author | Selva Nair | 2018-01-25 14:41:01 -0500 |
committer | Gert Doering | 2018-01-29 20:15:32 +0100 |
commit | e7995f3c62597eb963483b96db619f3e5cd4cf13 (patch) | |
tree | 45bd7d8d0f161bf6fab9655509c0c51a7eaa70e4 /src/openvpn/manage.c | |
parent | 686fe9ce54c6913f638b80dd7c28d393aa0cadb1 (diff) | |
Prompt for signature using '>PK_SIGN' if the client supports it
- Increase the management version from 1 to 2
- If the client announces support for management version > 1
prompt for signature using >PK_SIGN to which the client
responds using 'pk-sig'
Older (current) clients will continue to be prompted
by '>RSA_SIGN' and can respond using 'rsa-sig'
- Remove an unused rsa_sig buffer-list variable
This facilitates a transparent transition to PK_SIG and future deprecation
of RSA_SIGN
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1516909261-31623-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16364.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/manage.c')
-rw-r--r-- | src/openvpn/manage.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index c36d94d..ca793a9 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -111,7 +111,9 @@ man_help(void)
 #endif
 #endif
 #ifdef MANAGMENT_EXTERNAL_KEY
- msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge");
+ msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
+ msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
 msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
 msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
 msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
@@ -935,7 +937,7 @@ in_extra_dispatch(struct management *man)
 #endif /* ifdef MANAGEMENT_PF */
 #ifdef MANAGMENT_EXTERNAL_KEY
- case IEC_RSA_SIGN:
+ case IEC_PK_SIGN:
 man->connection.ext_key_state = EKS_READY;
 buffer_list_free(man->connection.ext_key_input);
 man->connection.ext_key_input = man->connection.in_extra;
@@ -1103,18 +1105,18 @@ man_client_pf(struct management *man, const char *cid_str)
 #ifdef MANAGMENT_EXTERNAL_KEY
 static void
-man_rsa_sig(struct management *man)
+man_pk_sig(struct management *man, const char *cmd_name)
 {
 struct man_connection *mc = &man->connection;
 if (mc->ext_key_state == EKS_SOLICIT)
 {
 mc->ext_key_state = EKS_INPUT;
- mc->in_extra_cmd = IEC_RSA_SIGN;
+ mc->in_extra_cmd = IEC_PK_SIGN;
 in_extra_reset(mc, IER_NEW);
 }
 else
 {
- msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available");
+ msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
 }
 }
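Review bot: man_pk_sig's new cmd_name parameter has no comment, and the function now starts the same IEC_PK_SIGN input path for both the rsa-sig and pk-sig commands, which is not obvious from its name alone. A header comment such as `/* Begin multi-line signature input for 'rsa-sig' or 'pk-sig'; cmd_name is the command as typed and is used only in the error message */` would make the intent clear to the next reader. Passing cmd_name through `%s` keeps the format string itself constant, so the change to the msg() call is fine as written.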
@@ -1527,7 +1529,11 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha
 #ifdef MANAGMENT_EXTERNAL_KEY
 else if (streq(p[0], "rsa-sig"))
 {
- man_rsa_sig(man);
+ man_pk_sig(man, "rsa-sig");
+ }
+ else if (streq(p[0], "pk-sig"))
+ {
+ man_pk_sig(man, "pk-sig");
 }
 else if (streq(p[0], "certificate"))
 {
@@ -3663,14 +3669,20 @@ management_query_multiline_flatten(struct management *man,
 char *
 /* returns allocated base64 signature */
-management_query_rsa_sig(struct management *man,
+management_query_pk_sig(struct management *man,
 const char *b64_data)
 {
- return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign",
- &man->connection.ext_key_state, &man->connection.ext_key_input);
+ const char *prompt = "PK_SIGN";
+ const char *desc = "pk-sign";
+ if (man->connection.client_version <= 1)
+ {
+ prompt = "RSA_SIGN";
+ desc = "rsa-sign";
+ }
+ return management_query_multiline_flatten(man, b64_data, prompt, desc,
+ &man->connection.ext_key_state, &man->connection.ext_key_input);
 }
-
 char *
 management_query_cert(struct management *man, const char *cert_name)
 { |
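Review bot: The new `pk-sig` branch and the existing `rsa-sig` branch are interchangeable: man_pk_sig only checks `mc->ext_key_state == EKS_SOLICIT`, so a client may answer a >RSA_SIGN prompt with pk-sig or a >PK_SIGN prompt with rsa-sig, and nothing ties the reply to the prompt that management_query_pk_sig selected from client_version. If that leniency is deliberate for the transition the commit message describes, say so at the dispatch site, e.g. `/* rsa-sig and pk-sig are aliases; either one answers the pending signature prompt */`; otherwise the command name could be checked against the prompt that was issued. man_dispatch_command starts and ends outside the hunk.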
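Review bot: management_query_pk_sig's prototype and its callers are not in this diff, which the diffstat limits to src/openvpn/manage.c, so the rename from management_query_rsa_sig cannot be confirmed here; presumably the header and the external-key signing code are updated alongside. The selection on `man->connection.client_version <= 1` also assumes client_version has been set by the client before the first signature request — presumably when it announces its management version — and that ordering, plus the fallback to >RSA_SIGN when nothing was announced, is worth stating. I would move the stray `/* returns allocated base64 signature */` above the `char *` line and extend it to `/* Prompt the management client for a signature over b64_data: >PK_SIGN for clients announcing management version > 1, >RSA_SIGN otherwise. Returns the allocated base64 signature. */`. A named constant for the version threshold would keep it in step with the version bump the commit message mentions.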