From patchwork Tue Mar 15 04:53:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2343 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 2CKJAx23MGJbDQAAqwncew (envelope-from ) for ; Tue, 15 Mar 2022 11:56:13 -0400 Received: from proxy6.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id aHCHBB23MGJYHQAAvGGmqA (envelope-from ) for ; Tue, 15 Mar 2022 11:56:13 -0400 Received: from smtp4.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1d.rsapps.net with LMTPS id sK88BB23MGKaKAAAQyIf0w (envelope-from ) for ; Tue, 15 Mar 2022 11:56:13 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp4.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 6fb0e076-a478-11ec-bd87-525400760ffc-1-1 Received: from [216.105.38.7] ([216.105.38.7:13250] helo=lists.sourceforge.net) by smtp4.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 91/EC-07260-C17B0326; Tue, 15 Mar 2022 11:56:12 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nU9V1-0005iF-J7; Tue, 15 Mar 2022 15:54:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nU9Uz-0005i5-BH for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Tkf3v9GS2HKlOKfGDVatmARgK74C5750Avund/E3klY=; b=gOPsPMTdUGsGTCYQRtkbN2JJOk ISNXFFP76gMFOM8aEN4PT9hhzzYhIe0uy7l0iVrZyNNZGT9jlxhfpiqP5u4ieGD7CBGVplf3+k+NR 9z/JOKTVBBL4POZErWkDBaa+YYM/7rpR5PQ8hqjInKyqvL8Z3R2bARtQmvimrWQyNc5A=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Tkf3v9GS2HKlOKfGDVatmARgK74C5750Avund/E3klY=; b=U6Smyc7Am+uelhSz8pZDqpUIQm vBMNiCp85Mv4aNCHAQnoX8VgtzaHLEMy6nfonQhM/VGLLiawXal1gGGXlcSQ2iVWosPkE90Ooqqor dLEr/1VcKjiptXoUfJQNxR2DAgYWmrUzsJW7/NRERpUI6F2l9diGBQLvk/Zo+6yz+U9w=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nU9Uu-00071S-4Z for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:11 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id B8136E714 for ; Tue, 15 Mar 2022 15:54:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647359641; bh=Tkf3v9GS2HKlOKfGDVatmARgK74C5750Avund/E3klY=; h=From:To:Subject:Date:In-Reply-To:References:From; b=tvXBPonneKU/5mO9F8JzCfDsqObwa4+CPb6MB2JsetGm5+XOfiWBUrv4gZr6XqJrX ezsWjLvrb7A5Ry11d+YeDQx8emYaZoBOXOVliQ4hY32IRktXOf56+taCOwAN6mJF/D 5LuBkVho8Sb8EmncGRZ1IlFzt9Lfq/Q1+HU7UZOXNAcdD7QKZ2zfEvJdr0AhZXqGf4 fqg2Qm4OkYjPPRkiV7gQN+6PL5p0cLHQfl2WhS0oAEVW299D3mF2Eg5syo7jJ57znI DhY8AnCMQa2gAkSM7JYuvafm3Hp3D9ix3V/qqR/kfxhMl1ZupeC8lrOFP6jRDtI+xN 9aw52tThfsPLg== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ShS0XUxgVNcO for ; Tue, 15 Mar 2022 16:54:00 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id 6279FE712 for ; Tue, 15 Mar 2022 16:54:00 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Mar 2022 16:53:42 +0100 Message-Id: <20220315155344.37787-2-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> References: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nU9Uu-00071S-4Z Subject: [Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth This plugin allows setting username/passwords as well as configure deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results. Signed-off-by: David Sommerseth --- v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block --- doc/tests/authentication-plugins.md | 153 +++++++++ sample/sample-plugins/defer/README | 8 + sample/sample-plugins/defer/multi-auth.c | 413 +++++++++++++++++++++++ 3 files changed, 574 insertions(+) create mode 100644 doc/tests/authentication-plugins.md create mode 100644 sample/sample-plugins/defer/multi-auth.c diff --git a/doc/tests/authentication-plugins.md b/doc/tests/authentication-plugins.md new file mode 100644 index 00000000..1f5fb851 --- /dev/null +++ b/doc/tests/authentication-plugins.md @@ -0,0 +1,153 @@ +# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS + + +OpenVPN 2.x can support loading and authenticating users through multiple +plug-ins at the same time. But it can only support a single plug-in doing +deferred authentication. However, a plug-in supporting deferred +authentication may be accompanied by other authentication plug-ins **not** +doing deferred authentication. + +This is a test script useful to test the various combinations and order of +plug-in execution. + +The configuration files are expected to be used from the root of the build +directory. + +To build the needed authentication plug-in, run: + + make -C sample/sample-plugins + + +## Test configs + +* Client config + + verb 4 + dev tun + client + remote x.x.x.x + ca sample/sample-keys/ca.crt + cert sample/sample-keys/client.crt + key sample/sample-keys/client.key + auth-user-pass + +* Base server config (`base-server.conf`) + + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 + dh sample/sample-keys/dh2048.pem + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key + + +## Test cases + +### Test: *sanity-1* + +This tests the basic authentication with an instant answer. + + config base-server.conf + plugin multi-auth.so S1.1 0 foo bar + +#### Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-2* + +This is similar to `sanity-1`, but does the authentication +through two plug-ins providing an instant reply. + + config base-server.conf + plugin multi-auth.so S2.1 0 foo bar + plugin