mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 12:02:28 +02:00
Code

Remove --disable-def-auth configure argument

Browse Source 
With scripts, plugin and management interface now all supporting
deferred auth, maintaining support of --disbale-def-auth becomes more
of a burden and the few kilobyte in potential binary size do not
outweigh this. Also the code in ssl_verify is hard to hard because
all the ifdefs.

Especially for management interface there are so many features not
directly related to deferred that depend on MANAGEMENT_DEF_AUTH
(like client-kill) that supporting management without deferred auth
is not worth it anymore. And removing this remover a high number of
ifdefs in manage.c/h

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201023113244.26295-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21214.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Arne Schwabe 2020-10-23 13:32:44 +02:00 committed by Gert Doering
parent 0d4ca79d4f
commit 99d217b200
17 changed files with 50 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config-msvc.h
View File

@ -2,7 +2,6 @@
#define CONFIGURE_DEFINES "N/A"
#define ENABLE_DEF_AUTH 1
#define ENABLE_PF 1
#define ENABLE_CRYPTO_OPENSSL 1
#define ENABLE_DEBUG 1

8
configure.ac
View File

@ -156,13 +156,6 @@ AC_ARG_ENABLE(
[enable_iproute2="no"]
)
AC_ARG_ENABLE(
[def-auth],
[AS_HELP_STRING([--disable-def-auth], [disable deferred authentication @<:@default=yes@:>@])],
,
[enable_def_auth="yes"]
)
AC_ARG_ENABLE(
[pf],
[AS_HELP_STRING([--disable-pf], [disable internal packet filter @<:@default=yes@:>@])],
@ -1221,7 +1214,6 @@ test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debuggi
test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size])
test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
test "${enable_def_auth}" = "yes" && AC_DEFINE([ENABLE_DEF_AUTH], [1], [Enable deferred authentication])
test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], [1], [Enable internal packet filter])
test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers])

4
src/openvpn/forward.c
View File

@ -880,9 +880,7 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
if (management)
{
management_bytes_in(management, c->c2.buf.len);
#ifdef MANAGEMENT_DEF_AUTH
management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
#endif
}
#endif
}
@ -1642,9 +1640,7 @@ process_outgoing_link(struct context *c)
if (management)
{
management_bytes_out(management, size);
#ifdef MANAGEMENT_DEF_AUTH
management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
#endif
}
#endif
}

4
src/openvpn/init.c
View File

@ -2943,7 +2943,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
to.plugins = c->plugins;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
to.mda_context = &c->c2.mda_context;
#endif
@ -4490,7 +4490,7 @@ close_instance(struct context *c)
/* close TUN/TAP device */
do_close_tun(c, false);
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (management)
{
management_notify_client_close(management, &c->c2.mda_context, NULL);

