From patchwork Tue Aug 24 18:01:21 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1919
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 25 Aug 2021 00:01:21 -0400
Message-Id: <20210825040122.14244-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
Subject: [Openvpn-devel] [PATCH 1/2] Add remote-count and remote-entry query via management
From: Selva Nair

Selecting the remote host via the management interface (management-query-remote) provides a restrictive user experience as there is no easy way to tabulate all available remote entries and show a list to the user to choose from. Fix that.

Two new commands for querying the management interface are added:

(i) remote-entry-count : returns the number of remotes specified in the config file. Example result:
    >REMOTE-ENTRY-COUNT:10

(ii) remote-entry-get index : returns the remote entry at index in the form index,host,port,protocol. Example result for index = 2:
    >REMOTE-ENTRY:2,ovpn.example.com,1194,udp

See also management-notes.txt

Signed-off-by: Selva Nair
---
 Changes.rst              |  5 ++++
 doc/management-notes.txt | 22 +++++++++++++++++
 src/openvpn/init.c       | 36 ++++++++++++++++++++++++++++
 src/openvpn/manage.c     | 52 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/manage.h     |  3 ++-
 5 files changed, 117 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst index 0323a7f7..e5ac8098 100644 --- a/Changes.rst +++ b/Changes.rst @@ -4,6 +4,11 @@ Overview of changes in 2.6 New features ------------ +New management commands to enumerate and list remote entries + Use ``remote-entry-count`` and ``remote-entry-get index`` + commands from the management interface to get the number of + remote entries and the entry at index respectively. + Keying Material Exporters (RFC 5705) based key generation As part of the cipher negotiation OpenVPN will automatically prefer the RFC5705 based key material generation to the current custom diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 84e3d04b..f7a0fe1f 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -897,6 +897,28 @@ the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client may not interact with external IP addresses using an "unknown" protocol (i.e. one that is not IPv4 or ARP). +COMMAND -- remote-entry-count (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------- + +Retrieve available number of remote host/port entries + +Example: + + remote-entry-count + >REMOTE-ENTRY-COUNT:5 + +COMMAND -- remote-entry-get (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------ + +Retrieve remote entry (host, port and protocol) by index. + +Example: + + remote-entgry-get 1 + REMOTE-ENTRY:1,vpn.example.com,1194,udp + +The protocol could be tcp-client or udp on client. + COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher) -------------------------------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 386aee23..3c98a408 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -330,6 +330,41 @@ management_callback_send_cc_message(void *arg, return status; } +static bool +management_callback_remote_entry(void *arg, unsigned *count, char **remote) +{ + assert(arg); + assert(count); + + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + bool ret = true; + + if (!remote) /* query is for the count of entries */ + { + *count = l->len; + } + else if (*count < l->len) /* the query is for entry with index = count */ + { + struct connection_entry *ce = l->array[*count]; + const char *proto = proto2ascii(ce->proto, ce->af, false); + + /* space for output including 2 commas and a nul */ + int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + 2 + 1; + char *out = malloc(len); + check_malloc_return(out); + + openvpn_snprintf(out, len, "%s,%s,%s", ce->remote, ce->remote_port, proto); + *remote = out; + } + else + { + ret = false; + msg(M_WARN, "Invalid arguments in management query for remote entry: count = %u", *count); + } + return ret; +} + static bool management_callback_remote_cmd(void *arg, const char **p) { @@ -3944,6 +3979,7 @@ init_management_callback_p2p(struct context *c) #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif + cb.remote_entry = management_callback_remote_entry; management_set_callback(management, &cb); } #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index f86c87f2..c2eb699f 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -94,6 +94,8 @@ man_help(void) msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); + msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); + msg(M_CLIENT, "remote-entry-get index : Get remote entry at index."); msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info."); msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process."); #ifdef ENABLE_PKCS11 @@ -829,6 +831,45 @@ man_pkcs11_id_get(struct management *man, const int index) #endif /* ifdef ENABLE_PKCS11 */ +static void +man_remote_entry_count(struct management *man) +{ + unsigned count = 0; + if (man->persist.callback.remote_entry) + { + (*man->persist.callback.remote_entry)(man->persist.callback.arg, &count, NULL); + msg(M_CLIENT, ">REMOTE-ENTRY-COUNT:%u", count); + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry-count command is not supported by the current daemon mode"); + } +} + +static void +man_remote_entry_get(struct management *man, unsigned index) +{ + char *remote = NULL; + + if (man->persist.callback.remote_entry) + { + const bool status = (*man->persist.callback.remote_entry)(man->persist.callback.arg, &index, &remote); + if (status) + { + msg(M_CLIENT, ">REMOTE-ENTRY:%u,%s", index, remote); + } + else + { + msg(M_CLIENT, ">REMOTE-ENTRY:%u", index); + } + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry command is not supported by the current daemon mode"); + } + free(remote); +} + static void man_hold(struct management *man, const char *cmd) { 
@@ -1601,6 +1642,17 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } } #endif + else if (streq(p[0], "remote-entry-count")) + { + man_remote_entry_count(man); + } + else if (streq(p[0], "remote-entry-get")) + { + if (man_need(man, p, 1, 0)) + { + man_remote_entry_get(man, atoi(p[1])); + } + } else if (streq(p[0], "proxy")) { if (man_need(man, p, 1, MN_AT_LEAST)) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 6d6f2fb1..b7fcb86c 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 3 +#define MANAGEMENT_VERSION 4 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -186,6 +186,7 @@ struct management_callback #ifdef TARGET_ANDROID int (*network_change)(void *arg, bool samenetwork); #endif + bool (*remote_entry) (void *arg, unsigned *count, char **remote); }; /*
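Review bot: the Changes.rst entry should say that the two commands are only answered in client (p2p) mode, since the callback is installed solely in init_management_callback_p2p() and a server-mode daemon replies with "ERROR: ... not supported by the current daemon mode"; mentioning that they need management version 4 (the MANAGEMENT_VERSION bump in manage.h) would also let GUI authors gate the feature cleanly.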
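Review bot: the remote-entry-get example in the doc/management-notes.txt hunk has a typo in the command name ("remote-entgry-get 1") and its reply line lacks the leading ">" that both the remote-entry-count example and the manage.c format string ">REMOTE-ENTRY:%u,%s" use; it should read "remote-entry-get 1" followed by ">REMOTE-ENTRY:1,vpn.example.com,1194,udp". The text also does not describe the reply for an out-of-range index, which the manage.c hunk makes ">REMOTE-ENTRY:<index>" with no fields; that case belongs in the notes so a client can recognise it. Finally, "The protocol could be tcp-client or udp on client" is narrower than what the callback can emit: proto2ascii() is called with ce->af, so address-family-qualified names such as udp6 are possible when the entry carries a family.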
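Review bot: management_callback_remote_entry() in the init.c hunk dereferences c->options.connection_list without a NULL check; unless every configuration that reaches init_management_callback_p2p() is guaranteed to have a connection list, reading l->len faults on the first management query, so guard it (return false, or report a count of 0). Smaller points in the same function: assert() should be the project's ASSERT() macro like the rest of init.c; "*count < l->len" compares an unsigned value with the signed len and "int len = strlen(...) + ..." narrows a size_t, both of which trigger sign/conversion warnings; and since the malloc()ed string is handed across to manage.c to be freed there, the ownership rule (callee allocates, caller frees) deserves a comment at the function head.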
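Review bot: in man_remote_entry_get() the failure reply ">REMOTE-ENTRY:%u" for a bad index is not an error line; every other command in manage.c reports failure with an "ERROR:" reply (the daemon-mode branch directly below does so), so a client parsing the output cannot tell "invalid index" from a truncated success line without counting commas. Reply with something like "ERROR: invalid remote entry index" and document it in management-notes.txt. Also, the daemon-mode message says "The remote-entry command" while the command is named remote-entry-get, and man_remote_entry_count() uses the correct name; make the two consistent.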
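Review bot: in the man_dispatch_command() hunk, "man_remote_entry_get(man, atoi(p[1]))" silently maps non-numeric input to index 0 and negative input to a very large value once converted to the unsigned parameter; the callback's "*count < l->len" check does reject it, but the M_WARN log then prints the wrapped value rather than what the client typed. Parse the argument explicitly (strtoul with an end-pointer check, rejecting a leading minus sign) and answer bad input with an ERROR line instead of reaching the callback.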
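Review bot: the new remote_entry member added to struct management_callback in the manage.h hunk overloads "count" as an in/out parameter whose meaning depends on whether "remote" is NULL (entry count out when NULL, index in otherwise), and it is added without a comment; document both modes and the malloc()/free() ownership of *remote on the field, or split it into separate remote_entry_count and remote_entry_get callbacks so the prototype is self-explanatory. The MANAGEMENT_VERSION bump from 3 to 4 is consistent with the "management version > 3" wording in the documentation hunk.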