From patchwork Tue May 17 23:32:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2471 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 0ASeBXi9hGKWbQAAqwncew (envelope-from ) for ; Wed, 18 May 2022 05:33:44 -0400 Received: from proxy18.mail.iad3b.rsapps.net ([172.31.255.6]) by director9.mail.ord1d.rsapps.net with LMTP id 6HpNHXi9hGKkKgAAalYnBA (envelope-from ) for ; Wed, 18 May 2022 05:33:44 -0400 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.iad3b.rsapps.net with LMTPS id WL+oF3i9hGJ8IQAA3NpJmQ (envelope-from ) for ; Wed, 18 May 2022 05:33:44 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 9aaa8b32-d68d-11ec-a204-5254005e8ddb-1-1 Received: from [216.105.38.7] ([216.105.38.7:51578] helo=lists.sourceforge.net) by smtp34.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 4A/7E-02284-67DB4826; Wed, 18 May 2022 05:33:42 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nrG2j-0002Hh-21; Wed, 18 May 2022 09:32:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nrG2h-0002HO-CY for openvpn-devel@lists.sourceforge.net; Wed, 18 May 2022 09:32:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=787G4S/jcpCeLiSY0CHzktHs6RJoFozAnf2xmEkX1ak=; b=FcR2znsHdkbV8NQ4DU8bpgaG1N egoocCe6rYbp0a0kaIBoA00u4Z/E6iLOa71myHwnt66qXySFxtNe0+X+LOsDjTo8jJaFtZcbdakOd OghyVJXEp0AFwmH1NoEVoFMD0A8nAJ8+3vmMsRhMGcE31l8Yta4R5F6C9avxPUzzqydY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=787G4S/jcpCeLiSY0CHzktHs6RJoFozAnf2xmEkX1ak=; b=M0hEAQKzvtQLLBMHSKE4aqs6g5 MMx9rk7YsiZXEFcq5h0+q2pIOwnks3QScFogIkAHY+Rs5cEjv9IVZcgfzR+6QxcYDw6/fNqCQAPaY qnm9AH46vbN4ALo0la5gk1AGKwNyJraz+stBGzxfCDmSK9PBHRO1cFErpnFf0j3yRcco=; Received: from [192.26.174.232] (helo=mail.blinkt.de) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nrG2f-006S6I-H6 for openvpn-devel@lists.sourceforge.net; Wed, 18 May 2022 09:32:30 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1nrG2P-000GUM-3B for openvpn-devel@lists.sourceforge.net; Wed, 18 May 2022 11:32:13 +0200 Received: (nullmailer pid 2802555 invoked by uid 10006); Wed, 18 May 2022 09:32:13 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 18 May 2022 11:32:12 +0200 Message-Id: <20220518093212.2802495-5-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220518093212.2802495-1-arne@rfc2549.org> References: <20220518093212.2802495-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This is currently only possible when using the management interface and the client-deny functionality. --- src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 74 ++++++++++++++++++++++++++++++++ [...] Content analysis details: (1.5 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nrG2f-006S6I-H6 Subject: [Openvpn-devel] [PATCH 4/4] Allow scripts and plugins to set a custom AUTH_FAILED message X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This is currently only possible when using the management interface and the client-deny functionality. --- src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 74 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 73 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index cef2611b9..433563068 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -155,6 +155,7 @@ struct auth_deferred_status { char *auth_control_file; char *auth_pending_file; + char *auth_failed_reason_file; unsigned int auth_control_status; }; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c01841fa9..4cf772fef 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -989,6 +989,12 @@ key_state_rm_auth_control_files(struct auth_deferred_status *ads) free(ads->auth_control_file); ads->auth_control_file = NULL; } + if (ads->auth_failed_reason_file) + { + platform_unlink(ads->auth_failed_reason_file); + free(ads->auth_failed_reason_file); + ads->auth_failed_reason_file = NULL; + } key_state_rm_auth_pending_file(ads); } @@ -1007,19 +1013,47 @@ key_state_gen_auth_control_files(struct auth_deferred_status *ads, key_state_rm_auth_control_files(ads); const char *acf = platform_create_temp_file(opt->tmp_dir, "acf", &gc); const char *apf = platform_create_temp_file(opt->tmp_dir, "apf", &gc); + const char *afr = platform_create_temp_file(opt->tmp_dir, "afr", &gc); if (acf && apf) { ads->auth_control_file = string_alloc(acf, NULL); ads->auth_pending_file = string_alloc(apf, NULL); + ads->auth_failed_reason_file = string_alloc(afr, NULL); + setenv_str(opt->es, "auth_control_file", ads->auth_control_file); setenv_str(opt->es, "auth_pending_file", ads->auth_pending_file); + setenv_str(opt->es, "auth_failed_reason_file", ads->auth_failed_reason_file); } gc_free(&gc); return (acf && apf); } +/** + * Checks if the auth failed reason file has any content and if yes it will + * be returned as string allocated in gc to the caller. + */ +static char * +key_state_check_auth_failed_message_file(const struct auth_deferred_status *ads, + struct tls_multi *multi, + struct gc_arena *gc) +{ + char *ret = NULL; + if (ads->auth_failed_reason_file) + { + struct buffer reason = buffer_read_from_file(ads->auth_failed_reason_file, gc); + + if (BLEN(&reason)) + { + ret = BSTR(&reason); + } + + } + return ret; +} + + /** * Checks the auth control status from a file. The function will try * to read and update the cached status if the status is still pending @@ -1184,6 +1218,20 @@ tls_authentication_status(struct tls_multi *multi) #endif if (failed_auth) { + struct gc_arena gc = gc_new(); + const struct key_state *ks = get_primary_key(multi); + const char *plugin_message = key_state_check_auth_failed_message_file(&ks->plugin_auth, multi, &gc); + const char *script_message = key_state_check_auth_failed_message_file(&ks->script_auth, multi, &gc); + + if (plugin_message) + { + auth_set_client_reason(multi, plugin_message); + } + if (script_message) + { + auth_set_client_reason(multi, script_message); + } + /* We have at least one session that failed authentication. There * might be still another session with valid keys. * Although our protocol allows keeping the VPN session alive @@ -1248,6 +1296,21 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con * this is the place to start. *************************************************************************** */ +/** + * Check if the script/plugin left a message in the auth failed message + * file and rely it to the user */ +static void +check_for_client_reason(struct tls_multi *multi, + struct auth_deferred_status *status) +{ + struct gc_arena gc = gc_new(); + const char *msg = key_state_check_auth_failed_message_file(status, multi, &gc); + if (msg) + { + auth_set_client_reason(multi, msg); + } + gc_free(&gc); +} /* * Verify the user name and password using a script */ @@ -1316,6 +1379,7 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, break; default: + check_for_client_reason(multi, &ks->script_auth); retval = OPENVPN_PLUGIN_FUNC_ERROR; break; } @@ -1376,6 +1440,7 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, /* call command */ retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es); + if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED) { /* Check if the plugin has written the pending auth control @@ -1383,10 +1448,15 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, if (!key_state_check_auth_pending_file(&ks->plugin_auth, multi)) { retval = OPENVPN_PLUGIN_FUNC_ERROR; - key_state_rm_auth_control_files(&ks->plugin_auth); } } - else + + if (retval == OPENVPN_PLUGIN_FUNC_ERROR) + { + check_for_client_reason(multi, &ks->plugin_auth); + } + + if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED) { /* purge auth control filename (and file itself) for non-deferred returns */ key_state_rm_auth_control_files(&ks->plugin_auth);