crypto: unify key_type creation code

At the moment we have tls_crypt_kt() and auth_token_kt that basically do
the same thing, but with different algorithms used to initialise the
structure.

In order to avoid code duplication and copy/paste errors, unify code and
make it parametric, so that it can be re-used in various places.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220217163159.7936-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23831.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 10c9dde6c521d824cb6b5ac4f59375677e4449a1..9a85655f7a8bc43adcb819d5e445919a3dfad5ca 100644 (file)
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -33,21 +33,9 @@ const char *auth_token_pem_name = "OpenVPN auth-token server key";
 static struct key_type
 auth_token_kt(void)
 {
-    struct key_type kt = { 0 };
-    /* We do not encrypt our session tokens */
-    kt.cipher = "none";
-    kt.digest = "SHA256";
-
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("none", "SHA256", "auth-gen-token");
 }
 
-
 void
 add_session_token_env(struct tls_session *session, struct tls_multi *multi,
                       const struct user_pass *up)

diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 6e505517b79bf0f88bea8c59250e5d0c63655a28..806632edf44b283133517a272d323ce3cd8bde88 100644 (file)
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -547,4 +547,35 @@ key_ctx_bi_defined(const struct key_ctx_bi *key)
  */
 const char *print_key_filename(const char *str, bool is_inline);
 
+/**
+ * Creates and validates an instance of struct key_type with the provided
+ * algs.
+ *
+ * @param cipher    the cipher algorithm to use (must be a string literal)
+ * @param md        the digest algorithm to use (must be a string literal)
+ * @param optname   the name of the option requiring the key_type object
+ *
+ * @return          the initialized key_type instance
+ */
+static inline struct key_type
+create_kt(const char *cipher, const char *md, const char *optname)
+{
+    struct key_type kt;
+    kt.cipher = cipher;
+    kt.digest = md;
+
+    if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher);
+        return (struct key_type) { 0 };
+    }
+    if (md_defined(kt.digest) && !md_valid(kt.digest))
+    {
+        msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest);
+        return (struct key_type) { 0 };
+    }
+
+    return kt;
+}
+
 #endif /* CRYPTO_H */

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index aae2a9170432cb47ed032c69ea0a6aee379f21d7..88730a9944e640699596820ab5e7fdff85d0dd7e 100644 (file)
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -50,22 +50,7 @@ static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP      = 0x01;
 static struct key_type
 tls_crypt_kt(void)
 {
-    struct key_type kt;
-    kt.cipher = "AES-256-CTR";
-    kt.digest = "SHA256";
-
-    if (!cipher_valid(kt.cipher))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
-        return (struct key_type) { 0 };
-    }
-    if (!md_valid(kt.digest))
-    {
-        msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
-        return (struct key_type) { 0 };
-    }
-
-    return kt;
+    return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
 }
 
 int