From patchwork Sat Sep 17 03:48:32 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2764
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 17 Sep 2022 15:48:32 +0200
Message-Id: <20220917134832.16359-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220914185937.31423-1-a@unstable.cc>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v2 1/2] auth-user-pass: add support for inline credentials
Cc: Antonio Quartulli

--auth-user-pass is probably the only option expecting a filename as argument that cannot be inline'd as of today.

This patch allows specifying username and password inline in the config file within the tag.

This logic was already implemented for --http-proxy-user-pass, therefore it was just about applying it to this specific option as well.

Note that the current logic expects username and password to always be specified when inline. Therefore omitting the password will result in storing an empty password. A later patch will change this behaviour to make it consistent with the classic case (username written in file), where the password is requested via stdin when missing.

While at it, add an empty line between prototypes in init.c to make uncrustify happy.
Signed-off-by: Antonio Quartulli Acked-by: Gert Doering --- Changes from v1: * properly add _inline suffix to 2nd argument of auth_user_pass_setup() --- Changes.rst | 4 ++++ src/openvpn/init.c | 9 +++++++-- src/openvpn/options.c | 12 +++++++----- src/openvpn/options.h | 1 + src/openvpn/ssl.c | 24 ++++++++++++++++++------ src/openvpn/ssl.h | 6 ++++-- src/openvpn/ssl_common.h | 1 + 7 files changed, 42 insertions(+), 15 deletions(-) diff --git a/Changes.rst b/Changes.rst index 275f8d64..2967533a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -87,6 +87,10 @@ Data channel offloading with ovpn-dco this implies that peers must be running 2.6.0+ in order to have P2P-NCP which brings DATA_V2 packet support. +Inline auth username and password + Username and password can now be specified inline in the configuration file + within the tags. + Deprecated features ------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f3770477..f2db8dd9 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -71,6 +71,7 @@ static const char *saved_pid_file_name; /* GLOBAL */ #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) static void do_init_first_time(struct context *c); + static bool do_deferred_p2p_ncp(struct context *c); void @@ -593,9 +594,12 @@ init_query_passwords(const struct context *c) if (c->options.auth_user_pass_file) { #ifdef ENABLE_MANAGEMENT - auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); + auth_user_pass_setup(c->options.auth_user_pass_file, + c->options.auth_user_pass_file_inline, + &c->options.sc_info); #else - auth_user_pass_setup(c->options.auth_user_pass_file, NULL); + auth_user_pass_setup(c->options.auth_user_pass_file, + c->options.auth_user_pass_file_inline, NULL); #endif } } 
@@ -3061,6 +3065,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.client_config_dir_exclusive = options->client_config_dir; } to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; to.auth_token_generate = options->auth_token_generate; to.auth_token_lifetime = options->auth_token_lifetime; to.auth_token_call_auth = options->auth_token_call_auth; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 765695da..2786c28b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1556,7 +1556,7 @@ show_p2mp_parms(const struct options *o) SHOW_BOOL(client); SHOW_BOOL(pull); - SHOW_STR(auth_user_pass_file); + SHOW_STR_INLINE(auth_user_pass_file); gc_free(&gc); } @@ -4027,9 +4027,10 @@ options_postprocess_filechecks(struct options *options) options->management_user_pass, R_OK, "--management user/password file"); #endif /* ENABLE_MANAGEMENT */ - errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, - options->auth_user_pass_file, R_OK, - "--auth-user-pass"); + errs |= check_file_access_inline(options->auth_user_pass_file_inline, + CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, + options->auth_user_pass_file, R_OK, + "--auth-user-pass"); /* ** System related ** */ errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK|X_OK, "--chroot directory"); @@ -7705,10 +7706,11 @@ add_option(struct options *options, } else if (streq(p[0], "auth-user-pass") && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); if (p[1]) { options->auth_user_pass_file = p[1]; + options->auth_user_pass_file_inline = is_inline; } else { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 5488db31..c9144154 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -523,6 +523,7 @@ struct options int push_continuation; unsigned int push_option_types_found; const char *auth_user_pass_file; + bool auth_user_pass_file_inline; struct options_pre_connect *pre_connect; int scheduled_exit_interval; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 15c8defc..b166da6d 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -396,23 +396,32 @@ static char *auth_challenge; /* GLOBAL */ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +auth_user_pass_setup(const char *auth_file, bool is_inline, + const struct static_challenge_info *sci) { + unsigned int flags = GET_USER_PASS_MANAGEMENT; + + if (is_inline) + { + flags |= GET_USER_PASS_INLINE_CREDS; + } + auth_user_pass_enabled = true; if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT if (auth_challenge) /* dynamic challenge/response */ { + flags |= GET_USER_PASS_DYNAMIC_CHALLENGE; get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, - GET_USER_PASS_MANAGEMENT|GET_USER_PASS_DYNAMIC_CHALLENGE, + flags, auth_challenge); } else if (sci) /* static challenge response */ { - int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_STATIC_CHALLENGE; + flags |= GET_USER_PASS_STATIC_CHALLENGE; if (sci->flags & SC_ECHO) { flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO; @@ -425,7 +434,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * } else #endif /* ifdef ENABLE_MANAGEMENT */ - get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); + get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags); } } 
@@ -2165,9 +2174,12 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined)) { #ifdef ENABLE_MANAGEMENT - auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); + auth_user_pass_setup(session->opt->auth_user_pass_file, + session->opt->auth_user_pass_file_inline, + session->opt->sci); #else - auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); + auth_user_pass_setup(session->opt->auth_user_pass_file, + session->opt->auth_user_pass_file_inline, NULL); #endif struct user_pass *up = &auth_user_pass; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index ec0d2862..8a8a299f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -367,9 +367,11 @@ void pem_password_setup(const char *auth_file); /* * Setup authentication username and password. If auth_file is given, use the - * credentials stored in the file. + * credentials stored in the file, however, if is_inline is true then auth_file + * contains the username/password inline. */ -void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info); +void auth_user_pass_setup(const char *auth_file, bool is_inline, + const struct static_challenge_info *sc_info); /* * Ensure that no caching is performed on authentication information diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index bf3ac67a..eb91de15 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -366,6 +366,7 @@ struct tls_options bool auth_user_pass_verify_script_via_file; const char *tmp_dir; const char *auth_user_pass_file; + bool auth_user_pass_file_inline; bool auth_token_generate; /**< Generate auth-tokens on successful * user/pass auth,seet via
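Review bot: The Changes.rst hunk ("Inline auth username and password") leaves out a caveat the commit message itself states: when the credentials are inline, both username and password are currently required, and an omitted password is stored as an empty password. Add one sentence to the entry saying so (or that the stdin fallback for a missing password is still pending), so users do not assume the file-based prompting behaviour applies to the inline form.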
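Review bot: In the options.c show_p2mp_parms hunk, the switch from SHOW_STR to SHOW_STR_INLINE is necessary rather than cosmetic: with inline credentials, options->auth_user_pass_file holds the username and password themselves instead of a path, so printing it verbatim in the option dump would write the password to the log. Please confirm SHOW_STR_INLINE prints a placeholder instead of the value when the _inline flag is set, and check that no other logging path still prints auth_user_pass_file directly.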
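Review bot: In the options_postprocess_filechecks hunk, moving to check_file_access_inline(options->auth_user_pass_file_inline, CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, ...) means the CHKACC_PRIVATE permission check is no longer applied when the credentials are inline, since there is no separate credentials file to inspect; their exposure is then governed solely by the configuration file's own permissions. The documentation should state that inline credentials inherit the config file's permissions, and it is worth considering whether the same private-file warning should be emitted for the config file in that case.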
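Review bot: In the add_option hunk for "auth-user-pass", options->auth_user_pass_file_inline is assigned only inside the if (p[1]) branch; the else branch (option given without an argument) leaves whatever value the flag already had. If a configuration contains an inline block followed later by a bare --auth-user-pass, the inline flag stays set although auth_user_pass_file no longer refers to inline content. Suggest resetting it in the else branch, e.g. `options->auth_user_pass_file_inline = false;`.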
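Review bot: The updated comment in the ssl.h hunk ("use the credentials stored in the file, however, if is_inline is true then auth_file contains the username/password inline") is a comma splice and reads as if the two cases could both hold. Suggest splitting it: "If auth_file is given, use the credentials stored in that file. If is_inline is true, auth_file instead contains the username and password themselves."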