From patchwork Tue May 17 23:32:08 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2468
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 18 May 2022 11:32:08 +0200
Message-Id: <20220518093212.2802495-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 0/4] Implement exit notification via control channel and temporary AUTH_FAIL

This patchset consists of three patches and one small clean-up patch. The first patch deals with exit notification via the control channel instead of using an OCC data message if both peers support it. This is needed to avoid implementing OCC exit messages in the DCO implementation.
In p2p mode this is also implemented and keeps the behaviour that an OCC_EXIT triggers a SIGTERM on the receiving side. This is questionable but should be addressed in a different patch after a discussion.

The second patch implements a way for an OpenVPN server to temporarily reject a user or send them directly to the next server.

To allow testing and using this feature without needing to use the management interface and client-deny, the third patch adds support for providing an AUTH_FAIL message from plugins and scripts.

Finally, here is my own script that I use for testing the custom AUTH_FAIL and auth-pending messages. It will change its behaviour depending on the username: https://gist.github.com/schwabe/2d412ae9236888b398063317ed6a9be4

Arne Schwabe (4):
  Implement exit notification via control channel
  Cleanup receive_auth_failed and simplify method
  Implement AUTH_FAIL,TEMP message support
  Allow scripts and plugins to set a custom AUTH_FAILED message

 doc/man-sections/client-options.rst  |   7 +-
 doc/man-sections/script-options.rst  |  30 +++++++
 src/openvpn/Makefile.am              |   1 +
 src/openvpn/crypto.h                 |   5 ++
 src/openvpn/forward.c                |   4 +
 src/openvpn/init.c                   |   9 +-
 src/openvpn/multi.c                  |   5 ++
 src/openvpn/openvpn.vcxproj          |   2 +
 src/openvpn/openvpn.vcxproj.filters  |   3 +
 src/openvpn/options.c                |  14 +++
 src/openvpn/options.h                |   9 +-
 src/openvpn/options_util.c           | 104 ++++++++++++++++++++++
 src/openvpn/options_util.h           |  33 +++++++
 src/openvpn/push.c                   | 124 +++++++++++++++++----------
 src/openvpn/push.h                   |   2 +
 src/openvpn/sig.c                    |  27 +++++-
 src/openvpn/ssl.c                    |  16 +++-
 src/openvpn/ssl.h                    |   6 ++
 src/openvpn/ssl_common.h             |   1 +
 src/openvpn/ssl_ncp.c                |   5 ++
 src/openvpn/ssl_verify.c             |  74 +++++++++++++++-
 tests/unit_tests/openvpn/Makefile.am |   1 +
 tests/unit_tests/openvpn/test_misc.c |  49 +++++++++++
 23 files changed, 474 insertions(+), 57 deletions(-)
 create mode 100644 src/openvpn/options_util.c
 create mode 100644 src/openvpn/options_util.h