From patchwork Fri Jul 19 13:14:07 2024
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3771
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 19 Jul 2024 15:14:07 +0200
Message-Id: <20240719131407.75746-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v3] Static-challenge concatenation option

From: Selva Nair

Extend "--static-challenge" option to take a third argument (= scrv1 or concat) to specify that the password and response should be concatenated instead of using the SCRV1 protocol. If unspecified, it defaults to "scrv1" meaning that the SCRV1 protocol should be used.

v2: use scrv1|concat instead of 0|1 as option argument
    fix typos
v3: improve and correct documentation in management-notes.txt

Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d
Signed-off-by: Selva Nair
Acked-by: Frank Lichtenheld
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/665
This mail reflects revision 3 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above): Frank Lichtenheld

diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index b75fe5b..a06948e 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -541,12 +541,15 @@ Valid syntax: :: - static-challenge text echo + static-challenge text echo [format] The ``text`` challenge text is presented to the user which describes what information is requested. The ``echo`` flag indicates if the user's input should be echoed on the screen. Valid ``echo`` values are - :code:`0` or :code:`1`. + :code:`0` or :code:`1`. The optional ``format`` indicates whether + the password and response should be combined using the SCRV1 protocol + (``format`` = :code:`scrv1`) or simply concatenated (``format`` = :code:`concat`). + :code:`scrv1` is the default. See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b9947fa..b55135a 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -1320,14 +1320,20 @@ OpenVPN's --static-challenge option is used to provide the challenge text to OpenVPN and indicate whether or not the response -should be echoed. +should be echoed and how the response should be combined with the +password. When credentials are needed and the --static-challenge option is used, the management interface will send: - >PASSWORD:Need 'Auth' username/password SC:, + >PASSWORD:Need 'Auth' username/password SC:, - ECHO: "1" if response should be echoed, "0" to not echo + flag: an integer whose least significant bit is the ECHO flag and + the next significant bit is the FORMAT flag. + ECHO = (flag & 0x1) is 1 if response should be echoed, 0 to not echo + FORMAT = (flag & 0x2) is 1 if response should be concatenated with + password as plain text, 0 if response and password should be encoded + as described below. Thus flag could take values 0, 1, 2, or 3. TEXT: challenge text that should be shown to the user to facilitate their response 
@@ -1342,8 +1348,9 @@ The management interface client in this case should add the static challenge text to the auth dialog followed by a field for the user to -enter a response. Then the management interface client should pack the -password and response together into an encoded password and send: +enter a response. If flag = 0 or 1 (i.e., FORMAT=0), the management +interface client should pack the password and response together into +an encoded password and send: username "Auth" password "Auth" "SCRV1::" @@ -1354,6 +1361,12 @@ the user. The and/or the can be empty strings. +If flag = 2 or 3 (i.e., FORMAT=1), the client should simply concatenate +password and response with no separator and send: + + username "Auth" + password "Auth" "" + (As in all username/password responses described in the "COMMAND -- password and username" section above, the username can be in quotes, and special characters such as double quotes or backslashes must be @@ -1361,10 +1374,15 @@ For example, if user "foo" entered "bar" as the password and 8675309 as the PIN, the following management interface commands should be -issued: +issued if flag = 0 or 1 (i.e., FORMAT = 0): username "Auth" foo password "Auth" "SCRV1:YmFy:ODY3NTMwOQ==" ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the base 64 encoding of "8675309".) + +or, if flag = 2 or 3 (i.e., FORMAT = 1): + + username "Auth" foo + password "Auth" "bar8675309" diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 24f3121..05b5a1a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3544,7 +3544,8 @@ if (sc) { buf_printf(&alert_msg, " SC:%d,%s", - BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), + BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO) + |(BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1), sc); } diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 598fbae..516b1ed 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c 
@@ -438,17 +438,28 @@ { msg(M_FATAL, "ERROR: could not retrieve static challenge response"); } - if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 - || openvpn_base64_encode(response, strlen(response), &resp64) == -1) + if (!(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT)) { - msg(M_FATAL, "ERROR: could not base64-encode password/static_response"); + if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 + || openvpn_base64_encode(response, strlen(response), &resp64) == -1) + { + msg(M_FATAL, "ERROR: could not base64-encode password/static_response"); + } + buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); + buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64); + string_clear(pw64); + free(pw64); + string_clear(resp64); + free(resp64); } - buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); - buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64); - string_clear(pw64); - free(pw64); - string_clear(resp64); - free(resp64); + else + { + if (strlen(up->password) + strlen(response) >= USER_PASS_LEN) + { + msg(M_FATAL, "ERROR: could not concatenate password/static_response: string too long"); + } + strncat(up->password, response, USER_PASS_LEN - strlen(up->password) - 1); + } } #endif /* ifdef ENABLE_MANAGEMENT */ } diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 963f3e6..f3b824e 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -91,6 +91,7 @@ */ struct static_challenge_info { #define SC_ECHO (1<<0) /* echo response when typed by user */ +#define SC_CONCAT (1<<1) /* concatenate password and response and do not base64 encode */ unsigned int flags; const char *challenge_text; 
@@ -117,6 +118,7 @@ #define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */ #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ +#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11) /* indicates password and response should be concatenated */ /** * Retrieves the user credentials from various sources depending on the flags. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 64e67aa..295ed3d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -518,8 +518,10 @@ " Add domains to DNS domain search list\n" "--auth-retry t : How to handle auth failures. Set t to\n" " none (default), interact, or nointeract.\n" - "--static-challenge t e : Enable static challenge/response protocol using\n" + "--static-challenge t e []: Enable static challenge/response protocol using\n" " challenge text t, with e indicating echo flag (0|1)\n" + " and optional argument scrv1 or concat to use SCRV1 protocol or" + " concatenate response with password. Default is scrv1.\n" "--connect-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" @@ -7932,7 +7934,7 @@ auth_retry_set(msglevel, p[1]); } #ifdef ENABLE_MANAGEMENT - else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) + else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sc_info.challenge_text = p[1]; @@ -7940,6 +7942,15 @@ { options->sc_info.flags |= SC_ECHO; } + if (p[3] && streq(p[3], "concat")) + { + options->sc_info.flags |= SC_CONCAT; + } + else if (p[3] && !streq(p[3], "scrv1")) + { + msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]); + goto err; + } } #endif else if (streq(p[0], "msg-channel") && p[1]) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..25c6ccf 100644 --- a/src/openvpn/ssl.c 
+++ b/src/openvpn/ssl.c @@ -312,6 +312,10 @@ { flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO; } + if (sci->flags & SC_CONCAT) + { + flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT; + } get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH,
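Review bot: In the management-notes.txt hunk that introduces the "flag" field, the SC: value sent to management clients changes from a 0/1 boolean to a bitfield that can be 0, 1, 2 or 3, and the text does not say what older clients do with it. A client written against the previous description that treats any non-zero value as "echo" will echo a response the configuration asked to hide whenever flag = 2, which turns a display-hygiene setting into an on-screen leak of the second factor. Please add a compatibility sentence stating that clients must test ECHO as (flag & 0x1) rather than flag != 0, and that a client which does not understand bit 1 will send an SCRV1-packed password for a --static-challenge ... concat configuration.

Review bot: In the management-notes.txt hunk that adds the "bar8675309" example, the doc should spell out that the concatenated form carries no separator, so the receiving side cannot tell "bar" + "8675309" from "bar8" + "675309" and must already know where the password ends (for example because the response is a fixed-length OTP). Without that caveat a reader may pick concat for a backend that actually needs the SCRV1 split, and the plain form also forfeits the base64 step that keeps ':' in a password from colliding with the SCRV1 field delimiter.

Review bot: In the manage.c hunk, `BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO) |(BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1)` is missing the space after `|`, and the bit positions are now defined in three places (SC_ECHO/SC_CONCAT in misc.h, the GET_USER_PASS_* flags, and this ad-hoc packing into the SC: integer). Consider a small helper or a comment next to the shift that ties "<< 1" to the FORMAT bit documented in management-notes.txt, so the next flag added here cannot silently land on the wrong bit.

Review bot: In the misc.c hunk, the new concat branch fails with M_FATAL when `strlen(up->password) + strlen(response) >= USER_PASS_LEN`, which is the right call since silently truncating a credential would submit a wrong password; but the retained SCRV1 branch still does not check the return value of `buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64)`, so an over-long base64 string is truncated without any diagnostic. Please make the two branches consistent by checking the buf_printf result and failing the same way. The `strncat` bound `USER_PASS_LEN - strlen(up->password) - 1` is redundant given the preceding check but harmless; a one-line comment saying the length check above is the real guard would avoid a future reader "fixing" one without the other.

Review bot: In the options.c usage-text hunk, the first new continuation line `" and optional argument scrv1 or concat to use SCRV1 protocol or"` has no trailing `\n`, so the help output joins it with the following literal into one line well over the width of the surrounding text; add the `\n` and re-wrap. Also the bracketed placeholder in `"--static-challenge t e []: ..."` is empty as shown, so the third argument has no name the description can refer to; name it (e.g. `[f]`) and refer to that letter in the description, as is done for `t` and `e`.

A management-client view of the flag bits and the two packing formats described in the management-notes.txt hunk above, as an added example in Python (not OpenVPN's own code and not part of this patch). It assumes the notification has the form `>PASSWORD:Need 'Auth' username/password SC:<flag>,<text>` as the doc describes, that management-interface quoting escapes backslashes and double quotes with a backslash, and that USER_PASS_LEN is 128; the sample notification lines are constructed.

```python
"""Client side of OpenVPN's static-challenge exchange (added example).

Parses the ">PASSWORD:Need 'Auth' username/password SC:<flag>,<text>"
notification and builds the two reply commands, packing the password as
SCRV1 (FORMAT bit clear) or as plain concatenation (FORMAT bit set).
"""
import base64
import re

SC_ECHO = 0x1     # bit 0: echo the user's response while typing
SC_CONCAT = 0x2   # bit 1: concatenate password+response instead of SCRV1
USER_PASS_LEN = 128  # assumed value of OpenVPN's password buffer size

# Assumed notification layout, following the doc text: "<flag>,<text>".
_SC_RE = re.compile(r"^>PASSWORD:Need 'Auth' username/password SC:(\d+),(.*)$")


def parse_static_challenge(line):
    """Return (echo, concat, challenge_text) for a static-challenge line.

    Raises ValueError for non-matching lines and for flag values that set
    bits other than ECHO and CONCAT (only 0..3 are defined).  Masking the
    bits, rather than testing flag != 0, is what keeps a hidden response
    hidden when flag == 2.
    """
    m = _SC_RE.match(line)
    if not m:
        raise ValueError("not a static-challenge PASSWORD notification")
    flag = int(m.group(1))
    if flag & ~(SC_ECHO | SC_CONCAT):
        raise ValueError("undefined SC flag bits in %d" % flag)
    return bool(flag & SC_ECHO), bool(flag & SC_CONCAT), m.group(2)


def quote_mgmt(s):
    """Quote a management-interface argument (assumed rule: backslash and
    double quote are escaped with a backslash)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def pack_password(password, response, concat):
    """Combine password and challenge response as the daemon expects.

    SCRV1 base64-encodes both parts so neither can collide with the ':'
    delimiter; concat appends the response verbatim with no separator and
    therefore must also respect the daemon's USER_PASS_LEN limit.
    """
    if concat:
        packed = password + response
        if len(packed) >= USER_PASS_LEN:
            raise ValueError("password+response too long for USER_PASS_LEN")
        return packed
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return "SCRV1:%s:%s" % (b64(password), b64(response))


def build_auth_reply(username, password, response, flag):
    """Return the two commands a client sends back for the given SC flag."""
    concat = bool(flag & SC_CONCAT)
    packed = pack_password(password, response, concat)
    return [
        'username "Auth" ' + quote_mgmt(username),
        'password "Auth" ' + quote_mgmt(packed),
    ]


if __name__ == "__main__":
    # Constructed notifications: flag 1 = echo, SCRV1; flag 2 = no echo, concat.
    for line in (">PASSWORD:Need 'Auth' username/password SC:1,Enter PIN",
                 ">PASSWORD:Need 'Auth' username/password SC:2,Enter PIN"):
        echo, concat, text = parse_static_challenge(line)
        print("prompt=%r echo=%s concat=%s" % (text, echo, concat))
        for cmd in build_auth_reply("foo", "bar", "8675309", (echo and SC_ECHO) | (concat and SC_CONCAT)):
            print("  " + cmd)
```

Run stand-alone it prints the SCRV1 reply `"SCRV1:YmFy:ODY3NTMwOQ=="` for flag 1 and the plain `"bar8675309"` for flag 2, matching the two examples in the doc hunk; the length check in the concat path mirrors the M_FATAL in the misc.c hunk so an over-long credential is rejected on the client instead of being truncated.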