From patchwork Tue May 19 12:00:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1115 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SKojAypXxF5SZAAAIUCqbw for ; Tue, 19 May 2020 18:01:14 -0400 Received: from proxy4.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id 4OdzACpXxF6pQAAAvGGmqA ; Tue, 19 May 2020 18:01:14 -0400 Received: from smtp23.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.iad3b.rsapps.net with LMTP id GPgJNilXxF5nGgAA9crAow ; Tue, 19 May 2020 18:01:13 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 40db24d6-9a1c-11ea-a182-525400aa5716-1-1 Received: from [216.105.38.7] ([216.105.38.7:39690] helo=lists.sourceforge.net) by smtp23.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 00/8C-14180-92754CE5; Tue, 19 May 2020 18:01:13 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jbAHc-00035u-G5; Tue, 19 May 2020 22:00:20 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbAHa-00035h-5y for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:18 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=JcQrXxENt+bcLGrewBlj1MwK4uyeNuJzACNXSQQZqew=; b=EoXeqL5sBW2Y2Hlh01CwZ7gFJV xCLyoQN0wG7BCX0azEz4kQnw6h00X9+hCQBUN5uMpu3f7Hz6gHr/YngcxzMc3ovoon5A5vChKNaum ikYNmkaq5jlcGh1jHxl07xtE5bfwyLoh2ohGHlhCUK+H064dXaERS9UEbnU4VHw0q8/w=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JcQrXxENt+bcLGrewBlj1MwK4uyeNuJzACNXSQQZqew=; b=TG5uzDLojzbuFMhDACrNluomEO WNomctrCzLXq3T9QNXOyTJCzS0FdE4rsUz1iBYee1H47lsyuCpP5fjqAqhBImzT9V5O8nfYYlE38B z0ULvbcethMxW8XVL0WWTkCf+nrjlFJjaDxNnt0JmDLeSl6ZkWSc7hiL9mL838hf4hHc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jbAHX-007z7Q-9R for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:18 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jbAHN-000DMd-65 for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2020 00:00:05 +0200 Received: (nullmailer pid 25193 invoked by uid 10006); Tue, 19 May 2020 22:00:05 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:03 +0200 Message-Id: <20200519220004.25136-5-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jbAHX-007z7Q-9R Subject: [Openvpn-devel] [PATCH v3 4/5] Implement sending AUTH_PENDING challenges to clients X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should be continue authentication with a second factor. This can currently be out of band (openurl) or a normal challenge/response two like TOTP (CR_TEXT). Unfortunately this patch spend so much time in review in openvpn2 that the corosponding IV_SSO commit in openvpn3 (34a3f264) already made its way to released products so changing this right now is difficult. https://github.com/OpenVPN/openvpn3/commit/34a3f264f56bd050d9b26d2e7163f88af9a559e2 Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- doc/management-notes.txt | 86 ++++++++++++++++++++++++++++++++++++++++ src/openvpn/manage.c | 46 +++++++++++++++++++++ src/openvpn/manage.h | 3 ++ src/openvpn/multi.c | 19 +++++++++ src/openvpn/push.c | 24 +++++++++++ src/openvpn/push.h | 7 ++++ 6 files changed, 185 insertions(+) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index a7ae84e3..ce32b85f 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -592,6 +592,92 @@ interface to approve client connections. CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. +COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) +---------------------------------------------------- + +Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message +to signal a pending authenticating to the client. A pending auth means +that the connecting requires extra authentication like a one time +password or doing a single sign one via web. + + client-pending-auth {CID} {EXTRA} + +The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. +The client is expected to inform the user that authentication is pending and +display the extra information. For the format of EXTRA see below +For the OpenVPN server this is stateless operation and needs to be +followed by a client-deny/client-auth[-nt] command (that is the result of the +out of band authentication). + +Before issuing a client-pending-auth to a client instead of a +client-auth/client-deny, the server should check the IV_SSO +environment variable if the method is support. The currently +defined method are crtext for challenge/response using text +(e.g. TOTP), openurl and proxy_url for opening an URL in the client to +continue authentication. A client supporting the first two methods would +set + + setenv IV_SSO openurl,crtext + +The variable name IV_SSO is historic as AUTH_PENDING was first used +to signal single sign on support. To keep compatiblity with existing +implementations the name IV_SSO is kept in lieu of a better name. + +openurl +======== +For a web based extra authentication (like for +SSO/SAML) EXTRA should be + + OPEN_URL:url + +and client should ask to the user to open the URL to continue. + +The space in a control message is limited, so this url should be kept +short to avoid issues. If a loger url is required a URL that redirects +to the longer URL should be sent instead. + +url_proxy +======== +To avoid issues with OpenVPN connection persist-tun and not able +to reach the web server, a method a virant of openurl via a HTTPS +Proxy exists. The client should announce url_proxy in its IV_SSO +and parse the PROXY_URL message. The format is + + PROXY_URL:::::url + +The proxy should be a literal IPv4 address or Ipv6 address in [] to avoid +ambiguity in parsing. A literal IP address is preferred as DNS might not +be available when the needs to open the url. The IP address will usually +be the address that client uses to connect to the server. For dual-homed +server, the server should respond with the same address that the client +connects