| Message ID | 20181010142527.27025-1-arne@rfc2549.org |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | None | expand |
Hi, On 10-10-18 16:25, Arne Schwabe wrote: > These defines are always defined when management is enabled. > > We still have --disable-management as configure option, so we need > to replace these with ENABLE_MANAGEMENT in some cases. > Very nice, cleans up a lot of cruft. > PATCH v3: Rebase directly on master > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > --- > src/openvpn/init.c | 4 ++-- > src/openvpn/manage.c | 38 +++----------------------------------- > src/openvpn/manage.h | 10 ---------- > src/openvpn/misc.c | 14 ++++++-------- > src/openvpn/misc.h | 6 +++--- > src/openvpn/options.c | 24 ++++++++++++------------ > src/openvpn/options.h | 2 +- > src/openvpn/push.c | 2 +- > src/openvpn/ssl.c | 16 ++++++++-------- > src/openvpn/ssl.h | 3 ++- > src/openvpn/ssl_backend.h | 4 ++-- > src/openvpn/ssl_common.h | 2 +- > src/openvpn/ssl_mbedtls.c | 4 ++-- > src/openvpn/ssl_openssl.c | 4 ++-- > src/openvpn/syshead.h | 22 ---------------------- > 15 files changed, 45 insertions(+), 110 deletions(-) > > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index 52c64da4..1b9f19d0 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -540,7 +540,7 @@ init_query_passwords(const struct context *c) > /* Auth user/pass input */ > if (c->options.auth_user_pass_file) > { > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); > #else > auth_user_pass_setup(c->options.auth_user_pass_file, NULL); > @@ -2800,7 +2800,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) > to.x509_track = options->x509_track; > > #if P2MP > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > to.sci = &options->sc_info; > #endif > #endif > diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c > index ed981ab9..8b633f20 100644 > --- a/src/openvpn/manage.c > +++ b/src/openvpn/manage.c > @@ -110,14 +110,12 @@ man_help(void) > msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); > #endif > #endif > -#ifdef MANAGMENT_EXTERNAL_KEY > msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); > msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); > msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); > msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); > msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); > msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); > -#endif > msg(M_CLIENT, "signal s : Send signal s to daemon,"); > msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); > msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history."); > @@ -847,8 +845,6 @@ man_hold(struct management *man, const char *cmd) > } > } > > -#ifdef MANAGEMENT_IN_EXTRA > - > #define IER_RESET 0 > #define IER_NEW 1 > > @@ -936,7 +932,6 @@ in_extra_dispatch(struct management *man) > break; > > #endif /* ifdef MANAGEMENT_PF */ > -#ifdef MANAGMENT_EXTERNAL_KEY > case IEC_PK_SIGN: > man->connection.ext_key_state = EKS_READY; > buffer_list_free(man->connection.ext_key_input); > @@ -950,13 +945,10 @@ in_extra_dispatch(struct management *man) > man->connection.ext_cert_input = man->connection.in_extra; > man->connection.in_extra = NULL; > return; > -#endif > } > in_extra_reset(&man->connection, IER_RESET); > } > > -#endif /* MANAGEMENT_IN_EXTRA */ > - > #ifdef MANAGEMENT_DEF_AUTH > > static bool > @@ -1102,8 +1094,6 @@ man_client_pf(struct management *man, const char *cid_str) > #endif /* MANAGEMENT_PF */ > #endif /* MANAGEMENT_DEF_AUTH */ > > -#ifdef MANAGMENT_EXTERNAL_KEY > - > static void > man_pk_sig(struct management *man, const char *cmd_name) > { > @@ -1136,8 +1126,6 @@ man_certificate(struct management *man) > } > } > > -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ > - > static void > man_load_stats(struct management *man) > { > @@ -1526,7 +1514,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha > } > #endif > #endif /* ifdef MANAGEMENT_DEF_AUTH */ > -#ifdef MANAGMENT_EXTERNAL_KEY > else if (streq(p[0], "rsa-sig")) > { > man_pk_sig(man, "rsa-sig"); > @@ -1539,7 +1526,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha > { > man_certificate(man); > } > -#endif > #ifdef ENABLE_PKCS11 > else if (streq(p[0], "pkcs11-id-count")) > { > @@ -1928,9 +1914,7 @@ man_reset_client_socket(struct management *man, const bool exiting) > man->connection.state = MS_INITIAL; > command_line_reset(man->connection.in); > buffer_list_reset(man->connection.out); > -#ifdef MANAGEMENT_IN_EXTRA > in_extra_reset(&man->connection, IER_RESET); > -#endif > msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected"); > } > if (!exiting) > @@ -1972,9 +1956,7 @@ man_process_command(struct management *man, const char *line) > > CLEAR(parms); > so = status_open(NULL, 0, -1, &man->persist.vout, 0); > -#ifdef MANAGEMENT_IN_EXTRA > in_extra_reset(&man->connection, IER_RESET); > -#endif > > if (man_password_needed(man)) > { > @@ -2212,7 +2194,6 @@ man_read(struct management *man) > const char *line; > while ((line = command_line_get(man->connection.in))) > { > -#ifdef MANAGEMENT_IN_EXTRA > if (man->connection.in_extra) > { > if (!strcmp(line, "END")) > @@ -2225,8 +2206,9 @@ man_read(struct management *man) > } > } > else > -#endif > - man_process_command(man, (char *) line); > + { > + man_process_command(man, (char *) line); > + } > if (man->connection.halt) > { > break; > @@ -2572,12 +2554,8 @@ man_connection_close(struct management *man) > { > buffer_list_free(mc->out); > } > -#ifdef MANAGEMENT_IN_EXTRA > in_extra_reset(&man->connection, IER_RESET); > -#endif > -#ifdef MANAGMENT_EXTERNAL_KEY > buffer_list_free(mc->ext_key_input); > -#endif > man_connection_clear(mc); > } > > @@ -3412,9 +3390,7 @@ management_query_user_pass(struct management *man, > const char *alert_type = NULL; > const char *prefix = NULL; > unsigned int up_query_mode = 0; > -#ifdef ENABLE_CLIENT_CR > const char *sc = NULL; > -#endif > ret = true; > man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ > man->persist.special_state_msg = NULL; > @@ -3444,12 +3420,10 @@ management_query_user_pass(struct management *man, > up_query_mode = UP_QUERY_USER_PASS; > prefix = "PASSWORD"; > alert_type = "username/password"; > -#ifdef ENABLE_CLIENT_CR > if (static_challenge) > { > sc = static_challenge; > } > -#endif > } > buf_printf(&alert_msg, ">%s:Need '%s' %s", > prefix, > @@ -3461,14 +3435,12 @@ management_query_user_pass(struct management *man, > buf_printf(&alert_msg, " MSG:%s", up->username); > } > > -#ifdef ENABLE_CLIENT_CR > if (sc) > { > buf_printf(&alert_msg, " SC:%d,%s", > BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), > sc); > } > -#endif > > man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT); > if (signal_received) > @@ -3531,8 +3503,6 @@ management_query_user_pass(struct management *man, > return ret; > } > > -#ifdef MANAGMENT_EXTERNAL_KEY > - > static int > management_query_multiline(struct management *man, > const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) > @@ -3699,8 +3669,6 @@ management_query_cert(struct management *man, const char *cert_name) > return result; > } > > -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ > - > /* > * Return true if management_hold() would block > */ > diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h > index ff143fc1..d24abe09 100644 > --- a/src/openvpn/manage.h > +++ b/src/openvpn/manage.h > @@ -275,7 +275,6 @@ struct man_connection { > struct command_line *in; > struct buffer_list *out; > > -#ifdef MANAGEMENT_IN_EXTRA > #define IEC_UNDEF 0 > #define IEC_CLIENT_AUTH 1 > #define IEC_CLIENT_PF 2 > @@ -288,7 +287,6 @@ struct man_connection { > unsigned long in_extra_cid; > unsigned int in_extra_kid; > #endif > -#ifdef MANAGMENT_EXTERNAL_KEY > #define EKS_UNDEF 0 > #define EKS_SOLICIT 1 > #define EKS_INPUT 2 > @@ -297,8 +295,6 @@ struct man_connection { > struct buffer_list *ext_key_input; > int ext_cert_state; > struct buffer_list *ext_cert_input; > -#endif > -#endif /* ifdef MANAGEMENT_IN_EXTRA */ > struct event_set *es; > int env_filter_level; > > @@ -346,9 +342,7 @@ struct management *management_init(void); > #define MF_CLIENT_PF (1<<7) > #endif > #define MF_UNIX_SOCK (1<<8) > -#ifdef MANAGMENT_EXTERNAL_KEY > #define MF_EXTERNAL_KEY (1<<9) > -#endif > #define MF_UP_DOWN (1<<10) > #define MF_QUERY_REMOTE (1<<11) > #define MF_QUERY_PROXY (1<<12) > @@ -436,14 +430,10 @@ void management_learn_addr(struct management *management, > > #endif > > -#ifdef MANAGMENT_EXTERNAL_KEY > - > char *management_query_pk_sig(struct management *man, const char *b64_data); > > char *management_query_cert(struct management *man, const char *cert_name); > > -#endif > - > static inline bool > management_connected(const struct management *man) > { > diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c > index 2759d98d..d75b7685 100644 > --- a/src/openvpn/misc.c > +++ b/src/openvpn/misc.c > @@ -157,12 +157,10 @@ get_user_pass_cr(struct user_pass *up, > management_auth_failure(management, prefix, "previous