[Openvpn-devel] [PATCH] tls-crypt-v2: fix testing of inline key

2020-05-10 Thread Antonio Quartulli
The inline logic was recently changed by commit
("convert *_inline attributes to bool"), however the code testing a
newly created tls-crypt-v2 client key was not adapted.

Adapt tls-crypt-v2 test routine by properly signaling when the passed
key is inlined or not.

Signed-off-by: Antonio Quartulli 
---
 src/openvpn/tls_crypt.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 484d4d46..a3894d66 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -697,14 +697,14 @@ tls_crypt_v2_write_client_key_file(const char *filename,
 goto cleanup;
 }
 
-const char *client_filename = filename;
-const char *client_inline = NULL;
+const char *client_file = filename;
+bool client_inline = false;
 
 if (!filename || streq(filename, ""))
 {
 printf("%s\n", BPTR(_key_pem));
-client_filename = INLINE_FILE_TAG;
-client_inline = (const char *)BPTR(_key_pem);
+client_file = (const char *)BPTR(_key_pem);
+client_inline = true;
 }
 else if (!buffer_write_file(filename, _key_pem))
 {
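Review bot: `client_file` now carries two different things depending on `client_inline`, a path to the key file that was just written, or the PEM text itself (`(const char *)BPTR(_key_pem)`) when the key was only printed; a one-line comment above the declaration saying so would spare the next reader a detour into `tls_crypt_v2_init_client_key`. Handing the buffer over as a C string also assumes it is NUL-terminated; the `printf("%s\n", BPTR(_key_pem))` just above already relies on that, so nothing new is introduced, but the assumption now reaches the key-loading test as well and is worth confirming where the PEM buffer is built.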
@@ -717,7 +717,7 @@ tls_crypt_v2_write_client_key_file(const char *filename,
 struct buffer test_wrapped_client_key;
 msg(D_GENKEY, "Testing client-side key loading...");
 tls_crypt_v2_init_client_key(_client_key, _wrapped_client_key,
- client_filename, client_inline);
+ client_file, client_inline);
 free_key_ctx_bi(_client_key);
 
 /* Sanity check: unwrap and load client key (as "server") */
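Review bot: the call site now passes a `bool` where a `const char *` used to go, but the hunk does not show the prototype of `tls_crypt_v2_init_client_key`; confirm the declaration was updated by the earlier "convert *_inline attributes to bool" commit, since an unchanged pointer parameter would accept the bool with only a warning on older compilers and silently break the inline test. `free_key_ctx_bi(_client_key)` follows immediately without inspecting any result, so also confirm that a failed load inside the init routine aborts (fatal message) rather than letting the "Testing client-side key loading..." step pass quietly.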
-- 
2.26.2



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant

2020-05-10 Thread Antonio Quartulli
Hi,

On 10/05/2020 15:53, David Sommerseth wrote:

> This looks promising, but is not complete - and breaking compilation:
> 
> 
> $ git grep INLINE_FILE_TAG
> src/openvpn/tls_crypt.c:client_filename = INLINE_FILE_TAG;
> 
> $ make -j5
> [...]
> make[3]: Entering directory `/home/davids/devel/OpenVPN/openvpn/src/openvpn'
>   CC   tls_crypt.o
> tls_crypt.c: In function ‘tls_crypt_v2_write_client_key_file’:
> tls_crypt.c:706:27: error: ‘INLINE_FILE_TAG’ undeclared (first use in this
> function)
>  client_filename = INLINE_FILE_TAG;
>^
> 
> I haven't dug into if client_filename really needs to be set to 
> INLINE_FILE_TAG.
> 

whoop - I prepared a patch for this last occurrence (to be applied
before this patch), but did not send it.

Incoming...

-- 
Antonio Quartulli




Re: [Openvpn-devel] [PATCH] get rid of TAG_FILE_INLINE constant

2020-05-10 Thread David Sommerseth
On 08/05/2020 23:23, Antonio Quartulli wrote:
> Now that the whole inline logic has been converted to using bool flags,
> the TAG_FILE_INLINE constant is not useful anymore.
> 
> Get rid of the constant as it's now unused and to prevent any future
> developer from mistakenly use it again.
> 
> Signed-off-by: Antonio Quartulli 
> ---
> 
> to be applied after all other fixes, as they remove the few last usages
> of this constant.
> 
> 
>  src/openvpn/common.h | 6 --
>  src/openvpn/crypto.c | 2 +-
>  2 files changed, 1 insertion(+), 7 deletions(-)
> 
> diff --git a/src/openvpn/common.h b/src/openvpn/common.h
> index 4e6f4809..623b3e0d 100644
> --- a/src/openvpn/common.h
> +++ b/src/openvpn/common.h
> @@ -88,12 +88,6 @@ typedef unsigned long ptr_type;
>   */
>  #define PUSH_REQUEST_INTERVAL 5
>  
> -/*
> - * A sort of pseudo-filename for data provided inline within
> - * the configuration file.
> - */
> -#define INLINE_FILE_TAG "[[INLINE]]"
> -
>  /*
>   * Script security warning
>   */
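Review bot: dropping the `INLINE_FILE_TAG` define is only safe once `git grep INLINE_FILE_TAG` comes up empty across the tree; as the compile error later in this thread shows, `tls_crypt.c` still had `client_filename = INLINE_FILE_TAG;`, so this hunk is a build break unless the tls-crypt-v2 fix lands first. The "to be applied after all other fixes" remark in the cover text is easy to miss when patches are picked individually; stating the dependency in the commit message itself (or folding the last removal into this series) would make the ordering enforceable.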
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 672aa14a..f1a52d8c 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -1189,7 +1189,7 @@ print_key_filename(const char *str, bool is_inline)
>  {
>  if (is_inline)
>  {
> -return INLINE_FILE_TAG;
> +return "[[INLINE]]";
>  }
>  
>  return np(str);
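Review bot: `return "[[INLINE]]";` turns the named constant into a bare string literal in `print_key_filename`; since this is now the only place the tag appears and it exists purely for log output, a short comment saying it is a display placeholder rather than a filename sentinel would stop someone from reintroducing the old `streq(..., "[[INLINE]]")` pattern, which is exactly what the commit message wants to prevent. Returning a string literal alongside `np(str)` is fine as long as callers keep treating the result as `const char *`.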
> 

This looks promising, but is not complete - and breaking compilation:


$ git grep INLINE_FILE_TAG
src/openvpn/tls_crypt.c:client_filename = INLINE_FILE_TAG;

$ make -j5
[...]
make[3]: Entering directory `/home/davids/devel/OpenVPN/openvpn/src/openvpn'
  CC   tls_crypt.o
tls_crypt.c: In function ‘tls_crypt_v2_write_client_key_file’:
tls_crypt.c:706:27: error: ‘INLINE_FILE_TAG’ undeclared (first use in this
function)
 client_filename = INLINE_FILE_TAG;
   ^

I haven't dug into if client_filename really needs to be set to INLINE_FILE_TAG.


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature


Re: [Openvpn-devel] [PATCH] options: fix inlining auth-gen-token-secret file

2020-05-10 Thread David Sommerseth
On 08/05/2020 23:14, Antonio Quartulli wrote:
> With commit ("convert *_inline attributes to bool") the logic for
> signaling when a certain option is inline has been changed.
> Due to an overlook, the auth-gen-token-secret was not converted, thus
> making it impossible to be inlined.
> 
> Fix parsing logic and allow auth-gen-token-secret to be inlined as well.
> 
> Signed-off-by: Antonio Quartulli 
> ---
>  src/openvpn/options.c | 10 +++---
>  1 file changed, 3 insertions(+), 7 deletions(-)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 56c9e411..2d2089e3 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -6981,16 +6981,12 @@ add_option(struct options *options,
>  }
>  
>  }
> -else if (streq(p[0], "auth-gen-token-secret") && p[1] && (!p[2]
> -  || (p[2] && 
> streq(p[1], INLINE_FILE_TAG
> +else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
>  {
> -VERIFY_PERMISSION(OPT_P_GENERAL);
> +VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
>  options->auth_token_secret_file = p[1];
> +options->auth_token_secret_file_inline = is_inline;
>  
> -if (streq(p[1], INLINE_FILE_TAG) && p[2])
> -{
> -options->auth_token_secret_file_inline = p[2];
> -}
>  }
>  else if (streq(p[0], "client-connect") && p[1])
>  {
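Review bot: the condition tightens from accepting a third argument as the inline payload to requiring `!p[2]`, with the inline content now expected in `p[1]` and flagged by `is_inline`; the hunk does not show how `is_inline` is set, so confirm that `add_option` delivers the file body in `p[1]` when `is_inline` is true, consistent with the other `*_inline` options converted earlier. Adding `OPT_P_INLINE` to `VERIFY_PERMISSION` is what actually admits the inlined form, so the fix would be incomplete without it. Since `auth-gen-token-secret` is key material, inlining moves the secret from a separate file into the config file itself; the config's own permissions then become the only protection, which is worth a sentence in the option documentation.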
> 

Good to see that braintwister of boolean logic go away.  I've only done a
quick compile test and glared at the code change, which all makes sense.

Acked-By: David Sommerseth 


-- 
kind regards,

David Sommerseth
OpenVPN Inc




signature.asc
Description: OpenPGP digital signature