From patchwork Sun Jul 3 16:58:40 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2573
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jul 2022 22:58:40 -0400
Message-Id: <20220704025840.2558-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH] Fix auth-token usage with management-def-auth

From: Selva Nair

When auth-token verify succeeds during a reauth, other auth methods (plugin, script, management) are skipped unless external-auth is in effect (skip_auth gets set to true). However, in this case, the status of management-def-auth (ks->mda_status) stays at its default value of ACF_PENDING and will never change. This causes TLS keys to go out of sync and an eventual client disconnect. Further, a message saying username/password authentication is "deferred" gets logged, which is misleading.

For example:

    test/127.0.0.1:35874 TLS: Username/auth-token authentication succeeded for username 'test'

followed by

    test/127.0.0.1:35874 TLS: Username/Password authentication deferred for username 'test' [CN SET]

Fix by setting ks->mda_status to ACF_DISABLED, and do not set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true. Also log a warning message when the token is marked as expired on missing the reneg window.

Reported by: Connor Edwards
Signed-off-by: Selva Nair
Acked-By: Arne Schwabe <arne@rfc2549.org>
--- src/openvpn/auth_token.c | 8 +++++--- src/openvpn/ssl_verify.c | 9 ++++++++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 096edc75..b5f9f6dd 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -346,20 +346,22 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi, return 0; } - /* Accept session tokens that not expired are in the acceptable range - * for renogiations */ + /* Accept session tokens only if their timestamp is in the acceptable range + * for renegotiations */ bool in_renegotiation_time = now >= timestamp && now < timestamp + 2 * session->opt->renegotiate_seconds; if (!in_renegotiation_time) { + msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window", + timestamp); ret |= AUTH_TOKEN_EXPIRED; } /* Sanity check the initial timestamp */ if (timestamp < timestamp_initial) { - msg(M_WARN, "Initial timestamp (%" PRIu64 " in token from client earlier than " + msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than " "current timestamp %" PRIu64 ". Broken/unsynchronised clock?", timestamp_initial, timestamp); ret |= AUTH_TOKEN_EXPIRED; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c01841fa..45eaf8ed 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1599,7 +1599,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #ifdef ENABLE_MANAGEMENT if (man_def_auth != KMDA_UNDEF) { - ks->authenticated = KS_AUTH_DEFERRED; + if (skip_auth) + { + ks->mda_status = ACF_DISABLED; + } + else + { + ks->authenticated = KS_AUTH_DEFERRED; + } } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
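Review bot: in the auth_token.c hunk, the new M_WARN in verify_auth_token() prints only the token's `timestamp`, which is not enough to tell why the window check failed; `in_renegotiation_time` depends on `now` and on `2 * session->opt->renegotiate_seconds`, so logging those two values alongside the timestamp (or at least `now`, in the same PRIu64 form the adjacent message already uses) would let an operator distinguish a genuinely stale token from a skewed clock. Note also that this warning fires on every renegotiation that presents an out-of-window token, so one client stuck with an old token produces one line per reneg. While the second message string is being touched to add the missing ")", its wording "earlier than current timestamp" is slightly off: the value printed there is `timestamp` (the token's own timestamp), not the server's current time.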
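Review bot: in the ssl_verify.c hunk, the new `skip_auth` branch sets `ks->mda_status = ACF_DISABLED;` without a comment, and nothing in this #ifdef ENABLE_MANAGEMENT block tells a reader why: the management client is never asked about this session once the auth-token has already verified, so no deferred-auth reply will ever arrive and a terminal status is needed to stop the key state sitting in ACF_PENDING forever (the bug described in the commit message). Suggest a one-line comment above that assignment saying so. Also, this hunk does not touch the code that logs "Username/Password authentication deferred"; the misleading message disappears only indirectly, because `ks->authenticated` is no longer set to KS_AUTH_DEFERRED in the skip_auth case, and it would help to record that dependency in the commit message.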