#define CONFIGURE_DEFINES "N/A"
-#define ENABLE_DEF_AUTH 1
#define ENABLE_PF 1
#define ENABLE_CRYPTO_OPENSSL 1
#define ENABLE_DEBUG 1
[enable_iproute2="no"]
)
-AC_ARG_ENABLE(
- [def-auth],
- [AS_HELP_STRING([--disable-def-auth], [disable deferred authentication @<:@default=yes@:>@])],
- ,
- [enable_def_auth="yes"]
-)
-
AC_ARG_ENABLE(
[pf],
[AS_HELP_STRING([--disable-pf], [disable internal packet filter @<:@default=yes@:>@])],
test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size])
test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
-test "${enable_def_auth}" = "yes" && AC_DEFINE([ENABLE_DEF_AUTH], [1], [Enable deferred authentication])
test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], [1], [Enable internal packet filter])
test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers])
if (management)
{
management_bytes_in(management, c->c2.buf.len);
-#ifdef MANAGEMENT_DEF_AUTH
management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
-#endif
}
#endif
}
if (management)
{
management_bytes_out(management, size);
-#ifdef MANAGEMENT_DEF_AUTH
management_bytes_server(management, &c->c2.link_read_bytes, &c->c2.link_write_bytes, &c->c2.mda_context);
-#endif
}
#endif
}
to.plugins = c->plugins;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
to.mda_context = &c->c2.mda_context;
#endif
/* close TUN/TAP device */
do_close_tun(c, false);
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (management)
{
management_notify_client_close(management, &c->c2.mda_context, NULL);
msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
#endif
-#ifdef MANAGEMENT_DEF_AUTH
msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
#ifdef MANAGEMENT_PF
msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)");
-#endif
#endif
msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
man->connection.bytecount_last_update = now;
}
-#ifdef MANAGEMENT_DEF_AUTH
-
void
man_bytecount_output_server(struct management *man,
const counter_type *bytes_in_total,
mdac->bytecount_last_update = now;
}
-#endif
-
static void
man_kill(struct management *man, const char *victim)
{
if (mode != IER_NEW)
{
mc->in_extra_cmd = IEC_UNDEF;
-#ifdef MANAGEMENT_DEF_AUTH
mc->in_extra_cid = 0;
mc->in_extra_kid = 0;
-#endif
}
if (mc->in_extra)
{
{
switch (man->connection.in_extra_cmd)
{
-#ifdef MANAGEMENT_DEF_AUTH
case IEC_CLIENT_AUTH:
if (man->persist.callback.client_auth)
{
}
break;
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
#ifdef MANAGEMENT_PF
case IEC_CLIENT_PF:
if (man->persist.callback.client_pf)
in_extra_reset(&man->connection, IER_RESET);
}
-#ifdef MANAGEMENT_DEF_AUTH
-
static bool
parse_cid(const char *str, unsigned long *cid)
{
}
#endif /* MANAGEMENT_PF */
-#endif /* MANAGEMENT_DEF_AUTH */
static void
man_pk_sig(struct management *man, const char *cmd_name)
{
msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
}
-#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "nclients"))
{
man_client_n_clients(man);
}
man_env_filter(man, level);
}
-#endif
else if (streq(p[0], "signal"))
{
if (man_need(man, p, 1, 0))
man_bytecount(man, atoi(p[1]));
}
}
-#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "client-kill"))
{
if (man_need(man, p, 1, MN_AT_LEAST))
}
}
#endif
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
else if (streq(p[0], "rsa-sig"))
{
man_pk_sig(man, "rsa-sig");
msg(M_CLIENT, "%s", str);
}
-#ifdef MANAGEMENT_DEF_AUTH
-
static void
man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
{
gc_free(&gc);
}
-#endif /* MANAGEMENT_DEF_AUTH */
-
void
management_echo(struct management *man, const char *string, const bool pull)
{
/*
* Management-interface-based deferred authentication
*/
-#ifdef MANAGEMENT_DEF_AUTH
struct man_def_auth_context {
unsigned long cid;
time_t bytecount_last_update;
};
-#endif
/*
* Manage build-up of command line
void (*delete_event) (void *arg, event_t event);
int (*n_clients) (void *arg);
bool (*send_cc_message) (void *arg, const char *message, const char *parameter);
-#ifdef MANAGEMENT_DEF_AUTH
bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg);
bool (*client_auth) (void *arg,
const unsigned long cid,
const unsigned long cid,
const char *url);
char *(*get_peer_info) (void *arg, const unsigned long cid);
-#endif
#ifdef MANAGEMENT_PF
bool (*client_pf)(void *arg,
const unsigned long cid,
#define IEC_PK_SIGN 5
int in_extra_cmd;
struct buffer_list *in_extra;
-#ifdef MANAGEMENT_DEF_AUTH
unsigned long in_extra_cid;
unsigned int in_extra_kid;
-#endif
#define EKS_UNDEF 0
#define EKS_SOLICIT 1
#define EKS_INPUT 2
#define MF_SIGNAL (1<<3)
#define MF_FORGET_DISCONNECT (1<<4)
#define MF_CONNECT_AS_CLIENT (1<<5)