auth credentials failed"); > } > > -#ifdef ENABLE_CLIENT_CR > if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)) > { > sc = auth_challenge; > } > -#endif > if (!management_query_user_pass(management, up, prefix, flags, sc)) > { > if ((flags & GET_USER_PASS_NOFATAL) != 0) > @@ -272,7 +270,7 @@ get_user_pass_cr(struct user_pass *up, > */ > if (username_from_stdin || password_from_stdin || response_from_stdin) > { > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) > { > struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc); > @@ -299,7 +297,7 @@ get_user_pass_cr(struct user_pass *up, > } > } > else > -#endif /* ifdef ENABLE_CLIENT_CR */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > { > struct buffer user_prompt = alloc_buf_gc(128, &gc); > struct buffer pass_prompt = alloc_buf_gc(128, &gc); > @@ -333,7 +331,7 @@ get_user_pass_cr(struct user_pass *up, > } > } > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) > { > char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc); > @@ -361,7 +359,7 @@ get_user_pass_cr(struct user_pass *up, > string_clear(resp64); > free(resp64); > } > -#endif /* ifdef ENABLE_CLIENT_CR */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > } > } > > @@ -380,7 +378,7 @@ get_user_pass_cr(struct user_pass *up, > return true; > } > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > > /* > * See management/management-notes.txt for more info on the > @@ -455,7 +453,7 @@ get_auth_challenge(const char *auth_challenge, struct gc_arena *gc) > } > } > > -#endif /* ifdef ENABLE_CLIENT_CR */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > > void > purge_user_pass(struct user_pass *up, const bool force) > diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h > index b4d9d035..a54185f0 100644 > --- a/src/openvpn/misc.h > +++ b/src/openvpn/misc.h > @@ -76,7 +76,7 @@ struct user_pass > char password[USER_PASS_LEN]; > }; > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > /* > * Challenge response info on client as pushed by server. > */ > @@ -102,10 +102,10 @@ struct static_challenge_info { > const char *challenge_text; > }; > > -#else /* ifdef ENABLE_CLIENT_CR */ > +#else /* ifdef ENABLE_MANAGEMENT */ > struct auth_challenge_info {}; > struct static_challenge_info {}; > -#endif /* ifdef ENABLE_CLIENT_CR */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > > /* > * Flags for get_user_pass and management_query_user_pass > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index e42029c5..f0762f2e 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -1735,7 +1735,7 @@ show_settings(const struct options *o) > SHOW_STR(ca_file); > SHOW_STR(ca_path); > SHOW_STR(dh_file); > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if ((o->management_flags & MF_EXTERNAL_CERT)) > { > SHOW_PARM("cert_file","EXTERNAL_CERT","%s"); > @@ -1745,7 +1745,7 @@ show_settings(const struct options *o) > SHOW_STR(cert_file); > SHOW_STR(extra_certs_file); > > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if ((o->management_flags & MF_EXTERNAL_KEY)) > { > SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s"); > @@ -2567,7 +2567,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > { > msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); > } > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (options->management_flags & MF_EXTERNAL_KEY) > { > msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); > @@ -2590,7 +2590,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > } > else > #endif /* ifdef ENABLE_PKCS11 */ > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) > { > msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); > @@ -2627,7 +2627,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > { > msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); > } > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (options->management_flags & MF_EXTERNAL_KEY) > { > msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); > @@ -2657,7 +2657,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > { > msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); > } > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (options->management_flags & MF_EXTERNAL_KEY) > { > msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); > @@ -2690,7 +2690,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > { > > const int sum = > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) > +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); > #else > @@ -2714,11 +2714,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > } > else > { > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (!(options->management_flags & MF_EXTERNAL_CERT)) > #endif > notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (!(options->management_flags & MF_EXTERNAL_KEY)) > #endif > notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); > @@ -3308,7 +3308,7 @@ options_postprocess_filechecks(struct options *options) > errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); > errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, > "--extra-certs"); > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > if (!(options->management_flags & MF_EXTERNAL_KEY)) > #endif > { > @@ -5155,7 +5155,7 @@ add_option(struct options *options, > options->management_flags |= MF_CONNECT_AS_CLIENT; > options->management_write_peer_info_file = p[1]; > } > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > else if (streq(p[0], "management-external-key") && !p[1]) > { > VERIFY_PERMISSION(OPT_P_GENERAL); > @@ -7023,7 +7023,7 @@ add_option(struct options *options, > VERIFY_PERMISSION(OPT_P_GENERAL); > auth_retry_set(msglevel, p[1]); > } > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) > { > VERIFY_PERMISSION(OPT_P_GENERAL); > diff --git a/src/openvpn/options.h b/src/openvpn/options.h > index acbd1087..33aa71f7 100644 > --- a/src/openvpn/options.h > +++ b/src/openvpn/options.h > @@ -469,7 +469,7 @@ struct options > > int scheduled_exit_interval; > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > struct static_challenge_info sc_info; > #endif > #endif /* if P2MP */ > diff --git a/src/openvpn/push.c b/src/openvpn/push.c > index a7ec4dd6..72f09962 100644 > --- a/src/openvpn/push.c > +++ b/src/openvpn/push.c > @@ -88,7 +88,7 @@ receive_auth_failed(struct context *c, const struct buffer *buffer) > * Save the dynamic-challenge text even when management is defined > */ > { > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > struct buffer buf = *buffer; > if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) > { > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 455adfb7..58261e66 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -399,7 +399,7 @@ pem_password_callback(char *buf, int size, int rwflag, void *u) > static bool auth_user_pass_enabled; /* GLOBAL */ > static struct user_pass auth_user_pass; /* GLOBAL */ > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > static char *auth_challenge; /* GLOBAL */ > #endif > > @@ -409,7 +409,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * > auth_user_pass_enabled = true; > if (!auth_user_pass.defined) > { > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > if (auth_challenge) /* dynamic challenge/response */ > { > get_user_pass_cr(&auth_user_pass, > @@ -432,7 +432,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * > sci->challenge_text); > } > else > -#endif /* ifdef ENABLE_CLIENT_CR */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); > } > } > @@ -480,12 +480,12 @@ ssl_purge_auth(const bool auth_user_pass_only) > purge_user_pass(&passbuf, true); > } > purge_user_pass(&auth_user_pass, true); > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > ssl_purge_auth_challenge(); > #endif > } > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > > void > ssl_purge_auth_challenge(void) > @@ -652,7 +652,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) > tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert); > } > #endif > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > else if (options->management_flags & MF_EXTERNAL_CERT) > { > char *cert = management_query_cert(management, > @@ -674,7 +674,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) > goto err; > } > } > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > else if (options->management_flags & MF_EXTERNAL_KEY) > { > if (tls_ctx_use_management_external_key(new_ctx)) > @@ -2364,7 +2364,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) > /* write username/password if specified */ > if (auth_user_pass_enabled) > { > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); > #else > auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); > diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h > index 72227d97..a1bd9bf0 100644 > --- a/src/openvpn/ssl.h > +++ b/src/openvpn/ssl.h > @@ -428,7 +428,8 @@ void ssl_purge_auth(const bool auth_user_pass_only); > > void ssl_set_auth_token(const char *token); > > -#ifdef ENABLE_CLIENT_CR > + > +#ifdef ENABLE_MANAGEMENT This inserts a superfluous newline and space. > /* > * ssl_get_auth_challenge will parse the server-pushed auth-failed > * reason string and return a dynamically allocated > diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h > index 5023c02a..856e809f 100644 > --- a/src/openvpn/ssl_backend.h > +++ b/src/openvpn/ssl_backend.h > @@ -272,7 +272,7 @@ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, > int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, > const char *priv_key_file_inline); > > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > > /** > * Tell the management interface to load the given certificate and the external > @@ -284,7 +284,7 @@ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, > */ > int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx); > > -#endif /* MANAGMENT_EXTERNAL_KEY */ > +#endif /* ENABLE_MANAGEMENT */ > > /** > * Load certificate authority certificates from the given file or path. > diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h > index 08ef6ffa..919ec57c 100644 > --- a/src/openvpn/ssl_common.h > +++ b/src/openvpn/ssl_common.h > @@ -332,7 +332,7 @@ struct tls_options > > const struct x509_track *x509_track; > > -#ifdef ENABLE_CLIENT_CR > +#ifdef ENABLE_MANAGEMENT > const struct static_challenge_info *sci; > #endif > > diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c > index e4850cb6..00e5d819 100644 > --- a/src/openvpn/ssl_mbedtls.c > +++ b/src/openvpn/ssl_mbedtls.c > @@ -605,7 +605,7 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, > return 0; > } > > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > > /** Query the management interface for a signature, see external_sign_func. */ > static bool > @@ -645,7 +645,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) > return tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL); > } > > -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > > void > tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 1a66d178..0858d5eb 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -997,7 +997,7 @@ end: > } > > > -#ifdef MANAGMENT_EXTERNAL_KEY > +#ifdef ENABLE_MANAGEMENT > > /* encrypt */ > static int > @@ -1340,7 +1340,7 @@ cleanup: > return ret; > } > > -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ > +#endif /* ifdef ENABLE_MANAGEMENT */ > > static int > sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b) > diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h > index 487b32a6..d2a50341 100644 > --- a/src/openvpn/syshead.h > +++ b/src/openvpn/syshead.h > @@ -548,26 +548,11 @@ socket_defined(const socket_descriptor_t sd) > #undef ENABLE_DEF_AUTH > #endif > > -/* > - * Enable external private key > - */ > -#if defined(ENABLE_MANAGEMENT) > -#define MANAGMENT_EXTERNAL_KEY > -#endif > - > /* Enable mbed TLS RNG prediction resistance support */ > #ifdef ENABLE_CRYPTO_MBEDTLS > #define ENABLE_PREDICTION_RESISTANCE > #endif /* ENABLE_CRYPTO_MBEDTLS */ > > -/* > - * MANAGEMENT_IN_EXTRA allows the management interface to > - * read multi-line inputs from clients. > - */ > -#if defined(MANAGEMENT_DEF_AUTH) || defined(MANAGMENT_EXTERNAL_KEY) > -#define MANAGEMENT_IN_EXTRA > -#endif > - > /* > * Enable packet filter? > */ > @@ -658,13 +643,6 @@ socket_defined(const socket_descriptor_t sd) > #define CONNECT_NONBLOCK > #endif > > -/* > - * Do we support challenge/response authentication as client? > - */ > -#if defined(ENABLE_MANAGEMENT) > -#define ENABLE_CLIENT_CR > -#endif > - > /* > * Compression support > */ > Apart from the single whitespace nit, this looks good, compiles fine with and without --disable-management, and passes basic sanity checks. Acked-by: Steffan Karger <steffan.karger@fox-it.com> -Steffan
Your patch has been applied to the master branch.
Cursory review, looks all reasonable, and passes my local t_client tests
plus a windows build ("just to be safe").
Spurious extra whitespace fixed on the go.
There is one thing that Selva commented on on the first round of this
patch in December 2015 which you might want to look at - while
ENABLE_CLIENT_CR depended on ENABLE_MANAGEMENT, there's a code path in
misc.c which is useful also on "non management enabled" clients, in
get_user_pass_cr() - "Get username/password from standard input?"
now depends on #ifdef ENABLE_MANAGEMENT, which is what we *had*, but
might not be what we *want*... as far as I can see, these two blocks
should not be dependent on management functions (didn't test, though).
