[Openvpn-devel] [PATCH] tls-crypt-v2: fix testing of inline key
The inline logic was recently changed by commit ("convert *_inline attributes to bool"), however the code testing a newly created tls-crypt-v2 client key was not adapted. Adapt tls-crypt-v2 test routine by properly signaling when the passed key is inlined or not. Signed-off-by: Antonio Quartulli --- src/openvpn/tls_crypt.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 484d4d46..a3894d66 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -697,14 +697,14 @@ tls_crypt_v2_write_client_key_file(const char *filename, goto cleanup; } -const char *client_filename = filename; -const char *client_inline = NULL; +const char *client_file = filename; +bool client_inline = false; if (!filename || streq(filename, "")) { printf("%s\n", BPTR(_key_pem)); -client_filename = INLINE_FILE_TAG; -client_inline = (const char *)BPTR(_key_pem); +client_file = (const char *)BPTR(_key_pem); +client_inline = true; } else if (!buffer_write_file(filename, _key_pem)) { @@ -717,7 +717,7 @@ tls_crypt_v2_write_client_key_file(const char *filename, struct buffer test_wrapped_client_key; msg(D_GENKEY, "Testing client-side key loading..."); tls_crypt_v2_init_client_key(_client_key, _wrapped_client_key, - client_filename, client_inline); + client_file, client_inline); free_key_ctx_bi(_client_key); /* Sanity check: unwrap and load client key (as "server") */ -- 2.26.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
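Review bot: in the first hunk (`@@ -697,14 +697,14 @@`), `client_file` now points at the PEM text inside `_key_pem` when no filename is given, and the same buffer is printed just before with `printf("%s\n", BPTR(_key_pem))`; both uses treat `_key_pem` as a NUL-terminated C string, so the pre-existing termination assumption now also gates the test load, and the buffer must stay allocated and unmodified until `tls_crypt_v2_init_client_key()` has consumed it. A one-line comment next to `const char *client_file = filename;` saying the variable holds either a path or the key body depending on `client_inline` would save the next reader from the confusion that produced this bug. This hunk also removes the last `INLINE_FILE_TAG` use in tls_crypt.c that the "get rid of TAG_FILE_INLINE constant" patch in this thread depends on, so the ordering (this patch first) should be made explicit by numbering the series rather than relying on a note in the reply.

Review bot: in the second hunk (`@@ -717,7 +717,7 @@`), the updated call `tls_crypt_v2_init_client_key(_client_key, _wrapped_client_key, client_file, client_inline)` follows the `bool` convention of the "convert *_inline attributes to bool" commit, and the non-inline path is covered because `client_inline` is initialised to `false` above. Nothing to fix here beyond the naming point raised on the first hunk.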
Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant
Hi,

On 10/05/2020 15:53, David Sommerseth wrote:
> This looks promising, but is not complete - and breaking compilation:
>
> $ git grep INLINE_FILE_TAG
> src/openvpn/tls_crypt.c:client_filename = INLINE_FILE_TAG;
>
> $ make -j5
> [...]
> make[3]: Entering directory `/home/davids/devel/OpenVPN/openvpn/src/openvpn'
> CC tls_crypt.o
> tls_crypt.c: In function ‘tls_crypt_v2_write_client_key_file’:
> tls_crypt.c:706:27: error: ‘INLINE_FILE_TAG’ undeclared (first use in this function)
> client_filename = INLINE_FILE_TAG;
>                   ^
>
> I haven't dug into if client_filename really needs to be set to INLINE_FILE_TAG.

Whoop - I prepared a patch for this last occurrence (to be applied before this patch), but did not send it. Incoming...

--
Antonio Quartulli
Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant
On 08/05/2020 23:23, Antonio Quartulli wrote: > Now that the whole inline logic has been converted to using bool flags, > the TAG_FILE_INLINE constant is not useful anymore. > > Get rid of the constant as it's now unused and to prevent any future > developer from mistakenly use it again. > > Signed-off-by: Antonio Quartulli > --- > > to be applied after all other fixes, as they remove the few last usages > of this constant. > > > src/openvpn/common.h | 6 -- > src/openvpn/crypto.c | 2 +- > 2 files changed, 1 insertion(+), 7 deletions(-) > > diff --git a/src/openvpn/common.h b/src/openvpn/common.h > index 4e6f4809..623b3e0d 100644 > --- a/src/openvpn/common.h > +++ b/src/openvpn/common.h > @@ -88,12 +88,6 @@ typedef unsigned long ptr_type; > */ > #define PUSH_REQUEST_INTERVAL 5 > > -/* > - * A sort of pseudo-filename for data provided inline within > - * the configuration file. > - */ > -#define INLINE_FILE_TAG "[[INLINE]]" > - > /* > * Script security warning > */ > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 672aa14a..f1a52d8c 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c 
> @@ -1189,7 +1189,7 @@ print_key_filename(const char *str, bool is_inline) > { > if (is_inline) > { > -return INLINE_FILE_TAG; > +return "[[INLINE]]"; > } > > return np(str); > This looks promising, but is not complete - and breaking compilation: $ git grep INLINE_FILE_TAG src/openvpn/tls_crypt.c:client_filename = INLINE_FILE_TAG; $ make -j5 [...] make[3]: Entering directory `/home/davids/devel/OpenVPN/openvpn/src/openvpn' CC tls_crypt.o tls_crypt.c: In function ‘tls_crypt_v2_write_client_key_file’: tls_crypt.c:706:27: error: ‘INLINE_FILE_TAG’ undeclared (first use in this function) client_filename = INLINE_FILE_TAG; ^ I haven't dug into if client_filename really needs to be set to INLINE_FILE_TAG. -- kind regards, David Sommerseth OpenVPN Inc signature.asc Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
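Review bot: for the common.h hunk (`@@ -88,12 +88,6 @@`), deleting `INLINE_FILE_TAG` breaks the build while `src/openvpn/tls_crypt.c` still contains `client_filename = INLINE_FILE_TAG;` (the `git grep` and `make` output in this reply show it); the commit message says "to be applied after all other fixes", but nothing enforces that order, so either fold the tls_crypt.c fix into this patch or send the set as a numbered series so the removal cannot be applied first.

Review bot: for the crypto.c hunk (`@@ -1189,7 +1189,7 @@`), `print_key_filename()` now returns the bare literal `"[[INLINE]]"`; that is fine for a log label, but it looks exactly like the sentinel the series is removing. A short comment on the `return "[[INLINE]]";` line stating that the string is display-only and must never be compared against would stop it from being reintroduced as a marker.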
Re: [Openvpn-devel] [PATCH] options: fix inlining auth-gen-token-secret file
On 08/05/2020 23:14, Antonio Quartulli wrote: > With commit ("convert *_inline attributes to bool") the logic for > signaling when a certain option is inline has been changed. > Due to an overlook, the auth-gen-token-secret was not converted, thus > making it impossible to be inlined. > > Fix parsing logic and allow auth-gen-token-secret to be inlined as well. > > Signed-off-by: Antonio Quartulli > --- > src/openvpn/options.c | 10 +++--- > 1 file changed, 3 insertions(+), 7 deletions(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 56c9e411..2d2089e3 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -6981,16 +6981,12 @@ add_option(struct options *options, > } > > } > -else if (streq(p[0], "auth-gen-token-secret") && p[1] && (!p[2] > - || (p[2] && > streq(p[1], INLINE_FILE_TAG > +else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2]) > { > -VERIFY_PERMISSION(OPT_P_GENERAL); > +VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); > options->auth_token_secret_file = p[1]; > +options->auth_token_secret_file_inline = is_inline; > > -if (streq(p[1], INLINE_FILE_TAG) && p[2]) > -{ > -options->auth_token_secret_file_inline = p[2]; > -} > } > else if (streq(p[0], "client-connect") && p[1]) > { > Good to see that braintwister of boolean logic go away. I've only done a quick compile test and glared at the code change, which all makes sense. Acked-By: David Sommerseth -- kind regards, David Sommerseth OpenVPN Inc signature.asc Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
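Review bot: in the options.c hunk (`@@ -6981,16 +6981,12 @@`), the new condition `p[1] && !p[2]` together with `options->auth_token_secret_file_inline = is_inline;` drops the old tri-state check on `INLINE_FILE_TAG` and matches the `bool` convention used for the other inlineable file options, and adding `OPT_P_INLINE` to `VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE)` is what makes the inline form legal at all. One thing to check before merge: the commit message says the option is newly inlineable, so whatever documentation lists the options that accept the `<tag>` inline form should gain `auth-gen-token-secret` in the same patch, otherwise the feature lands undocumented.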
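Added illustration, not code from OpenVPN or from either patch author: a minimal C model of the (value, bool) representation of inline data that this patch and the tls-crypt-v2 fix earlier in the thread both move to. The parser below accepts `auth-gen-token-secret <path>` and a `<auth-gen-token-secret> ... </auth-gen-token-secret>` block in the general OpenVPN inline style, stores the result as a value plus a `bool` flag the way the patched `add_option()` does, and mimics `print_key_filename()` so a log line shows a marker rather than the key body. The function and struct names (`parse_config`, `dupn`, `struct options`), the `"[NULL]"` placeholder and the config text in the comments are this example's own assumptions; it does not reproduce OpenVPN's real option parser.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define OPT_NAME "auth-gen-token-secret"

/* Mirrors the two fields the patch touches: the value, and a flag saying
 * whether that value is a path or the key body itself. Names are illustrative. */
struct options {
    char *auth_token_secret_file;
    bool  auth_token_secret_file_inline;
};

/* Copy len bytes starting at start into a new NUL-terminated string. */
static char *dupn(const char *start, size_t len)
{
    char *s = malloc(len + 1);
    if (!s) {
        abort();
    }
    memcpy(s, start, len);
    s[len] = '\0';
    return s;
}

/*
 * Parse a tiny config text (constructed format for this example). Recognises:
 *   auth-gen-token-secret /path/to/file
 *   <auth-gen-token-secret>\n...body...\n</auth-gen-token-secret>
 * Returns how many times the option was set, or -1 if an inline block is
 * never closed: reject rather than guess at where the key body ends.
 */
int parse_config(const char *text, struct options *o)
{
    static const char open_tag[]  = "<" OPT_NAME ">";
    static const char close_tag[] = "</" OPT_NAME ">";
    const size_t open_len  = sizeof(open_tag) - 1;
    const size_t close_len = sizeof(close_tag) - 1;
    const size_t name_len  = sizeof(OPT_NAME) - 1;
    int found = 0;
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen == open_len && strncmp(p, open_tag, open_len) == 0) {
            /* Inline form: everything after this line up to the closing tag. */
            const char *body = eol ? eol + 1 : p + linelen;
            const char *close = strstr(body, close_tag);
            if (!close) {
                return -1;
            }
            free(o->auth_token_secret_file);
            o->auth_token_secret_file = dupn(body, (size_t)(close - body));
            o->auth_token_secret_file_inline = true;   /* value is the key body */
            found++;
            p = close + close_len;
            if (*p == '\n') {
                p++;
            }
            continue;
        }

        if (linelen > name_len + 1
            && strncmp(p, OPT_NAME, name_len) == 0 && p[name_len] == ' ') {
            /* File form: the single argument is a path. */
            const char *arg = p + name_len + 1;
            free(o->auth_token_secret_file);
            o->auth_token_secret_file = dupn(arg, linelen - name_len - 1);
            o->auth_token_secret_file_inline = false;  /* value is a path */
            found++;
        }

        p = eol ? eol + 1 : p + linelen;
    }
    return found;
}

/* Log-safe name for a key source: a fixed marker for inline data, so the key
 * body never reaches a log line. Same shape as the patched print_key_filename();
 * the "[NULL]" placeholder is this example's choice. */
const char *print_key_filename(const char *str, bool is_inline)
{
    if (is_inline) {
        return "[[INLINE]]";
    }
    return str ? str : "[NULL]";
}
```

What the `bool` representation buys is visible in `parse_config()`: the block body is stored verbatim and can be any string, including one equal to `[[INLINE]]`, without being mistaken for a sentinel, whereas the removed `streq(p[1], INLINE_FILE_TAG)` check overloaded the value slot with a marker and then had to look in `p[2]` for the real content.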