21
src/openvpn/manage.c
View File

@ -100,7 +100,6 @@ man_help(void)
msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
#endif
#ifdef MANAGEMENT_DEF_AUTH
msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
@ -111,7 +110,6 @@ man_help(void)
msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
#ifdef MANAGEMENT_PF
msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)");
#endif
#endif
msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
@ -483,8 +481,6 @@ man_bytecount_output_client(struct management *man)
man->connection.bytecount_last_update = now;
}
#ifdef MANAGEMENT_DEF_AUTH
void
man_bytecount_output_server(struct management *man,
const counter_type *bytes_in_total,
@ -500,8 +496,6 @@ man_bytecount_output_server(struct management *man,
mdac->bytecount_last_update = now;
}
#endif
static void
man_kill(struct management *man, const char *victim)
{
@ -874,10 +868,8 @@ in_extra_reset(struct man_connection *mc, const int mode)
if (mode != IER_NEW)
{
mc->in_extra_cmd = IEC_UNDEF;
#ifdef MANAGEMENT_DEF_AUTH
mc->in_extra_cid = 0;
mc->in_extra_kid = 0;
#endif
}
if (mc->in_extra)
{
@ -896,7 +888,6 @@ in_extra_dispatch(struct management *man)
{
switch (man->connection.in_extra_cmd)
{
#ifdef MANAGEMENT_DEF_AUTH
case IEC_CLIENT_AUTH:
if (man->persist.callback.client_auth)
{
@ -924,7 +915,6 @@ in_extra_dispatch(struct management *man)
}
break;
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#ifdef MANAGEMENT_PF
case IEC_CLIENT_PF:
if (man->persist.callback.client_pf)
@ -967,8 +957,6 @@ in_extra_dispatch(struct management *man)
in_extra_reset(&man->connection, IER_RESET);
}
#ifdef MANAGEMENT_DEF_AUTH
static bool
parse_cid(const char *str, unsigned long *cid)
{
@ -1147,7 +1135,6 @@ man_client_pf(struct management *man, const char *cid_str)
}
#endif /* MANAGEMENT_PF */
#endif /* MANAGEMENT_DEF_AUTH */
static void
man_pk_sig(struct management *man, const char *cmd_name)
@ -1331,7 +1318,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha
{
msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
}
#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "nclients"))
{
man_client_n_clients(man);
@ -1345,7 +1331,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha
}
man_env_filter(man, level);
}
#endif
else if (streq(p[0], "signal"))
{
if (man_need(man, p, 1, 0))
@ -1545,7 +1530,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha
man_bytecount(man, atoi(p[1]));
}
}
#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "client-kill"))
{
if (man_need(man, p, 1, MN_AT_LEAST))
@ -1590,7 +1574,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha
}
}
#endif
#endif /* ifdef MANAGEMENT_DEF_AUTH */
else if (streq(p[0], "rsa-sig"))
{
man_pk_sig(man, "rsa-sig");
@ -2892,8 +2875,6 @@ management_notify_generic(struct management *man, const char *str)
msg(M_CLIENT, "%s", str);
}
#ifdef MANAGEMENT_DEF_AUTH
static void
man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
{
@ -3012,8 +2993,6 @@ management_learn_addr(struct management *management,
gc_free(&gc);
}
#endif /* MANAGEMENT_DEF_AUTH */
void
management_echo(struct management *man, const char *string, const bool pull)
{

17
src/openvpn/manage.h
View File

@ -40,7 +40,6 @@
/*
* Management-interface-based deferred authentication
*/
#ifdef MANAGEMENT_DEF_AUTH
struct man_def_auth_context {
unsigned long cid;
@ -53,7 +52,6 @@ struct man_def_auth_context {
time_t bytecount_last_update;
};
#endif
/*
* Manage build-up of command line
@ -165,7 +163,6 @@ struct management_callback
void (*delete_event) (void *arg, event_t event);
int (*n_clients) (void *arg);
bool (*send_cc_message) (void *arg, const char *message, const char *parameter);
#ifdef MANAGEMENT_DEF_AUTH
bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg);
bool (*client_auth) (void *arg,
const unsigned long cid,
@ -178,7 +175,6 @@ struct management_callback
const unsigned long cid,
const char *url);
char *(*get_peer_info) (void *arg, const unsigned long cid);
#endif
#ifdef MANAGEMENT_PF
bool (*client_pf)(void *arg,
const unsigned long cid,
@ -287,10 +283,8 @@ struct man_connection {
#define IEC_PK_SIGN 5
int in_extra_cmd;
struct buffer_list *in_extra;
#ifdef MANAGEMENT_DEF_AUTH
unsigned long in_extra_cid;
unsigned int in_extra_kid;
#endif
#define EKS_UNDEF 0
#define EKS_SOLICIT 1
#define EKS_INPUT 2
@ -339,9 +333,7 @@ struct management *management_init(void);
#define MF_SIGNAL (1<<3)
#define MF_FORGET_DISCONNECT (1<<4)
#define MF_CONNECT_AS_CLIENT (1<<5)
#ifdef MANAGEMENT_DEF_AUTH
#define MF_CLIENT_AUTH (1<<6)
#endif
#ifdef MANAGEMENT_PF
#define MF_CLIENT_PF (1<<7)
#endif
@ -415,7 +407,6 @@ void management_notify(struct management *man, const char *severity, const char
void management_notify_generic(struct management *man, const char *str);
#ifdef MANAGEMENT_DEF_AUTH
void management_notify_client_needing_auth(struct management *management,
const unsigned int auth_id,
struct man_def_auth_context *mdac,
@ -439,8 +430,6 @@ void management_notify_client_cr_response(unsigned mda_key_id,
const struct env_set *es,
const char *response);
#endif /* ifdef MANAGEMENT_DEF_AUTH */
char *management_query_pk_sig(struct management *man, const char *b64_data,
const char *algorithm);
@ -478,13 +467,11 @@ management_enable_pf(const struct management *man)
}
#endif
#ifdef MANAGEMENT_DEF_AUTH
static inline bool
management_enable_def_auth(const struct management *man)
{
return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH);
}
#endif
/*
* OpenVPN tells the management layer what state it's in
@ -582,8 +569,6 @@ management_bytes_in(struct management *man, const int size)
}
}
#ifdef MANAGEMENT_DEF_AUTH
void man_bytecount_output_server(struct management *man,
const counter_type *bytes_in_total,
const counter_type *bytes_out_total,
@ -603,8 +588,6 @@ management_bytes_server(struct management *man,
}
}
#endif /* MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
/**