commit 66b9409bb25402c1bfcd66359332792cf57d0825 (master)
Author: Arne Schwabe
Date: Wed Oct 10 16:25:27 2018 +0200
Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20181010142527.27025-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20181010142527.27025-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52c64da4..1b9f19d0 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -540,7 +540,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else auth_user_pass_setup(c->options.auth_user_pass_file, NULL); @@ -2800,7 +2800,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.x509_track = options->x509_track; #if P2MP -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT to.sci = &options->sc_info; #endif #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index ed981ab9..8b633f20 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -110,14 +110,12 @@ man_help(void) msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); #endif #endif -#ifdef MANAGMENT_EXTERNAL_KEY msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); -#endif msg(M_CLIENT, "signal s : Send signal s to daemon,"); msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history."); @@ -847,8 +845,6 @@ man_hold(struct management *man, const char *cmd) } } -#ifdef MANAGEMENT_IN_EXTRA - #define IER_RESET 0 #define IER_NEW 1 @@ -936,7 +932,6 @@ in_extra_dispatch(struct management *man) break; #endif /* ifdef MANAGEMENT_PF */ -#ifdef MANAGMENT_EXTERNAL_KEY case IEC_PK_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); @@ -950,13 +945,10 @@ in_extra_dispatch(struct management *man) man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; -#endif } in_extra_reset(&man->connection, IER_RESET); } -#endif /* MANAGEMENT_IN_EXTRA */ - #ifdef MANAGEMENT_DEF_AUTH static bool @@ -1102,8 +1094,6 @@ man_client_pf(struct management *man, const char *cid_str) #endif /* MANAGEMENT_PF */ #endif /* MANAGEMENT_DEF_AUTH */ -#ifdef MANAGMENT_EXTERNAL_KEY - static void man_pk_sig(struct management *man, const char *cmd_name) { @@ -1136,8 +1126,6 @@ man_certificate(struct management *man) } } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ - static void man_load_stats(struct management *man) { @@ -1526,7 +1514,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } #endif #endif /* ifdef MANAGEMENT_DEF_AUTH */ -#ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { man_pk_sig(man, "rsa-sig"); @@ -1539,7 +1526,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha { man_certificate(man); } -#endif #ifdef ENABLE_PKCS11 else if (streq(p[0], "pkcs11-id-count")) { @@ -1928,9 +1914,7 @@ man_reset_client_socket(struct management *man, const bool exiting) man->connection.state = MS_INITIAL; command_line_reset(man->connection.in); buffer_list_reset(man->connection.out); -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected"); } if (!exiting) @@ -1972,9 +1956,7 @@ man_process_command(struct management *man, const char *line) CLEAR(parms); so = status_open(NULL, 0, -1, &man->persist.vout, 0); -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif if (man_password_needed(man)) { @@ -2212,7 +2194,6 @@ man_read(struct management *man) const char *line; while ((line = command_line_get(man->connection.in))) { -#ifdef MANAGEMENT_IN_EXTRA if (man->connection.in_extra) { if (!strcmp(line, "END")) @@ -2225,8 +2206,9 @@ man_read(struct management *man) } } else -#endif - man_process_command(man, (char *) line); + { + man_process_command(man, (char *) line); + } if (man->connection.halt) { break; @@ -2572,12 +2554,8 @@ man_connection_close(struct management *man) { buffer_list_free(mc->out); } -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif -#ifdef MANAGMENT_EXTERNAL_KEY buffer_list_free(mc->ext_key_input); -#endif man_connection_clear(mc); } @@ -3412,9 +3390,7 @@ management_query_user_pass(struct management *man, const char *alert_type = NULL; const char *prefix = NULL; unsigned int up_query_mode = 0; -#ifdef ENABLE_CLIENT_CR const char *sc = NULL; -#endif ret = true; man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; @@ -3444,12 +3420,10 @@ management_query_user_pass(struct management *man, up_query_mode = UP_QUERY_USER_PASS; prefix = "PASSWORD"; alert_type = "username/password"; -#ifdef ENABLE_CLIENT_CR if (static_challenge) { sc = static_challenge; } -#endif } buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, @@ -3461,14 +3435,12 @@ management_query_user_pass(struct management *man, buf_printf(&alert_msg, " MSG:%s", up->username); } -#ifdef ENABLE_CLIENT_CR if (sc) { buf_printf(&alert_msg, " SC:%d,%s", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), sc); } -#endif man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT); if (signal_received) @@ -3531,8 +3503,6 @@ management_query_user_pass(struct management *man, return ret; } -#ifdef MANAGMENT_EXTERNAL_KEY - static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) @@ -3699,8 +3669,6 @@ management_query_cert(struct management *man, const char *cert_name) return result; } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ - /* * Return true if management_hold() would block */ diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index ff143fc1..d24abe09 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -275,7 +275,6 @@ struct man_connection { struct command_line *in; struct buffer_list *out; -#ifdef MANAGEMENT_IN_EXTRA #define IEC_UNDEF 0 #define IEC_CLIENT_AUTH 1 #define IEC_CLIENT_PF 2 @@ -288,7 +287,6 @@ struct man_connection { unsigned long in_extra_cid; unsigned int in_extra_kid; #endif -#ifdef MANAGMENT_EXTERNAL_KEY #define EKS_UNDEF 0 #define EKS_SOLICIT 1 #define EKS_INPUT 2 @@ -297,8 +295,6 @@ struct man_connection { struct buffer_list *ext_key_input; int