From patchwork Wed Aug 25 11:02:30 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1922
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 25 Aug 2021 17:02:30 -0400
Message-Id: <20210825210232.22509-1-selva.nair@gmail.com>
In-Reply-To: <20210825040122.14244-1-selva.nair@gmail.com>
References: <20210825040122.14244-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 1/3] Add remote-count and remote-entry query via management
From: Selva Nair Selecting the remote host via the management interface (management-query-remote) provides a restrictive user experience as there is no easy way to tabulate all available remote entries and show a list to the user to choose from. Fix that. Two new commands for querying the management interface are added: (i) remote-entry-count : returns the number of remotes specified in the config file. Example result: >REMOTE-ENTRY-COUNT:10 (ii) remote-entry-get index : returns the remote entry at index in the form index,host,port,protocol. Example result for index = 2: >REMOTE-ENTRY:2,ovpn.example.com,1194,udp v2: use independent callback functions for the two commands See also management-notes.txt Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- Changes.rst | 5 ++++ doc/management-notes.txt | 22 +++++++++++++++++ src/openvpn/init.c | 43 ++++++++++++++++++++++++++++++++ src/openvpn/manage.c | 53 ++++++++++++++++++++++++++++++++++++++++ src/openvpn/manage.h | 4 ++- 5 files changed, 126 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 0323a7f7..e5ac8098 100644 --- a/Changes.rst +++ b/Changes.rst @@ -4,6 +4,11 @@ Overview of changes in 2.6 New features ------------ +New management commands to enumerate and list remote entries + Use ``remote-entry-count`` and ``remote-entry-get index`` + commands from the management interface to get the number of + remote entries and the entry at index respectively. + Keying Material Exporters (RFC 5705) based key generation As part of the cipher negotiation OpenVPN will automatically prefer the RFC5705 based key material generation to the current custom diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 84e3d04b..f7a0fe1f 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -897,6 +897,28 @@ the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client may not interact with external IP addresses using an "unknown" protocol (i.e. one that is not IPv4 or ARP). +COMMAND -- remote-entry-count (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------- + +Retrieve available number of remote host/port entries + +Example: + + remote-entry-count + >REMOTE-ENTRY-COUNT:5 + +COMMAND -- remote-entry-get (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------ + +Retrieve remote entry (host, port and protocol) by index. + +Example: + + remote-entgry-get 1 + REMOTE-ENTRY:1,vpn.example.com,1194,udp + +The protocol could be tcp-client or udp on client. + COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher) -------------------------------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 386aee23..7c550b6a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -330,6 +330,47 @@ management_callback_send_cc_message(void *arg, return status; } +static unsigned int +management_callback_remote_entry_count(void *arg) +{ + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + + return l->len; +} + +static bool +management_callback_remote_entry_get(void *arg, unsigned int index, char **remote) +{ + assert(arg); + assert(remote); + + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + bool ret = true; + + if (index < l->len) + { + struct connection_entry *ce = l->array[index]; + const char *proto = proto2ascii(ce->proto, ce->af, false); + + /* space for output including 2 commas and a nul */ + int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + 2 + 1; + char *out = malloc(len); + check_malloc_return(out); + + openvpn_snprintf(out, len, "%s,%s,%s", ce->remote, ce->remote_port, proto); + *remote = out; + } + else + { + ret = false; + msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index); + } + + return ret; +} + static bool management_callback_remote_cmd(void *arg, const char **p) { @@ -3944,6 +3985,8 @@ init_management_callback_p2p(struct context *c) #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif + cb.remote_entry_count = management_callback_remote_entry_count; + cb.remote_entry_get = management_callback_remote_entry_get; management_set_callback(management, &cb); } #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index f86c87f2..214ea4be 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -94,6 +94,8 @@ man_help(void) msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); + msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); + msg(M_CLIENT, "remote-entry-get index : Get remote entry at index."); msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info."); msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process."); #ifdef ENABLE_PKCS11 @@ -829,6 +831,46 @@ man_pkcs11_id_get(struct management *man, const int index) #endif /* ifdef ENABLE_PKCS11 */ +static void +man_remote_entry_count(struct management *man) +{ + unsigned count = 0; + if (man->persist.callback.remote_entry_count) + { + count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg); + msg(M_CLIENT, ">REMOTE-ENTRY-COUNT:%u", count); + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry-count command is not supported by the current daemon mode"); + } +} + +static void +man_remote_entry_get(struct management *man, unsigned int index) +{ + char *remote = NULL; + + if (man->persist.callback.remote_entry_get) + { + bool res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, index, &remote); + if (res && remote) + { + msg(M_CLIENT, ">REMOTE-ENTRY:%u,%s", index, remote); + } + else + { + msg(M_CLIENT, ">REMOTE-ENTRY:%u", index); + } + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry command is not supported by the current daemon mode"); + } + + free(remote); +} + static void man_hold(struct management *man, const char *cmd) { 
@@ -1601,6 +1643,17 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } } #endif + else if (streq(p[0], "remote-entry-count")) + { + man_remote_entry_count(man); + } + else if (streq(p[0], "remote-entry-get")) + { + if (man_need(man, p, 1, 0)) + { + man_remote_entry_get(man, atoi(p[1])); + } + } else if (streq(p[0], "proxy")) { if (man_need(man, p, 1, MN_AT_LEAST)) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 6d6f2fb1..5de0a7da 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 3 +#define MANAGEMENT_VERSION 4 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -186,6 +186,8 @@ struct management_callback #ifdef TARGET_ANDROID int (*network_change)(void *arg, bool samenetwork); #endif + unsigned int (*remote_entry_count)(void *arg); + bool (*remote_entry_get)(void *arg, unsigned int index, char **remote); }; /*
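Review bot: in the doc/management-notes.txt hunk the example command is misspelled (`remote-entgry-get 1`), and the example reply `REMOTE-ENTRY:1,vpn.example.com,1194,udp` is missing the leading `>` that manage.c actually emits (`>REMOTE-ENTRY:%u,%s`) and that the commit message shows; please fix both so that a client author copying the example gets the real wire format. The text should also state that the index is zero-based (with a count of 5 the valid indexes are 0..4, as the `index < l->len` check in init.c implies), what an out-of-range index returns (manage.c answers with a bare `>REMOTE-ENTRY:<index>` and no fields), and that the callbacks are only registered in init_management_callback_p2p, so a server-mode daemon answers with the `ERROR: ... not supported by the current daemon mode` line.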
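Review bot: in the first init.c hunk, management_callback_remote_entry_get computes `strlen(ce->remote)` without a NULL check; if `ce->remote` can be NULL for a p2p instance started without a `--remote` directive, this crashes on `remote-entry-get 0`, so either guard it (return false with the warning) or document the precondition. The two `assert()` calls are the C library macro, which compiles away under NDEBUG and differs from the project's ASSERT(); use the latter for consistency. Finally, the string returned through `*remote` is allocated with malloc here and freed by the caller in manage.c; add a comment on the function stating that the caller owns and must free() it, since nothing in the hunk records that contract.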
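Review bot: in the manage.c hunk adding man_remote_entry_count and man_remote_entry_get, the error string in man_remote_entry_get names the command `remote-entry` whereas the command is `remote-entry-get` (the count variant names its command correctly). Also, the out-of-range case answers with a truncated success line `>REMOTE-ENTRY:%u`, so a client has to special-case a reply with missing fields; the rest of the interface reports failures with an `ERROR:` line, so consider `ERROR: remote entry index out of range` instead (the M_WARN in init.c already logs the details). Minor: `unsigned count` should be `unsigned int count` to match the declaration style of the callback it calls.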
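Review bot: in the man_dispatch_command hunk, `atoi(p[1])` silently maps non-numeric input to 0 and converts negative values to a large `unsigned int`, so `remote-entry-get abc` returns entry 0 instead of an error. Parse the argument with strtoul and an end-pointer check (or the project's positive-integer helper, if one is preferred here) and answer malformed input with an `ERROR:` line before calling man_remote_entry_get.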
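Review bot: in the manage.h hunk, the MANAGEMENT_VERSION bump from 3 to 4 is the right way for clients to detect the new commands, but the two new members of struct management_callback carry no comment; document that `index` is zero-based and that `remote_entry_get` must return a heap string which the management code releases with free(), otherwise a future implementer of the callback (for example for server mode) may hand back static storage and the `free(remote)` in manage.c becomes undefined behaviour.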
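As an added example, not part of this patch or the OpenVPN project, a small Python client for the two commands the commit message describes: it parses the `>REMOTE-ENTRY-COUNT:` and `>REMOTE-ENTRY:` replies emitted by the manage.c hunk, including the bare reply for an out-of-range index and the `ERROR:` line from a daemon mode without the callbacks. The `socket_transact` adapter and the constructed replies in `demo()` are assumptions; on a real daemon you would pass `socket_transact(sock.makefile("rw"))` to `list_remotes`.

```python
import re
COUNT_RE = re.compile(r"^>REMOTE-ENTRY-COUNT:(\d+)$")
# Out-of-range index: the daemon answers a bare ">REMOTE-ENTRY:i" with the fields absent.
ENTRY_RE = re.compile(r"^>REMOTE-ENTRY:(\d+)(?:,([^,]+),([^,]+),([^,]+))?$")

def parse_count(line):
    """'>REMOTE-ENTRY-COUNT:N' -> N; any other line (e.g. 'ERROR: ...') -> None."""
    m = COUNT_RE.match(line.strip())
    return int(m.group(1)) if m else None

def parse_entry(line):
    """'>REMOTE-ENTRY:i,host,port,proto' -> (i, dict); bare '>REMOTE-ENTRY:i' -> (i, None)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = m.group(2, 3, 4)
    entry = None if fields[0] is None else dict(zip(("host", "port", "proto"), fields))
    return int(m.group(1)), entry

def list_remotes(transact):
    """transact(cmd) sends one command and returns its reply line; entries come back in index order."""
    count = parse_count(transact("remote-entry-count"))
    if count is None:
        raise RuntimeError("remote-entry-count unsupported (server-mode daemon?)")
    remotes = []
    for i in range(count):  # zero-based: init.c indexes l->array[index] for index < len
        parsed = parse_entry(transact("remote-entry-get %d" % i))
        if parsed is None or parsed[0] != i or parsed[1] is None:
            raise RuntimeError("unexpected reply for index %d: %r" % (i, parsed))
        remotes.append(parsed[1])
    return remotes

def socket_transact(f):
    """Adapt a management socket file object (sock.makefile('rw')) to transact(); assumed wiring."""
    def transact(cmd):
        f.write(cmd + "\n"); f.flush()
        line = f.readline()
        while line and not line.startswith((">REMOTE-ENTRY", "ERROR:")):  # skip >INFO/>LOG lines
            line = f.readline()
        return line
    return transact

def demo():
    """Run the enumeration against constructed replies (not captured from a real daemon)."""
    replies = {"remote-entry-count": ">REMOTE-ENTRY-COUNT:2",
               "remote-entry-get 0": ">REMOTE-ENTRY:0,ovpn.example.com,1194,udp",
               "remote-entry-get 1": ">REMOTE-ENTRY:1,ovpn.example.com,443,tcp-client"}
    return list_remotes(replies.__getitem__)
```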