From patchwork Wed Jan 29 16:16:08 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4105
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 29 Jan 2025 17:16:08 +0100
Message-ID: <20250129161609.19202-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v6] mroute/management: repair mgmt client-kill for mroute with proto
From: Gianmarco De Gregori

Fix issue reported by Coverity:

CID 1641564: Uninitialized variables (UNINIT)
Using uninitialized value "maddr.proto" when calling "mroute_addr_equal()".

Due to changes to the mroute structure, which now includes the protocol, the mgmt iface client-kill-by-addr feature has been updated to include this new value along with IP:port.

While at it, changed the mroute_addr_print_ex() format to display the protocol only in case of MR_WITH_PROTO, to avoid doing it on virtual addresses when MR_WITH_PORT is not specified.

Change-Id: I4be0ff4d308213d2ef8ba66bd3178eee1f60fff1
Signed-off-by: Gianmarco De Gregori
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/880
This mail reflects revision 6 of this Change.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/Changes.rst b/Changes.rst index 16ae6fc..d01816b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -317,6 +317,9 @@ settings will contradict the setting of allow-compression as this almost always results in a non-working connection. +- The "kill" by addr management command now requires also the protocol + as string e.g. "udp", "tcp". + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b55135a..f1d2930 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -205,8 +205,12 @@ kill Test-Client -- kill the client instance having a common name of "Test-Client". - kill 1.2.3.4:4000 -- kill the client instance having a - source address and port of 1.2.3.4:4000 + kill tcp:1.2.3.4:4000 -- kill the client instance having a + source address, port and proto of + tcp:1.2.3.4:4000 + + Note that kill by address won't work for IPv6-connected + clients yet, so rely on kill by CN or CID instead. Use the "status" command to see which clients are connected. diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 0c77f85..484042a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -544,45 +544,52 @@ struct buffer buf; char p1[128]; char p2[128]; + char p3[128]; int n_killed; buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1); buf_parse(&buf, ':', p1, sizeof(p1)); buf_parse(&buf, ':', p2, sizeof(p2)); + buf_parse(&buf, ':', p3, sizeof(p3)); - if (strlen(p1) && strlen(p2)) + if (strlen(p1) && strlen(p2) && strlen(p3)) { /* IP:port specified */ bool status; - const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL); + const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL); if (status) { - const int port = atoi(p2); - if (port > 0 && port < 65536) + const int port = atoi(p3); + const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER : + (streq(p1, "udp")) ? PROTO_UDP : PROTO_NONE; + + if ((port > 0 && port < 65536) && (proto != PROTO_NONE)) { - n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port); + n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port, proto); if (n_killed > 0) { - msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed", + msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed", n_killed, + proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc), port); } else { - msg(M_CLIENT, "ERROR: client at address %s:%d not found", + msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found", + proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc), port); } } else { - msg(M_CLIENT, "ERROR: port number is out of range: %s", p2); + msg(M_CLIENT, "ERROR: port number or protocol out of range: %s %s", p3, p1); } } else { - msg(M_CLIENT, "ERROR: error parsing IP address: %s", p1); + msg(M_CLIENT, "ERROR: error parsing IP address: %s", p2); } } else if (strlen(p1)) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index f501543..02ceb82 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -180,7 +180,7 @@ void (*status) (void *arg, const int version, struct status_output *so); void (*show_net) (void *arg, const int msglevel); int (*kill_by_cn) (void *arg, const char *common_name); - int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); + int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port, const int proto); void (*delete_event) (void *arg, event_t event); int (*n_clients) (void *arg); bool (*send_cc_message) (void *arg, const char *message, const char *parameter); diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 74923cf..24b9543 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -276,6 +276,10 @@ addr->len = 6; addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; addr->v4.port = osaddr->addr.in4.sin_port; + if (addr->proto != PROTO_NONE) + { + addr->type |= MR_WITH_PROTO; + } } else { @@ -295,6 +299,10 @@ addr->len = 18; addr->v6.addr = osaddr->addr.in6.sin6_addr; addr->v6.port = osaddr->addr.in6.sin6_port; + if (addr->proto != PROTO_NONE) + { + addr->type |= MR_WITH_PROTO; + } } else { @@ -403,6 +411,10 @@ { buf_printf(&out, "ARP/"); } + if (maddr.type & MR_WITH_PROTO) + { + buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET, false)); + } buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr), (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); if (maddr.type & MR_WITH_NETBITS) @@ -426,6 +438,10 @@ case MR_ADDR_IPV6: { + if (maddr.type & MR_WITH_PROTO) + { + buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET6, false)); + } if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) ) { buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr, @@ -454,7 +470,6 @@ buf_printf(&out, "UNKNOWN"); break; } - buf_printf(&out, "|%d", maddr.proto); return BSTR(&out); } else diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index 2659695..fbe102a 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h 
@@ -72,6 +72,9 @@ /* Indicates than IPv4 addr was extracted from ARP packet */ #define MR_ARP 16 +/* Address type mask indicating that proto # is part of address */ +#define MR_WITH_PROTO 32 + struct mroute_addr { uint8_t len; /* length of address */ uint8_t proto; diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 62ed044..9a8b1cb 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -111,6 +111,7 @@ ASSERT(mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET || mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6 ); + mi->real.proto = mi->context.c2.link_sockets[0]->info.proto; if (!mroute_extract_openvpn_sockaddr(&mi->real, &mi->context.c2.link_sockets[0]->info.lsa->actual.dest, true)) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 9c8c014..b0e1941 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -794,7 +794,6 @@ { goto err; } - mi->real.proto = ls->info.proto; generate_prefix(mi); } @@ -3942,7 +3941,8 @@ } static int -management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port) +management_callback_kill_by_addr(void *arg, const in_addr_t addr, + const int port, const int proto) { struct multi_context *m = (struct multi_context *) arg; struct hash_iterator hi; @@ -3957,6 +3957,7 @@ saddr.addr.in4.sin_port = htons(port); if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) { + maddr.proto = proto; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) {
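Review bot: the Changes.rst hunk inserts the new note between the allow-compression paragraph and the "Common errors with OpenSSL 3.0 and OpenVPN 2.6" heading, which from the surrounding context lines is an unrelated section; it belongs in the list of behaviour or management-interface changes for the release. The wording can also show the new form directly instead of describing it, e.g. `- The "kill" management command by address now also requires the protocol as a prefix, e.g. "kill udp:1.2.3.4:4000".`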
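Review bot: the management-notes.txt hunk documents the new `proto:ip:port` form and the IPv6 limitation but not which protocol tokens are accepted; per the manage.c hunk only the literal strings "tcp" and "udp" map to a protocol, and anything else (including "tcp-server"/"tcp-client") is rejected as PROTO_NONE, so say so here, and mention that the previous `ip:port` form is no longer valid, since that is a visible interface change for existing management clients.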
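Review bot: in the manage.c hunk the old `ip:port` syntax is not rejected explicitly. `kill 1.2.3.4:4000` now parses as p1="1.2.3.4", p2="4000", p3="", fails the new `strlen(p1) && strlen(p2) && strlen(p3)` test and drops into the following `else if (strlen(p1))` branch, so a caller using the pre-change syntax gets that branch's behaviour and error text rather than a hint that a protocol prefix is required; an explicit `else if (strlen(p1) && strlen(p2))` that reports the expected `proto:ip:port` form would make the transition obvious. Two smaller points in the same hunk: the message `"ERROR: port number or protocol out of range: %s %s", p3, p1` prints the fields in the opposite order to the command syntax, so print `p1, p3` or label each; and since "tcp" maps to PROTO_TCP_SERVER, confirm that `proto2ascii(proto, AF_UNSPEC, false)` in the SUCCESS/ERROR messages echoes the same "tcp" token the command accepts rather than a longer name the operator cannot pass back in.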
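Review bot: the mroute_addr_print_ex() change in the mroute.c hunk (protocol printed as a `proto:` prefix when MR_WITH_PROTO is set, the `"|%d", maddr.proto` suffix dropped) changes the output of every caller of that function, not only the kill messages, yet the Changes.rst hunk mentions only the kill command. State the new output format in the commit message and, if any documented output (status listings, logs) is produced through this function, document the prefix there as well.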
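Review bot: in the mtcp.c hunk `mi->real.proto` is now assigned before `mroute_extract_openvpn_sockaddr(&mi->real, ...)`, which is what the mroute.c hunk needs to set MR_WITH_PROTO, but the only visible place the non-TCP path set it, `mi->real.proto = ls->info.proto;` in multi.c at the `@@ -794` hunk, is removed rather than moved earlier. If the UDP instance path sets `real.proto` somewhere else before extraction, say so in the commit message; otherwise UDP clients' real address keeps PROTO_NONE, never gets MR_WITH_PROTO, and the kill-by-address lookup cannot match them.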
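Review bot: in the management_callback_kill_by_addr hunk `maddr.proto = proto;` is assigned only after `mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)` has returned, but per the mroute.c hunk MR_WITH_PROTO is ORed into `addr->type` only when `addr->proto != PROTO_NONE` at the time of extraction. The instance side (mtcp.c hunk) sets `mi->real.proto` before extracting, so `mi->real.type` carries MR_WITH_PROTO while `maddr.type` does not; if mroute_addr_equal() compares `type` as well as `proto`, the lookup will never match. Move `maddr.proto = proto;` above the `mroute_extract_openvpn_sockaddr()` call so both sides are built the same way.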