multi-auth.so S2.2 0 foo bar + +#### Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *sanity-3* + +This is also similar to `sanity-1`, but uses deferred authentication +with a 1 second delay on the response. + + plugin multi-auth.so S3.1 1000 foo bar + +#### Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-a* + +Runs two authentications, the first one deferred by 1 second and the +second one providing an instant response. + + plugin multi-auth.so A.1 1000 foo bar + plugin multi-auth.so A.2 0 foo bar + +#### Expected results + - Username/password `foo`/`bar`: **PASS** + - Anything else: **FAIL** + + +### Test: *case-b* + +This is similar to `case-a`, but the instant authentication response +is provided first before the deferred authentication. + + plugin multi-auth.so B.1 0 foo bar + plugin multi-auth.so B.2 1000 test pass + +#### Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-c* + +This is similar to the two prior tests, but the authentication result +is returned instantly in both steps. + + plugin multi-auth.so C.1 0 foo bar + plugin multi-auth.so C.2 0 foo2 bar2 + +#### Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-d* + +This is similar to the `case-b` test, but the order of deferred +and instant response is reversed. + + plugin ./multi-auth.so D.1 2000 test pass + plugin ./multi-auth.so D.2 0 foo bar + +#### Expected results + - **Always FAIL** + - This test should never pass, as each plug-in expects different + usernames and passwords. + + +### Test: *case-e* + +This test case will run two deferred authentication plug-ins. This is +**not** supported by OpenVPN, and should therefore fail instantly. + + plugin ./multi-auth.so E1 1000 test1 pass1 + plugin ./multi-auth.so E2 2000 test2 pass2 + +#### Expected results + - The OpenVPN server process should stop running + - An error about multiple deferred plug-ins being configured + should be seen in the server log. + + diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README index d8990f8b..4c032993 100644 --- a/sample/sample-plugins/defer/README +++ b/sample/sample-plugins/defer/README @@ -5,12 +5,20 @@ Examples provided: simple.c -- using the --auth-user-pass-verify callback, test deferred authentication. +multi-auth.c -- Test plug-in for testing multiple authentication + plug-ins in the same OpenVPN server configuration. + Only tested on Linux. + To build: ./build simple (Linux/BSD/etc.) + ./build multi-auth (Linux/BSD/etc.) ./winbuild simple (MinGW on Windows) To use in OpenVPN, add to config file: plugin simple.so (Linux/BSD/etc.) plugin simple.dll (MinGW on Windows) + +For the multi-auth.so, see the documentation in +doc/tests/authentication-plugins.md diff --git a/sample/sample-plugins/defer/multi-auth.c b/sample/sample-plugins/defer/multi-auth.c new file mode 100644 index 00000000..b7bc6dc5 --- /dev/null +++ b/sample/sample-plugins/defer/multi-auth.c @@ -0,0 +1,413 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2021 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * This file implements a simple OpenVPN plugin module which + * can do either an instant authentication or a deferred auth. + * The purpose of this plug-in is to test multiple auth plugins + * in the same configuration file + * + * Plugin arguments: + * + * multi-auth.so LOG_ID DEFER_TIME USERNAME PASSWORD + * + * LOG_ID is just an ID string used to separate auth results in the log + * DEFER_TIME is the time to defer the auth. Set to 0 to return immediately + * USERNAME is the username for a valid authentication + * PASSWORD is the password for a valid authentication + * + * The DEFER_TIME time unit is in ms. + * + * Sample usage: + * + * plugin multi-auth.so MA_1 0 foo bar # Instant reply user:foo pass:bar + * plugin multi-auth.so MA_2 5000 fux bax # Defer 5 sec, user:fux pass: bax + * + */ +#include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "openvpn-plugin.h" + +static char *MODULE = "multi-auth"; + +/* + * Our context, where we keep our state. + */ + +struct plugin_context { + int test_deferred_auth; + char *authid; + char *test_valid_user; + char *test_valid_pass; +}; + +/* local wrapping of the log function, to add more details */ +static plugin_vlog_t _plugin_vlog_func = NULL; +static void plog(const struct plugin_context *ctx, int flags, char *fmt, ...) +{ + char logid[129]; + + if (ctx && ctx->authid) + { + snprintf(logid, 128, "%s[%s]", MODULE, ctx->authid); + } + else + { + snprintf(logid, 128, "%s", MODULE); + } + + va_list arglist; + va_start(arglist, fmt); + _plugin_vlog_func(flags, logid, fmt, arglist); + va_end(arglist); +} + + +/* + * Constants indicating minimum API and struct versions by the functions + * in this plugin. Consult openvpn-plugin.h, look for: + * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER + * + * Strictly speaking, this sample code only requires plugin_log, a feature + * of structver version 1. However, '1' lines up with ancient versions + * of openvpn that are past end-of-support. As such, we are requiring + * structver '5' here to indicate a desire for modern openvpn, rather + * than a need for any