In older version OpenVPN would hash a --tls-auth file
if it does not conform to the expected format
---
doc/openvpn.8 | 21 +++--------------
src/openvpn/crypto.c | 65 ++++------------------------------------------------
2 files changed, 7 insertions(+), 79 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 96ba555..532eda5 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped
immediately without
response.
.B file
-(required) is a key file which can be in one of two formats:
-
-.B (1)
-An OpenVPN static key file generated by
+(required) is a file in OpenVPN static key format which can be generated by
.B \-\-genkey
-(required if
-.B direction
-parameter is used).
-
-.B (2)
-A freeform passphrase file. In this case the HMAC key will
-be derived by taking a secure hash of this file, similar to
-the
-.BR md5sum (1)
-or
-.BR sha1sum (1)
-commands.
-OpenVPN will first try format (1), and if the file fails to parse as
-a static key file, format (2) will be used.
+Older versions (up to 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (2.4+).
See the
.B \-\-secret
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1..eaef964 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type,
}
else
{
- int hash_size;
-
CLEAR (key2);
- /* failed, now try to get hash from a freeform file */
- hash_size = read_passphrase_hash (passphrase_file,
- kt.digest,
- key2.keys[0].hmac,
- MAX_HMAC_KEY_LENGTH);
- ASSERT (hash_size == kt.hmac_length);
-
- /* suceeded */
- key2.n = 1;
+ /* failed, now bail out */
- msg (M_INFO,
- "Control Channel Authentication: using '%s' as a free-form
passphrase file",
+ msg (M_ERR,
+ "Control Channel Authentication: File '%s' does not have
OpenVPN Static Key format. "
+ "Using free-form passphrase file is not supported anymore",
passphrase_file);
}
}
@@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file,
const unsigned int flags)
gc_free (&gc);
}
-int
-read_passphrase_hash (const char *passphrase_file,
- const md_kt_t *digest,
- uint8_t *output,
- int len)
-{
- md_ctx_t md;
-
- ASSERT (len >= md_kt_size(digest));
- memset (output, 0, len);
-
- md_ctx_init(&md, digest);
-
- /* read passphrase file */
- {
- const int min_passphrase_size = 8;
- uint8_t buf[64];
- int total_size = 0;
- int fd = platform_open (passphrase_file, O_RDONLY, 0);
-
- if (fd == -1)
- msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
-
- for (;;)
- {
- int size = read (fd, buf, sizeof (buf));
- if (size == 0)
- break;
- if (size == -1)
- msg (M_ERR, "Read error on passphrase file: '%s'",
- passphrase_file);
- md_ctx_update(&md, buf, size);
- total_size += size;
- }
- close (fd);
-
- warn_if_group_others_accessible (passphrase_file);
-
- if (total_size < min_passphrase_size)
- msg (M_FATAL,
- "Passphrase file '%s' is too small (must have at least %d
characters)",
- passphrase_file, min_passphrase_size);
- }
- md_ctx_final(&md, output);
- md_ctx_cleanup(&md);
- return md_kt_size(digest);
-}
-
/*
* Write key to file, return number of random bits
* written.
--
1.9.3 (Apple Git-50)
