From patchwork Sun Oct 9 20:12:29 2022
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 2808
X-Patchwork-Delegate: arne-openvpn@rfc2549.org
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Oct 2022 09:12:29 +0200
Message-Id: <20221010071229.7935-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH] TLS: do not lock empty usernames

We do not permit username changes on renegotiation (= username is "locked"
after successful initial authentication).

Unfortunately the way this is written this gets in the way of using
auth-user-pass-optional + pushing "auth-token-user" from client-connect
(and most likely also "from management") because we'll lock an empty
username, and on renegotiation, refuse the client with

  TLS Auth Error: username attempted to change from '' to 'MyTokenUser' -- tunnel disabled

Fix: extend "is username a valid pointer" to "... and points to a non-empty
string" before locking.
---
 src/openvpn/ssl_verify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 76cb9f19..4206cf9c 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -166,7 +166,7 @@ tls_lock_username(struct tls_multi *multi, const char *username)
     }
     else
     {
-        if (username)
+        if (username && *username)
         {
             multi->locked_username = string_alloc(username, NULL);
         }
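Review bot: the new condition `if (username && *username)` does what the commit message asks, but nothing in the hunk records why an empty username is deliberately left unlocked, and the effect relies on the branch above the `else` (outside the visible context) treating a NULL `multi->locked_username` as "not yet locked" on every later renegotiation, so a session that authenticated with an empty username stays changeable until a non-empty one arrives. Suggest a short comment above the check, e.g. `/* an empty username (auth-user-pass-optional) is not locked, so a later auth-token-user push can still set it */`, and, since the commit message says the management-interface path is only "most likely" affected too, stating there whether that path was actually tested.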
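The lock-then-compare behaviour the commit message describes, as an added example that is not OpenVPN's code: a small C model with the old locking rule and the patched rule side by side, so the refused renegotiation and the fix can be reproduced on the page's own scenario. Every name in it (struct session, the lock_username_* and check_username functions, dup_str) is made up for the illustration; the real tls_lock_username() is structured differently.

```c
/* Added example, not OpenVPN's code: a minimal model of the username lock the
 * patch changes; all names here (struct session, lock_*, check_username) are made up. */
#include <stdlib.h>
#include <string.h>

struct session {
    char *locked_username;  /* NULL until a username has been locked */
};

static char *dup_str(const char *s)  /* strdup, without relying on POSIX */
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Old rule: any non-NULL pointer is locked, so the empty string "" is locked too. */
static void lock_username_old(struct session *s, const char *username)
{
    if (s->locked_username == NULL && username)
        s->locked_username = dup_str(username);
}

/* New rule (the patch): lock only a non-empty username. */
static void lock_username_new(struct session *s, const char *username)
{
    if (s->locked_username == NULL && username && *username)
        s->locked_username = dup_str(username);
}

/* Renegotiation check: once locked, the username must not change.
 * Returns 1 if the session may continue, 0 if it must be refused. */
static int check_username(const struct session *s, const char *username)
{
    if (s->locked_username == NULL)
        return 1;  /* nothing locked yet, any username is accepted */
    return strcmp(s->locked_username, username ? username : "") == 0;
}

/* Commit-message scenario: initial auth with an empty username, then a renegotiation
 * presenting the pushed "MyTokenUser". Returns 1 if accepted and later changes refused. */
static int renegotiate_with_token_user(void (*lock)(struct session *, const char *))
{
    struct session s = { NULL };
    lock(&s, "");                    /* initial authentication, empty username */
    int ok = check_username(&s, "MyTokenUser");
    lock(&s, "MyTokenUser");         /* locks only if nothing was locked before */
    ok = ok && check_username(&s, "MyTokenUser") && !check_username(&s, "Other");
    free(s.locked_username);
    return ok;
}
```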