48
src/openvpn/multi.c
View File

@ -69,7 +69,7 @@ id(struct multi_instance *mi)
}
#endif
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
static void
set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
{
@ -249,7 +249,7 @@ reap_buckets_per_pass(int n_buckets)
return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
static uint32_t
cid_hash_function(const void *key, uint32_t iv)
@ -339,7 +339,7 @@ multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread
mroute_addr_hash_function,
mroute_addr_compare_function);
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
m->cid_hash = hash_init(t->options.real_hash_size,
0,
cid_hash_function,
@ -589,7 +589,7 @@ multi_client_disconnect_script(struct multi_instance *mi)
openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
argv_free(&argv);
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (management)
{
management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
@ -634,7 +634,7 @@ multi_close_instance(struct multi_context *m,
{
ASSERT(hash_remove(m->iter, &mi->real));
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (mi->did_cid_hash)
{
ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
@ -672,7 +672,7 @@ multi_close_instance(struct multi_context *m,
mbuf_dereference_instance(m->mbuf, mi);
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
set_cc_config(mi, NULL);
#endif
if (mi->context.c2.context_auth == CAS_SUCCEEDED)
@ -728,7 +728,7 @@ multi_uninit(struct multi_context *m)
hash_free(m->hash);
hash_free(m->vhash);
hash_free(m->iter);
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
hash_free(m->cid_hash);
#endif
m->hash = NULL;
@ -810,7 +810,7 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
}
mi->did_iter = true;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
do
{
mi->context.c2.mda_context.cid = m->cid_counter++;
@ -941,7 +941,7 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
if (!mi->halt)
{
status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
"%lu"
#else
""
@ -956,7 +956,7 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
sep, time_string(mi->created, 0, false, &gc),
sep, (unsigned int)mi->created,
sep, tls_username(mi->context.c2.tls_multi, false),
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
sep, mi->context.c2.mda_context.cid,
#else
sep,
@ -1249,7 +1249,7 @@ multi_learn_in_addr_t(struct multi_context *m,
{
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (management && owner)
{
management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
@ -1282,7 +1282,7 @@ multi_learn_in6_addr(struct multi_context *m,
{
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (management && owner)
{
management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
@ -1713,7 +1713,7 @@ multi_client_connect_mda(struct multi_context *m,
/* We never return CC_RET_DEFERRED */
ASSERT(!deferred);
enum client_connect_return ret = CC_RET_SKIPPED;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (mi->cc_config)
{
struct buffer_entry *be;
@ -1739,7 +1739,7 @@ multi_client_connect_mda(struct multi_context *m,
ret = CC_RET_SUCCEEDED;
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
return ret;
}
@ -2696,7 +2696,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi)
update_mstat_n_clients(m->n_clients);
--mi->n_clients_delta;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (management)
{
management_connection_established(management,
@ -2919,7 +2919,7 @@ multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi
compute_wakeup_sigma(&mi->context.c2.timeval));
}
#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
#if defined(ENABLE_ASYNC_PUSH)
static void
add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
int inotify_fd, const char *file)
@ -2943,7 +2943,7 @@ add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
}
}
#endif /* if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) */
#endif /* if defined(ENABLE_ASYNC_PUSH) */
/*
* Figure instance-specific timers, convert
@ -2959,7 +2959,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns
if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
{
#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
#if defined(ENABLE_ASYNC_PUSH)
bool was_unauthenticated = true;
struct key_state *ks = NULL;
if (mi->context.c2.tls_multi)
@ -2973,7 +2973,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns
* to_link packets (such as ping or TLS control) */
pre_select(&mi->context);
#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
#if defined(ENABLE_ASYNC_PUSH)
/*
* if we see the state transition from unauthenticated to deferred
* and an auth_control_file, we assume it got just added and add
@ -2996,7 +2996,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns
{
multi_connection_established(m, mi);
}
#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
#if defined(ENABLE_ASYNC_PUSH)
if (is_cas_pending(mi->context.c2.context_auth)
&& mi->client_connect_defer_state.deferred_ret_file)
{
@ -3108,7 +3108,7 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi)
ASSERT(hash_add(m->hash, &mi->real, mi, false));
ASSERT(hash_add(m->iter, &mi->real, mi, false));
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
#endif
@ -3882,7 +3882,7 @@ management_delete_event(void *arg, event_t event)
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
static struct multi_instance *
lookup_by_cid(struct multi_context *m, const unsigned long cid)
@ -3996,7 +3996,7 @@ management_get_peer_info(void *arg, const unsigned long cid)
return ret;
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_PF
static bool
@ -4034,12 +4034,10 @@ init_management_callback_multi(struct multi_context *m)
cb.kill_by_addr = management_callback_kill_by_addr;
cb.delete_event = management_delete_event;
cb.n_clients = management_callback_n_clients;
#ifdef MANAGEMENT_DEF_AUTH
cb.kill_by_cid = management_kill_by_cid;
cb.client_auth = management_client_auth;
cb.client_pending_auth = management_client_pending_auth;
cb.get_peer_info = management_get_peer_info;
#endif
#ifdef MANAGEMENT_PF
cb.client_pf = management_client_pf;
#endif

