Remove possibility of using --tls-auth with non OpenVPN Static key files

In older version OpenVPN would hash a --tls-auth file
if it does not conform to the expected format
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9306

Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 96ba5554aa3f9489af5bf5c5a32c704914108fac..532eda5c1e4a3501941001eebdc401de72cca95c 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4609,26 +4609,11 @@ bearing an incorrect HMAC signature can be dropped immediately without
 response.
 
 .B file
-(required) is a key file which can be in one of two formats:
-
-.B (1)
-An OpenVPN static key file generated by
+(required) is a file in OpenVPN static key format which can be generated by
 .B \-\-genkey
-(required if
-.B direction
-parameter is used).
-
-.B (2)
-A freeform passphrase file.  In this case the HMAC key will
-be derived by taking a secure hash of this file, similar to
-the
-.BR md5sum (1)
-or
-.BR sha1sum (1)
-commands.
 
-OpenVPN will first try format (1), and if the file fails to parse as
-a static key file, format (2) will be used.
+Older versions (up to 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (2.4+).
 
 See the
 .B \-\-secret

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1d57a990707bd4f79e55c7a23f91d4befe..eaef96438b3e7b3164dee6d2da3ee6a47819302c 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -770,22 +770,13 @@ get_tls_handshake_key (const struct key_type *key_type,
          }
        else
          {
-           int hash_size;
-
            CLEAR (key2);
 
-           /* failed, now try to get hash from a freeform file */
-           hash_size = read_passphrase_hash (passphrase_file,
-                                             kt.digest,
-                                             key2.keys[0].hmac,
-                                             MAX_HMAC_KEY_LENGTH);
-           ASSERT (hash_size == kt.hmac_length);
-
-           /* suceeded */
-           key2.n = 1;
+           /* failed, now bail out */
 
-           msg (M_INFO,
-                "Control Channel Authentication: using '%s' as a free-form passphrase file",
+           msg (M_ERR,
+                "Control Channel Authentication: File '%s' does not have OpenVPN Static Key format. "
+                "Using free-form passphrase file is not supported anymore",
                 passphrase_file);
          }
       }
@@ -1012,54 +1003,6 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags)
   gc_free (&gc);
 }
 
-int
-read_passphrase_hash (const char *passphrase_file,
-                     const md_kt_t *digest,
-                     uint8_t *output,
-                     int len)
-{
-  md_ctx_t md;
-
-  ASSERT (len >= md_kt_size(digest));
-  memset (output, 0, len);
-
-  md_ctx_init(&md, digest);
-
-  /* read passphrase file */
-  {
-    const int min_passphrase_size = 8;
-    uint8_t buf[64];
-    int total_size = 0;
-    int fd = platform_open (passphrase_file, O_RDONLY, 0);
-
-    if (fd == -1)
-      msg (M_ERR, "Cannot open passphrase file: '%s'", passphrase_file);
-
-    for (;;)
-      {
-       int size = read (fd, buf, sizeof (buf));
-       if (size == 0)
-         break;
-       if (size == -1)
-         msg (M_ERR, "Read error on passphrase file: '%s'",
-              passphrase_file);
-       md_ctx_update(&md, buf, size);
-       total_size += size;
-      }
-    close (fd);
-
-    warn_if_group_others_accessible (passphrase_file);
-
-    if (total_size < min_passphrase_size)
-      msg (M_FATAL,
-          "Passphrase file '%s' is too small (must have at least %d characters)",
-          passphrase_file, min_passphrase_size);
-  }
-  md_ctx_final(&md, output);
-  md_ctx_cleanup(&md);
-  return md_kt_size(digest);
-}
-
 /*
  * Write key to file, return number of random bits
  * written.