ACK
-Steffan
On 06-12-14 14:22, Arne Schwabe wrote:
> In older versions, OpenVPN would hash a --tls-auth file
> if it did not conform to the expected format
> ---
> doc/openvpn.8 | 21 +++--------------
> src/openvpn/crypto.c | 65
> ++++------------------------------------------------
> 2 files changed, 7 insertions(+), 79 deletions(-)
>
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 96ba555..532eda5 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped
> immediately without
> response.
>
> .B file
> -(required) is a key file which can be in one of two formats:
> -
> -.B (1)
> -An OpenVPN static key file generated by
> +(required) is a file in OpenVPN static key format which can be generated by
> .B \-\-genkey
> -(required if
> -.B direction
> -parameter is used).
> -
> -.B (2)
> -A freeform passphrase file. In this case the HMAC key will
> -be derived by taking a secure hash of this file, similar to
> -the
> -.BR md5sum (1)
> -or
> -.BR sha1sum (1)
> -commands.
>
> -OpenVPN will first try format (1), and if the file fails to parse as
> -a static key file, format (2) will be used.
> +Older versions (up to 2.3) supported a freeform passphrase file.
> +This is no longer supported in newer versions (2.4+).
>
> See the
> .B \-\-secret
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index ef2bde1..eaef964 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type,
> }
> else
> {
> - int hash_size;
> -
> CLEAR (key2);
>
> - /* failed, now try to get hash from a freeform file */
> - hash_size = read_passphrase_hash (passphrase_file,
> - kt.digest,
> - key2.keys[0].hmac,
> - MAX_HMAC_KEY_LENGTH);
> - ASSERT (hash_size == kt.hmac_length);
> -
> - /* suceeded */
> - key2.n = 1;
> + /* failed, now bail out */
>
> - msg (M_INFO,
> - "Control Channel Authentication: using '%s' as a free-form
> passphrase file",
> + msg (M_ERR,
> + "Control Channel Authentication: File '%s' does not have
> OpenVPN Static Key format. "
> + "Using free-form passphrase file is not supported anymore",
> passphrase_file);
> }
> }
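Review bot: The new `msg (M_ERR, ...)` in the else branch will append a strerror text to the log line, because unless error.h has changed M_ERR is M_FATAL combined with M_ERRNO, and nothing on this path sets errno after a key-file parse failure, so the suffix is unrelated or stale. `msg (M_FATAL, ...)` aborts identically without the misleading errno text and matches the other fatal parse diagnostics in this file. Since the message is fatal, the `CLEAR (key2)` that precedes it no longer reaches any caller, and the comment `/* failed, now bail out */` is separated from the call it describes by a blank line; dropping that blank line keeps them together. The diffstat lists only doc/openvpn.8 and crypto.c, so if crypto.h still declares `read_passphrase_hash`, the removal in the later hunk leaves an orphaned prototype behind. get_tls_handshake_key begins and ends outside this hunk.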
> @@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file,
> const unsigned int flags)
> gc_free (&gc);
> }
>
> -int
> -read_passphrase_hash (const char *passphrase_file,
> - const md_kt_t *digest,
> - uint8_t *output,
> - int len)
> -{
> - md_ctx_t md;
> -
> - ASSERT (len >= md_kt_size(digest));
> - memset (output, 0, len);
> -
> - md_ctx_init(&md, digest);
> -
> - /* read passphrase file */
> - {
> - const int min_passphrase_size = 8;
> - uint8_t buf[64];
> - int total_size = 0;
> - int fd = platform_open (passphrase_file, O_RDONLY, 0);
> -
> - if (fd == -1)
> - msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
> -
> - for (;;)
> - {
> - int size = read (fd, buf, sizeof (buf));
> - if (size == 0)
> - break;
> - if (size == -1)
> - msg (M_ERR, "Read error on passphrase file: '%s'",
> - passphrase_file);
> - md_ctx_update(&md, buf, size);
> - total_size += size;
> - }
> - close (fd);
> -
> - warn_if_group_others_accessible (passphrase_file);
> -
> - if (total_size < min_passphrase_size)
> - msg (M_FATAL,
> - "Passphrase file '%s' is too small (must have at least %d
> characters)",
> - passphrase_file, min_passphrase_size);
> - }
> - md_ctx_final(&md, output);
> - md_ctx_cleanup(&md);
> - return md_kt_size(digest);
> -}
> -
> /*
> * Write key to file, return number of random bits
> * written.
>