4
src/openvpn/multi.h
View File

@ -123,7 +123,7 @@ struct multi_instance {
bool did_real_hash;
bool did_iter;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
bool did_cid_hash;
struct buffer_list *cc_config;
#endif
@ -185,7 +185,7 @@ struct multi_context {
int status_file_version;
int n_clients; /* current number of authenticated clients */
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
struct hash *cid_hash;
unsigned long cid_counter;
#endif

2
src/openvpn/openvpn.h
View File

@ -479,7 +479,7 @@ struct context_2
struct pf_context pf;
#endif
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
struct man_def_auth_context mda_context;
#endif

6
src/openvpn/options.c
View File

@ -390,11 +390,9 @@ static const char usage_message[] =
"--management-client-group g : When management interface is a unix socket, only\n"
" allow connections from group g.\n"
#endif
#ifdef MANAGEMENT_DEF_AUTH
"--management-client-auth : gives management interface client the responsibility\n"
" to authenticate clients after their client certificate\n"
" has been verified.\n"
#endif
#ifdef MANAGEMENT_PF
"--management-client-pf : management interface clients must specify a packet\n"
" filter file for each connecting client.\n"
@ -5438,14 +5436,12 @@ add_option(struct options *options,
options->management_flags |= MF_EXTERNAL_CERT;
options->management_certificate = p[1];
}
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "management-client-auth") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->management_flags |= MF_CLIENT_AUTH;
}
#endif
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_PF
else if (streq(p[0], "management-client-pf") && !p[1])
{

2
src/openvpn/options.h
View File

@ -722,7 +722,7 @@ struct options
#define PLUGIN_OPTION_LIST(opt) (NULL)
#endif
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#else
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)

2
src/openvpn/push.c
View File

@ -219,7 +219,7 @@ receive_cr_response(struct context *c, const struct buffer *buffer)
{
m = BSTR(&buf);
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
struct man_def_auth_context *mda = session->opt->mda_context;
struct env_set *es = session->opt->es;

