From patchwork Thu Apr 19 19:20:26 2018
X-Patchwork-Submitter: Eric Thorpe
X-Patchwork-Id: 306
From: Eric Thorpe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 20 Apr 2018 15:20:26 +1000
Subject: [Openvpn-devel] [Patch] Support client reason from auth plugin

Hi All,

This patch allows for a client reason to be returned from an auth plugin and sent to the connecting client on an auth fail. This change is backwards compatible with existing plugins and hasn't caused issues with existing plugins like the included pam plugin in our testing.

The main purpose of this change is to support dynamic challenge/response from plugins; currently this is only possible from the management interface. Example usage for this change can be found in a new plugin here, modified from the included PAM plugin: https://github.com/thesparklabs/openvpn-two-factor-extensions/tree/master/yubikey-u2f-pam-plugin

Regards,
Eric

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 25395b2..6266fb3 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1167,7 +1167,7 @@ done: * Verify the username and password using a plugin */ static int -verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, const char *raw_username) +verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up, const char *raw_username) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; #ifdef PLUGIN_DEF_AUTH @@ -1177,6 +1177,9 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { + struct plugin_return pr, prfetch; + plugin_return_init(&pr); + /* set username/password in private env space */ setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); setenv_str(session->opt->es, "password", up->password); @@ -1198,7 +1201,23 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, #endif /* call command */ - retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es); + retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, &pr, session->opt->es); + + /* Fetch client reason */ + plugin_return_get_column(&pr, &prfetch, "client_reason"); + if (plugin_return_defined(&prfetch)) + { + int i; + for (i = 0; i < prfetch.n; ++i) + { + if (prfetch.list[i] && prfetch.list[i]->value) + { + man_def_auth_set_client_reason(multi, prfetch.list[i]->value); + } + } + } + + plugin_return_free(&pr); #ifdef PLUGIN_DEF_AUTH /* purge auth control filename (and file itself) for non-deferred returns */ 
@@ -1378,7 +1397,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #endif if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) { - s1 = verify_user_pass_plugin(session, up, raw_username); + s1 = verify_user_pass_plugin(session, multi, up, raw_username); } if (session->opt->auth_user_pass_verify_script) {
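Review bot: in the first hunk (@@ -1167) the new `struct tls_multi *multi` parameter gives verify_user_pass_plugin() a side effect that the comment above it ("Verify the username and password using a plugin") no longer describes: the function can now store a client reason on `multi`. Please extend that comment to say that `multi` must be non-NULL and that a `client_reason` value returned by the plugin is copied into `multi` for delivery to the client when authentication fails.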
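Review bot: in the second hunk (@@ -1177) `prfetch` is declared next to `pr`, but only `pr` receives `plugin_return_init()`. `prfetch` is later handed to `plugin_return_get_column()` and then tested with `plugin_return_defined()`; unless `plugin_return_get_column()` is guaranteed to set `prfetch.n` on every path, that test reads an indeterminate value. Initializing both (`plugin_return_init(&pr); plugin_return_init(&prfetch);`) is cheap and removes the doubt.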
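Review bot: in the third hunk (@@ -1198) the loop calls `man_def_auth_set_client_reason()` once per matching column, so when several plugins (or one plugin returning several rows) supply `client_reason`, only the last non-NULL value survives and the earlier ones are silently discarded; either break after the first value or state the last-wins rule in the comment. Two further points on the same block: the string is forwarded to the client unchanged, so the plugin documentation should require a single printable line (or the code should reject anything else before it is placed in the auth-failed message sent to the client); and the call is made unconditionally although the surrounding code is wrapped in `#ifdef PLUGIN_DEF_AUTH` blocks, so please confirm that `man_def_auth_set_client_reason()` and the `client_reason` field it writes exist in every build configuration in which this function is compiled, not only in builds with management deferred-auth support.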
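Review bot: the fourth hunk (@@ -1378) completes the call-site change, but the `client_reason` return column is a new plugin-API contract that nothing outside ssl_verify.c records. openvpn-plugin.h and the sample/PAM plugin documentation should describe the column name, the hook it is read from (only OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, per this patch) and that the text is only shown to the client when authentication fails.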