Instead of requiring users to do "--genkey --secret new.key", allow
them to just do "--genkey new.key". This has hit me often enough that I
decided to write a patch for it. Also, the upcoming tls-crypt-v2-genkey
uses a similar syntax and Antonio suggested we should make them consistent.
The documentation is updated to no longer mention the old syntax, but it is
still supported so people who are used to the old syntax can still use it.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20181005150032.16541-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -5674,20 +5674,22 @@ option. |
5674 | 5674 |
Used only for non\-TLS static key encryption mode. |
5675 | 5675 |
.\"********************************************************* |
5676 | 5676 |
.TP |
5677 |
-.B \-\-genkey |
|
5677 |
+.B \-\-genkey file |
|
5678 | 5678 |
(Standalone) |
5679 |
-Generate a random key to be used as a shared secret, |
|
5680 |
-for use with the |
|
5679 |
+Generate a random key to be used as a shared secret, for use with the |
|
5681 | 5680 |
.B \-\-secret |
5682 |
-option. This file must be shared with the |
|
5683 |
-peer over a pre\-existing secure channel such as |
|
5684 |
-.BR scp (1) |
|
5685 |
-. |
|
5686 |
-.\"********************************************************* |
|
5687 |
-.TP |
|
5688 |
-.B \-\-secret file |
|
5689 |
-Write key to |
|
5690 |
-.B file. |
|
5681 |
+, |
|
5682 |
+.B \-\-tls-auth |
|
5683 |
+or |
|
5684 |
+.B \-\-tls-crypt |
|
5685 |
+options. Stores the key in |
|
5686 |
+.B file\fR. |
|
5687 |
+ |
|
5688 |
+If using this for |
|
5689 |
+.B \-\-secret |
|
5690 |
+, this file must be shared with the peer over a pre\-existing secure channel |
|
5691 |
+such as |
|
5692 |
+.BR scp (1)\fR. |
|
5691 | 5693 |
.\"********************************************************* |
5692 | 5694 |
.SS TUN/TAP persistent tunnel config mode: |
5693 | 5695 |
Available with Linux 2.4.7+. These options comprise a standalone mode |
@@ -739,10 +739,8 @@ static const char usage_message[] = |
739 | 739 |
" to access TAP adapter.\n" |
740 | 740 |
#endif /* ifdef _WIN32 */ |
741 | 741 |
"\n" |
742 |
- "Generate a random key (only for non-TLS static key encryption mode):\n" |
|
743 |
- "--genkey : Generate a random key to be used as a shared secret,\n" |
|
744 |
- " for use with the --secret option.\n" |
|
745 |
- "--secret file : Write key to file.\n" |
|
742 |
+ "Generate a new key (for use with --secret, --tls-auth or --tls-crypt):\n" |
|
743 |
+ "--genkey file : Generate a new random key and write to file.\n" |
|
746 | 744 |
#ifdef ENABLE_FEATURE_TUN_PERSIST |
747 | 745 |
"\n" |
748 | 746 |
"Tun/tap config mode (available with linux 2.4+):\n" |
@@ -7518,10 +7516,14 @@ add_option(struct options *options, |
7518 | 7518 |
} |
7519 | 7519 |
options->shared_secret_file = p[1]; |
7520 | 7520 |
} |
7521 |
- else if (streq(p[0], "genkey") && !p[1]) |
|
7521 |
+ else if (streq(p[0], "genkey") && !p[2]) |
|
7522 | 7522 |
{ |
7523 | 7523 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7524 | 7524 |
options->genkey = true; |
7525 |
+ if (p[1]) |
|
7526 |
+ { |
|
7527 |
+ options->shared_secret_file = p[1]; |
|
7528 |
+ } |
|
7525 | 7529 |
} |
7526 | 7530 |
else if (streq(p[0], "auth") && p[1] && !p[2]) |
7527 | 7531 |
{ |
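Review bot: In the new genkey branch, `options->shared_secret_file = p[1];` silently overwrites whatever an earlier `--secret file` (or a preceding `--genkey file`) already stored, and a later `--secret` overwrites it back, so the path the fresh key is written to depends only on argument order. Since genkey writes a new key to that path, a mixed command line could clobber an existing key file with no indication; a warning before the assignment, `if (options->shared_secret_file && !streq(options->shared_secret_file, p[1])) { msg(M_WARN, "--genkey %s: overriding earlier key file path %s", p[1], options->shared_secret_file); }`, would make the override visible while keeping the later-wins behaviour that the still-supported `--genkey --secret file` form relies on. Also, `--genkey` given with neither a file argument nor `--secret` leaves shared_secret_file unset here; I assume the genkey code path outside this hunk rejects that case, but nothing in the hunk does, so it is worth confirming. add_option itself starts and ends outside the hunk.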