From patchwork Sun Mar 13 08:31:51 2022
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 2331
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 13 Mar 2022 20:31:51 +0100
Message-Id: <20220313193154.9350-1-openvpn@sf.lists.topphemmelig.net>
Subject: [Openvpn-devel] [PATCH v4 0/3] Disable multiple deferred authentication

From: David Sommerseth

An issue was discovered with OpenVPN 2.x when multiple --plugin modules were loaded and more than one of them used deferred authentication. To fix this properly will require a larger refactoring of the plug-in code, so it was decided in the meantime to disable the possibility to run an OpenVPN server with such a setup.

This issue affects the OpenVPN server mode only.

This patch set adds a new test plug-in and adds some test documentation on how to test various combinations of authentication plug-ins. Since this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in, just more flexible for test setups, we remove the old one.

The fix itself is isolated in a separate patch in this set. The order of patches is insignificant; there are no inter-dependencies between them.
---
kind regards,

David Sommerseth
OpenVPN Inc

---

David Sommerseth (3):
  sample-plugin: New plugin for testing multiple auth plugins
  plug-ins: Disallow multiple deferred authentication plug-ins
  plugins: Remove defer/simple.c sample plugin

 doc/man-sections/plugin-options.rst                  |   9 +
 doc/tests/authentication-plugins.md                  | 153 +++++++++++
 include/openvpn-plugin.h.in                          |   4 +-
 sample/sample-plugins/Makefile.plugins               |   2 +-
 sample/sample-plugins/README                         |   6 +-
 .../defer/{simple.c => multi-auth.c}                 | 248 ++++++++++--------
 sample/sample-plugins/defer/simple.def               |   6 -
 src/openvpn/plugin.c                                 |  33 ++-
 8 files changed, 333 insertions(+), 128 deletions(-)
 create mode 100644 doc/tests/authentication-plugins.md
 rename sample/sample-plugins/defer/{simple.c => multi-auth.c} (61%)
 delete mode 100755 sample/sample-plugins/defer/simple.def