From patchwork Fri May 20 11:32:46 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2485
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 20 May 2022 23:32:46 +0200
Message-Id: <20220520213250.3126372-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 0/4] Implement exit notification via control channel and temporary AUTH_FAIL

This patchset consists of three patches and one small clean-up patch.

The first patch deals with exit notification via the control channel instead of using an OCC data message if both peers support it. This is needed to avoid implementing OCC exit messages in the DCO implementation.

In p2p mode this is also implemented and keeps the behaviour that an OCC_EXIT triggers a SIGTERM on the receiving side. This is questionable but should be addressed in a different patch after a discussion.

The second patch implements a way for an OpenVPN server to temporarily reject a user or send them directly to the next server.

To allow testing and using this feature without needing to use the management interface and client-deny, the third patch adds support for providing an AUTH_FAIL message from plugins and scripts.

Finally, here is my own script that I use for testing the custom AUTH_FAIL and auth-pending messages. It will change its behaviour depending on the username:

https://gist.github.com/schwabe/2d412ae9236888b398063317ed6a9be4

Patchset v2 includes the comments from Frank on patches 1-3, and patch 4 is resent to have a complete patch set again, so v1 can be ignored.

Arne Schwabe (4):
  Implement exit notification via control channel
  Cleanup receive_auth_failed and simplify method
  Implement AUTH_FAIL,TEMP message support
  Allow scripts and plugins to set a custom AUTH_FAILED message

 doc/man-sections/client-options.rst  |   7 +-
 doc/man-sections/script-options.rst  |  36 ++++++++
 src/openvpn/Makefile.am              |   1 +
 src/openvpn/crypto.h                 |   5 ++
 src/openvpn/forward.c                |   4 +
 src/openvpn/init.c                   |   9 +-
 src/openvpn/multi.c                  |   5 ++
 src/openvpn/openvpn.vcxproj          |   2 +
 src/openvpn/openvpn.vcxproj.filters  |   3 +
 src/openvpn/options.c                |  20 +++++
 src/openvpn/options.h                |   9 +-
 src/openvpn/options_util.c           | 104 ++++++++++++++++++++++
 src/openvpn/options_util.h           |  33 +++++++
 src/openvpn/push.c                   | 127 ++++++++++++++++-----------
 src/openvpn/push.h                   |   2 +
 src/openvpn/sig.c                    |  27 +++++-
 src/openvpn/ssl.c                    |  16 +++-
 src/openvpn/ssl.h                    |   6 ++
 src/openvpn/ssl_common.h             |   1 +
 src/openvpn/ssl_ncp.c                |   5 ++
 src/openvpn/ssl_verify.c             |  74 +++++++++++++++-
 tests/unit_tests/openvpn/Makefile.am |   1 +
 tests/unit_tests/openvpn/test_misc.c |  49 +++++++++++
 23 files changed, 486 insertions(+), 60 deletions(-)
 create mode 100644 src/openvpn/options_util.c
 create mode 100644 src/openvpn/options_util.h