-#ifdef MANAGEMENT_DEF_AUTH
#define MF_CLIENT_AUTH (1<<6)
-#endif
#ifdef MANAGEMENT_PF
#define MF_CLIENT_PF (1<<7)
#endif
void management_notify_generic(struct management *man, const char *str);
-#ifdef MANAGEMENT_DEF_AUTH
void management_notify_client_needing_auth(struct management *management,
const unsigned int auth_id,
struct man_def_auth_context *mdac,
const struct env_set *es,
const char *response);
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
-
char *management_query_pk_sig(struct management *man, const char *b64_data,
const char *algorithm);
}
#endif
-#ifdef MANAGEMENT_DEF_AUTH
static inline bool
management_enable_def_auth(const struct management *man)
{
return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH);
}
-#endif
/*
* OpenVPN tells the management layer what state it's in
}
}
-#ifdef MANAGEMENT_DEF_AUTH
-
void man_bytecount_output_server(struct management *man,
const counter_type *bytes_in_total,
const counter_type *bytes_out_total,
}
}
-#endif /* MANAGEMENT_DEF_AUTH */
-
#endif /* ifdef ENABLE_MANAGEMENT */
/**
}
#endif
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
static void
set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
{
return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
static uint32_t
cid_hash_function(const void *key, uint32_t iv)
mroute_addr_hash_function,
mroute_addr_compare_function);
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
m->cid_hash = hash_init(t->options.real_hash_size,
0,
cid_hash_function,
openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
argv_free(&argv);
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (management)
{
management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
{
ASSERT(hash_remove(m->iter, &mi->real));
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (mi->did_cid_hash)
{
ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
mbuf_dereference_instance(m->mbuf, mi);
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
set_cc_config(mi, NULL);
#endif
if (mi->context.c2.context_auth == CAS_SUCCEEDED)
hash_free(m->hash);
hash_free(m->vhash);
hash_free(m->iter);
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
hash_free(m->cid_hash);
#endif
m->hash = NULL;
}
mi->did_iter = true;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
do
{
mi->context.c2.mda_context.cid = m->cid_counter++;
if (!mi->halt)
{
status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
"%lu"
#else
""
sep, time_string(mi->created, 0, false, &gc),
sep, (unsigned int)mi->created,
sep, tls_username(mi->context.c2.tls_multi, false),
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
sep, mi->context.c2.mda_context.cid,
#else
sep,
{
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (management && owner)
{
management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
{
struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (management && owner)
{
management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
/* We never return CC_RET_DEFERRED */
ASSERT(!deferred);
enum client_connect_return ret = CC_RET_SKIPPED;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (mi->cc_config)
{
struct buffer_entry *be;
ret = CC_RET_SUCCEEDED;
}
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
+#endif /* ifdef ENABLE_MANAGEMENT */
return ret;
}
update_mstat_n_clients(m->n_clients);
--mi->n_clients_delta;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (management)
{
management_connection_established(management,
compute_wakeup_sigma(&mi->context.c2.timeval));
}
-#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
+#if defined(ENABLE_ASYNC_PUSH)
static void
add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
int inotify_fd, const char *file)
msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
}
}
-#endif /* if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) */
+#endif /* if defined(ENABLE_ASYNC_PUSH) */
/*
* Figure instance-specific timers, convert
if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
{
-#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
+#if defined(ENABLE_ASYNC_PUSH)
bool was_unauthenticated = true;
struct key_state *ks = NULL;
if (mi->context.c2.tls_multi)
* to_link packets (such as ping or TLS control) */
pre_select(&mi->context);
-#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
+#if defined(ENABLE_ASYNC_PUSH)
/*
* if we see the state transition from unauthenticated to deferred
* and an auth_control_file, we assume it got just added and add
{
multi_connection_established(m, mi);
}
-#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
+#if defined(ENABLE_ASYNC_PUSH)
if (is_cas_pending(mi->context.c2.context_auth)