particular feature found in structver beyond '1'. + */ +#define OPENVPN_PLUGIN_VERSION_MIN 3 +#define OPENVPN_PLUGIN_STRUCTVER_MIN 5 + + +struct plugin_per_client_context { + int n_calls; + bool generated_pf_file; +}; + + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env(const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen(name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp(envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + { + return cp + 1; + } + } + } + } + return NULL; +} + +/* used for safe printf of possible NULL strings */ +static const char * +np(const char *str) +{ + if (str) + { + return str; + } + else + { + return "[NULL]"; + } +} + +static int +atoi_null0(const char *str) +{ + if (str) + { + return atoi(str); + } + else + { + return 0; + } +} + +/* Require a minimum OpenVPN Plugin API */ +OPENVPN_EXPORT int +openvpn_plugin_min_version_required_v1() +{ + return OPENVPN_PLUGIN_VERSION_MIN; +} + +/* use v3 functions so we can use openvpn's logging and base64 etc. */ +OPENVPN_EXPORT int +openvpn_plugin_open_v3(const int v3structver, + struct openvpn_plugin_args_open_in const *args, + struct openvpn_plugin_args_open_return *ret) +{ + if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) + { + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + /* Save global pointers to functions exported from openvpn */ + _plugin_vlog_func = args->callbacks->plugin_vlog; + + plog(NULL, PLOG_NOTE, "FUNC: openvpn_plugin_open_v3"); + + /* + * Allocate our context + */ + struct plugin_context *context = NULL; + context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); + if (!context) + { + goto error; + } + + // simple module argument parsing + if ((args->argv[4]) && !args->argv[5]) + { + context->authid = strdup(args->argv[1]); + context->test_deferred_auth = atoi_null0(args->argv[2]); + context->test_valid_user = strdup(args->argv[3]); + context->test_valid_pass = strdup(args->argv[4]); + } + else + { + plog(context, PLOG_ERR, "Too many arguments provided"); + goto error; + } + + if (context->test_deferred_auth > 0) + { + plog(context, PLOG_NOTE, "TEST_DEFERRED_AUTH %d", context->test_deferred_auth); + } + + /* + * Which callbacks to intercept. + */ + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); + ret->handle = (openvpn_plugin_handle_t *) context; + + plog(context, PLOG_NOTE, "initialization succeeded"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + +error: + plog(context, PLOG_NOTE, "initialization failed"); + if (context) + { + free(context); + } + return OPENVPN_PLUGIN_FUNC_ERROR; +} + +static bool +do_auth_user_pass(struct plugin_context *context, + const char *username, const char *password) +{ + plog(context, PLOG_NOTE, + "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s", + np(context->test_valid_user), + np(username), + np(context->test_valid_pass), + np(password)); + + if (context->test_valid_user && context->test_valid_pass) + { + if ((strcmp(context->test_valid_user, username) != 0) + || (strcmp(context->test_valid_pass, password) != 0)) + { + plog(context, PLOG_ERR, + "User/Password auth result: FAIL"); + return false; + } + else + { + plog(context, PLOG_NOTE, + "User/Password auth result: PASS"); + return true; + } + } + return false; +} + + +static int +auth_user_pass_verify(struct plugin_context *context, + struct plugin_per_client_context *pcc, + const char *argv[], const char *envp[]) +{ + /* get username/password from envp string array */ + const char *username = get_env("username", envp); + const char *password = get_env("password", envp); + + if (!context->test_deferred_auth) + { + plog(context, PLOG_NOTE, "Direct authentication"); + return do_auth_user_pass(context, username, password) ? + OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR; + } + + /* get auth_control_file filename from envp string array*/ + const char *auth_control_file = get_env("auth_control_file", envp); + plog(context, PLOG_NOTE, "auth_control_file=%s", auth_control_file); + + /* Authenticate asynchronously in n seconds */ + if (!auth_control_file) + { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + /* we do not want to complicate our lives with having to wait() + * for child processes (so they are not zombiefied) *and* we MUST NOT + * fiddle with signal handlers (= shared with openvpn main), so + * we use double-fork() trick. + */ + + /* fork, sleep, succeed (no "real" auth done = always succeed) */ + pid_t p1 = fork(); + if (p1 < 0) /* Fork failed */ + { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + if (p1 > 0) /* parent process */ + { + waitpid(p1, NULL, 0); + return OPENVPN_PLUGIN_FUNC_DEFERRED; + } + + /* first gen child process, fork() again and exit() right away */ + pid_t p2 = fork(); + if (p2 < 0) + { + plog(context, PLOG_ERR|PLOG_ERRNO, "BACKGROUND: fork(2) failed"); + exit(1); + } + + if (p2 != 0) /* new parent: exit right away */ + { + exit(0); + } + + /* (grand-)child process + * - never call "return" now (would mess up openvpn) + * - return status is communicated by file + * - then exit() + */ + + /* do mighty complicated work