From patchwork Thu Aug 20 20:24:43 2020
X-Patchwork-Submitter: Eric Thorpe
X-Patchwork-Id: 1398
From: Eric Thorpe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 20 Aug 2020 23:24:43 -0700
Message-Id: <20200821062443.69245-1-eric@sparklabs.com>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

This allows extra INFO_PRE messages to be sent to a client during an authentication stage. This may be required to send additional challenges, or allow longer messages to be sent by breaking them up and sending in parts.

Signed-off-by: Eric Thorpe
---
 doc/management-notes.txt | 32 +++++++++++++++++++++++-----
 src/openvpn/manage.c     | 45 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/manage.h     |  3 +++
 src/openvpn/multi.c      | 17 +++++++++++++++
 src/openvpn/push.c       |  7 ++++++-
 src/openvpn/push.h       |  1 +
 6 files changed, 99 insertions(+), 6 deletions(-)

diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 61daaf07..74e05414 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt
@@ -595,10 +595,10 @@ notification for more info. COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) ---------------------------------------------------- -Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message +Instruct the OpenVPN server to send AUTH_PENDING and INFO_PRE message to signal a pending authenticating to the client. A pending auth means -that the connecting requires extra authentication like a one time -password or doing a single sign one via web. +that the connection requires extra authentication like a one time +password or doing a single sign on via web. client-pending-auth {CID} {EXTRA} @@ -611,8 +611,8 @@ out of band authentication). Before issuing a client-pending-auth to a client instead of a client-auth/client-deny, the server should check the IV_SSO -environment variable if the method is support. The currently -defined method are crtext for challenge/response using text +environment variable if the method is supported. The currently +defined methods are crtext for challenge/response using text (e.g. TOTP), openurl and proxy_url for opening an URL in the client to continue authentication. A client supporting the first two methods would set 
@@ -676,7 +676,29 @@ and fields are used: : the challenge text to be shown to the user. +COMMAND -- client-auth-pending-extra (OpenVPN 2.5 or higher) +------------------------------------------------------------- +Instruct the OpenVPN server to send an INFO_PRE message to the client. +This should be used following client-auth-pending to send extra messages +to the client during an authentication stage, or respond to CR_RESPONSE messages +if further challenges are required. + + client-pending-auth-extra {CID} {EXTRA} + +The server will send INFO_PRE,{EXTRA} to the client. +The client is expected to display the extra information to the user. For the +format of EXTRA, see the client-pending-auth section of this document. +For the OpenVPN server this is stateless operation and needs to be +followed by a client-deny/client-auth[-nt] command (that is the result of the +out of band authentication). + +Before issuing a client-pending-auth-extra to a client, the server should +check the IV_SSO environment variable if the method is supported. + + setenv IV_SSO openurl,crtext + +Refer to client-auth-pending for further information. COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 898cb3b3..b5a7d0df 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -107,6 +107,8 @@ man_help(void) msg(M_CLIENT, " text R and optional client reason text CR"); msg(M_CLIENT, "client-pending-auth CID MSG : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg" " to the client and wait for a final client-auth/client-deny"); + msg(M_CLIENT, "client-pending-auth-extra CID MSG : Instruct OpenVPN to send INFO_PRE msg to the client" + " without AUTH_PENDING. For additional messages"); msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF 
@@ -1040,6 +1042,42 @@ man_client_pending_auth(struct management *man, const char *cid_str, const char } } +/** + * Send additional INFO_PRE information to the client for additional authentication steps + * + * @param man The management interface struct + * @param cid_str The CID in string form + * @param extra The string to be send to the client containing + * the information of the additional steps + */ +static void +man_client_pending_auth_extra(struct management* man, const char* cid_str, const char* extra) +{ + unsigned long cid = 0; + if (parse_cid(cid_str, &cid)) + { + if (man->persist.callback.client_pending_auth_extra) + { + bool ret = (*man->persist.callback.client_pending_auth_extra) + (man->persist.callback.arg, cid, extra); + + if (ret) + { + msg(M_CLIENT, "SUCCESS: client-pending-auth-extra command succeeded"); + } + else + { + msg(M_CLIENT, "SUCCESS: client-pending-auth-extra command failed." + " Extra paramter might be too long"); + } + } + else + { + msg(M_CLIENT, "ERROR: The client-pending-auth-extra command is not supported by the current daemon mode"); + } + } +} + static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra) { @@ -1587,6 +1625,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_client_pending_auth(man, p[1], p[2]); } } + else if (streq(p[0], "client-pending-auth-extra")) + { + if (man_need(man, p, 2, 0)) + { + man_client_pending_auth_extra(man, p[1], p[2]); + } + } #ifdef MANAGEMENT_PF else if (streq(p[0], "client-pf")) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 881bfb14..e586f9ca 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -177,6 +177,9 @@ struct management_callback bool (*client_pending_auth) (void *arg, const unsigned long cid, const char *url); + bool (*client_pending_auth_extra) (void* arg, + const unsigned long cid, + const char* url); char *(*get_peer_info) (void *arg, const unsigned long cid); #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 13738180..157db302 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3931,6 +3931,22 @@ management_client_pending_auth(void *arg, return false; } +static bool +management_client_pending_auth_extra(void* arg, + const unsigned long cid, + const char* extra) +{ + struct multi_context* m = (struct multi_context*)arg; + struct multi_instance* mi = lookup_by_cid(m, cid); + if (mi) + { + /* sends INFO_PRE message to client */ + bool ret = send_auth_info_pre_message(&mi->context, extra); + multi_schedule_context_wakeup(m, mi); + return ret; + } + return false; +} static bool management_client_auth(void *arg, @@ -4040,6 +4056,7 @@ init_management_callback_multi(struct multi_context *m) cb.kill_by_cid = management_kill_by_cid; cb.client_auth = management_client_auth; cb.client_pending_auth = management_client_pending_auth; + cb.client_pending_auth_extra = management_client_pending_auth_extra; cb.get_peer_info = management_get_peer_info; #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/push.c b/src/openvpn/push.c index e0d2eeaf..beb3223b 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -292,8 +292,13 @@ send_auth_pending_messages(struct context *c, const char *extra) { send_control_channel_string(c, "AUTH_PENDING", D_PUSH); - static const char info_pre[] = "INFO_PRE,"; + return send_auth_info_pre_message(c, extra); +} +bool +send_auth_info_pre_message(struct context* c, const char* extra) +{ + static const char info_pre[] = "INFO_PRE,"; size_t len = strlen(extra)+1 + sizeof(info_pre); if (len > PUSH_BUNDLE_SIZE) 
diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 2faf19a6..e067f8b1 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -78,6 +78,7 @@ void send_auth_failed(struct context *c, const char *client_reason); * more details on message format */ bool send_auth_pending_messages(struct context *c, const char *extra); +bool send_auth_info_pre_message(struct context* c, const char* extra); void send_restart(struct context *c, const char *kill_msg);
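Review bot: the two hunks at -595 and -611 of doc/management-notes.txt only fix pre-existing typos in the client-pending-auth section ("authenticating", "connecting", "single sign one", "is support", "method are") and are unrelated to the new command; splitting them into their own commit would make this patch easier to review and to backport.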
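Review bot: the command name in the -676 documentation hunk is inconsistent with what the code accepts. The heading reads "client-auth-pending-extra", the text says "This should be used following client-auth-pending" and closes with "Refer to client-auth-pending", but the syntax line gives `client-pending-auth-extra {CID} {EXTRA}`, man_dispatch_command matches `streq(p[0], "client-pending-auth-extra")`, and the existing command documented a few lines above is `client-pending-auth`. Use the `client-pending-auth[-extra]` spelling throughout (the patch subject has the same inversion), and change "this is stateless operation" to "this is a stateless operation".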
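Review bot: the new man_help line in the -107 hunk of manage.c ends in the fragment `" without AUTH_PENDING. For additional messages"`; finish the sentence so the help output reads as one description, for example "... to the client without AUTH_PENDING, for sending additional messages during a pending auth".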
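Review bot: in man_client_pending_auth_extra (manage.c, -1040 hunk) the failure branch reports with a SUCCESS: prefix: `msg(M_CLIENT, "SUCCESS: client-pending-auth-extra command failed." " Extra paramter might be too long");`. Management clients key on the SUCCESS:/ERROR: prefix, so an undeliverable or oversized message would be treated as delivered and the external auth flow would carry on as if the user had seen it; make this `ERROR: ...` like the "not supported by the current daemon mode" branch below it. While there, fix "paramter", change "The string to be send" to "to be sent" in the doxygen block, and use the file's `struct management *man` pointer spacing rather than `struct management* man`.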
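Review bot: the new callback in manage.h, `bool (*client_pending_auth_extra) (void* arg, const unsigned long cid, const char* url);`, names its last parameter `url`, but the multi.c implementation calls it `extra` and it carries arbitrary INFO_PRE text (a crtext challenge or a message fragment), not necessarily a URL; rename it `extra` and match the `void *arg` style of the neighbouring client_pending_auth declaration.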
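Review bot: management_client_pending_auth_extra (multi.c, -3931 hunk) sends INFO_PRE to whatever instance lookup_by_cid returns without checking that the instance is actually waiting in a pending auth, even though the documentation hunk says the command "should be used following client-auth-pending"; a management client that reuses a stale CID or issues the command late will push INFO_PRE into a session that is not in that stage. Consider verifying the pending-auth state here and returning false otherwise, or state explicitly in the docs that the management client is responsible for that. Also add a blank line between the new function's closing `+}` and the following `static bool management_client_auth(` so the file keeps one function per block.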
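Review bot: in the push.c hunk the split leaves `+}` immediately followed by `+bool` with no blank line between send_auth_pending_messages and the new send_auth_info_pre_message; add one, and keep the `struct context *c` spacing used two lines above instead of `struct context* c`. The length check against PUSH_BUNDLE_SIZE moving into the new function is the right place for it, since the extra-message path now relies on it too.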
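Review bot: the push.h hunk adds the prototype `bool send_auth_info_pre_message(struct context* c, const char* extra);` directly after the doxygen block that ends "* more details on message format */" and describes send_auth_pending_messages, so the generated docs will read as if that comment covered both functions. Give send_auth_info_pre_message its own comment stating that it sends only INFO_PRE,{extra} (no AUTH_PENDING) and what its return value means, and match the `struct context *c` style of the line above.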