&& mi->client_connect_defer_state.deferred_ret_file)
{
ASSERT(hash_add(m->hash, &mi->real, mi, false));
ASSERT(hash_add(m->iter, &mi->real, mi, false));
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
#endif
#endif /* ifdef ENABLE_MANAGEMENT */
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
static struct multi_instance *
lookup_by_cid(struct multi_context *m, const unsigned long cid)
return ret;
}
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
+#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_PF
static bool
cb.kill_by_addr = management_callback_kill_by_addr;
cb.delete_event = management_delete_event;
cb.n_clients = management_callback_n_clients;
-#ifdef MANAGEMENT_DEF_AUTH
cb.kill_by_cid = management_kill_by_cid;
cb.client_auth = management_client_auth;
cb.client_pending_auth = management_client_pending_auth;
cb.get_peer_info = management_get_peer_info;
-#endif
#ifdef MANAGEMENT_PF
cb.client_pf = management_client_pf;
#endif
bool did_real_hash;
bool did_iter;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
bool did_cid_hash;
struct buffer_list *cc_config;
#endif
int status_file_version;
int n_clients; /* current number of authenticated clients */
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
struct hash *cid_hash;
unsigned long cid_counter;
#endif
struct pf_context pf;
#endif
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
struct man_def_auth_context mda_context;
#endif
"--management-client-group g : When management interface is a unix socket, only\n"
" allow connections from group g.\n"
#endif
-#ifdef MANAGEMENT_DEF_AUTH
"--management-client-auth : gives management interface client the responsibility\n"
" to authenticate clients after their client certificate\n"
" has been verified.\n"
-#endif
#ifdef MANAGEMENT_PF
"--management-client-pf : management interface clients must specify a packet\n"
" filter file for each connecting client.\n"
options->management_flags |= MF_EXTERNAL_CERT;
options->management_certificate = p[1];
}
-#endif /* ifdef ENABLE_MANAGEMENT */
-#ifdef MANAGEMENT_DEF_AUTH
else if (streq(p[0], "management-client-auth") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->management_flags |= MF_CLIENT_AUTH;
}
-#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef MANAGEMENT_PF
else if (streq(p[0], "management-client-pf") && !p[1])
{
#define PLUGIN_OPTION_LIST(opt) (NULL)
#endif
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
#define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
#else
#define MAN_CLIENT_AUTH_ENABLED(opt) (false)
{
m = BSTR(&buf);
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
struct man_def_auth_context *mda = session->opt->mda_context;
struct env_set *es = session->opt->es;
ks->crypto_options.pid_persist = NULL;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
#endif
}
{
return (session->opt->auth_user_pass_verify_script
|| plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
|| management_enable_def_auth(management)
#endif
);
enum ks_auth_state authenticated;
time_t auth_deferred_expire;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
unsigned int mda_key_id;
unsigned int mda_status;
#endif
-#ifdef PLUGIN_DEF_AUTH
unsigned int auth_control_status;
time_t acf_last_mod;
char *auth_control_file;
-#endif
};
/** Control channel wrapping (--tls-auth/--tls-crypt) context */
#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
unsigned int ssl_flags;
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
struct man_def_auth_context *mda_context;
#endif
char *locked_username;
struct cert_hash_set *locked_cert_hash_set;
-#ifdef ENABLE_DEF_AUTH
/* Time of last call to tls_authentication_status */
time_t tas_last;
-#endif
/*
* An error message to send to client on AUTH_FAILED
* user/password authentication.
*************************************************************************** */
-#ifdef ENABLE_DEF_AUTH
/* key_state_test_auth_control_file return values,
* NOTE: acf_merge indexing depends on these values */
#define ACF_UNDEFINED 0
#define ACF_SUCCEEDED 1
#define ACF_DISABLED 2
#define ACF_FAILED 3
-#endif
void
auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
}
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
static inline unsigned int
man_def_auth_test(const struct key_state *ks)
return ACF_DISABLED;
}
}
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
+#endif /* ifdef ENABLE_MANAGEMENT */
-#ifdef PLUGIN_DEF_AUTH
/*
* auth_control_file functions
return ACF_DISABLED;
}
-#endif /* ifdef PLUGIN_DEF_AUTH */
-
/*
* Return current session authentication state. Return
* value is TLS_AUTHENTICATION_x.
