From patchwork Wed Apr 10 16:07:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Thorpe X-Patchwork-Id: 718 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 8PmcGXenrlwwDAAAIUCqbw for ; Wed, 10 Apr 2019 22:33:27 -0400 Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id 0N9AGXenrlw3YwAAalYnBA ; Wed, 10 Apr 2019 22:33:27 -0400 Received: from smtp24.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.ord1d.rsapps.net with LMTP id SGT+GHenrlzIbAAAetu3IA ; Wed, 10 Apr 2019 22:33:27 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sparklabs.com; dmarc=none (p=nil; dis=none) header.from=sparklabs.com X-Suspicious-Flag: YES X-Classification-ID: 2f2a175a-5c02-11e9-aeef-b8ca3a674470-1-1 Received: from [216.105.38.7] ([216.105.38.7:57995] helo=lists.sourceforge.net) by smtp24.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 91/34-42449-677AEAC5; Wed, 10 Apr 2019 22:33:26 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1hEPWB-00052y-54; Thu, 11 Apr 2019 02:32:47 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1hEPW9-00052l-UR for openvpn-devel@lists.sourceforge.net; Thu, 11 Apr 2019 02:32:45 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:Date:Message-ID:Subject: From:To:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GYlScXnT/YttRcyysNMYkpf1D4j6854NLlRBCmcY7CM=; b=Da9hKgqjwDtClvgOpKIaAuWNEc oGaxBrYSYUv6XILsax18kiKhvK4tAqxfWcGi+BKXen6GMyOFUbcSgXLt3uFNen6I08WPJvUTX97nK y+jyNOCeFWlb6qqhtjp3OknTvqwcQSwgQv7sj4OQum3u6R09j2wzd748x9Co3MLoGEu0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:Date:Message-ID:Subject:From:To:Sender:Reply-To :Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=GYlScXnT/YttRcyysNMYkpf1D4j6854NLlRBCmcY7CM=; b=I /TR9QI3paA/cQq/8K4cUAtFHhINKOyNZkiZfM4NceO+kKWivcTgsmjexg6MIsoOoHWii5TIKkXIYT trXB3hu1IeLoJeY+b0/FlVUpZ/XKBphGzCnGWN+IsfGAgPBI+Tv4M4Hqq8S/+Fyl0LvWoaETvqzqh K0JPkZbGiZ9fHRU0=; Received: from silicon.sparklabs.com ([66.185.22.121]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1hEPW8-00DHlh-CQ for openvpn-devel@lists.sourceforge.net; Thu, 11 Apr 2019 02:32:45 +0000 Received: from localhost (localhost [127.0.0.1]) by silicon.sparklabs.com (Postfix) with ESMTP id 07FAC4DE2761 for ; Thu, 11 Apr 2019 12:07:31 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sparklabs.com; h=content-language:content-type:content-type:mime-version :user-agent:date:date:message-id:subject:subject:from:from :received:received; s=mail; t=1554948450; x=1557540451; bh=GYlSc XnT/YttRcyysNMYkpf1D4j6854NLlRBCmcY7CM=; b=Vzy/P9XVlXWFGNpME1VQX g9dcQGDiq8b7CgxKh/a3ND+zOTYFuLlHGmNHZZUAEcitTRAOkBLnAkDBodSlH1Ey EMgY6JsXFf5IH5F534gPA6hBcky4P1oa7aSprrOQVzH97yUX2iWr8ROOkIGvsesC hqSkR0iJOABEzpI8ZBlhiQ= Received: from silicon.sparklabs.com ([127.0.0.1]) by localhost (silicon.sparklabs.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vOQ5IDZrQoYd for ; Thu, 11 Apr 2019 12:07:30 +1000 (AEST) Received: from [192.168.1.38] (180-150-107-152.b4966b.syd.nbn.aussiebb.net [180.150.107.152]) by silicon.sparklabs.com (Postfix) with ESMTPSA id 276FF4DE274B for ; Thu, 11 Apr 2019 12:07:29 +1000 (AEST) To: openvpn-devel@lists.sourceforge.net From: Eric Thorpe Message-ID: Date: Thu, 11 Apr 2019 12:07:27 +1000 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Language: en-US X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: sparklabs.com] -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1hEPW8-00DHlh-CQ Subject: [Openvpn-devel] [PATCH v2 1/2] Send auth fail to client on reneg failure X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Hi All, This patch relies on Arne's "Add send_control_channel_string_dowork variant" patch. This patch modifies auth so that on a renegotiation the client is informed of a SESSION re-auth failure during a renegotiation if either their auth-token has expired, or they enter a wrong password in the case of auth-nocache for example. This also addresses my previous patch for supporting a client reason being rejected. Regards, Eric diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 28c3b8867..a883faa79 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2085,6 +2085,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) /* set flag so we don't get called again */ mi->connection_established_flag = true; + mi->context.c2.tls_multi->connection_established = true; /* increment number of current authenticated clients */ ++m->n_clients; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index dd5bd4163..327ae0891 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -233,6 +233,36 @@ send_auth_failed(struct context *c, const char *client_reason) gc_free(&gc); } +/* + * Send auth failed message from server to client without scheduling. + * Main use for queuing a message during renegotiation + */ +void +send_push_reply_auth_failed(struct tls_multi *multi, const char *client_reason) +{ + struct gc_arena gc = gc_new(); + static const char auth_failed[] = "AUTH_FAILED"; + size_t len; + + len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed); + if (len > PUSH_BUNDLE_SIZE) + { + len = PUSH_BUNDLE_SIZE; + } + + { + struct buffer buf = alloc_buf_gc(len, &gc); + buf_printf(&buf, auth_failed); + if (client_reason) + { + buf_printf(&buf, ",%s", client_reason); + } + send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH); + } + + gc_free(&gc); +} + /* * Send restart message from server to client. */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index ac25ffa78..b82a014a0 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -547,6 +547,7 @@ struct tls_multi time_t auth_token_tstamp; /**< timestamp of the generated token */ bool auth_token_sent; /**< If server uses --auth-gen-token and * token has been sent to client */ + bool connection_established ; /** Notifies future auth calls this is a reneg */ /* * Our session objects. */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c7e595e46..fd83cde85 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1336,6 +1336,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now) { msg(D_HANDSHAKE, "Auth-token for client expired\n"); + send_push_reply_auth_failed(multi, "SESSION:Auth-token expired"); wipe_auth_token(multi); ks->authenticated = false; goto done; @@ -1458,6 +1459,12 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } else { + if (multi->connection_established) + { + /* Notify the client */ + send_push_reply_auth_failed(multi, "SESSION:Auth failed"); + + } msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); }