to. + +This address is also usually excluded from being redirected over the VPN +by a host route. If the platform (like Android) uses another way of protecting +the VPN connection routing loops the client needs to also exclude the +connection to the proxy in the same manner. + +Should another IP be used the VPN configuration should include the route +statement to exclude that route from being routed over the VPN. + +crtext +======= + +The format of EXTRA is similar to the already used two step authentication +described in Challenge/Response Protocol section of this document. Since +most of the fields are not necessary or can be infered only the +and fields are used: + + CR_TEXT:: + +: a series of optional, comma-separated flags: + E : echo the response when the user types it. + R : a response is required. + +: the challenge text to be shown to the user. + + + COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index a72c7678..3ebe72ec 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -105,6 +105,8 @@ man_help(void) msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID"); msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason"); msg(M_CLIENT, " text R and optional client reason text CR"); + msg(M_CLIENT, "client-pending-auth CID MSG : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg" + " to the client and wait for a final client-auth/client-deny"); msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF @@ -1001,6 +1003,43 @@ parse_kid(const char *str, unsigned int *kid) } } +/** + * Will send a notification to the client that succesful authentication + * will require an additional step (web based SSO/2-factor auth/etc) + * + * @param man The management interface struct + * @param cid_str The CID in string form + * @param extra The string to be send to the client containing + * the information of the additional steps + */ +static void +man_client_pending_auth(struct management *man, const char *cid_str, const char *extra) +{ + unsigned long cid = 0; + if (parse_cid(cid_str, &cid)) + { + if (man->persist.callback.client_pending_auth) + { + bool ret = (*man->persist.callback.client_pending_auth) + (man->persist.callback.arg, cid, extra); + + if (ret) + { + msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded"); + } + else + { + msg(M_CLIENT, "SUCCESS: client-pending-auth command failed." + " Extra paramter might be too long"); + } + } + else + { + msg(M_CLIENT, "ERROR: The client-pending-auth command is not supported by the current daemon mode"); + } + } +} + static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra) { @@ -1541,6 +1580,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_client_auth(man, p[1], p[2], true); } } + else if (streq(p[0], "client-pending-auth")) + { + if (man_need(man, p, 2, 0)) + { + man_client_pending_auth(man, p[1], p[2]); + } + } #ifdef MANAGEMENT_PF else if (streq(p[0], "client-pf")) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index e1dabceb..e28b11d1 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -174,6 +174,9 @@ struct management_callback const char *reason, const char *client_reason, struct buffer_list *cc_config); /* ownership transferred */ + bool (*client_pending_auth) (void *arg, + const unsigned long cid, + const char *url); char *(*get_peer_info) (void *arg, const unsigned long cid); #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7f61350d..74e035e5 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3310,6 +3310,24 @@ management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) } } +static bool +management_client_pending_auth(void *arg, + const unsigned long cid, + const char *extra) +{ + struct multi_context *m = (struct multi_context *) arg; + struct multi_instance *mi = lookup_by_cid(m, cid); + if (mi) + { + /* sends INFO_PRE and AUTH_PENDING messages to client */ + bool ret = send_auth_pending_messages(&mi->context, extra); + multi_schedule_context_wakeup(m, mi); + return ret; + } + return false; +} + + static bool management_client_auth(void *arg, const unsigned long cid, @@ -3417,6 +3435,7 @@ init_management_callback_multi(struct multi_context *m) #ifdef MANAGEMENT_DEF_AUTH cb.kill_by_cid = management_kill_by_cid; cb.client_auth = management_client_auth; + cb.client_pending_auth = management_client_pending_auth; cb.get_peer_info = management_get_peer_info; #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 965dd139..a5fa87d8 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -265,6 +265,30 @@ send_auth_failed(struct context *c, const char *client_reason) gc_free(&gc); } +bool +send_auth_pending_messages(struct context *c, const char* extra) +{ + send_control_channel_string(c, "AUTH_PENDING", D_PUSH); + + static const char info_pre[] = "INFO_PRE,"; + + + size_t len = strlen(extra)+1 + sizeof(info_pre); + if (len > PUSH_BUNDLE_SIZE) + { + return false; + } + struct gc_arena gc = gc_new(); + + struct buffer buf = alloc_buf_gc(len, &gc); + buf_printf(&buf, info_pre); + buf_printf(&buf, "%s", extra); + send_control_channel_string(c, BSTR(&buf), D_PUSH); + + gc_free(&gc); + return true; +} + /* * Send restart message from server to client. */ diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 1898f238..42ab100d 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -70,6 +70,13 @@ void remove_iroutes_from_push_route_list(struct options *o); void send_auth_failed(struct context *c, const char *client_reason); +/** + * Sends the auth pending control messages to a client. See + * doc/management-notes.txt under client-pending-auth for + * more details on message format + */ +bool send_auth_pending_messages(struct context *c, const char *extra); + void send_restart(struct context *c, const char *kill_msg); /**