ACK -Steffan
On 06-12-14 14:22, Arne Schwabe wrote: > In older version OpenVPN would hash a --tls-auth file > if it does not conform to the expected format > --- > doc/openvpn.8 | 21 +++-------------- > src/openvpn/crypto.c | 65 > ++++------------------------------------------------ > 2 files changed, 7 insertions(+), 79 deletions(-) > > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index 96ba555..532eda5 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 > @@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped > immediately without > response. > > .B file > -(required) is a key file which can be in one of two formats: > - > -.B (1) > -An OpenVPN static key file generated by > +(required) is a file in OpenVPN static key format which can be generated by > .B \-\-genkey > -(required if > -.B direction > -parameter is used). > - > -.B (2) > -A freeform passphrase file. In this case the HMAC key will > -be derived by taking a secure hash of this file, similar to > -the > -.BR md5sum (1) > -or > -.BR sha1sum (1) > -commands. > > -OpenVPN will first try format (1), and if the file fails to parse as > -a static key file, format (2) will be used. > +Older versions (up to 2.3) supported a freeform passphrase file. > +This is no longer supported in newer versions (2.4+). > > See the > .B \-\-secret > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index ef2bde1..eaef964 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c 
> @@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type, > } > else > { > - int hash_size; > - > CLEAR (key2); > > - /* failed, now try to get hash from a freeform file */ > - hash_size = read_passphrase_hash (passphrase_file, > - kt.digest, > - key2.keys[0].hmac, > - MAX_HMAC_KEY_LENGTH); > - ASSERT (hash_size == kt.hmac_length); > - > - /* suceeded */ > - key2.n = 1; > + /* failed, now bail out */ > > - msg (M_INFO, > - "Control Channel Authentication: using '%s' as a free-form > passphrase file", > + msg (M_ERR, > + "Control Channel Authentication: File '%s' does not have > OpenVPN Static Key format. " > + "Using free-form passphrase file is not supported anymore", > passphrase_file); > } > } 
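Review bot: `msg (M_ERR,` on the new bail-out path appends errno text that nothing on this path has set: in OpenVPN's error.h M_ERR is (as I recall) M_FATAL|M_ERRNO, so the message gets a stale strerror() suffix from whatever system call last failed rather than from the static-key parse failure being reported. Since this is a format error and not a syscall error, `msg (M_FATAL,` gives the same fatal exit without the misleading errno suffix, and the comment above it could say so: `/* not a static key file and free-form passphrases are gone: fatal */`. The diffstat lists only doc/openvpn.8 and crypto.c, so if crypto.h still declares read_passphrase_hash, that prototype presumably wants dropping in the same commit. get_tls_handshake_key starts and ends outside the hunk.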
> @@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file, > const unsigned int flags) > gc_free (&gc); > } > > -int > -read_passphrase_hash (const char *passphrase_file, > - const md_kt_t *digest, > - uint8_t *output, > - int len) > -{ > - md_ctx_t md; > - > - ASSERT (len >= md_kt_size(digest)); > - memset (output, 0, len); > - > - md_ctx_init(&md, digest); > - > - /* read passphrase file */ > - { > - const int min_passphrase_size = 8; > - uint8_t buf[64]; > - int total_size = 0; > - int fd = platform_open (passphrase_file, O_RDONLY, 0); > - > - if (fd == -1) > - msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file); > - > - for (;;) > - { > - int size = read (fd, buf, sizeof (buf)); > - if (size == 0) > - break; > - if (size == -1) > - msg (M_ERR, "Read error on passphrase file: '%s'", > - passphrase_file); > - md_ctx_update(&md, buf, size); > - total_size += size; > - } > - close (fd); > - > - warn_if_group_others_accessible (passphrase_file); > - > - if (total_size < min_passphrase_size) > - msg (M_FATAL, > - "Passphrase file '%s' is too small (must have at least %d > characters)", > - passphrase_file, min_passphrase_size); > - } > - md_ctx_final(&md, output); > - md_ctx_cleanup(&md); > - return md_kt_size(digest); > -} > - > /* > * Write key to file, return number of random bits > * written. >