From patchwork Sun Mar 13 08:31:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2330 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.27.255.7]) by backend41.mail.ord1d.rsapps.net with LMTP id WDrZFj1HLmK+DwAAqwncew (envelope-from ) for ; Sun, 13 Mar 2022 15:34:21 -0400 Received: from proxy7.mail.iad3a.rsapps.net ([172.27.255.7]) by director15.mail.ord1d.rsapps.net with LMTP id yOXGHD1HLmIMYAAAIcMcQg (envelope-from ) for ; Sun, 13 Mar 2022 15:34:21 -0400 Received: from smtp16.gate.iad3a ([172.27.255.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.iad3a.rsapps.net with LMTPS id KKqYFz1HLmLKagAAnPvY+A (envelope-from ) for ; Sun, 13 Mar 2022 15:34:21 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp16.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 944230fe-a304-11ec-8caa-5254004ee196-1-1 Received: from [216.105.38.7] ([216.105.38.7:55764] helo=lists.sourceforge.net) by smtp16.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C6/D0-26865-C374E226; Sun, 13 Mar 2022 15:34:21 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nTTpz-0008Tt-Ez; Sun, 13 Mar 2022 19:33:19 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nTTpy-0008Tn-IA for openvpn-devel@lists.sourceforge.net; Sun, 13 Mar 2022 19:33:18 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=f1Fbh8nAA2lZoVbmh/cZFVyiwXvzDNtY3P0kTejgTxk=; b=c0Y84Ue9EsjMvau8m8XEGIXMkR 5nq0AkZthOgqOnBOdBtCjgQFuttiBk4CqVuM1oJF4Gg8jkScBmSUtU2ZovLV1vgkHmeg2cNph497V 3XQ4nKRylp9nE5+HSpH2qFueLeV1samr4Qg1fnDvKbkOfnKvyY16QwyLExfn1pfeSkmI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=f1Fbh8nAA2lZoVbmh/cZFVyiwXvzDNtY3P0kTejgTxk=; b=jM0iyK4X+1lLJ6CzKiAseU/gzT K2/vjwU8vtiA1zazx5gB9tKtiE7AMvMBBz/qacNR4LgoCSeiMidbqy4FQiybX5/VCTwb5R1n33gqP zlgNzYgXAb/cSZb+hC+xs4l/+jBsES0aJjKxvl8OzOf004udCV/HkaM4/yZqk/hkpVOc=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nTTxs-0002ub-DN for openvpn-devel@lists.sourceforge.net; Sun, 13 Mar 2022 19:33:17 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id 01F24E717 for ; Sun, 13 Mar 2022 19:33:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647199990; bh=f1Fbh8nAA2lZoVbmh/cZFVyiwXvzDNtY3P0kTejgTxk=; h=From:To:Subject:Date:In-Reply-To:References:From; b=uU+HXHfaVOuI2JCJJNmpoxxrNW60p3e21wXyghiVvQF8TKvBZ1iEjAGlsgUOCGXiI 6P1OD9tS6BwraUpHKp6enBr8aKBs7pHr+5bRYhcVyCxXHW1r72wWBjTPIus5s8VaxV 8Ylls0H9CxiO47zWu2vxaja4VESJhQ98LircOfrtIOLvDTIkGt0Fk4ZsaUtQIeqN2x t9L26uOjsHostILZVzO6BgL/FiY/MJnTaykvFeRCFCIpGNKCxjM50eWA2h1679RyR5 Ym4smHG02MqJ9A0JRsPdhkcUf0EW4YY7USZ1yNEafC+lIoWcRr3dFfpBAkRXHbbUp9 ggSK+ng/b32Dw== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9_wQMsCDncpv for ; Sun, 13 Mar 2022 20:33:09 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id 14207E713 for ; Sun, 13 Mar 2022 20:33:09 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Sun, 13 Mar 2022 20:31:53 +0100 Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220313193154.9350-1-openvpn@sf.lists.topphemmelig.net> References: <20220313193154.9350-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we b [...] Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nTTxs-0002ub-DN Subject: [Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth Acked-by: Antonio Quartulli --- v2 - flip CONSTANT==var to var==CONSTANT in if() clause v3 - Use M_FATAL instead of M_ERR --- doc/man-sections/plugin-options.rst | 9 ++++++++ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++--- 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst index 51c574fe..6cbbc2f3 100644 --- a/doc/man-sections/plugin-options.rst +++ b/doc/man-sections/plugin-options.rst @@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API. (such as tls-verify, auth-user-pass-verify, or client-connect), then every module and script must return success (:code:`0`) in order for the connection to be authenticated. + + **WARNING**: + Plug-ins may do deferred execution, meaning the plug-in will + return the control back to the main OpenVPN process and provide + the plug-in result later on via a different thread or process. + OpenVPN does **NOT** support multiple authentication plug-ins + **where more than one of them** do deferred authentication. + If this behaviour is detected, OpenVPN will shut down upon first + authentication. diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index e3a89293..8236e29e 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -802,7 +802,7 @@ plugin_call_ssl(const struct plugin_list *pl, const char **envp; const int n = plugin_n(pl); bool error = false; - bool deferred = false; + bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -824,7 +824,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: - deferred = true; + if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + && deferred_auth_done) + { + /* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ + error = true; + msg(M_FATAL, + "Exiting due to multiple authentication plug-ins " + "performing deferred authentication. Only one " + "authentication plug-in doing deferred auth is " + "allowed. Ignoring the result and stopping now, " + "the current authentication result is not to be " + "trusted."); + break; + } + deferred_auth_done = true; break; default: @@ -844,7 +871,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } - else if (deferred) + else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; }