that will really take time here... */ + plog(context, PLOG_NOTE, "in async/deferred handler, usleep(%d)", + context->test_deferred_auth*1000); + usleep(context->test_deferred_auth*1000); + + /* now signal success state to openvpn */ + int fd = open(auth_control_file, O_WRONLY); + if (fd < 0) + { + plog(context, PLOG_ERR|PLOG_ERRNO, + "open('%s') failed", auth_control_file); + exit(1); + } + + char result[2] = "0\0"; + if (do_auth_user_pass(context, username, password)) + { + result[0] = '1'; + } + + if (write(fd, result, 1) != 1) + { + plog(context, PLOG_ERR|PLOG_ERRNO, "write to '%s' failed", auth_control_file ); + } + close(fd); + + exit(0); +} + + +OPENVPN_EXPORT int +openvpn_plugin_func_v3(const int v3structver, + struct openvpn_plugin_args_func_in const *args, + struct openvpn_plugin_args_func_return *ret) +{ + if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) + { + fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + const char **argv = args->argv; + const char **envp = args->envp; + struct plugin_context *context = (struct plugin_context *) args->handle; + struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context; + switch (args->type) + { + case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: + plog(context, PLOG_NOTE, "OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY"); + return auth_user_pass_verify(context, pcc, argv, envp); + + default: + plog(context, PLOG_NOTE, "OPENVPN_PLUGIN_?"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } +} + +OPENVPN_EXPORT void * +openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_constructor_v1"); + return calloc(1, sizeof(struct plugin_per_client_context)); +} + +OPENVPN_EXPORT void +openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) +{ + struct plugin_context *context = (struct plugin_context *) handle; + plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_client_destructor_v1"); + free(per_client_context); +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) +{ + struct plugin_context *context = (struct plugin_context *) handle; + plog(context, PLOG_NOTE, "FUNC: openvpn_plugin_close_v1"); + free(context); +} From patchwork Tue Mar 15 04:53:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2344 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id yMOJNSu3MGKvDQAAqwncew (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id YMKNNiu3MGJDDQAAalYnBA (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 Received: from smtp19.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTPS id UJhPNiu3MGJwFwAAgjf6aA (envelope-from ) for ; Tue, 15 Mar 2022 11:56:27 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 7882c5fc-a478-11ec-bb18-525400d67fa8-1-1 Received: from [216.105.38.7] ([216.105.38.7:53060] helo=lists.sourceforge.net) by smtp19.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F5/91-02364-B27B0326; Tue, 15 Mar 2022 11:56:27 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nU9VC-0005jO-IM; Tue, 15 Mar 2022 15:54:25 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nU9VA-0005j9-Nx for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; b=fvSS4j0ACPLypGi0uy0vOyVQUI nBmuUdpcLUo0vFf17Y2xIsQQxBBRNONROXHF3IFc4DmPzlEMVBTEPKOuCY67kul9JrWGeGzJF9w+0 TkELucBZxMOqlXeWW248kI+2rhDieQFXQ9OaenEu+IjO196rcubjB4qM+CCNNHpSLNzU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; b=hra/pr72T/YjS07wmyfzIW6N1Z YWk2DPDlAcYEWUzCeAx0pPzwXbcS2YJhcKyE+GIV071+RN+1Cs/x8gMuJjFlpejBvMoEg9gttbD0P JkPfW1DqfIfnjBFazZC6+x4Z65bLD6sFE6mx5gpNH6UooW2ttxK30RztgOeDRwKJUXyg=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nU9V7-00072c-OL for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:23 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id E2600E713 for ; Tue, 15 Mar 2022 15:54:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647359654; bh=M0PftXhkJu0jK9Es5l6srGMmN7D/HlJMDY2kJOyxSHA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=qBUkAG6HkC1uK58AgbVTPXOnGltr5eqUjRhE6/V1iNqNLQXxlxzk2tK4qnvOXuidb I4qk1HtgqKyKYF5ec8qM1As86vdQIcblyJbEPCNeSd9xBh6G2XXgAUDVGTNRb0Fb8V xIA83S3NMP/l61MxK735SwqKE02TSckelqr/lWnUM7W5Qhf1Z3pemIc7rogu1znu/9 6BTY3xO17ANeImL33SUCoExeHMYWHp+NfsjVxhl5bVzw+w6VlI6SPo9hz3mxqaat8B 9Cw3acOUzZpteDiYbnXr8gQptaPyGm4ieCbQcTCiaQAmXj4JGwbp6BMUcQsjqyNOqY 7P97Oru2BxSJQ== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hwmpo2uN3vL9 for ; Tue, 15 Mar 2022 16:54:14 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id 356CAE712 for ; Tue, 15 Mar 2022 16:54:14 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Mar 2022 16:53:43 +0100 Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> References: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we b [...] Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nU9V7-00072c-OL Subject: [Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth --- Note: The man page snippet is copied from the generated nroff formatting from the git master generated man page. v3 - flip CONSTANT==var to var==CONSTANT in if() clause v4 - Use M_FATAL instead of M_ERR v5 - Fix missing ) in if() clause --- doc/openvpn.8 | 13 +++++++++++++ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 598d5fce..a6a5feb6 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. + +.INDENT 7.0 +.TP +.B \fBWARNING\fP: +Plug\-ins may do deferred execution, meaning the plug\-in will +return the control back to the main OpenVPN process and provide +the plug\-in result later on via a different thread or process. +OpenVPN does \fBNOT\fP support multiple authentication plug\-ins +\fBwhere more than one of them\fP do deferred authentication. +If this behaviour is detected, OpenVPN will shut down upon first +authentication. +.UNINDENT +.UNINDENT .\"********************************************************* .TP .B \-\-keying\-material\-exporter label len diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 0ab99ab5..a019ec77 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; - bool deferred = false; + bool deferred_auth_done = false; setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); @@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: - deferred = true; + if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + && deferred_auth_done) + { + /* + * Do not allow deferred auth if a deferred auth has + * already been started. This should allow a single + * deferred auth call to happen, with one or more + * auth calls with an instant authentication result. + * + * The plug-in API is not designed for multiple + * deferred authentications to happen, as the + * auth_control_file file will be shared across all + * the plug-ins. + * + * Since this is considered a critical configuration + * error, we bail out and exit the OpenVPN process. + */ + error = true; + msg(M_FATAL, + "Exiting due to multiple authentication plug-ins " + "performing deferred authentication. Only one " + "authentication plug-in doing deferred auth is " + "allowed. Ignoring the result and stopping now, " + "the current authentication result is not to be " + "trusted."); + break; + } + deferred_auth_done = true; break; default: @@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } - else if (deferred) + else if (deferred_auth_done) { return OPENVPN_PLUGIN_FUNC_DEFERRED; } From patchwork Tue Mar 15 04:53:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 2342 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id eC6UJP+2MGL+CwAAqwncew (envelope-from ) for ; Tue, 15 Mar 2022 11:55:43 -0400 Received: from proxy4.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id QPd1Jf+2MGIJKAAApN4f7A (envelope-from ) for ; Tue, 15 Mar 2022 11:55:43 -0400 Received: from smtp31.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1d.rsapps.net with LMTPS id wIArJf+2MGJTXgAAiYrejw (envelope-from ) for ; Tue, 15 Mar 2022 11:55:43 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp31.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=sf.lists.topphemmelig.net; dmarc=fail (p=none; dis=none) header.from=sf.lists.topphemmelig.net X-Suspicious-Flag: YES X-Classification-ID: 5e39ee82-a478-11ec-87ce-525400b3ac8c-1-1 Received: from [216.105.38.7] ([216.105.38.7:40372] helo=lists.sourceforge.net) by smtp31.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 97/5A-02341-EF6B0326; Tue, 15 Mar 2022 11:55:43 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nU9NS-0003O7-Dy; Tue, 15 Mar 2022 15:54:38 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nU9NR-0003O0-F6 for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ubcvHtOmXaQBPCoqbJJdd2aQgE3jmK/yTemSxG7l5Cw=; b=i97ZQJOTqLldYhC5urFxvL42bC R9Eej5OOoXnGWj3Vyl885bp56kpphafE+6vUPPqUrFYapv0rCxcfIYJfSxE3HYWKmE/rMlxG/VW36 avCnetKzGIOi+iP+QDr1Z2rFfzCFHvA508qurfZAIQGBu/XA3ESprSSfXvWMEe35BbHo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ubcvHtOmXaQBPCoqbJJdd2aQgE3jmK/yTemSxG7l5Cw=; b=WqavUDVOBDTKlfYmlF6bU1EPxb NTfAghUoTFpBDL0cZJg187PlbKK3pCPf7FAMBORfkDLIDtoe22zzz5IgOKLAHw7rFD1s7KU4pA8EB ZCqbEN4omxAinQUw3ADXOhna4+L3gJodEnSpdPKvs4Bckv/jSZoDWieye6MouX95Gfu4=; Received: from mx1.basenordic.cloud ([217.170.196.134]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nU9VL-00HH9H-NA for openvpn-devel@lists.sourceforge.net; Tue, 15 Mar 2022 15:54:37 +0000 Received: from localhost (unknown [127.0.0.1]) by mx1.basenordic.cloud (Postfix) with ESMTP id C01C0E713 for ; Tue, 15 Mar 2022 15:54:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf.lists.topphemmelig.net; s=inouz9eefah2too5; t=1647359666; bh=ubcvHtOmXaQBPCoqbJJdd2aQgE3jmK/yTemSxG7l5Cw=; h=From:To:Subject:Date:In-Reply-To:References:From; b=2+jCyM/rMXUs8gL05EM99ikEYKCxeuYfe1NgTt0Hgjr0xFP28FoF7nHyjVfTOjoG3 fyjoatRh/AfLjzO2BONWsIPMgj3PNyYwaEvMwYEMZOUoXg63Q9Iw5aEGZTbqDxPnQ8 +sTcDRqJvTKsIFBs9rkwF8kQoDVtUEv2hVkwIFH2/270Uwo5HqcWjLsQDHOUz9UuZP n5Hdn7onJCBjGGvTXrcUrHCALiaVjLoFgID2KLBCZ1+5+I2oqIQg1CxLockNaYiKyi jfxlvf+u3iAd4h87B9IfB8SP9NzRrS6HT5axrzjPWS1nVG/YFcn21X5uKWgHf7mT9A Bj8nsCHsGQWUQ== Received: from mx1.basenordic.cloud ([127.0.0.1]) by localhost (mx1.basenordic.cloud [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlCmxvzQmqEj for ; Tue, 15 Mar 2022 16:54:25 +0100 (CET) Received: from xplorer.net (xplorer.sommerseth.xyz [10.35.7.11]) by mx1.basenordic.cloud (Postfix) with ESMTP id 85184E712 for ; Tue, 15 Mar 2022 16:54:25 +0100 (CET) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Mar 2022 16:53:44 +0100 Message-Id: <20220315155344.37787-4-openvpn@sf.lists.topphemmelig.