4
src/openvpn/ssl.c
View File

@ -937,7 +937,7 @@ key_state_init(struct tls_session *session, struct key_state *ks)
ks->crypto_options.pid_persist = NULL;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
#endif
}
@ -1005,7 +1005,7 @@ tls_session_user_pass_enabled(struct tls_session *session)
{
return (session->opt->auth_user_pass_verify_script
|| plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
|| management_enable_def_auth(management)
#endif
);

8
src/openvpn/ssl_common.h
View File

@ -206,15 +206,13 @@ struct key_state
enum ks_auth_state authenticated;
time_t auth_deferred_expire;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
unsigned int mda_key_id;
unsigned int mda_status;
#endif
#ifdef PLUGIN_DEF_AUTH
unsigned int auth_control_status;
time_t acf_last_mod;
char *auth_control_file;
#endif
};
/** Control channel wrapping (--tls-auth/--tls-crypt) context */
@ -353,7 +351,7 @@ struct tls_options
#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
unsigned int ssl_flags;
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
struct man_def_auth_context *mda_context;
#endif
@ -536,10 +534,8 @@ struct tls_multi
char *locked_username;
struct cert_hash_set *locked_cert_hash_set;
#ifdef ENABLE_DEF_AUTH
/* Time of last call to tls_authentication_status */
time_t tas_last;
#endif
/*
* An error message to send to client on AUTH_FAILED

51
src/openvpn/ssl_verify.c
View File

@ -829,14 +829,12 @@ cleanup:
* user/password authentication.
*************************************************************************** */
#ifdef ENABLE_DEF_AUTH
/* key_state_test_auth_control_file return values,
* NOTE: acf_merge indexing depends on these values */
#define ACF_UNDEFINED 0
#define ACF_SUCCEEDED 1
#define ACF_DISABLED 2
#define ACF_FAILED 3
#endif
void
auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
@ -850,7 +848,7 @@ auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
}
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
static inline unsigned int
man_def_auth_test(const struct key_state *ks)
@ -864,9 +862,8 @@ man_def_auth_test(const struct key_state *ks)
return ACF_DISABLED;
}
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef PLUGIN_DEF_AUTH
/*
* auth_control_file functions
@ -929,8 +926,6 @@ key_state_test_auth_control_file(struct key_state *ks)
return ACF_DISABLED;
}
#endif /* ifdef PLUGIN_DEF_AUTH */
/*
* Return current session authentication state. Return
* value is TLS_AUTHENTICATION_x.
@ -943,7 +938,6 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
bool success = false;
bool active = false;
#ifdef ENABLE_DEF_AUTH
static const unsigned char acf_merge[] =
{
ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_UNDEFINED */
@ -963,19 +957,16 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
ACF_FAILED, /* s1=ACF_FAILED s2=ACF_DISABLED */
ACF_FAILED /* s1=ACF_FAILED s2=ACF_FAILED */
};
#endif /* ENABLE_DEF_AUTH */
if (multi)
{
int i;
#ifdef ENABLE_DEF_AUTH
if (latency && multi->tas_last && multi->tas_last + latency >= now)
{
return TLS_AUTHENTICATION_UNDEFINED;
}
multi->tas_last = now;
#endif /* ENABLE_DEF_AUTH */
for (i = 0; i < KEY_SCAN_SIZE; ++i)
{
@ -985,15 +976,12 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
active = true;
if (ks->authenticated > KS_AUTH_FALSE)
{
#ifdef ENABLE_DEF_AUTH
unsigned int s1 = ACF_DISABLED;
unsigned int s2 = ACF_DISABLED;
#ifdef PLUGIN_DEF_AUTH
s1 = key_state_test_auth_control_file(ks);
#endif /* PLUGIN_DEF_AUTH */
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
s2 = man_def_auth_test(ks);
#endif /* MANAGEMENT_DEF_AUTH */
#endif
ASSERT(s1 < 4 && s2 < 4);
switch (acf_merge[(s1<<2) + s2])
{
@ -1017,9 +1005,6 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
default:
ASSERT(0);
}
#else /* !ENABLE_DEF_AUTH */
success = true;
#endif /* ENABLE_DEF_AUTH */
}
}
}
@ -1043,7 +1028,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
}
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
/*
* For deferred auth, this is where the management interface calls (on server)
* to indicate auth failure/success.
@ -1068,7 +1053,7 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con
}
return ret;
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
/* ****************************************************************************
@ -1157,14 +1142,11 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
const struct user_pass *up)
{
int retval = OPENVPN_PLUGIN_FUNC_ERROR;
#ifdef PLUGIN_DEF_AUTH
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
#endif
/* set password in private env space */
setenv_str(session->opt->es, "password", up->password);
#ifdef PLUGIN_DEF_AUTH
/* generate filename for deferred auth control file */
if (!key_state_gen_auth_control_file(ks, session->opt))
{
@ -1172,18 +1154,15 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
"could not create deferred auth control file", __func__);
return retval;
}
#endif
/* call command */
retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
#ifdef PLUGIN_DEF_AUTH
/* purge auth control filename (and file itself) for non-deferred returns */
if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED)
{
key_state_rm_auth_control_file(ks);
}
#endif
setenv_del(session->opt->es, "password");
@ -1191,9 +1170,9 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
}
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
/*
* MANAGEMENT_DEF_AUTH internal ssl_verify.c status codes
* management deferred internal ssl_verify.c status codes
*/
#define KMDA_ERROR 0
#define KMDA_SUCCESS 1
@ -1222,7 +1201,7 @@ verify_user_pass_management(struct tls_session *session,
return retval;
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
#endif /* ifdef ENABLE_MANAGEMENT */
static bool
set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi,
@ -1267,7 +1246,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
bool s2 = true;
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
int man_def_auth = KMDA_UNDEF;
if (management_enable_def_auth(management))
@ -1334,7 +1313,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
/* call plugin(s) and/or script */
if (!skip_auth)
{
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (man_def_auth==KMDA_DEF)
{
man_def_auth = verify_user_pass_management(session, multi, up);
@ -1362,23 +1341,19 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
}
/* auth succeeded? */
if ((s1 == OPENVPN_PLUGIN_FUNC_SUCCESS
#ifdef PLUGIN_DEF_AUTH
|| s1 == OPENVPN_PLUGIN_FUNC_DEFERRED
#endif
) && s2
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
&& man_def_auth != KMDA_ERROR
#endif
&& tls_lock_username(multi, up->username))
{
ks->authenticated = KS_AUTH_TRUE;
#ifdef PLUGIN_DEF_AUTH
if (s1 == OPENVPN_PLUGIN_FUNC_DEFERRED)
{
ks->authenticated = KS_AUTH_DEFERRED;
}
#endif
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
if (man_def_auth != KMDA_UNDEF)
{
ks->authenticated = KS_AUTH_DEFERRED;

