From patchwork Tue Mar 15 04:53:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2344 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id yMOJNSu3MGKvDQAAqwncew (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id YMKNNiu3MGJDDQAAalYnBA (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 Received: from smtp19.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTPS id UJhPNiu3MGJwFwAAgjf6aA (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 7882c5fc-a478-11ec-bb18-525400d67fa8-1-1 Received: from [216.105.38.7] ([216.105.38.7:53060] helo=lists.sourceforge.net) by smtp19.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F5/91-02364-B27B0326; Tue, 15 Mar 2022 11:56:27 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nU9VC-0005jO-IM; Tue, 15 Mar 2022 15:54:25 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nU9VA-0005j9-Nx for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; b=fvSS4j0ACPLypGi0uy0vOyVQUI nBmuUdpcLUo0vFf17Y2xIsQQxBBRNONROXHF3IFc4DmPzlEMVBTEPKOuCY67kul9JrWGeGzJF9w+0 TkELucBZxMOqlXeWW248kI+2rhDieQFXQ9OaenEu+IjO196rcubjB4qM+CCNNHpSLNzU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; b=hra/pr72T/YjS07wmyfzIW6N1Z YWk2DPDlAcYEWUzCeAx0pPzwXbcS2YJhcKyE+GIV071+RN+1Cs/x8gMuJjFlpejBvMoEg9gttbD0P JkPfW1DqfIfnjBFazZC6+x4Z65bLD6sFE6mx5gpNH6UooW2ttxK30RztgOeDRwKJUXyg=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nU9V7-00072c-OL for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:23 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id E2600E713 for ; Tue, 15 Mar 2022 15:54:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647359654; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=qBUkAG6HkC1uK58AgbVTPXOnGltr5eqUjRhE6/V1iNqNLQXxlxzk2tK4qnvOXuidb I4qk1HtgqKyKYF5ec8qM1As86vdQIcblyJbEPCNeSd9xBh6G2XXgAUDVGTNRb0Fb8V xIA83S3NMP/l61MxK735SwqKE02TSckelqr/lWnUM7W5Qhf1Z3pemIc7rogu1znu/9 6BTY3xO17ANeImL33SUCoExeHMYWHp+NfsjVxhl5bVzw+w6VlI6SPo9hz3mxqaat8B 9Cw3acOUzZpteDiYbnXr8gQptaPyGm4ieCbQcTCiaQAmXj4JGwbp6BMUcQsjqyNOqY 7P97Oru2BxSJQ== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hwmpo2uN3vL9 for ; Tue, 15 Mar 2022 16:54:14 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id 356CAE712 for ; Tue, 15 Mar 2022 16:54:14 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Mar 2022 16:53:43 +0100 Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> References: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we b [...] Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nU9V7-00072c-OL Subject: [Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth --- Note: The man page snippet is copied from the generated nroff formatting from the git master generated man page. v3 - flip CONSTANT==var to var==CONSTANT in if() clause v4 - Use M_FATAL instead of M_ERR v5 - Fix missing ) in if() clause --- doc/openvpn.8 | 13 +++++++++++++ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 598d5fce..a6a5feb6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. + +.INDENT 7.0 +.TP +.B \fBWARNING\fP: +Plug\-ins may do deferred execution, meaning the plug\-in will +return the control back to the main OpenVPN process and provide +the plug\-in result later on via a different thread or process. +OpenVPN does \fBNOT\fP support multiple authentication plug\-ins +\fBwhere more than one of them\fP do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. +.UNINDENT +.UNINDENT .\"********************************************************* .TP .B \-\-keying\-material\-exporter label len diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 0ab99ab5..a019ec77 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; - bool deferred = false; + bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: - deferred = true; + if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + && deferred_auth_done) + { + /* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ + error = true; + msg(M_FATAL, + "Exiting due to multiple authentication plug-ins " + "performing deferred authentication. Only one " + "authentication plug-in doing deferred auth is " + "allowed. Ignoring the result and stopping now, " + "the current authentication result is not to be " + "trusted."); + break; + } + deferred_auth_done = true; break; default: @@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } - else if (deferred) + else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; }