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> References: <20220315155344.37787-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Content analysis details: (-2.4 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [217.170.196.134 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nU9VL-00HH9H-NA Subject: [Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: David Sommerseth The use case for this plug-in is dubious now with the new multi-auth.c plugin available. This new plugin is based on simple.c, but allows far more flexibility for testing. Signed-off-by: David Sommerseth --- sample/sample-plugins/defer/README | 3 - sample/sample-plugins/defer/simple.c | 541 ------------------------- sample/sample-plugins/defer/simple.def | 6 - 3 files changed, 550 deletions(-) delete mode 100644 sample/sample-plugins/defer/simple.c delete mode 100755 sample/sample-plugins/defer/simple.def diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README index 4c032993..b20f4eea 100644 --- a/sample/sample-plugins/defer/README +++ b/sample/sample-plugins/defer/README @@ -2,9 +2,6 @@ OpenVPN plugin examples. Examples provided: -simple.c -- using the --auth-user-pass-verify callback, - test deferred authentication. - multi-auth.c -- Test plug-in for testing multiple authentication plug-ins in the same OpenVPN server configuration. Only tested on Linux. diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c deleted file mode 100644 index 6f08bedd..00000000 --- a/sample/sample-plugins/defer/simple.c +++ /dev/null @@ -1,541 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2018 OpenVPN Inc - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/* - * This file implements a simple OpenVPN plugin module which - * will test deferred authentication and packet filtering. - * - * Will run on Windows or *nix. - * - * Sample usage: - * - * setenv test_deferred_auth 20 - * setenv test_packet_filter 10 - * plugin plugin/defer/simple.so - * - * This will enable deferred authentication to occur 20 - * seconds after the normal TLS authentication process, - * and will cause a packet filter file to be generated 10 - * seconds after the initial TLS negotiation, using - * {common-name}.pf as the source. - * - * Sample packet filter configuration: - * - * [CLIENTS DROP] - * +otherclient - * [SUBNETS DROP] - * +10.0.0.0/8 - * -10.10.0.8 - * [END] - * - * See the README file for build instructions. - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include "openvpn-plugin.h" - -/* Pointers to functions exported from openvpn */ -static plugin_log_t plugin_log = NULL; - -/* - * Constants indicating minimum API and struct versions by the functions - * in this plugin. Consult openvpn-plugin.h, look for: - * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER - * - * Strictly speaking, this sample code only requires plugin_log, a feature - * of structver version 1. However, '1' lines up with ancient versions - * of openvpn that are past end-of-support. As such, we are requiring - * structver '5' here to indicate a desire for modern openvpn, rather - * than a need for any particular feature found in structver beyond '1'. - */ -#define OPENVPN_PLUGIN_VERSION_MIN 3 -#define OPENVPN_PLUGIN_STRUCTVER_MIN 5 - -/* - * Our context, where we keep our state. - */ - -struct plugin_context { - int test_deferred_auth; - int test_packet_filter; -}; - -struct plugin_per_client_context { - int n_calls; - bool generated_pf_file; -}; - -/* module name for plugin_log() */ -static char *MODULE = "defer/simple"; - -/* - * Given an environmental variable name, search - * the envp array for its value, returning it - * if found or NULL otherwise. - */ -static const char * -get_env(const char *name, const char *envp[]) -{ - if (envp) - { - int i; - const int namelen = strlen(name); - for (i = 0; envp[i]; ++i) - { - if (!strncmp(envp[i], name, namelen)) - { - const char *cp = envp[i] + namelen; - if (*cp == '=') - { - return cp + 1; - } - } - } - } - return NULL; -} - -/* used for safe printf of possible NULL strings */ -static const char * -np(const char *str) -{ - if (str) - { - return str; - } - else - { - return "[NULL]"; - } -} - -static int -atoi_null0(const char *str) -{ - if (str) - { - return atoi(str); - } - else - { - return 0; - } -} - -/* Require a minimum OpenVPN Plugin API */ -OPENVPN_EXPORT int -openvpn_plugin_min_version_required_v1() -{ - return OPENVPN_PLUGIN_VERSION_MIN; -} - -/* use v3 functions so we can use openvpn's logging and base64 etc. */ -OPENVPN_EXPORT int -openvpn_plugin_open_v3(const int v3structver, - struct openvpn_plugin_args_open_in const *args, - struct openvpn_plugin_args_open_return *ret) -{ - const char **envp = args->envp; /* environment variables */ - struct plugin_context *context; - - if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) - { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); - return OPENVPN_PLUGIN_FUNC_ERROR; - } - - /* Save