) will be used. |
|
4615 |
+Older versions (up to 2.3) supported a freeform passphrase file. |
|
4616 |
+This is no longer supported in newer versions (2.4+). |
|
4632 | 4617 |
|
4633 | 4618 |
See the |
4634 | 4619 |
.B \-\-secret |
@@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type, |
770 | 770 |
} |
771 | 771 |
else |
772 | 772 |
{ |
773 |
- int hash_size; |
|
774 |
- |
|
775 | 773 |
CLEAR (key2); |
776 | 774 |
|
777 |
- /* failed, now try to get hash from a freeform file */ |
|
778 |
- hash_size = read_passphrase_hash (passphrase_file, |
|
779 |
- kt.digest, |
|
780 |
- key2.keys[0].hmac, |
|
781 |
- MAX_HMAC_KEY_LENGTH); |
|
782 |
- ASSERT (hash_size == kt.hmac_length); |
|
783 |
- |
|
784 |
- /* suceeded */ |
|
785 |
- key2.n = 1; |
|
775 |
+ /* failed, now bail out */ |
|
786 | 776 |
|
787 |
- msg (M_INFO, |
|
788 |
- "Control Channel Authentication: using '%s' as a free-form passphrase file", |
|
777 |
+ msg (M_ERR, |
|
778 |
+ "Control Channel Authentication: File '%s' does not have OpenVPN Static Key format. " |
|
779 |
+ "Using free-form passphrase file is not supported anymore", |
|
789 | 780 |
passphrase_file); |
790 | 781 |
} |
791 | 782 |
} |
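Review bot: The new msg() call in the else branch reports a format-parse failure with M_ERR, which in OpenVPN's error.h is M_FATAL | M_ERRNO (if that definition is unchanged) and therefore appends the strerror text of the current errno; no system call has failed at this point, so the suffix will be whatever a previous call left behind and may read as "Success" or as an unrelated error. `msg (M_FATAL,` is the level that matches the condition, since the error is that the file is well-formed input in the wrong format rather than an I/O failure. The rest of the branch looks right: CLEAR (key2) still zeroises the partially-filled key buffer before the process exits, and the two-line message makes the dropped fallback explicit to the operator. get_tls_handshake_key's body begins and ends outside this hunk, so the successful static-key path is not visible here.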
@@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
1012 | 1012 |
gc_free (&gc); |
1013 | 1013 |
} |
1014 | 1014 |
|
1015 |
-int |
|
1016 |
-read_passphrase_hash (const char *passphrase_file, |
|
1017 |
- const md_kt_t *digest, |
|
1018 |
- uint8_t *output, |
|
1019 |
- int len) |
|
1020 |
-{ |
|
1021 |
- md_ctx_t md; |
|
1022 |
- |
|
1023 |
- ASSERT (len >= md_kt_size(digest)); |
|
1024 |
- memset (output, 0, len); |
|
1025 |
- |
|
1026 |
- md_ctx_init(&md, digest); |
|
1027 |
- |
|
1028 |
- /* read passphrase file */ |
|
1029 |
- { |
|
1030 |
- const int min_passphrase_size = 8; |
|
1031 |
- uint8_t buf[64]; |
|
1032 |
- int total_size = 0; |
|
1033 |
- int fd = platform_open (passphrase_file, O_RDONLY, 0); |
|
1034 |
- |
|
1035 |
- if (fd == -1) |
|
1036 |
- msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file); |
|
1037 |
- |
|
1038 |
- for (;;) |
|
1039 |
- { |
|
1040 |
- int size = read (fd, buf, sizeof (buf)); |
|
1041 |
- if (size == 0) |
|
1042 |
- break; |
|
1043 |
- if (size == -1) |
|
1044 |
- msg (M_ERR, "Read error on passphrase file: '%s'", |
|
1045 |
- passphrase_file); |
|
1046 |
- md_ctx_update(&md, buf, size); |
|
1047 |
- total_size += size; |
|
1048 |
- } |
|
1049 |
- close (fd); |
|
1050 |
- |
|
1051 |
- warn_if_group_others_accessible (passphrase_file); |
|
1052 |
- |
|
1053 |
- if (total_size < min_passphrase_size) |
|
1054 |
- msg (M_FATAL, |
|
1055 |
- "Passphrase file '%s' is too small (must have at least %d characters)", |
|
1056 |
- passphrase_file, min_passphrase_size); |
|
1057 |
- } |
|
1058 |
- md_ctx_final(&md, output); |
|
1059 |
- md_ctx_cleanup(&md); |
|
1060 |
- return md_kt_size(digest); |
|
1061 |
-} |
|
1062 |
- |
|
1063 | 1015 |
/* |
1064 | 1016 |
* Write key to file, return number of random bits |
1065 | 1017 |
* written. |