From patchwork Sun Mar 13 09:07:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2336 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id ADRJI09PLmIWMAAAqwncew (envelope-from ) for ; Sun, 13 Mar 2022 16:08:47 -0400 Received: from proxy5.mail.ord1d.rsapps.net ([172.30.191.6]) by director13.mail.ord1d.rsapps.net with LMTP id UDAHN09PLmLfWAAA91zNiA (envelope-from ) for ; Sun, 13 Mar 2022 16:08:47 -0400 Received: from smtp28.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy5.mail.ord1d.rsapps.net with LMTPS id ADanNk9PLmKFRAAA8Zzt7w (envelope-from ) for ; Sun, 13 Mar 2022 16:08:47 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp28.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 6419637a-a309-11ec-b674-525400ea129b-1-1 Received: from [216.105.38.7] ([216.105.38.7:39916] helo=lists.sourceforge.net) by smtp28.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F6/D6-11248-F4F4E226; Sun, 13 Mar 2022 16:08:47 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nTUVY-0005ux-7I; Sun, 13 Mar 2022 20:08:02 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nTUVW-0005uH-95 for openvpn-devel@lists.sourceforge.net; Sun, 13 Mar 2022 20:08:00 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=sg5x1eco77iM4pDOHFHoXdG5AAsAG3A5E0nD0dKPUdU=; b=KTFd6gdYkOcUe8Tdet3u5N/cA3 H9mUUGnQRxKlSlaTsn9FhViPZJ5zk8kKY6oDAPtmDSxtZWJHmNAu1IdH+igyAj/c/29SF1bE3QHxt G0qs439XtNxOo/o/Pcxk5dqhAAt+VYLVYf6FEAJ8f97LA7cgJGs9XXsv55RvYgyyGqnU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=sg5x1eco77iM4pDOHFHoXdG5AAsAG3A5E0nD0dKPUdU=; b=T76oXFcxP+DTMcmdkK626afUod d8GLh0zC/n6aMqp9ZVU2rK/O3xsivGEKBazw77ehFQKL0oB/y/qzaziE0Ag/HeddwEwoehT0+jvF7 yyAZ/UOz8k1k+TU94xWDJWO6AfNqnJYj5YHF9gXyWsbrAO3NWYx8CjoMAKZikN+j53WU=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nTUVT-00Eagh-Fa for openvpn-devel@lists.sourceforge.net; Sun, 13 Mar 2022 20:08:00 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id A2F5FE716 for ; Sun, 13 Mar 2022 20:07:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647202070; bh=sg5x1eco77iM4pDOHFHoXdG5AAsAG3A5E0nD0dKPUdU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=nvX0cJTjxdm1qldALiZbxKheEk2IAlqNfvY3uHAEXc6ZB+nRaFvIZYFwqJMn78zNN hglhSycJO9l5nOVsrMyCa+69qTEmVCZllJRDieu8Mr7bCl1NjNfaVZqr0A7B8JdahV CRndilgU7WZj/lnvBYzMNu0KA2nGyTld+H9DbzizQoEXHRzwbK4ZhW8jQ0VqvYA9dB eS5POEBmpbMpqaFVPEoAQFLjxL5peNo3S+XPWS6MO/lsn153rkQwrrQ7LjAhw3K3M+ 0PfYe7vBSVP4q+80VqneJF0U9dGgwCbeU2FxUhjAaghagGnGq4b03EVH1Y7XHIT9Vb 5Gq4cgDTh2Cew== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDMB5YJN9Ts0 for ; Sun, 13 Mar 2022 21:07:49 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id EC5C7E713 for ; Sun, 13 Mar 2022 21:07:49 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Sun, 13 Mar 2022 21:07:14 +0100 Message-Id: <20220313200715.13518-3-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220313200715.13518-1-openvpn@sf.lists.topphemmelig.net> References: <20220313200715.13518-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we b [...] Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1nTUVT-00Eagh-Fa Subject: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth Acked-by: Antonio Quartulli --- Note: The man page snippet is copied from the generated nroff formatting from the git master generated man page. v3 - flip CONSTANT==var to var==CONSTANT in if() clause v4 - Use M_FATAL instead of M_ERR --- doc/openvpn.8 | 13 +++++++++++++ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 598d5fce..a6a5feb6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. + +.INDENT 7.0 +.TP +.B \fBWARNING\fP: +Plug\-ins may do deferred execution, meaning the plug\-in will +return the control back to the main OpenVPN process and provide +the plug\-in result later on via a different thread or process. +OpenVPN does \fBNOT\fP support multiple authentication plug\-ins +\fBwhere more than one of them\fP do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. +.UNINDENT +.UNINDENT .\"********************************************************* .TP .B \-\-keying\-material\-exporter label len diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 0ab99ab5..76d1b2e5 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; - bool deferred = false; + bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: - deferred = true; + if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY + && deferred_auth_done) + { + /* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ + error = true; + msg(M_FATAL, + "Exiting due to multiple authentication plug-ins " + "performing deferred authentication. Only one " + "authentication plug-in doing deferred auth is " + "allowed. Ignoring the result and stopping now, " + "the current authentication result is not to be " + "trusted."); + break; + } + deferred_auth_done = true; break; default: @@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } - else if (deferred) + else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; }