From 2a3d17ed182608cf60d731a237f9f926c28db522 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Thu, 9 Dec 2010 11:21:04 +0000 Subject: Added "management-external-key" option. This option can be used instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: >RSA_SIGN:[BASE64_DATA] The management interface client should then sign BASE64_DATA using the private key and return the signature as follows: rsa-sig [BASE64_SIG_LINE] . . . END This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 157 insertions(+), 47 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index 820621e..0c99d0f 100644 --- a/manage.c +++ b/manage.c @@ -101,6 +101,10 @@ man_help () #ifdef MANAGEMENT_PF msg (M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); #endif +#endif +#ifdef MANAGMENT_EXTERNAL_KEY + msg (M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); + msg (M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); #endif msg (M_CLIENT, "signal s : Send signal s to daemon,"); msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); 
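Review bot: The new feature guard is spelled `MANAGMENT_EXTERNAL_KEY` (no E after the G) here and in every other hunk of this commit, while the neighbouring guards read `MANAGEMENT_DEF_AUTH` and `MANAGEMENT_IN_EXTRA`. If the defining header uses the same spelling this compiles, but the odd form makes it easy for a later `#ifdef MANAGEMENT_EXTERNAL_KEY` to compile the rsa-sig path out silently instead of failing. Using `#ifdef MANAGEMENT_EXTERNAL_KEY` throughout, with the definition renamed in the same commit, removes that trap. man_help's body continues outside the hunk.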
@@ -768,49 +772,31 @@ man_hold (struct management *man, const char *cmd) msg (M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD)); } -#ifdef MANAGEMENT_DEF_AUTH - -static bool -parse_cid (const char *str, unsigned long *cid) -{ - if (sscanf (str, "%lu", cid) == 1) - return true; - else - { - msg (M_CLIENT, "ERROR: cannot parse CID"); - return false; - } -} +#ifdef MANAGEMENT_IN_EXTRA -static bool -parse_kid (const char *str, unsigned int *kid) -{ - if (sscanf (str, "%u", kid) == 1) - return true; - else - { - msg (M_CLIENT, "ERROR: cannot parse KID"); - return false; - } -} +#define IER_RESET 0 +#define IER_NEW 1 +#define IER_CONDRESET 2 static void -in_extra_reset (struct man_connection *mc, const bool new) +in_extra_reset (struct man_connection *mc, const int mode) { - if (mc) + if (mc && (mc->in_extra_cmd < IEC_STATEFUL_BASE || mode != IER_CONDRESET)) { - if (!new) + if (mode != IER_NEW) { mc->in_extra_cmd = IEC_UNDEF; +#ifdef MANAGEMENT_DEF_AUTH mc->in_extra_cid = 0; mc->in_extra_kid = 0; +#endif } if (mc->in_extra) { buffer_list_free (mc->in_extra); mc->in_extra = NULL; } - if (new) + if (mode == IER_NEW) mc->in_extra = buffer_list_new (0); } } @@ -820,6 +806,7 @@ in_extra_dispatch (struct management *man) { switch (man->connection.in_extra_cmd) { +#ifdef MANAGEMENT_DEF_AUTH case IEC_CLIENT_AUTH: if (man->persist.callback.client_auth) { @@ -846,6 +833,7 @@ in_extra_dispatch (struct management *man) msg (M_CLIENT, "ERROR: The client-auth command is not supported by the current daemon mode"); } break; +#endif #ifdef MANAGEMENT_PF case IEC_CLIENT_PF: if (man->persist.callback.client_pf) 
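Review bot: `IER_RESET`/`IER_NEW`/`IER_CONDRESET` are introduced as bare `#define`s and `in_extra_reset` takes them as `const int mode`, so nothing checks that a caller passes one of the three values. An `enum { IER_RESET, IER_NEW, IER_CONDRESET }` with the parameter typed accordingly is the usual form and keeps the values visible in a debugger. The `IER_CONDRESET` branch also depends on `mc->in_extra_cmd < IEC_STATEFUL_BASE`, i.e. on the IEC_ enumerators being ordered with the stateful commands last, which deserves a one-line comment at the comparison such as `/* IEC_ values at or above IEC_STATEFUL_BASE survive a conditional reset */`.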
@@ -870,8 +858,41 @@ in_extra_dispatch (struct management *man) } break; #endif +#ifdef MANAGMENT_EXTERNAL_KEY + case IEC_RSA_SIGN: + man->connection.in_extra_cmd = IEC_RSA_SIGN_FINAL; + return; +#endif + } + in_extra_reset (&man->connection, IER_RESET); +} + +#endif /* MANAGEMENT_IN_EXTRA */ + +#ifdef MANAGEMENT_DEF_AUTH + +static bool +parse_cid (const char *str, unsigned long *cid) +{ + if (sscanf (str, "%lu", cid) == 1) + return true; + else + { + msg (M_CLIENT, "ERROR: cannot parse CID"); + return false; + } +} + +static bool +parse_kid (const char *str, unsigned int *kid) +{ + if (sscanf (str, "%u", kid) == 1) + return true; + else + { + msg (M_CLIENT, "ERROR: cannot parse KID"); + return false; } - in_extra_reset (&man->connection, false); } static void @@ -884,7 +905,7 @@ man_client_auth (struct management *man, const char *cid_str, const char *kid_st && parse_kid (kid_str, &mc->in_extra_kid)) { mc->in_extra_cmd = IEC_CLIENT_AUTH; - in_extra_reset (mc, true); + in_extra_reset (mc, IER_NEW); if (!extra) in_extra_dispatch (man); } @@ -980,11 +1001,28 @@ man_client_pf (struct management *man, const char *cid_str) if (parse_cid (cid_str, &mc->in_extra_cid)) { mc->in_extra_cmd = IEC_CLIENT_PF; - in_extra_reset (mc, true); + in_extra_reset (mc, IER_NEW); } } -#endif +#endif /* MANAGEMENT_PF */ +#endif /* MANAGEMENT_DEF_AUTH */ + +#ifdef MANAGMENT_EXTERNAL_KEY + +static void +man_rsa_sig (struct management *man) +{ + struct man_connection *mc = &man->connection; + if (mc->in_extra_cmd == IEC_RSA_SIGN_PRE) + { + in_extra_reset (&man->connection, IER_NEW); + mc->in_extra_cmd = IEC_RSA_SIGN; + } + else + msg (M_CLIENT, "ERROR: The rsa-sig command is not currently available"); +} + #endif static void 
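Review bot: The `IEC_RSA_SIGN` case in in_extra_dispatch is the only case that `return`s instead of reaching the common `in_extra_reset (&man->connection, IER_RESET)`, and nothing says why; a reader will take it for a missing reset. Add a comment at the `return`, e.g. `/* keep in_extra: management_query_rsa_sig reads the collected signature once in_extra_cmd is IEC_RSA_SIGN_FINAL */`. in_extra_dispatch's switch starts before this hunk.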
@@ -1250,6 +1288,12 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch } #endif #endif +#ifdef MANAGMENT_EXTERNAL_KEY + else if (streq (p[0], "rsa-sig")) + { + man_rsa_sig (man); + } +#endif #ifdef ENABLE_PKCS11 else if (streq (p[0], "pkcs11-id-count")) { @@ -1626,8 +1670,8 @@ man_reset_client_socket (struct management *man, const bool exiting) man->connection.state = MS_INITIAL; command_line_reset (man->connection.in); buffer_list_reset (man->connection.out); -#ifdef MANAGEMENT_DEF_AUTH - in_extra_reset (&man->connection, false); +#ifdef MANAGEMENT_IN_EXTRA + in_extra_reset (&man->connection, IER_RESET); #endif msg (D_MANAGEMENT, "MANAGEMENT: Client disconnected"); } @@ -1666,8 +1710,8 @@ man_process_command (struct management *man, const char *line) CLEAR (parms); so = status_open (NULL, 0, -1, &man->persist.vout, 0); -#ifdef MANAGEMENT_DEF_AUTH - in_extra_reset (&man->connection, false); +#ifdef MANAGEMENT_IN_EXTRA + in_extra_reset (&man->connection, IER_CONDRESET); #endif if (man_password_needed (man)) @@ -1751,18 +1795,13 @@ man_read (struct management *man) const unsigned char *line; while ((line = command_line_get (man->connection.in))) { -#ifdef MANAGEMENT_DEF_AUTH +#ifdef MANAGEMENT_IN_EXTRA if (man->connection.in_extra) { if (!strcmp ((char *)line, "END")) - { - in_extra_dispatch (man); - in_extra_reset (&man->connection, false); - } + in_extra_dispatch (man); else - { - buffer_list_push (man->connection.in_extra, line); - } + buffer_list_push (man->connection.in_extra, line); } else #endif @@ -2063,8 +2102,8 @@ man_connection_close (struct management *man) command_line_free (mc->in); if (mc->out) buffer_list_free (mc->out); -#ifdef MANAGEMENT_DEF_AUTH - in_extra_reset (&man->connection, false); +#ifdef MANAGEMENT_IN_EXTRA + in_extra_reset (&man->connection, IER_RESET); #endif man_connection_clear (mc); } 
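Review bot: With the reset after `in_extra_dispatch (man)` removed from man_read, dispatch now owns the reset, but its `IEC_RSA_SIGN` case returns without one, so after the client's `END` line `man->connection.in_extra` stays non-NULL. Any line the management client sends before management_query_rsa_sig has consumed the buffer therefore takes the `buffer_list_push` branch and is appended to the signature instead of being processed as a command, and a second `END` would dispatch again. Moving the collected list out of `in_extra` (and setting it to NULL) at dispatch time, so that man_read returns to command mode immediately, would close this; the `in_extra_reset (&man->connection, IER_CONDRESET)` hunk in man_process_command exists only to keep that buffer alive across commands and would become unnecessary.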
@@ -2387,7 +2426,7 @@ management_learn_addr (struct management *management, gc_free (&gc); } -#endif +#endif /* MANAGEMENT_DEF_AUTH */ void management_echo (struct management *man, const char *string, const bool pull) @@ -2693,6 +2732,7 @@ man_standalone_event_loop (struct management *man, volatile int *signal_received #define MWCC_PASSWORD_WAIT (1<<0) #define MWCC_HOLD_WAIT (1<<1) +#define MWCC_OTHER_WAIT (1<<2) /* * Block until client connects @@ -2710,6 +2750,8 @@ man_wait_for_client_connection (struct management *man, msg (D_MANAGEMENT, "Need password(s) from management interface, waiting..."); if (flags & MWCC_HOLD_WAIT) msg (D_MANAGEMENT, "Need hold release from management interface, waiting..."); + if (flags & MWCC_OTHER_WAIT) + msg (D_MANAGEMENT, "Need information from management interface, waiting..."); do { man_standalone_event_loop (man, signal_received, expire); if (signal_received && *signal_received) 
@@ -2873,6 +2915,74 @@ management_query_user_pass (struct management *man, return ret; } +#ifdef MANAGMENT_EXTERNAL_KEY + +char * /* returns allocated base64 signature */ +management_query_rsa_sig (struct management *man, + const char *b64_data) +{ + struct gc_arena gc = gc_new (); + char *ret = NULL; + volatile int signal_received = 0; + struct buffer alert_msg = clear_buf(); + struct buffer *buf; + const bool standalone_disabled_save = man->persist.standalone_disabled; + + if (man_standalone_ok (man)) + { + man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ + man->persist.special_state_msg = NULL; + + in_extra_reset (&man->connection, IER_RESET); + man->connection.in_extra_cmd = IEC_RSA_SIGN_PRE; + + alert_msg = alloc_buf_gc (strlen(b64_data)+64, &gc); + buf_printf (&alert_msg, ">RSA_SIGN:%s", b64_data); + + man_wait_for_client_connection (man, &signal_received, 0, MWCC_OTHER_WAIT); + + if (signal_received) + goto done; + + man->persist.special_state_msg = BSTR (&alert_msg); + msg (M_CLIENT, "%s", man->persist.special_state_msg); + + /* run command processing event loop until we get our signature */ + do + { + man_standalone_event_loop (man, &signal_received, 0); + if (!signal_received) + man_check_for_signals (&signal_received); + if (signal_received) + goto done; + } while (man->connection.in_extra_cmd != IEC_RSA_SIGN_FINAL); + + if (buffer_list_defined(man->connection.in_extra)) + { + buffer_list_aggregate (man->connection.in_extra, 2000); + buf = buffer_list_peek (man->connection.in_extra); + if (buf && BLEN(buf) > 0) + { + ret = (char *) malloc(BLEN(buf)+1); + check_malloc_return(ret); + memcpy(ret, buf->data, BLEN(buf)); + ret[BLEN(buf)] = '\0'; + } + } + } + + done: + /* revert state */ + man->persist.standalone_disabled = standalone_disabled_save; + man->persist.special_state_msg = NULL; + in_extra_reset (&man->connection, IER_RESET); + + gc_free (&gc); + return ret; +} + +#endif + /* * 
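Review bot: management_query_rsa_sig returns a `malloc`ed string the caller must free, and NULL when the daemon is not in standalone mode, when a signal arrives, or when the client sent an empty signature, yet the only documentation is the trailing `/* returns allocated base64 signature */`. A header comment stating the ownership transfer and the NULL cases would help, and `b64_data` reaches `strlen` and `buf_printf` unchecked, so it should say the argument must be non-NULL. `buffer_list_aggregate (man->connection.in_extra, 2000)` caps the accepted signature at a magic 2000 bytes; give it a name and state which key sizes it admits, since what buffer_list_aggregate does with a longer input (truncate or refuse) is not visible here.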
Return true if management_hold() would block */ -- cgit From ae1884c0cbf42c21e54922c150cde44c43200340 Mon Sep 17 00:00:00 2001 From: James Yonan Date: Mon, 13 Dec 2010 09:27:08 +0000 Subject: Misc fixes to r6708. Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index 0c99d0f..310a70e 100644 --- a/manage.c +++ b/manage.c @@ -776,12 +776,11 @@ man_hold (struct management *man, const char *cmd) #define IER_RESET 0 #define IER_NEW 1 -#define IER_CONDRESET 2 static void in_extra_reset (struct man_connection *mc, const int mode) { - if (mc && (mc->in_extra_cmd < IEC_STATEFUL_BASE || mode != IER_CONDRESET)) + if (mc) { if (mode != IER_NEW) { @@ -860,7 +859,10 @@ in_extra_dispatch (struct management *man) #endif #ifdef MANAGMENT_EXTERNAL_KEY case IEC_RSA_SIGN: - man->connection.in_extra_cmd = IEC_RSA_SIGN_FINAL; + man->connection.ext_key_state = EKS_READY; + buffer_list_free (man->connection.ext_key_input); + man->connection.ext_key_input = man->connection.in_extra; + man->connection.in_extra = NULL; return; #endif } @@ -1014,10 +1016,11 @@ static void man_rsa_sig (struct management *man) { struct man_connection *mc = &man->connection; - if (mc->in_extra_cmd == IEC_RSA_SIGN_PRE) + if (mc->ext_key_state == EKS_SOLICIT) { - in_extra_reset (&man->connection, IER_NEW); + mc->ext_key_state = EKS_INPUT; mc->in_extra_cmd = IEC_RSA_SIGN; + in_extra_reset (mc, IER_NEW); } else msg (M_CLIENT, "ERROR: The rsa-sig command is not currently available"); 
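Review bot: `buffer_list_free (man->connection.ext_key_input)` in the `IEC_RSA_SIGN` case runs without a NULL check, and `ext_key_input` is NULL until the first signature arrives; the same unguarded call appears in the man_connection_close hunk and in the `done:` cleanup of management_query_rsa_sig later in this patch. Elsewhere in this file frees are guarded (`if (mc->out) buffer_list_free (mc->out);`, `if (mc->in_extra) { buffer_list_free (mc->in_extra); ... }`), so either buffer_list_free accepts NULL — not visible here, worth confirming — or these three calls need the same guard. Once `in_extra` has been moved into `ext_key_input` and set to NULL, the `return` no longer protects anything; a `break` would let the common `in_extra_reset (&man->connection, IER_RESET)` clear `in_extra_cmd` as it does for every other case.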
@@ -1711,7 +1714,7 @@ man_process_command (struct management *man, const char *line) CLEAR (parms); so = status_open (NULL, 0, -1, &man->persist.vout, 0); #ifdef MANAGEMENT_IN_EXTRA - in_extra_reset (&man->connection, IER_CONDRESET); + in_extra_reset (&man->connection, IER_RESET); #endif if (man_password_needed (man)) @@ -2104,6 +2107,9 @@ man_connection_close (struct management *man) buffer_list_free (mc->out); #ifdef MANAGEMENT_IN_EXTRA in_extra_reset (&man->connection, IER_RESET); +#endif +#ifdef MANAGMENT_EXTERNAL_KEY + buffer_list_free (mc->ext_key_input); #endif man_connection_clear (mc); } @@ -2927,14 +2933,14 @@ management_query_rsa_sig (struct management *man, struct buffer alert_msg = clear_buf(); struct buffer *buf; const bool standalone_disabled_save = man->persist.standalone_disabled; + struct man_connection *mc = &man->connection; if (man_standalone_ok (man)) { man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; - in_extra_reset (&man->connection, IER_RESET); - man->connection.in_extra_cmd = IEC_RSA_SIGN_PRE; + mc->ext_key_state = EKS_SOLICIT; alert_msg = alloc_buf_gc (strlen(b64_data)+64, &gc); buf_printf (&alert_msg, ">RSA_SIGN:%s", b64_data); @@ -2955,12 +2961,12 @@ management_query_rsa_sig (struct management *man, man_check_for_signals (&signal_received); if (signal_received) goto done; - } while (man->connection.in_extra_cmd != IEC_RSA_SIGN_FINAL); + } while (mc->ext_key_state != EKS_READY); - if (buffer_list_defined(man->connection.in_extra)) + if (buffer_list_defined(mc->ext_key_input)) { - buffer_list_aggregate (man->connection.in_extra, 2000); - buf = buffer_list_peek (man->connection.in_extra); + buffer_list_aggregate (mc->ext_key_input, 2048); + buf = buffer_list_peek (mc->ext_key_input); if (buf && BLEN(buf) > 0) { ret = (char *) malloc(BLEN(buf)+1); 
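Review bot: The wait loop `} while (mc->ext_key_state != EKS_READY);` has no exit for the management client disconnecting mid-exchange: the man_connection_close hunk above frees `ext_key_input` and then calls man_connection_clear, and if that zeroes the connection (not visible here) `ext_key_state` ends up at EKS_UNDEF, so a reconnecting client's `rsa-sig` is refused with "not currently available" and the loop ends only on a signal. Re-arming `mc->ext_key_state = EKS_SOLICIT` when the special-state message is replayed to a new client, or leaving the loop when the connection drops, would make that path explicit rather than a hang. Please confirm the post-close state of `ext_key_state` against man_connection_clear.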
@@ -2972,10 +2978,18 @@ management_query_rsa_sig (struct management *man, } done: + if (mc->ext_key_state == EKS_READY && ret) + msg (M_CLIENT, "SUCCESS: rsa-sig command succeeded"); + else if (mc->ext_key_state == EKS_INPUT || mc->ext_key_state == EKS_READY) + msg (M_CLIENT, "ERROR: rsa-sig command failed"); + /* revert state */ man->persist.standalone_disabled = standalone_disabled_save; man->persist.special_state_msg = NULL; - in_extra_reset (&man->connection, IER_RESET); + in_extra_reset (mc, IER_RESET); + mc->ext_key_state = EKS_UNDEF; + buffer_list_free (mc->ext_key_input); + mc->ext_key_input = NULL; gc_free (&gc); return ret; -- cgit From 9356bae859938c30808aa0d2ee764bdcbb5dbe0d Mon Sep 17 00:00:00 2001 From: James Yonan Date: Wed, 5 Jan 2011 00:50:11 +0000 Subject: Added --x509-track option. Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index 310a70e..eabfb1f 100644 --- a/manage.c +++ b/manage.c @@ -2274,14 +2274,17 @@ env_filter_match (const char *env_str, const int env_filter_level) "bytes_sent=", "bytes_received=" }; - if (env_filter_level >= 1) + + if (env_filter_level >= 2 && !strncmp(env_str, "X509_", 5)) + return true; + else if (env_filter_level >= 1) { size_t i; for (i = 0; i < SIZE(env_names); ++i) { const char *en = env_names[i]; const size_t len = strlen(en); - if (strncmp(env_str, en, len) == 0) + if (!strncmp(env_str, en, len)) return true; } return false; -- cgit From 15be3202b279abc431597db5d11e826eaf1c1bb6 Mon Sep 17 00:00:00 2001 
From: James Yonan Date: Mon, 10 Jan 2011 19:13:02 +0000 Subject: * added --management-up-down option to allow management interface to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 43 +++++++++++++++++++++++++++---------------- 1 file changed, 27 insertions(+), 16 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index eabfb1f..e8f67cd 100644 --- a/manage.c +++ b/manage.c @@ -2252,8 +2252,6 @@ management_set_state (struct management *man, } } -#ifdef MANAGEMENT_DEF_AUTH - static bool env_filter_match (const char *env_str, const int env_filter_level) { @@ -2275,9 +2273,11 @@ env_filter_match (const char *env_str, const int env_filter_level) "bytes_received=" }; - if (env_filter_level >= 2 && !strncmp(env_str, "X509_", 5)) + if (env_filter_level == 0) return true; - else if (env_filter_level >= 1) + else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5)) + return true; + else if (env_filter_level <= 2) { size_t i; for (i = 0; i < SIZE(env_names); ++i) @@ -2289,12 +2289,11 @@ env_filter_match (const char *env_str, const int env_filter_level) } return false; } - else - return true; + return false; } static void -man_output_env (const struct env_set *es, const bool tail, const int env_filter_level) +man_output_env (const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix) { if (es) { 
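Review bot: env_filter_match's levels change meaning in this hunk — X509_ variables previously passed at level >= 2 and now pass at level <= 1, level 2 passes only the `env_names` list, and anything higher passes nothing — while neither the function nor the `env-filter [level]` help text documents the scale, so a management client that already chose a level silently receives a different variable set. Put the table in a comment above the function, e.g. `/* 0: all vars; 1: env_names list + X509_*; 2: env_names list only; >2: nothing */`, and mirror it in the man_help line. The enclosing function starts before this hunk.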
@@ -2302,15 +2301,15 @@ man_output_env (const struct env_set *es, const bool tail, const int env_filter_ for (e = es->list; e != NULL; e = e->next) { if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level))) - msg (M_CLIENT, ">CLIENT:ENV,%s", e->string); + msg (M_CLIENT, ">%s:ENV,%s", prefix, e->string); } } if (tail) - msg (M_CLIENT, ">CLIENT:ENV,END"); + msg (M_CLIENT, ">%s:ENV,END", prefix); } static void -man_output_extra_env (struct management *man) +man_output_extra_env (struct management *man, const char *prefix) { struct gc_arena gc = gc_new (); struct env_set *es = env_set_create (&gc); @@ -2319,10 +2318,22 @@ man_output_extra_env (struct management *man) const int nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg); setenv_int (es, "n_clients", nclients); } - man_output_env (es, false, man->connection.env_filter_level); + man_output_env (es, false, man->connection.env_filter_level, prefix); gc_free (&gc); } +void +management_up_down(struct management *man, const char *updown, const struct env_set *es) +{ + if (man->settings.flags & MF_UP_DOWN) + { + msg (M_CLIENT, ">UPDOWN:%s", updown); + man_output_env (es, true, 0, "UPDOWN"); + } +} + +#ifdef MANAGEMENT_DEF_AUTH + static bool validate_peer_info_line(const char *line) { @@ -2387,9 +2398,9 @@ management_notify_client_needing_auth (struct management *management, if (mdac->flags & DAF_CONNECTION_ESTABLISHED) mode = "REAUTH"; msg (M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id); - man_output_extra_env (management); + man_output_extra_env (management, "CLIENT"); man_output_peer_info_env(management, mdac); - man_output_env (es, true, management->connection.env_filter_level); + man_output_env (es, true, management->connection.env_filter_level, "CLIENT"); mdac->flags |= DAF_INITIAL_AUTH; } } 
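Review bot: management_up_down passes filter level 0 in `man_output_env (es, true, 0, "UPDOWN")`, which through the `!env_filter_level ||` short-circuit in man_output_env sends every variable of the up/down environment to the management client regardless of the `env-filter` level that client configured. If the full set is required by up/down consumers, say so in a comment; otherwise `man->connection.env_filter_level` is the consistent choice. Separately, `#ifdef MANAGEMENT_DEF_AUTH` has moved below man_output_extra_env, which is now compiled in every build while still reading `man->persist.callback.n_clients`; confirm that member exists outside MANAGEMENT_DEF_AUTH builds, as its declaration is not visible here.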
@@ -2401,8 +2412,8 @@ management_connection_established (struct management *management, { mdac->flags |= DAF_CONNECTION_ESTABLISHED; msg (M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid); - man_output_extra_env (management); - man_output_env (es, true, management->connection.env_filter_level); + man_output_extra_env (management, "CLIENT"); + man_output_env (es, true, management->connection.env_filter_level, "CLIENT"); } void @@ -2413,7 +2424,7 @@ management_notify_client_close (struct management *management, if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED)) { msg (M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid); - man_output_env (es, true, management->connection.env_filter_level); + man_output_env (es, true, management->connection.env_filter_level, "CLIENT"); mdac->flags |= DAF_CONNECTION_CLOSED; } } -- cgit From a74b741b6114d29ad68766139dbcd9dfcf715c4a Mon Sep 17 00:00:00 2001 From: James Yonan Date: Thu, 17 Mar 2011 20:04:56 +0000 Subject: env_filter_match now includes the serial number of all certs in chain (as tls_serial_n vars), rather than only tls_serial_0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7055 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index e8f67cd..0939105 100644 --- a/manage.c +++ b/manage.c @@ -2259,7 +2259,7 @@ env_filter_match (const char *env_str, const int env_filter_level) "username=", "password=", "X509_0_CN=", - "tls_serial_0=", + "tls_serial_", "untrusted_ip=", "ifconfig_local=", "ifconfig_netmask=", -- cgit From e1b99e6b6630a81ffd3287bc11533707332d2dda Mon Sep 17 00:00:00 2001 
From: James Yonan Date: Sun, 20 Mar 2011 04:12:26 +0000 Subject: Extended "client-kill" management interface command (server-side) to accept an optional message string. The message string format is: RESTART|HALT, RESTART will tell the client to restart (i.e. SIGUSR1). HALT will tell the client to exit (i.e. SIGTERM). On the client, human-readable-message will be communicated via management interface: >NOTIFY,,," Version 2.1.3m git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index 0939105..67f87d6 100644 --- a/manage.c +++ b/manage.c @@ -96,7 +96,7 @@ man_help () msg (M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID"); msg (M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason"); msg (M_CLIENT, " text R and optional client reason text CR"); - msg (M_CLIENT, "client-kill CID : Kill client instance CID"); + msg (M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg (M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF msg (M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); @@ -947,14 +947,14 @@ man_client_deny (struct management *man, const char *cid_str, const char *kid_st } static void -man_client_kill (struct management *man, const char *cid_str) +man_client_kill (struct management *man, const char *cid_str, const char *kill_msg) { unsigned long cid = 0; if (parse_cid (cid_str, &cid)) { if (man->persist.callback.kill_by_cid) { - const bool status = (*man->persist.callback.kill_by_cid) (man->persist.callback.arg, cid); + const bool status = (*man->persist.callback.kill_by_cid) (man->persist.callback.arg, cid, kill_msg); if (status) { msg (M_CLIENT, "SUCCESS: client-kill command succeeded"); 
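Review bot: `man_client_kill` forwards `kill_msg` to the `kill_by_cid` callback without a NULL check, and the dispatcher in the next hunk passes `p[2]`, which is NULL when the operator omits the optional message (`man_need (man, p, 1, MN_AT_LEAST)` only guarantees `p[1]`). The help text promises `def=RESTART` for that case, so state which side supplies the default — a comment on the parameter such as `/* kill_msg may be NULL: callback treats it as RESTART */` if the callback handles it, or `kill_msg ? kill_msg : "RESTART"` here if it does not; the callback implementation is not visible. The rest of man_client_kill lies outside the hunk.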
@@ -1265,8 +1265,8 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch #ifdef MANAGEMENT_DEF_AUTH else if (streq (p[0], "client-kill")) { - if (man_need (man, p, 1, 0)) - man_client_kill (man, p[1]); + if (man_need (man, p, 1, MN_AT_LEAST)) + man_client_kill (man, p[1], p[2]); } else if (streq (p[0], "client-deny")) { @@ -2190,6 +2190,7 @@ management_open (struct management *man, void management_close (struct management *man) { + man_output_list_push_finalize (man); /* flush output queue */ man_connection_close (man); man_settings_close (&man->settings); man_persist_close (&man->persist); @@ -2332,6 +2333,12 @@ management_up_down(struct management *man, const char *updown, const struct env_ } } +void +management_notify(struct management *man, const char *severity, const char *type, const char *text) +{ + msg (M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text); +} + #ifdef MANAGEMENT_DEF_AUTH static bool -- cgit From 0db046f253e86a3dd7583e2f7a13b21e7eba7493 Mon Sep 17 00:00:00 2001 
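Review bot: management_notify writes `text` into the line-oriented management stream via `">NOTIFY:%s,%s,%s"`, and per the commit message that text originates from the server's client-kill message rather than from the local operator. Unless the receive path already strips CR/LF (not visible here), an embedded newline would reach the management client as an extra unsolicited line, so either filter here or state in a header comment that callers must pass a single-line, already-validated string. A comma inside `text` is harmless to the format but should be mentioned too, since the fields are comma-separated.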
From: James Yonan Date: Sat, 26 Mar 2011 21:16:40 +0000 Subject: Added "auth-token" client directive, which is intended to be pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token: Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5 --- manage.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'manage.c') diff --git a/manage.c b/manage.c index 67f87d6..a79a8fd 100644 --- a/manage.c +++ b/manage.c @@ -698,7 +698,7 @@ static void man_forget_passwords (struct management *man) { #if defined(USE_CRYPTO) && defined(USE_SSL) - ssl_purge_auth (); + ssl_purge_auth (false); msg (M_CLIENT, "SUCCESS: Passwords were forgotten"); #endif } @@ -1682,7 +1682,7 @@ man_reset_client_socket (struct management *man, const bool exiting) { #if defined(USE_CRYPTO) && defined(USE_SSL) if (man->settings.flags & MF_FORGET_DISCONNECT) - ssl_purge_auth (); + ssl_purge_auth (false); #endif if (man->settings.flags & MF_SIGNAL) { int mysig = man_mod_signal (man, SIGUSR1); 
@@ -2515,6 +2515,12 @@ management_auth_failure (struct management *man, const char *type, const char *r msg (M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type); } +void +management_auth_token (struct management *man, const char *token) +{ + msg (M_CLIENT, ">PASSWORD:Auth-Token:%s", token); +} + static inline bool man_persist_state (unsigned int *persistent, const int n) { -- cgit
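Review bot: management_auth_token writes the server-issued token — by the commit's own description a password-equivalent credential — to the management client unconditionally and without any comment marking it as secret. A header comment such as `/* Hand a server-issued session token to the management client; it substitutes for the password and must be treated as a secret by the client */` makes that visible, and it is worth confirming that M_CLIENT output never reaches the daemon's log (msg routing is not visible here). As with management_notify, the string comes from the server and is emitted verbatim, so CR/LF filtering on receipt should be confirmed for the `>PASSWORD:Auth-Token:%s` line as well.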