2
src/openvpn/ssl_verify.h
View File

@ -221,7 +221,7 @@ struct x509_track
/*
* TODO: document
*/
#ifdef MANAGEMENT_DEF_AUTH
#ifdef ENABLE_MANAGEMENT
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
#endif

15
src/openvpn/syshead.h
View File

@ -530,19 +530,6 @@ socket_defined(const socket_descriptor_t sd)
#define PORT_SHARE 0
#endif
/*
* Enable deferred authentication?
*/
#if defined(ENABLE_DEF_AUTH) && defined(ENABLE_PLUGIN)
#define PLUGIN_DEF_AUTH
#endif
#if defined(ENABLE_DEF_AUTH) && defined(ENABLE_MANAGEMENT)
#define MANAGEMENT_DEF_AUTH
#endif
#if !defined(PLUGIN_DEF_AUTH) && !defined(MANAGEMENT_DEF_AUTH)
#undef ENABLE_DEF_AUTH
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
#define ENABLE_PREDICTION_RESISTANCE
#endif /* ENABLE_CRYPTO_MBEDTLS */
@ -553,7 +540,7 @@ socket_defined(const socket_descriptor_t sd)
#if defined(ENABLE_PF) && defined(ENABLE_PLUGIN) && defined(HAVE_STAT)
#define PLUGIN_PF
#endif
#if defined(ENABLE_PF) && defined(MANAGEMENT_DEF_AUTH)
#if defined(ENABLE_PF) && defined(ENABLE_MANAGEMENT)
#define MANAGEMENT_PF
#endif
#if !defined(PLUGIN_PF) && !defined(MANAGEMENT_PF)