In older versions, OpenVPN would hash a --tls-auth file
if it did not conform to the expected format
---
 doc/openvpn.8        | 21 +++--------------
 src/openvpn/crypto.c | 65 ++++------------------------------------------------
 2 files changed, 7 insertions(+), 79 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 96ba555..532eda5 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped 
immediately without
 response.

 .B file
-(required) is a key file which can be in one of two formats:
-
-.B (1)
-An OpenVPN static key file generated by
+(required) is a file in OpenVPN static key format which can be generated by
 .B \-\-genkey
-(required if
-.B direction
-parameter is used).
-
-.B (2)
-A freeform passphrase file.  In this case the HMAC key will
-be derived by taking a secure hash of this file, similar to
-the
-.BR md5sum (1)
-or
-.BR sha1sum (1)
-commands.

-OpenVPN will first try format (1), and if the file fails to parse as
-a static key file, format (2) will be used.
+Older versions (up to 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (2.4+).

 See the
 .B \-\-secret
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1..eaef964 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type,
          }
        else
          {
-           int hash_size;
-
            CLEAR (key2);

-           /* failed, now try to get hash from a freeform file */
-           hash_size = read_passphrase_hash (passphrase_file,
-                                             kt.digest,
-                                             key2.keys[0].hmac,
-                                             MAX_HMAC_KEY_LENGTH);
-           ASSERT (hash_size == kt.hmac_length);
-
-           /* suceeded */
-           key2.n = 1;
+           /* failed, now bail out */

-           msg (M_INFO,
-                "Control Channel Authentication: using '%s' as a free-form 
passphrase file",
+           msg (M_ERR,
+                "Control Channel Authentication: File '%s' does not have 
OpenVPN Static Key format. "
+                "Using free-form passphrase file is not supported anymore",
                 passphrase_file);
          }
       }
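Review bot: The new `msg (M_ERR, ...)` call reports a file that failed to parse as a static key, not a failed system call, yet M_ERR (M_FATAL | M_ERRNO) appends the current errno text to the message; the old uses of M_ERR in this file follow open()/read() failures where errno is meaningful, but here it may be stale or print "Success" and mislead the operator. `msg (M_FATAL,` matches the intent better, as the removed too-small-passphrase path already used it. The `/* failed, now bail out */` comment is separated from the call it describes by a blank line, and `CLEAR (key2);` two lines above is dead once the message is fatal, so the comment could move onto the call and the CLEAR be dropped. The diffstat lists only crypto.c and the man page, so if crypto.h still declares read_passphrase_hash that prototype is now dangling and should be removed in the same change. get_tls_handshake_key starts and ends outside this hunk.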
@@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file, 
const unsigned int flags)
   gc_free (&gc);
 }

-int
-read_passphrase_hash (const char *passphrase_file,
-                     const md_kt_t *digest,
-                     uint8_t *output,
-                     int len)
-{
-  md_ctx_t md;
-
-  ASSERT (len >= md_kt_size(digest));
-  memset (output, 0, len);
-
-  md_ctx_init(&md, digest);
-
-  /* read passphrase file */
-  {
-    const int min_passphrase_size = 8;
-    uint8_t buf[64];
-    int total_size = 0;
-    int fd = platform_open (passphrase_file, O_RDONLY, 0);
-
-    if (fd == -1)
-      msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
-
-    for (;;)
-      {
-       int size = read (fd, buf, sizeof (buf));
-       if (size == 0)
-         break;
-       if (size == -1)
-         msg (M_ERR, "Read error on passphrase file: '%s'",
-              passphrase_file);
-       md_ctx_update(&md, buf, size);
-       total_size += size;
-      }
-    close (fd);
-
-    warn_if_group_others_accessible (passphrase_file);
-
-    if (total_size < min_passphrase_size)
-      msg (M_FATAL,
-          "Passphrase file '%s' is too small (must have at least %d 
characters)",
-          passphrase_file, min_passphrase_size);
-  }
-  md_ctx_final(&md, output);
-  md_ctx_cleanup(&md);
-  return md_kt_size(digest);
-}
-
 /*
  * Write key to file, return number of random bits
  * written.
-- 
1.9.3 (Apple Git-50)