ext_cert_state; struct buffer_list *ext_cert_input; -#endif -#endif /* ifdef MANAGEMENT_IN_EXTRA */ struct event_set *es; int env_filter_level; @@ -346,9 +342,7 @@ struct management *management_init(void); #define MF_CLIENT_PF (1<<7) #endif #define MF_UNIX_SOCK (1<<8) -#ifdef MANAGMENT_EXTERNAL_KEY #define MF_EXTERNAL_KEY (1<<9) -#endif #define MF_UP_DOWN (1<<10) #define MF_QUERY_REMOTE (1<<11) #define MF_QUERY_PROXY (1<<12) @@ -436,14 +430,10 @@ void management_learn_addr(struct management *management, #endif -#ifdef MANAGMENT_EXTERNAL_KEY - char *management_query_pk_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); -#endif - static inline bool management_connected(const struct management *man) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 2759d98d..d75b7685 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -157,12 +157,10 @@ get_user_pass_cr(struct user_pass *up, management_auth_failure(management, prefix, "previous auth credentials failed"); } -#ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)) { sc = auth_challenge; } -#endif if (!management_query_user_pass(management, up, prefix, flags, sc)) { if ((flags & GET_USER_PASS_NOFATAL) != 0) @@ -272,7 +270,7 @@ get_user_pass_cr(struct user_pass *up, */ if (username_from_stdin || password_from_stdin || response_from_stdin) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) { struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc); @@ -299,7 +297,7 @@ get_user_pass_cr(struct user_pass *up, } } else -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ { struct buffer user_prompt = alloc_buf_gc(128, &gc); struct buffer pass_prompt = alloc_buf_gc(128, &gc); @@ -333,7 +331,7 @@ get_user_pass_cr(struct user_pass *up, } } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) { char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc); @@ -361,7 +359,7 @@ get_user_pass_cr(struct user_pass *up, string_clear(resp64); free(resp64); } -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ } } @@ -380,7 +378,7 @@ get_user_pass_cr(struct user_pass *up, return true; } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT /* * See management/management-notes.txt for more info on the @@ -455,7 +453,7 @@ get_auth_challenge(const char *auth_challenge, struct gc_arena *gc) } } -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ void purge_user_pass(struct user_pass *up, const bool force) diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index b4d9d035..a54185f0 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -76,7 +76,7 @@ struct user_pass char password[USER_PASS_LEN]; }; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT /* * Challenge response info on client as pushed by server. */ @@ -102,10 +102,10 @@ struct static_challenge_info { const char *challenge_text; }; -#else /* ifdef ENABLE_CLIENT_CR */ +#else /* ifdef ENABLE_MANAGEMENT */ struct auth_challenge_info {}; struct static_challenge_info {}; -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ /* * Flags for get_user_pass and management_query_user_pass diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e42029c5..f0762f2e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1735,7 +1735,7 @@ show_settings(const struct options *o) SHOW_STR(ca_file); SHOW_STR(ca_path); SHOW_STR(dh_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_CERT)) { SHOW_PARM("cert_file","EXTERNAL_CERT","%s"); @@ -1745,7 +1745,7 @@ show_settings(const struct options *o) SHOW_STR(cert_file); SHOW_STR(extra_certs_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_KEY)) { SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s"); @@ -2567,7 +2567,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); @@ -2590,7 +2590,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else #endif /* ifdef ENABLE_PKCS11 */ -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); @@ -2627,7 +2627,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); @@ -2657,7 +2657,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); @@ -2690,7 +2690,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { const int sum = -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); #else @@ -2714,11 +2714,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else { -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_CERT)) #endif notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); @@ -3308,7 +3308,7 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, "--extra-certs"); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif { @@ -5155,7 +5155,7 @@ add_option(struct options *options, options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (streq(p[0], "management-external-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7023,7 +7023,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); auth_retry_set(msglevel, p[1]); } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index acbd1087..33aa71f7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -469,7 +469,7 @@ struct options int scheduled_exit_interval; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT struct static_challenge_info sc_info; #endif #endif /* if P2MP */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a7ec4dd6..72f09962 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -88,7 +88,7 @@ receive_auth_failed(struct context *c, const struct buffer *buffer) * Save the dynamic-challenge text even when management is defined */ { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT struct buffer buf = *buffer; if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 455adfb7..58261e66 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -399,7 +399,7 @@ pem_password_callback(char *buf, int size, int rwflag, void *u) static bool auth_user_pass_enabled; /* GLOBAL */ static struct user_pass auth_user_pass; /* GLOBAL */ -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT static char *auth_challenge; /* GLOBAL */ #endif @@ -409,7 +409,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * auth_user_pass_enabled = true; if (!auth_user_pass.defined) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge) /* dynamic challenge/response */ { get_user_pass_cr(&auth_user_pass, @@ -432,7 +432,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * sci->challenge_text); } else -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); } } @@ -480,12 +480,12 @@ ssl_purge_auth(const bool auth_user_pass_only) purge_user_pass(&passbuf, true); } purge_user_pass(&auth_user_pass, true); -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT ssl_purge_auth_challenge(); #endif } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT void ssl_purge_auth_challenge(void) @@ -652,7 +652,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert); } #endif -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (options->management_flags & MF_EXTERNAL_CERT) { char *cert = management_query_cert(management, @@ -674,7 +674,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) goto err; } } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (options->management_flags & MF_EXTERNAL_KEY) { if (tls_ctx_use_management_external_key(new_ctx)) @@ -2364,7 +2364,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) /* write username/password if specified */ if (auth_user_pass_enabled) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); #else auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 72227d97..a1bd9bf0 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -428,7 +428,8 @@ void ssl_purge_auth(const bool auth_user_pass_only); void ssl_set_auth_token(const char *token); -#ifdef ENABLE_CLIENT_CR + +#ifdef ENABLE_MANAGEMENT /* * ssl_get_auth_challenge will parse the server-pushed auth-failed * reason string and return a dynamically allocated diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 5023c02a..856e809f 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -272,7 +272,7 @@ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /** * Tell the management interface to load the given certificate and the external @@ -284,7 +284,7 @@ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, */ int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx); -#endif /* MANAGMENT_EXTERNAL_KEY */ +#endif /* ENABLE_MANAGEMENT */ /** * Load certificate authority certificates from the given file or path. diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 08ef6ffa..919ec57c 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -332,7 +332,7 @@ struct tls_options const struct x509_track *x509_track; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT const struct static_challenge_info *sci; #endif diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e4850cb6..00e5d819 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -605,7 +605,7 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, return 0; } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /** Query the management interface for a signature, see external_sign_func. */ static bool @@ -645,7 +645,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) return tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL); } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ +#endif /* ifdef ENABLE_MANAGEMENT */ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1a66d178..0858d5eb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -997,7 +997,7 @@ end: } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /* encrypt */ static int @@ -1340,7 +1340,7 @@ cleanup: return ret; } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ +#endif /* ifdef ENABLE_MANAGEMENT */ static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b) diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 487b32a6..d2a50341 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -548,26 +548,11 @@ socket_defined(const socket_descriptor_t sd) #undef ENABLE_DEF_AUTH #endif -/* - * Enable external private key - */ -#if defined(ENABLE_MANAGEMENT) -#define MANAGMENT_EXTERNAL_KEY -#endif - /* Enable mbed TLS RNG prediction resistance support */ #ifdef ENABLE_CRYPTO_MBEDTLS #define ENABLE_PREDICTION_RESISTANCE #endif /* ENABLE_CRYPTO_MBEDTLS */ -/* - * MANAGEMENT_IN_EXTRA allows the management interface to - * read multi-line inputs from clients. - */ -#if defined(MANAGEMENT_DEF_AUTH) || defined(MANAGMENT_EXTERNAL_KEY) -#define MANAGEMENT_IN_EXTRA -#endif - /* * Enable packet filter? */ @@ -658,13 +643,6 @@ socket_defined(const socket_descriptor_t sd) #define CONNECT_NONBLOCK #endif -/* - * Do we support challenge/response authentication as client? - */ -#if defined(ENABLE_MANAGEMENT) -#define ENABLE_CLIENT_CR -#endif - /* * Compression support */
These defines are always defined when management is enabled. We still have --disable-management as configure option, so we need to replace these with ENABLE_MANAGEMENT in some cases. PATCH v3: Rebase directly on master Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/init.c | 4 ++-- src/openvpn/manage.c | 38 +++----------------------------------- src/openvpn/manage.h | 10 ---------- src/openvpn/misc.c | 14 ++++++-------- src/openvpn/misc.h | 6 +++--- src/openvpn/options.c | 24 ++++++++++++------------ src/openvpn/options.h | 2 +- src/openvpn/push.c | 2 +- src/openvpn/ssl.c | 16 ++++++++-------- src/openvpn/ssl.h | 3 ++- src/openvpn/ssl_backend.h | 4 ++-- src/openvpn/ssl_common.h | 2 +- src/openvpn/ssl_mbedtls.c | 4 ++-- src/openvpn/ssl_openssl.c | 4 ++-- src/openvpn/syshead.h | 22 ---------------------- 15 files changed, 45 insertions(+), 110 deletions(-)