proxy NONE
-COMMAND -- rsa-sig (OpenVPN 2.3 or higher)
-------------------------------------------
+COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1)
+COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1)
+-----------------------------------------------------------------
Provides support for external storage of the private key. Requires the
--management-external-key option. This option can be used instead of "key"
in client mode, and allows the client to run without the need to load the
operation, the data to be signed will be sent to the management interface
via a notification as follows:
->RSA_SIGN:[BASE64_DATA]
+>PK_SIGN:[BASE64_DATA] (if client announces support for management version > 1)
+>RSA_SIGN:[BASE64_DATA] (only older clients will be prompted like this)
The management interface client should then create a PKCS#1 v1.5 signature of
the (decoded) BASE64_DATA using the private key and return the SSL signature as
follows:
-rsa-sig
+pk-sig (or rsa-sig)
[BASE64_SIG_LINE]
.
.
This capability is intended to allow the use of arbitrary cryptographic
service providers with OpenVPN via the management interface.
+New and updated clients are expected to use the version command to announce
+a version > 1 and handle '>PK_SIGN' prompt and respond with 'pk-sig'.
+
COMMAND -- certificate (OpenVPN 2.4 or higher)
----------------------------------------------
Provides support for external storage of the certificate. Requires the
#endif
#endif
#ifdef MANAGMENT_EXTERNAL_KEY
- msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge");
+ msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
+ msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
+ msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
#endif /* ifdef MANAGEMENT_PF */
#ifdef MANAGMENT_EXTERNAL_KEY
- case IEC_RSA_SIGN:
+ case IEC_PK_SIGN:
man->connection.ext_key_state = EKS_READY;
buffer_list_free(man->connection.ext_key_input);
man->connection.ext_key_input = man->connection.in_extra;
#ifdef MANAGMENT_EXTERNAL_KEY
static void
-man_rsa_sig(struct management *man)
+man_pk_sig(struct management *man, const char *cmd_name)
{
struct man_connection *mc = &man->connection;
if (mc->ext_key_state == EKS_SOLICIT)
{
mc->ext_key_state = EKS_INPUT;
- mc->in_extra_cmd = IEC_RSA_SIGN;
+ mc->in_extra_cmd = IEC_PK_SIGN;
in_extra_reset(mc, IER_NEW);
}
else
{
- msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available");
+ msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
}
}
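Review bot: man_pk_sig has no header comment, and since it is now the handler for two commands ("rsa-sig" and "pk-sig") the contract is worth stating: it only transitions ext_key_state from EKS_SOLICIT to EKS_INPUT and arms in_extra with IEC_PK_SIGN, and the cmd_name argument is used solely to name the command in the "not currently available" error. I would add above `static void` on line 49: `/* Start reading a signature response to a >PK_SIGN / >RSA_SIGN prompt. cmd_name is the command the client typed ("pk-sig" or "rsa-sig") and is only echoed in the error when no signature is being solicited. */`. Note that both commands are accepted whatever version the client announced, which matches the notes ("pk-sig (or rsa-sig)"); the comment should say so, so nobody later "fixes" it into a version check.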
#ifdef MANAGMENT_EXTERNAL_KEY
else if (streq(p[0], "rsa-sig"))
{
- man_rsa_sig(man);
+ man_pk_sig(man, "rsa-sig");
+ }
+ else if (streq(p[0], "pk-sig"))
+ {
+ man_pk_sig(man, "pk-sig");
}
else if (streq(p[0], "certificate"))
{
char *
/* returns allocated base64 signature */
-management_query_rsa_sig(struct management *man,
+management_query_pk_sig(struct management *man,
const char *b64_data)
{
- return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign",
- &man->connection.ext_key_state, &man->connection.ext_key_input);
+ const char *prompt = "PK_SIGN";
+ const char *desc = "pk-sign";
+ if (man->connection.client_version <= 1)
+ {
+ prompt = "RSA_SIGN";
+ desc = "rsa-sign";
+ }
+ return management_query_multiline_flatten(man, b64_data, prompt, desc,
+ &man->connection.ext_key_state, &man->connection.ext_key_input);
}
-
char *
management_query_cert(struct management *man, const char *cert_name)
{
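Review bot: The comment on line 80 ("returns allocated base64 signature") no longer describes the interesting part of management_query_pk_sig: the prompt sent to the client now depends on man->connection.client_version (lines 87-93), and callers still need to know they own the returned string. I would replace it with a short block comment along the lines of `/* Ask the management client to sign b64_data with the external private key. Clients that announced management version > 1 are prompted with >PK_SIGN, older ones with >RSA_SIGN; returns a malloc'd base64 signature the caller must free. */`. What client_version holds for a client that never sent the version command is not visible here, so if the default is not <= 1, unversioned legacy clients would receive the new >PK_SIGN prompt they do not understand — worth confirming against where client_version is initialised.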
#include "socket.h"
#include "mroute.h"
-#define MANAGEMENT_VERSION 1
+#define MANAGEMENT_VERSION 2
#define MANAGEMENT_N_PASSWORD_RETRIES 3
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
#define MANAGEMENT_ECHO_BUFFER_SIZE 100
#define IEC_CLIENT_PF 2
#define IEC_RSA_SIGN 3
#define IEC_CERTIFICATE 4
+#define IEC_PK_SIGN 5
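Review bot: IEC_RSA_SIGN (line 109) appears to be left over: the only switch case that handled it is renamed to IEC_PK_SIGN in this commit, and man_pk_sig now stores IEC_PK_SIGN for both commands, so nothing in the visible hunks references the old value. If it is kept deliberately for out-of-tree code, a comment such as `#define IEC_RSA_SIGN 3 /* superseded by IEC_PK_SIGN; no longer set by man_pk_sig */` would stop the next reader from assuming the two can still be dispatched separately; otherwise it can be removed.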
int in_extra_cmd;
struct buffer_list *in_extra;
#ifdef MANAGEMENT_DEF_AUTH
int up_query_mode;
struct user_pass up_query;
-#ifdef MANAGMENT_EXTERNAL_KEY
- struct buffer_list *rsa_sig;
-#endif
#ifdef TARGET_ANDROID
int fdtosend;
int lastfdreceived;
#ifdef MANAGMENT_EXTERNAL_KEY
-char *management_query_rsa_sig(struct management *man, const char *b64_data);
+char *management_query_pk_sig(struct management *man, const char *b64_data);
char *management_query_cert(struct management *man, const char *cert_name);