Clean up get_tls_handhake_key()

This function has *much* more code than required.  This commit cleans up
the function:
 * Merge the handling of inline and non-inline code.
 * Don't double-check key.2, since must_have_n_keys() already does that
   (but keep the message about dropped passphrase support in 2.4).
 * Remove stale references to 'passphrase' - we no longer support those

This commit should not change any behaviour except for log messages.

v2: Leave message about dropped passphrase support in place - this option
    was dropped in 2.4, so it is indeed better to be clear about it.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1456151046-16047-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11238
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 6d9c119414c1fc4628d837751f7ed0229df3bd8b..bd866799b37523649c0e695409d4a2f11e09f246 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1080,57 +1080,35 @@ test_crypto (struct crypto_options *co, struct frame* frame)
 void
 get_tls_handshake_key (const struct key_type *key_type,
                       struct key_ctx_bi *ctx,
-                      const char *passphrase_file,
+                      const char *key_file,
                       const int key_direction,
                       const unsigned int flags)
 {
-  if (passphrase_file && key_type->hmac_length)
+  if (key_file)
     {
       struct key2 key2;
       struct key_direction_state kds;
 
       if (flags & GHK_INLINE)
        {
-         /* key was specified inline, key text is in passphrase_file */
-         read_key_file (&key2, passphrase_file, RKF_INLINE|RKF_MUST_SUCCEED);
-
-         /* succeeded? */
-         if (key2.n == 2)
-           msg (M_INFO, "Control Channel Authentication: tls-auth using INLINE static key file");
-         else
-           msg (M_FATAL, "INLINE tls-auth file lacks the requisite 2 keys");
+         read_key_file (&key2, key_file, RKF_INLINE|RKF_MUST_SUCCEED);
        }
       else
-      {
-       /* first try to parse as an OpenVPN static key file */
-       read_key_file (&key2, passphrase_file, 0);
+       {
+         read_key_file (&key2, key_file, RKF_MUST_SUCCEED);
+       }
 
-       /* succeeded? */
-       if (key2.n == 2)
+       if (key2.n != 2)
          {
-           msg (M_INFO,
-                "Control Channel Authentication: using '%s' as a " PACKAGE_NAME " static key file",
-                passphrase_file);
+           msg (M_ERR, "Control Channel Authentication: File '%s' does not "
+               "have OpenVPN Static Key format.  Using free-form passphrase "
+               "file is not supported anymore.", key_file);
          }
-       else
-         {
-           CLEAR (key2);
-
-           /* failed, now bail out */
-
-           msg (M_ERR,
-                "Control Channel Authentication: File '%s' does not have OpenVPN Static Key format. "
-                "Using free-form passphrase file is not supported anymore",
-                passphrase_file);
-         }
-      }
       /* handle key direction */
-
       key_direction_state_init (&kds, key_direction);
-      must_have_n_keys (passphrase_file, "tls-auth", &key2, kds.need_keys);
-
-      /* initialize hmac key in both directions */
+      must_have_n_keys (key_file, "tls-auth", &key2, kds.need_keys);
 
+      /* initialize key in both directions */
       init_key_ctx (&ctx->encrypt, &key2.keys[kds.out_key], key_type, OPENVPN_OP_ENCRYPT,
                    "Outgoing Control Channel Authentication");
       init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, OPENVPN_OP_DECRYPT,