bool success = false;
bool active = false;
-#ifdef ENABLE_DEF_AUTH
static const unsigned char acf_merge[] =
{
ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_UNDEFINED */
ACF_FAILED, /* s1=ACF_FAILED s2=ACF_DISABLED */
ACF_FAILED /* s1=ACF_FAILED s2=ACF_FAILED */
};
-#endif /* ENABLE_DEF_AUTH */
if (multi)
{
int i;
-#ifdef ENABLE_DEF_AUTH
if (latency && multi->tas_last && multi->tas_last + latency >= now)
{
return TLS_AUTHENTICATION_UNDEFINED;
}
multi->tas_last = now;
-#endif /* ENABLE_DEF_AUTH */
for (i = 0; i < KEY_SCAN_SIZE; ++i)
{
active = true;
if (ks->authenticated > KS_AUTH_FALSE)
{
-#ifdef ENABLE_DEF_AUTH
unsigned int s1 = ACF_DISABLED;
unsigned int s2 = ACF_DISABLED;
-#ifdef PLUGIN_DEF_AUTH
s1 = key_state_test_auth_control_file(ks);
-#endif /* PLUGIN_DEF_AUTH */
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
s2 = man_def_auth_test(ks);
-#endif /* MANAGEMENT_DEF_AUTH */
+#endif
ASSERT(s1 < 4 && s2 < 4);
switch (acf_merge[(s1<<2) + s2])
{
default:
ASSERT(0);
}
-#else /* !ENABLE_DEF_AUTH */
- success = true;
-#endif /* ENABLE_DEF_AUTH */
}
}
}
}
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
/*
* For deferred auth, this is where the management interface calls (on server)
* to indicate auth failure/success.
}
return ret;
}
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
+#endif /* ifdef ENABLE_MANAGEMENT */
/* ****************************************************************************
const struct user_pass *up)
{
int retval = OPENVPN_PLUGIN_FUNC_ERROR;
-#ifdef PLUGIN_DEF_AUTH
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
-#endif
/* set password in private env space */
setenv_str(session->opt->es, "password", up->password);
-#ifdef PLUGIN_DEF_AUTH
/* generate filename for deferred auth control file */
if (!key_state_gen_auth_control_file(ks, session->opt))
{
"could not create deferred auth control file", __func__);
return retval;
}
-#endif
/* call command */
retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
-#ifdef PLUGIN_DEF_AUTH
/* purge auth control filename (and file itself) for non-deferred returns */
if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED)
{
key_state_rm_auth_control_file(ks);
}
-#endif
setenv_del(session->opt->es, "password");
}
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
/*
- * MANAGEMENT_DEF_AUTH internal ssl_verify.c status codes
+ * management deferred internal ssl_verify.c status codes
*/
#define KMDA_ERROR 0
#define KMDA_SUCCESS 1
return retval;
}
-#endif /* ifdef MANAGEMENT_DEF_AUTH */
+#endif /* ifdef ENABLE_MANAGEMENT */
static bool
set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi,
bool s2 = true;
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
int man_def_auth = KMDA_UNDEF;
if (management_enable_def_auth(management))
/* call plugin(s) and/or script */
if (!skip_auth)
{
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (man_def_auth==KMDA_DEF)
{
man_def_auth = verify_user_pass_management(session, multi, up);
}
/* auth succeeded? */
if ((s1 == OPENVPN_PLUGIN_FUNC_SUCCESS
-#ifdef PLUGIN_DEF_AUTH
|| s1 == OPENVPN_PLUGIN_FUNC_DEFERRED
-#endif
) && s2
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
&& man_def_auth != KMDA_ERROR
#endif
&& tls_lock_username(multi, up->username))
{
ks->authenticated = KS_AUTH_TRUE;
-#ifdef PLUGIN_DEF_AUTH
if (s1 == OPENVPN_PLUGIN_FUNC_DEFERRED)
{
ks->authenticated = KS_AUTH_DEFERRED;
}
-#endif
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
if (man_def_auth != KMDA_UNDEF)
{
ks->authenticated = KS_AUTH_DEFERRED;
/*
* TODO: document
*/
-#ifdef MANAGEMENT_DEF_AUTH
+#ifdef ENABLE_MANAGEMENT
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
#endif
#define PORT_SHARE 0
#endif
-/*
- * Enable deferred authentication?
- */
-#if defined(ENABLE_DEF_AUTH) && defined(ENABLE_PLUGIN)
-#define PLUGIN_DEF_AUTH
-#endif
-#if defined(ENABLE_DEF_AUTH) && defined(ENABLE_MANAGEMENT)
-#define MANAGEMENT_DEF_AUTH
-#endif
-#if !defined(PLUGIN_DEF_AUTH) && !defined(MANAGEMENT_DEF_AUTH)
-#undef ENABLE_DEF_AUTH
-#endif
-
#ifdef ENABLE_CRYPTO_MBEDTLS
#define ENABLE_PREDICTION_RESISTANCE
#endif /* ENABLE_CRYPTO_MBEDTLS */
#if defined(ENABLE_PF) && defined(ENABLE_PLUGIN) && defined(HAVE_STAT)
#define PLUGIN_PF
#endif
-#if defined(ENABLE_PF) && defined(MANAGEMENT_DEF_AUTH)
+#if defined(ENABLE_PF) && defined(ENABLE_MANAGEMENT)
#define MANAGEMENT_PF
#endif
#if !defined(PLUGIN_PF) && !defined(MANAGEMENT_PF)
projects / thirdparty / openvpn.git / commitdiff
