From patchwork Thu Jan 25 08:41:00 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 214
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 Jan 2018 14:41:00 -0500
Message-Id: <1516909261-31623-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/2] Add management client version
From: Selva Nair

- "version" command from client to management can now set the version of management interface supported by the client by specifying an optional integer parameter. If no parameter is specified the version of OpenVPN and its management interface is returned (current behaviour). The client version defaults to 1 which is the current version of the Management Interface.

Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
--- doc/management-notes.txt | 6 +++++- src/openvpn/manage.c | 17 ++++++++++++++++- src/openvpn/manage.h | 1 + 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 908b981..e03cd39 100644 --- a/doc/management-notes.txt
+++ b/doc/management-notes.txt @@ -432,8 +432,12 @@ Command examples: COMMAND -- version ------------------ -Show the current OpenVPN and Management Interface versions. +Set the version (integer) of Management Interface supported by the +client or show the current OpenVPN and Management Interface versions. +Command examples: + version 2 -- Change management version of client to 2 (default = 1) + version -- Show the version of OpenVPN and its Management Interface COMMAND -- auth-retry --------------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 650f9e0..c36d94d 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -123,7 +123,7 @@ man_help(void) msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging."); msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username."); msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent."); - msg(M_CLIENT, "version : Show current version number."); + msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon."); msg(M_CLIENT, "END"); } @@ -1241,6 +1241,15 @@ man_network_change(struct management *man, bool samenetwork) #endif static void +set_client_version(struct management *man, const char *version) +{ + if (version) + { + man->connection.client_version = atoi(version); + } +} + +static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms) { struct gc_arena gc = gc_new(); @@ -1255,6 +1264,10 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha { man_help(); } + else if (streq(p[0], "version") && p[1]) + { + set_client_version(man, p[1]); + } else if (streq(p[0], "version")) { msg(M_CLIENT, "OpenVPN Version: %s", title_string); 
@@ -2508,6 +2521,8 @@ man_connection_init(struct management *man) man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST); } + man->connection.client_version = 1; /* default version */ + /* * Listen/connect socket */ diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 364488f..3bd4e50 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -318,6 +318,7 @@ struct man_connection { int fdtosend; int lastfdreceived; #endif + int client_version; }; struct management
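Review bot: set_client_version() in the manage.c hunk at -1241 stores atoi(version) without any validation, so a non-numeric argument silently sets client_version to 0 and a negative or arbitrarily large value is accepted as well. Consider parsing with strtol() and rejecting anything outside 1..MANAGEMENT_VERSION, e.g. `if (v < 1 || v > MANAGEMENT_VERSION) { msg(M_CLIENT, "ERROR: unsupported management version"); return; }`, so that later comparisons on client_version only ever see a value the daemon actually understands.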
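Review bot: the new `version` branch with an argument in the man_dispatch_command hunk at -1255 sends nothing back to the client, whereas other state-changing management commands answer with SUCCESS: or ERROR:, so a client cannot tell whether its announcement was accepted. Suggest a `msg(M_CLIENT, "SUCCESS: client version set to %d", man->connection.client_version);` after set_client_version(); also note the branch must stay ahead of the plain `version` branch, as it does here, or it would never be reached.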
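Review bot: the management-notes.txt hunk documents `version 2` but says nothing about which values are accepted or what happens with an invalid or unsupported one; the doc should state the accepted range and the reply a client should expect, since management clients will rely on this text to implement the negotiation.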
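Review bot: the new `int client_version;` field in the manage.h hunk at -318 carries no comment; a one-liner such as `/* management protocol version announced by the client via 'version n' (default 1) */` would help readers tell it apart from MANAGEMENT_VERSION, which is the daemon's own version.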
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 Jan 2018 14:41:01 -0500
Message-Id: <1516909261-31623-2-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1516909261-31623-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/2] Prompt for signature using '>PK_SIGN' if the client supports it
From: Selva Nair

- Increase the management version from 1 to 2
- If the client announces support for management version > 1, prompt for signature using >PK_SIGN, to which the client responds using 'pk-sig'. Older (current) clients will continue to be prompted by '>RSA_SIGN' and can respond using 'rsa-sig'
- Remove an unused rsa_sig buffer-list variable

This facilitates a transparent transition to PK_SIGN and future deprecation of RSA_SIGN
Signed-off-by: Selva Nair Acked-by: Arne Schwabe --- doc/management-notes.txt | 13 +++++++++---- src/openvpn/manage.c | 32 ++++++++++++++++++++++---------- src/openvpn/manage.h | 8 +++----- src/openvpn/ssl_mbedtls.c | 2 +- src/openvpn/ssl_openssl.c | 2 +- 5 files changed, 36 insertions(+), 21 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index e03cd39..070c2d6 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -773,8 +773,9 @@ To accept connecting to the host and port directly, use this command: proxy NONE -COMMAND -- rsa-sig (OpenVPN 2.3 or higher) ------------------------------------------- +COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) +COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) +----------------------------------------------------------------- Provides support for external storage of the private key. Requires the --management-external-key option. This option can be used instead of "key" in client mode, and allows the client to run without the need to load the @@ -782,13 +783,14 @@ actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: ->RSA_SIGN:[BASE64_DATA] +>PK_SIGN:[BASE64_DATA] (if client announces support for management version > 1) +>RSA_SIGN:[BASE64_DATA] (only older clients will be prompted like this) The management interface client should then create a PKCS#1 v1.5 signature of the (decoded) BASE64_DATA using the private key and return the SSL signature as follows: -rsa-sig +pk-sig (or rsa-sig) [BASE64_SIG_LINE] . . 
@@ -801,6 +803,9 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. +New and updated clients are expected to use the version command to announce +a version > 1 and handle '>PK_SIGN' prompt and respond with 'pk-sig'. + COMMAND -- certificate (OpenVPN 2.4 or higher) ---------------------------------------------- Provides support for external storage of the certificate. Requires the diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index c36d94d..ca793a9 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -111,7 +111,9 @@ man_help(void) #endif #endif #ifdef MANAGMENT_EXTERNAL_KEY - msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); + msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); @@ -935,7 +937,7 @@ in_extra_dispatch(struct management *man) #endif /* ifdef MANAGEMENT_PF */ #ifdef MANAGMENT_EXTERNAL_KEY - case IEC_RSA_SIGN: + case IEC_PK_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); man->connection.ext_key_input = man->connection.in_extra; 
@@ -1103,18 +1105,18 @@ man_client_pf(struct management *man, const char *cid_str) #ifdef MANAGMENT_EXTERNAL_KEY static void -man_rsa_sig(struct management *man) +man_pk_sig(struct management *man, const char *cmd_name) { struct man_connection *mc = &man->connection; if (mc->ext_key_state == EKS_SOLICIT) { mc->ext_key_state = EKS_INPUT; - mc->in_extra_cmd = IEC_RSA_SIGN; + mc->in_extra_cmd = IEC_PK_SIGN; in_extra_reset(mc, IER_NEW); } else { - msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available"); + msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name); } } @@ -1527,7 +1529,11 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha #ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { - man_rsa_sig(man); + man_pk_sig(man, "rsa-sig"); + } + else if (streq(p[0], "pk-sig")) + { + man_pk_sig(man, "pk-sig"); } else if (streq(p[0], "certificate")) { @@ -3663,14 +3669,20 @@ management_query_multiline_flatten(struct management *man, char * /* returns allocated base64 signature */ -management_query_rsa_sig(struct management *man, +management_query_pk_sig(struct management *man, const char *b64_data) { - return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign", - &man->connection.ext_key_state, &man->connection.ext_key_input); + const char *prompt = "PK_SIGN"; + const char *desc = "pk-sign"; + if (man->connection.client_version <= 1) + { + prompt = "RSA_SIGN"; + desc = "rsa-sign"; + } + return management_query_multiline_flatten(man, b64_data, prompt, desc, + &man->connection.ext_key_state, &man->connection.ext_key_input); } - char * management_query_cert(struct management *man, const char *cert_name) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 3bd4e50..1b3a393 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 1 +#define MANAGEMENT_VERSION 2 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -281,6 +281,7 @@ struct man_connection { #define IEC_CLIENT_PF 2 #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 +#define IEC_PK_SIGN 5 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH @@ -311,9 +312,6 @@ struct man_connection { int up_query_mode; struct user_pass up_query; -#ifdef MANAGMENT_EXTERNAL_KEY - struct buffer_list *rsa_sig; -#endif #ifdef TARGET_ANDROID int fdtosend; int lastfdreceived; @@ -440,7 +438,7 @@ void management_learn_addr(struct management *management, #ifdef MANAGMENT_EXTERNAL_KEY -char *management_query_rsa_sig(struct management *man, const char *b64_data); +char *management_query_pk_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index d503162..b65db3f 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -583,7 +583,7 @@ external_pkcs1_sign( void *ctx_voidptr, /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) { diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 01be656..242b464 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1068,7 +1068,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) {
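Review bot: IEC_RSA_SIGN (3) is left defined in the manage.h hunk at -281 although the in_extra_dispatch case and man_pk_sig() now use IEC_PK_SIGN only, so the old constant is dead; either drop it or comment that it is retained deliberately.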
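Review bot: man_pk_sig() in the manage.c hunk at -1103 accepts both rsa-sig and pk-sig whenever ext_key_state is EKS_SOLICIT, regardless of whether the client was prompted with >RSA_SIGN or >PK_SIGN, so a reply to the "wrong" prompt is accepted silently. That leniency suits the transition the commit message describes, but it should either be documented in management-notes.txt or the command should be checked against client_version and answered with an ERROR: when it does not match the prompt that was issued.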
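Review bot: in management_query_pk_sig() (manage.c hunk at -3663) the `client_version <= 1` comparison is the only place the announced version is consulted, and since patch 1 stores the atoi() result unchecked, a value of 0 or a negative number also selects RSA_SIGN. Falling back to the old prompt is the safe direction, but it would be clearer to normalise or reject bad values where the `version` command is handled rather than relying on this comparison to absorb them.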
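Review bot: the call sites in external_pkcs1_sign() (ssl_mbedtls.c hunk at -583) and rsa_priv_enc() (ssl_openssl.c hunk at -1068) are only renamed, so the data behind a >PK_SIGN prompt is still the PKCS#1 v1.5 RSA input that management-notes.txt describes for RSA_SIGN; the doc hunk should state that the payload and expected signature format are unchanged, so client authors do not read a new format into the new prompt name.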
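The version negotiation from patch 1 and the >PK_SIGN / >RSA_SIGN exchange from patch 2, simulated end to end as an added example that is not part of the patches or of OpenVPN itself: the daemon side picks the prompt from the client's announced version and the client side answers with the matching command, base64 body and END. Assumptions: the `version` handler here validates its argument and replies SUCCESS/ERROR, which the patch does not do, and `fake_sign` is a constructed stand-in for the external private key, not a real PKCS#1 signature.

```python
import base64
import hashlib

MANAGEMENT_VERSION = 2  # value from the patched manage.h


def fake_sign(data: bytes) -> bytes:
    """Constructed stand-in for the external key's signing operation.

    A real client would return a PKCS#1 v1.5 signature made with its private key;
    a keyed hash is used here only so the exchange is self-contained and offline.
    """
    return hashlib.sha256(b"example-external-key:" + data).digest()


class Daemon:
    """Daemon side of the management interface (modelled on the patched manage.c)."""

    def __init__(self):
        self.client_version = 1  # default set in man_connection_init()

    def handle_version(self, arg):
        """'version n': record the client's announced management version.

        Assumption: unlike the patch's bare atoi(), reject non-integers and
        versions outside 1..MANAGEMENT_VERSION, and tell the client the outcome.
        """
        try:
            v = int(arg, 10)
        except ValueError:
            return "ERROR: version must be an integer"
        if not 1 <= v <= MANAGEMENT_VERSION:
            return "ERROR: version must be between 1 and %d" % MANAGEMENT_VERSION
        self.client_version = v
        return "SUCCESS: client version set to %d" % v

    def sign_prompt(self, data: bytes) -> str:
        """Mirror management_query_pk_sig(): PK_SIGN for version > 1, else RSA_SIGN."""
        prompt = "PK_SIGN" if self.client_version > 1 else "RSA_SIGN"
        return ">%s:%s" % (prompt, base64.b64encode(data).decode("ascii"))

    def accept_reply(self, lines):
        """Accept 'pk-sig' or 'rsa-sig', join the base64 lines before END, return the signature."""
        if not lines or lines[0] not in ("pk-sig", "rsa-sig") or lines[-1] != "END":
            return None
        return base64.b64decode("".join(lines[1:-1]))


def client_reply(prompt_line: str, sign) -> list:
    """Client side: answer a signing prompt with the matching command, base64 lines and END."""
    if prompt_line.startswith(">PK_SIGN:"):
        cmd = "pk-sig"
    elif prompt_line.startswith(">RSA_SIGN:"):
        cmd = "rsa-sig"
    else:
        raise ValueError("not a signing prompt: %r" % prompt_line)
    data = base64.b64decode(prompt_line.split(":", 1)[1])
    sig_b64 = base64.b64encode(sign(data)).decode("ascii")
    body = [sig_b64[i:i + 64] for i in range(0, len(sig_b64), 64)]  # one or more base64 lines
    return [cmd] + body + ["END"]


def run_exchange(version_arg, data: bytes):
    """One announce/prompt/reply round: (version reply, prompt, reply command, signature ok)."""
    daemon = Daemon()
    status = daemon.handle_version(version_arg) if version_arg is not None else None
    prompt = daemon.sign_prompt(data)
    reply = client_reply(prompt, fake_sign)
    signature = daemon.accept_reply(reply)
    return status, prompt.split(":", 1)[0], reply[0], signature == fake_sign(data)


if __name__ == "__main__":
    print(run_exchange("2", b"constructed TLS handshake digest"))   # new client: >PK_SIGN / pk-sig
    print(run_exchange(None, b"constructed TLS handshake digest"))  # old client: >RSA_SIGN / rsa-sig
```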