global pointers to functions exported from openvpn */ - plugin_log = args->callbacks->plugin_log; - - plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_open_v3"); - - /* - * Allocate our context - */ - context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); - if (!context) - { - goto error; - } - - context->test_deferred_auth = atoi_null0(get_env("test_deferred_auth", envp)); - plugin_log(PLOG_NOTE, MODULE, "TEST_DEFERRED_AUTH %d", context->test_deferred_auth); - - context->test_packet_filter = atoi_null0(get_env("test_packet_filter", envp)); - plugin_log(PLOG_NOTE, MODULE, "TEST_PACKET_FILTER %d", context->test_packet_filter); - - /* - * Which callbacks to intercept. - */ - ret->type_mask = - OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); - - /* ENABLE_PF should only be called if we're actually willing to do PF */ - if (context->test_packet_filter) - { - ret->type_mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF); - } - - ret->handle = (openvpn_plugin_handle_t *) context; - plugin_log(PLOG_NOTE, MODULE, "initialization succeeded"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - -error: - if (context) - { - free(context); - } - plugin_log(PLOG_NOTE, MODULE, "initialization failed"); - return OPENVPN_PLUGIN_FUNC_ERROR; -} - -static int -auth_user_pass_verify(struct plugin_context *context, - struct plugin_per_client_context *pcc, - const char *argv[], const char *envp[]) -{ - if (!context->test_deferred_auth) - { - return OPENVPN_PLUGIN_FUNC_SUCCESS; - } - - /* get username/password from envp string array */ - const char *username = get_env("username", envp); - const char *password = get_env("password", envp); - - /* get auth_control_file filename from envp string array*/ - const char *auth_control_file = get_env("auth_control_file", envp); - - plugin_log(PLOG_NOTE, MODULE, "DEFER u='%s' p='%s' acf='%s'", - np(username), - np(password), - np(auth_control_file)); - - /* Authenticate asynchronously in n seconds */ - if (!auth_control_file) - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } - - /* we do not want to complicate our lives with having to wait() - * for child processes (so they are not zombiefied) *and* we MUST NOT - * fiddle with signal handlers (= shared with openvpn main), so - * we use double-fork() trick. - */ - - /* fork, sleep, succeed (no "real" auth done = always succeed) */ - pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } - if (p1 > 0) /* parent process */ - { - waitpid(p1, NULL, 0); - return OPENVPN_PLUGIN_FUNC_DEFERRED; - } - - /* first gen child process, fork() again and exit() right away */ - pid_t p2 = fork(); - if (p2 < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); - exit(1); - } - - if (p2 != 0) /* new parent: exit right away */ - { - exit(0); - } - - /* (grand-)child process - * - never call "return" now (would mess up openvpn) - * - return status is communicated by file - * - then exit() - */ - - /* do mighty complicated work that will really take time here... */ - plugin_log(PLOG_NOTE, MODULE, "in async/deferred handler, sleep(%d)", context->test_deferred_auth); - sleep(context->test_deferred_auth); - - /* now signal success state to openvpn */ - int fd = open(auth_control_file, O_WRONLY); - if (fd < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", auth_control_file); - exit(1); - } - - plugin_log(PLOG_NOTE, MODULE, "auth_user_pass_verify: done" ); - - if (write(fd, "1", 1) != 1) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", auth_control_file ); - } - close(fd); - - exit(0); -} - -static int -tls_final(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) -{ - if (!context->test_packet_filter) /* no PF testing, nothing to do */ - { - return OPENVPN_PLUGIN_FUNC_SUCCESS; - } - - if (pcc->generated_pf_file) /* we already have created a file */ - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } - - const char *pff = get_env("pf_file", envp); - const char *cn = get_env("username", envp); - if (!pff || !cn) /* required vars missing */ - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } - - pcc->generated_pf_file = true; - - /* the PF API is, basically - * - OpenVPN sends a filename (pf_file) to the plugin - * - OpenVPN main loop will check every second if that file shows up - * - when it does, it will be read & used for the pf config - * the pre-created file needs to be removed in ...ENABLE_PF - * to make deferred PF setup work - * - * the regular PF hook does not know the client username or CN, so - * this is deferred to the TLS_FINAL hook which knows these things - */ - - /* do the double fork dance (see above for more verbose comments) - */ - pid_t p1 = fork(); - if (p1 < 0) /* Fork failed */ - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } - if (p1 > 0) /* parent process */ - { - waitpid(p1, NULL, 0); - return OPENVPN_PLUGIN_FUNC_SUCCESS; /* no _DEFERRED here! */ - } - - /* first gen child process, fork() again and exit() right away */ - pid_t p2 = fork(); - if (p2 < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); - exit(1); - } - - if (p2 != 0) /* new parent: exit right away */ - { - exit(0); - } - - /* (grand-)child process - * - never call "return" now (would mess up openvpn) - * - return status is communicated by file - * - then exit() - */ - - /* at this point, the plugin can take its time, because OpenVPN will - * no longer block waiting for the call to finish - * - * in this example, we build a PF file by copying over a file - * named ".pf" to the OpenVPN-provided pf file name - * - * a real example could do a LDAP lookup, a REST call, ... - */ - plugin_log(PLOG_NOTE, MODULE, "in async/deferred tls_final handler, sleep(%d)", context->test_packet_filter); - sleep(context->test_packet_filter); - - char buf[256]; - snprintf(buf, sizeof(buf), "%s.pf", cn ); - - /* there is a small race condition here - OpenVPN could detect our - * file while we have only written half of it. So "perfect" code - * needs to create this with a temp file name, and then rename() it - * after it has been written. But I am lazy. - */ - - int w_fd = open( pff, O_WRONLY|O_CREAT, 0600 ); - if (w_fd < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't write to '%s'", pff); - exit(0); - } - - int r_fd = open( buf, O_RDONLY ); - if (r_fd < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't read '%s', creating empty pf file", buf); - close(w_fd); - exit(0); - } - - char data[1024]; - - int r; - do - { - r = read(r_fd, data, sizeof(data)); - if (r < 0) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error reading '%s'", buf); - close(r_fd); - close(w_fd); - exit(0); - } - int w = write(w_fd, data, r); - if (w < 0 || w != r) - { - plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error writing %d bytes to '%s'", r, pff); - close(r_fd); - close(w_fd); - exit(0); - } - } - while(r > 0); - - plugin_log(PLOG_NOTE, MODULE, "copied PF config from '%s' to '%s', job done", buf, pff); - exit(0); -} - -OPENVPN_EXPORT int -openvpn_plugin_func_v3(const int v3structver, - struct openvpn_plugin_args_func_in const *args, - struct openvpn_plugin_args_func_return *ret) -{ - if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN) - { - fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE); - return OPENVPN_PLUGIN_FUNC_ERROR; - } - const char **argv = args->argv; - const char **envp = args->envp; - struct plugin_context *context = (struct plugin_context *) args->handle; - struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context; - switch (args->type) - { - case OPENVPN_PLUGIN_UP: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_UP"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_DOWN: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_DOWN"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_ROUTE_UP: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ROUTE_UP"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_IPCHANGE: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_IPCHANGE"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_TLS_VERIFY: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_VERIFY"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY"); - return auth_user_pass_verify(context, pcc, argv, envp); - - case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_CLIENT_DISCONNECT: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_LEARN_ADDRESS: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_LEARN_ADDRESS"); - return OPENVPN_PLUGIN_FUNC_SUCCESS; - - case OPENVPN_PLUGIN_TLS_FINAL: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_FINAL"); - return tls_final(context, pcc, argv, envp); - - case OPENVPN_PLUGIN_ENABLE_PF: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ENABLE_PF"); - - /* OpenVPN pre-creates the file, which gets in the way of - * deferred pf setup - so remove it here, and re-create - * it in the background handler (in tls_final()) when ready - */ - const char *pff = get_env("pf_file", envp); - if (pff) - { - (void) unlink(pff); - } - return OPENVPN_PLUGIN_FUNC_SUCCESS; /* must succeed */ - - default: - plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_?"); - return OPENVPN_PLUGIN_FUNC_ERROR; - } -} - -OPENVPN_EXPORT void * -openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) -{ - plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_constructor_v1"); - return calloc(1, sizeof(struct plugin_per_client_context)); -} - -OPENVPN_EXPORT void -openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) -{ - plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_destructor_v1"); - free(per_client_context); -} - -OPENVPN_EXPORT void -openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) -{ - struct plugin_context *context = (struct plugin_context *) handle; - plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_close_v1"); - free(context); -} diff --git a/sample/sample-plugins/defer/simple.def b/sample/sample-plugins/defer/simple.def deleted file mode 100755 index a87507d1..00000000 --- a/sample/sample-plugins/defer/simple.def +++ /dev/null @@ -1,6 +0,0 @@ -LIBRARY OpenVPN_PLUGIN_SAMPLE -DESCRIPTION "Sample OpenVPN plug-in module." -EXPORTS - openvpn_plugin_open_v1 @1 - openvpn_plugin_func_v1 @2 - openvpn_plugin_close_v1 @3