From patchwork Tue Sep 7 12:31:24 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1942
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Sep 2021 18:31:24 -0400
Message-Id: <20210907223126.8440-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210825210232.22509-1-selva.nair@gmail.com>
References: <20210825210232.22509-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v3 1/3] Add remote-count and remote-entry query via management
From: Selva Nair

Selecting the remote host via the management interface (management-query-remote)
provides a restrictive user experience as there is no easy way to tabulate all
available remote entries and show a list to the user to choose from. Fix that.

Two new commands for querying the management interface are added:

(i) remote-entry-count : returns the number of remotes specified in the config file.

    Example result:
    10
    END

(ii) remote-entry-get i [j]: returns the remote entry at index i in the form
index,host,port,protocol. Or, if j is present, all entries from index i to j-1
are returned, one per line.

    Example result for i = 2:
    2,ovpn.example.com,1194,udp
    END

    Example result for i = 2, j = 4
    2,ovpn.example.com,1194,udp
    3,ovpn.example.com,443,tcp-client
    END

    remote-entry-get all: returns all remote entries.

v2: use independent callback functions for the two commands
v3: return results as 0 or more lines terminated by END, as done for all other
    similar commands. v1 was fashioned after pkcs11-id-count and pkcs11-id-get
    which use a format not consistent with the rest of the management commands.

See also management-notes.txt

Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
---
 Changes.rst              |  5 +++
 doc/management-notes.txt | 60 ++++++++++++++++++++++++++++++++++
 src/openvpn/init.c       | 44 +++++++++++++++++++++++++
 src/openvpn/manage.c     | 70 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/manage.h     |  4 ++-
 5 files changed, 182 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index 637ed97a..fa5d5ffa 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -4,6 +4,11 @@ Overview of changes in 2.6 New features ------------ +New management commands to enumerate and list remote entries + Use ``remote-entry-count`` and ``remote-entry-get`` + commands from the management interface to get the number of + remote entries and the entries themselves. + Keying Material Exporters (RFC 5705) based key generation As part of the cipher negotiation OpenVPN will automatically prefer the RFC5705 based key material generation to the current custom diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 84e3d04b..544caf46 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -897,6 +897,66 @@ the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client may not interact with external IP addresses using an "unknown" protocol (i.e. one that is not IPv4 or ARP). +COMMAND -- remote-entry-count (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------- + +Retrieve available number of remote host/port entries + +Example: + + Management interface client sends: + + remote-entry-count + + OpenVPN daemon responds with + + 5 + END + +COMMAND -- remote-entry-get (OpenVPN 2.6+ management version > 3) +------------------------------------------------------------------ + + remote-entry-get [] + +Retrieve remote entry (host, port and protocol) for index + or indices from to +1. Alternatively + = "all" retrieves all remote entries. + +Example 1: + + Management interface client sends: + + remote-entry-get 1 + + OpenVPN daemon responds with + + 1,vpn.example.com,1194,udp + END + +Example 2: + + Management interface client sends: + + remote-entry-get 1 3 + + OpenVPN daemon responds with + + 1,vpn.example.com,1194,udp + 2,vpn.example.net,443,tcp-client + END + +Example 3: + Management interface client sends: + + remote-entry-get all + + OpenVPN daemon with 3 connection entries responds with + + 1,vpn.example.com,1194,udp + 2,vpn.example.com,443,tcp-client + 3,vpn.example.net,443,udp + END + COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher) -------------------------------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 386aee23..39dcfcef 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -330,6 +330,48 @@ management_callback_send_cc_message(void *arg, return status; } +static unsigned int +management_callback_remote_entry_count(void *arg) +{ + assert(arg); + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + + return l->len; +} + +static bool +management_callback_remote_entry_get(void *arg, unsigned int index, char **remote) +{ + assert(arg); + assert(remote); + + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + bool ret = true; + + if (index < l->len) + { + struct connection_entry *ce = l->array[index]; + const char *proto = proto2ascii(ce->proto, ce->af, false); + + /* space for output including 2 commas and a nul */ + int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) + 2 + 1; + char *out = malloc(len); + check_malloc_return(out); + + openvpn_snprintf(out, len, "%s,%s,%s", ce->remote, ce->remote_port, proto); + *remote = out; + } + else + { + ret = false; + msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index); + } + + return ret; +} + static bool management_callback_remote_cmd(void *arg, const char **p) { @@ -3944,6 +3986,8 @@ init_management_callback_p2p(struct context *c) #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif + cb.remote_entry_count = management_callback_remote_entry_count; + cb.remote_entry_get = management_callback_remote_entry_get; management_set_callback(management, &cb); } #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index f86c87f2..f2a51d6c 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -94,6 +94,8 @@ man_help(void) msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); + msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); + msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all."); msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info."); msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process."); #ifdef ENABLE_PKCS11 
@@ -829,6 +831,63 @@ man_pkcs11_id_get(struct management *man, const int index) #endif /* ifdef ENABLE_PKCS11 */ +static void +man_remote_entry_count(struct management *man) +{ + unsigned count = 0; + if (man->persist.callback.remote_entry_count) + { + count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg); + msg(M_CLIENT, "%u", count); + msg(M_CLIENT, "END"); + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry-count command is not supported by the current daemon mode"); + } +} + +#define min(a,b) ((a) < (b) ? (a) : (b)) + +static void +man_remote_entry_get(struct management *man, const char *p1, const char *p2) +{ + ASSERT(p1); + + if (man->persist.callback.remote_entry_get + && man->persist.callback.remote_entry_count) + { + bool res; + unsigned int from, to; + unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg); + + from = (unsigned int) atoi(p1); + to = p2? (unsigned int) atoi(p2) : from + 1; + + if (!strcmp(p1, "all")) + { + from = 0; + to = count; + } + + for (unsigned int i = from; i < min(to, count); i++) + { + char *remote = NULL; + res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote); + if (res && remote) + { + msg(M_CLIENT, "%u,%s", i, remote); + } + free(remote); + } + msg(M_CLIENT, "END"); + } + else + { + msg(M_CLIENT, "ERROR: The remote-entry command is not supported by the current daemon mode"); + } +} + static void man_hold(struct management *man, const char *cmd) { @@ -1601,6 +1660,17 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } } #endif + else if (streq(p[0], "remote-entry-count")) + { + man_remote_entry_count(man); + } + else if (streq(p[0], "remote-entry-get")) + { + if (man_need(man, p, 1, MN_AT_LEAST)) + { + man_remote_entry_get(man, p[1], p[2]); + } + } else if (streq(p[0], "proxy")) { if (man_need(man, p, 1, MN_AT_LEAST)) 
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 6d6f2fb1..5de0a7da 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 3 +#define MANAGEMENT_VERSION 4 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -186,6 +186,8 @@ struct management_callback #ifdef TARGET_ANDROID int (*network_change)(void *arg, bool samenetwork); #endif + unsigned int (*remote_entry_count)(void *arg); + bool (*remote_entry_get)(void *arg, unsigned int index, char **remote); }; /*
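Review bot: in the Changes.rst hunk, the new-feature entry should also say that the management interface version is bumped (MANAGEMENT_VERSION goes from 3 to 4 in the manage.h hunk, and management-notes.txt advertises both commands as "management version > 3"): a GUI decides whether it may issue these commands from the "Management Version" line of the `version` reply, so that is the fact a reader of the release notes will look for.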
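Review bot: in the management-notes.txt hunk, the range description and Example 3 do not match the code. The description reads "indices from to +1" (the index placeholders are missing in the rendered text), but the upper bound is exclusive: it should say entries i through j-1, which is what the manage.c help text ("to j-1") and Example 2 (`remote-entry-get 1 3` returns entries 1 and 2) already state. Example 3 has `remote-entry-get all` on a daemon with 3 entries replying with indices 1, 2, 3, whereas man_remote_entry_get() starts at 0 and prints the loop counter, so the real reply is 0, 1, 2; saying once that indices are zero-based would spare GUI authors an off-by-one. Minor: "Retrieve available number of remote host/port entries" should be "Retrieve the number of available remote host/port entries".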
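Review bot: in the init.c hunk adding management_callback_remote_entry_get(), strlen(ce->remote) is evaluated unconditionally; please confirm that every connection entry reachable here has a non-NULL remote (a p2p instance started without --remote has no host to report), otherwise guard it, for example `const char *host = ce->remote ? ce->remote : "";` and use host in the length computation and the openvpn_snprintf(). The two new callbacks also use libc assert() while man_remote_entry_get() in the manage.c hunk uses OpenVPN's ASSERT(); assert() disappears under NDEBUG, so ASSERT() keeps the NULL checks in release builds and matches the rest of the patch.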
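Review bot: in the init_management_callback_p2p() hunk, the callbacks are registered for the p2p/client context only, so a server-mode instance answers both commands with the "not supported by the current daemon mode" ERROR from manage.c. That is the right behaviour, but management-notes.txt should say next to the version requirement that the commands are client-side only.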
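Review bot: in the man_help() hunk, "Get remote entry at index = i to to j-1 or all" has a doubled "to"; suggest `remote-entry-get i|all [j] : Get remote entries with index i to j-1, or all.`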
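Review bot: in the man_remote_entry_get() hunk, both indices are parsed with atoi(), which reports nothing on bad input: `remote-entry-get foo` silently returns entry 0 (atoi("foo") is 0), `remote-entry-get 1 abc` returns only END, and atoi() on an out-of-range string is undefined behaviour. Parsing with strtoul() plus an end-pointer check, and replying with an ERROR: line for anything that is neither a number nor "all", makes client bugs visible instead of hiding them; moving the strcmp(p1, "all") test before the atoi() calls also avoids running "all" through atoi() at all. Two smaller points: `#define min(a,b)` in a .c file is a generic macro name that can collide with other headers, and integer.h already provides typed helpers (min_int() and friends) for this; and the error text says "remote-entry" where the command is "remote-entry-get".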
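Review bot: in the manage.h hunk, the new `bool (*remote_entry_get)(void *arg, unsigned int index, char **remote)` hands a heap string back to manage.c, which releases it with free(); that ownership contract (the implementer allocates with malloc(), the caller frees, and *remote is left untouched when false is returned) belongs in a comment on the declaration so a later implementer does not return a gc- or stack-allocated string. Bumping MANAGEMENT_VERSION to 4 is right, since the command set changed.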
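A management-interface client for the two commands described in the commit message, as an added example that is not part of this patch or of the OpenVPN tree. It is in Python rather than C because the consumer of these commands is a GUI or wrapper talking to the daemon over the management socket. FakeManagementDaemon is a constructed stand-in that reproduces the reply format of man_remote_entry_count() and man_remote_entry_get() from the patch (zero-based index, exclusive upper bound clamped to the entry count, "all", atoi()-style parsing, results terminated by END, and the ERROR: reply of a daemon mode without the callbacks); the remote entries fed to it are made up; tcp_transport() assumes a daemon started with `--management 127.0.0.1 7505` and is not exercised offline.

```python
import re
import socket
from typing import Callable, List, Tuple

RemoteEntry = Tuple[int, str, str, str]  # (index, host, port, protocol)
U32 = 0xFFFFFFFF


class ManagementError(Exception):
    """The daemon replied with an ERROR: line, or the reply was malformed."""


def _c_atoi_u32(text: str) -> int:
    """Mimic the patch's `(unsigned int) atoi(p)`: leading integer or 0, wrapped to 32 bits."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return (int(m.group(1)) if m else 0) & U32


class FakeManagementDaemon:
    """Constructed stand-in for the daemon side (not OpenVPN code). Reproduces the reply
    format of man_remote_entry_count()/man_remote_entry_get() from the patch."""

    def __init__(self, entries: List[Tuple[str, str, str]], p2p: bool = True):
        self.entries = list(entries)  # one (host, port, protocol) per --remote line
        self.p2p = p2p  # False: daemon mode without the callbacks registered

    def handle(self, command: str) -> str:
        parts = command.split()
        cmd = parts[0] if parts else ""
        if not self.p2p:
            return f"ERROR: The {cmd} command is not supported by the current daemon mode\r\n"
        count = len(self.entries)
        if cmd == "remote-entry-count":
            return f"{count}\r\nEND\r\n"
        if cmd == "remote-entry-get":
            if len(parts) < 2:
                return "ERROR: the 'remote-entry-get' command requires at least 1 parameter\r\n"
            if parts[1] == "all":
                lo, hi = 0, count
            else:  # zero-based, exclusive upper bound, clamped to count, as in the C loop
                lo = _c_atoi_u32(parts[1])
                hi = _c_atoi_u32(parts[2]) if len(parts) > 2 else (lo + 1) & U32
            lines = [f"{i},{host},{port},{proto}" for i, (host, port, proto)
                     in enumerate(self.entries) if lo <= i < min(hi, count)]
            return "".join(line + "\r\n" for line in lines) + "END\r\n"
        return "ERROR: unknown command\r\n"


def parse_response(raw: str) -> List[str]:
    """Payload lines of one reply (everything before END). '>' lines are asynchronous
    notifications (>INFO, >LOG, ...) and are skipped; ERROR: or a missing END raises."""
    payload: List[str] = []
    for line in raw.splitlines():
        if line.startswith(">"):
            continue
        if line.startswith("ERROR:"):
            raise ManagementError(line)
        if line == "END":
            return payload
        payload.append(line)
    raise ManagementError("reply not terminated by END: %r" % raw)


def parse_remote_entry(line: str) -> RemoteEntry:
    """Parse one 'index,host,port,protocol' line, rejecting anything malformed."""
    fields = line.split(",")
    if len(fields) != 4 or not fields[0].isdigit() or not all(fields[1:]):
        raise ManagementError("malformed remote entry: %r" % line)
    return int(fields[0]), fields[1], fields[2], fields[3]


def list_remotes(send: Callable[[str], str]) -> List[RemoteEntry]:
    """Enumerate all remote entries as a GUI filling a server picker would. send() takes a
    command line and returns the raw reply; `0 <count>` is requested instead of `all` so
    the indices that come back can be checked against the count the daemon reported."""
    count_lines = parse_response(send("remote-entry-count"))
    if len(count_lines) != 1 or not count_lines[0].isdigit():
        raise ManagementError("bad remote-entry-count reply: %r" % count_lines)
    count = int(count_lines[0])
    if count == 0:
        return []
    entries = [parse_remote_entry(l) for l in parse_response(send(f"remote-entry-get 0 {count}"))]
    if [e[0] for e in entries] != list(range(count)):
        raise ManagementError("expected indices 0..%d, got %r" % (count - 1, [e[0] for e in entries]))
    return entries


def tcp_transport(host: str = "127.0.0.1", port: int = 7505) -> Callable[[str], str]:
    """send() over a TCP management socket; assumes `--management 127.0.0.1 7505` (assumption,
    not run offline). A real client delimits replies itself by reading up to END or ERROR:;
    the >INFO banner sent on connect lands in the first reply and parse_response() drops it."""
    sock = socket.create_connection((host, port))
    rfile = sock.makefile("r")

    def send(command: str) -> str:
        sock.sendall((command + "\n").encode())
        buf: List[str] = []
        while True:
            line = rfile.readline()
            if not line:
                raise ManagementError("management connection closed")
            buf.append(line)
            if line.strip() == "END" or line.startswith("ERROR:"):
                return "".join(buf)
    return send
```

With a live daemon the call is `list_remotes(tcp_transport())`. Two details matter in practice: the client must treat the reply as a stream and stop at END or ERROR: itself, since nothing else frames it, and it must tolerate the '>'-prefixed real-time messages the daemon can interleave with any reply. Asking for an explicit `0 <count>` range and checking the returned indices catches the case where the daemon's count and its entry list disagree.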