From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 Mar 2023 14:53:52 +0100
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/2] Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session to send control messages.
This assumption was only achieved through complicated session moving and shuffling in our state machine in the past. The old logic basically also always assumed that control messages are always for fully authenticated clients. This assumption was never really true (see AUTH_FAILED message) but has been broken even more by auth-pending. Cleaning up the state machine transitions in 7dcde87b7a broke this assumption even more.

This change now allows specifying the key_state/TLS session that is used to send the control message.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 5 ++++-
 src/openvpn/ssl.c     | 7 ++-----
 src/openvpn/ssl.h     | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 257c7c75c..9bb099097 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -372,8 +372,11 @@ send_control_channel_string_dowork(struct tls_multi *multi, struct gc_arena gc = gc_new(); bool stat; + ASSERT(multi); + struct key_state *ks = get_key_scan(multi, 0); + /* buffered cleartext write onto TLS control channel */ - stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1); + stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1); msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", tls_common_name(multi, false),
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 016bdc57f..b84f23c62 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3988,18 +3988,15 @@ tls_post_encrypt(struct tls_multi *multi, struct buffer *buf) */ bool -tls_send_payload(struct tls_multi *multi, +tls_send_payload(struct key_state *ks, const uint8_t *data, int size) { - struct key_state *ks; bool ret = false; tls_clear_error(); - ASSERT(multi); - - ks = get_key_scan(multi, 0); + ASSERT(ks); if (ks->state >= S_ACTIVE) {
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index b0a2823fb..7ea13b920 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h
@@ -414,7 +414,7 @@ void ssl_put_auth_challenge(const char *cr_str); /* * Send a payload over the TLS control channel */ -bool tls_send_payload(struct tls_multi *multi, +bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size);
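Review bot: The ssl.h hunk changes the prototype to `bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size);` but leaves the comment `/* * Send a payload over the TLS control channel */` untouched, so the header no longer says which key state a caller is expected to hand in. Please document here that the caller now chooses the key state (the forward.c hunk uses `get_key_scan(multi, 0)`), that `ks` must not be NULL (the ssl.c hunk replaces `ASSERT(multi)` with `ASSERT(ks)`), and that the payload is only written when `ks->state >= S_ACTIVE`; as far as the ssl.c hunk shows, `bool ret = false;` is only updated inside that branch, so callers should expect a false return for a key state that is not yet active rather than an error.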

From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 Mar 2023 14:53:53 +0100
Message-Id: <20230301135353.2811069-2-arne@rfc2549.org>
In-Reply-To: <20230301135353.2811069-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/2] Make sending plain text control message session aware

The control messages coming from auth pending should always be on the session that triggered them (i.e. INITIAL or ACTIVE) and not always on the active session.
Rework the code path that triggers those messages from management and plugin/script to specify the TLS session. We only support the two TLS sessions that are supposed to be active. TLS sessions in any lame slot (TM_LAME or KS_LAME) are not considered to be candidates for sending messages as these slots only serve to keep key material around.

Unfortunately, this fix requires the management interface to be changed to allow including the specific session the messages should go to. As there are very few users of this interface with auth-pending, I made this a hard change instead of adding hacky workaround code that is not always working correctly anyway.

send_control_channel_string will continue to only use the primary session and key but the current users of that (push replies and exit notification) already require the established session to be the active one, so there are no changes needed at the moment.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst              |  3 +++
 doc/management-notes.txt | 13 +++++++++----
 src/openvpn/forward.c    | 12 ++++++------
 src/openvpn/forward.h    | 11 ++++++-----
 src/openvpn/manage.c     | 13 ++++++++-----
 src/openvpn/manage.h     |  3 ++-
 src/openvpn/multi.c      | 20 +++++++++++++++++++-
 src/openvpn/push.c       | 27 +++++++++++++++++++--------
 src/openvpn/push.h       |  8 +++++---
 src/openvpn/ssl_verify.c |  9 +++++----
 10 files changed, 82 insertions(+), 37 deletions(-)

diff --git a/Changes.rst b/Changes.rst index c5335ce93..43f312fc6 100644 --- a/Changes.rst +++ b/Changes.rst @@ -223,6 +223,9 @@ User-visible Changes compatibility with older versions. See the manual page on the ``--compat-mode`` for details. +- The ``client-pending-auth`` management command now requires also the + key id. The management version has been changed to 5 to indicate this change. + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 34f301db7..5c51bc997 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -613,10 +613,10 @@ COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message to signal a pending authenticating to the client. A pending auth means -that the connecting requires extra authentication like a one time +that connecting requires extra authentication like a one time password or doing a single sign on via web. - client-pending-auth {CID} {EXTRA} {TIMEOUT} + client-pending-auth {CID} {KID} {EXTRA} {TIMEOUT} The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. If the client supports accepting keywords to AUTH_PENDING (announced via IV_PROTO), @@ -639,11 +639,16 @@ Both client and server limit the maximum timeout to the smaller value of half th For the format of {EXTRA} see below. For OpenVPN server this is a stateless operation and needs to be followed by a client-deny/client-auth[-nt] command -(that is the result of the out of band authentication). +(that is the result of the out-of-band authentication). + +Note that the {KID} argument has been added in management version 5 to +correctly allow specifing the pending client authentication the message is + +tying together this message strictly to the authentication Before issuing a client-pending-auth to a client instead of a client-auth/client-deny, the server should check the IV_SSO -environment variable for whether the method is supported. Currently +environment variable for whether the method is supported. Currently, defined methods are crtext for challenge/response using text (e.g., TOTP), openurl (deprecated) and webauth for opening a URL in the client to continue authentication. A client supporting webauth and diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 9bb099097..8fcd703c4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -366,20 +366,20 @@ check_connection_established(struct context *c) } bool -send_control_channel_string_dowork(struct tls_multi *multi, +send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel) { struct gc_arena gc = gc_new(); bool stat; - ASSERT(multi); - struct key_state *ks = get_key_scan(multi, 0); + ASSERT(session); + struct key_state *ks = &session->key[KS_PRIMARY]; /* buffered cleartext write onto TLS control channel */ stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1); msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", - tls_common_name(multi, false), + session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc), (int) stat); @@ -399,8 +399,8 @@ send_control_channel_string(struct context *c, const char *str, int msglevel) { if (c->c2.tls_multi) { - bool ret = send_control_channel_string_dowork(c->c2.tls_multi, - str, msglevel); + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + bool ret = send_control_channel_string_dowork(session, str, msglevel); reschedule_multi_process(c); return ret; diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 7376bca23..e19115ea1 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -265,21 +265,22 @@ send_control_channel_string(struct context *c, const char *str, int msglevel); /* * Send a string to remote over the TLS control channel. - * Used for push/pull messages, passing username/password, - * etc. + * Used for push/pull messages, auth pending and other clear text + * control messages. * * This variant does not schedule the actual sending of the message * The caller needs to ensure that it is scheduled or call * send_control_channel_string * - * @param multi - The tls_multi structure of the VPN tunnel associated - * with the packet. + * @param session - The session structure of the VPN tunnel associated + * with the packet. The method will always use the + * primary key (KS_PRIMARY) for sending the message * @param str - The message to be sent * @param msglevel - Message level to use for logging */ bool -send_control_channel_string_dowork(struct tls_multi *multi, +send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel); diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index db88e3479..05358af45 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -1042,22 +1042,25 @@ parse_uint(const char *str, const char *what, unsigned int *uint) * * @param man The management interface struct * @param cid_str The CID in string form + * @param kid_str The key ID in string form * @param extra The string to be send to the client containing * the information of the additional steps */ static void man_client_pending_auth(struct management *man, const char *cid_str, - const char *extra, const char *timeout_str) + const char *kid_str, const char *extra, + const char *timeout_str) { unsigned long cid = 0; + unsigned int kid = 0; unsigned int timeout = 0; - if (parse_cid(cid_str, &cid) + if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid) && parse_uint(timeout_str, "TIMEOUT", &timeout)) { if (man->persist.callback.client_pending_auth) { bool ret = (*man->persist.callback.client_pending_auth) - (man->persist.callback.arg, cid, extra, timeout); + (man->persist.callback.arg, cid, kid, extra, timeout); if (ret) { @@ -1594,9 +1597,9 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } else if (streq(p[0], "client-pending-auth")) { - if (man_need(man, p, 3, 0)) + if (man_need(man, p, 4, 0)) { - man_client_pending_auth(man, p[1], p[2], p[3]); + man_client_pending_auth(man, p[1], p[2], p[3], p[4]); } } else if (streq(p[0], "rsa-sig")) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 2ced90835..07317a402 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -52,7 +52,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 4 +#define MANAGEMENT_VERSION 5 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 
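Review bot: In the man_dispatch_command hunk, `man_need(man, p, 4, 0)` together with `man_client_pending_auth(man, p[1], p[2], p[3], p[4])` shifts every positional argument by one, so a management client still speaking the version-4 form `client-pending-auth {CID} {EXTRA} {TIMEOUT}` fails the argument-count check, and one that happens to supply four arguments has its EXTRA string fed to `parse_uint(kid_str, "KID", &kid)`. The commit message makes this a deliberate hard break, which is fine, but the new docstring line `@param kid_str The key ID in string form` should say which id is meant and where the management client obtains it (the `mda_key_id` of the key state awaiting authentication, which is what the multi.c lookup compares against), otherwise implementers of the interface have no way to tell KID apart from the key id visible in other management output.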
@@ -194,6 +194,7 @@ struct management_callback struct buffer_list *cc_config); /* ownership transferred */ bool (*client_pending_auth) (void *arg, const unsigned long cid, + const unsigned int kid, const char *extra, unsigned int timeout); char *(*get_peer_info) (void *arg, const unsigned long cid); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f25590168..14ec39dc5 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -4025,15 +4025,33 @@ management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) static bool management_client_pending_auth(void *arg, const unsigned long cid, + const unsigned int mda_key_id, const char *extra, unsigned int timeout) { struct multi_context *m = (struct multi_context *) arg; struct multi_instance *mi = lookup_by_cid(m, cid); + if (mi) { + struct tls_multi *multi = mi->context.c2.tls_multi; + struct tls_session *session; + + if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id) + { + session = &multi->session[TM_INITIAL]; + } + else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id) + { + session = &multi->session[TM_ACTIVE]; + } + else + { + return false; + } + /* sends INFO_PRE and AUTH_PENDING messages to client */ - bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra, + bool ret = send_auth_pending_messages(multi, session, extra, timeout); reschedule_multi_process(&mi->context); multi_schedule_context_wakeup(m, mi); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 4d64ad1af..3475cbda8 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -412,7 +412,16 @@ send_auth_failed(struct context *c, const char *client_reason) { buf_printf(&buf, ",%s", client_reason); } - send_control_channel_string(c, BSTR(&buf), D_PUSH); + + /* We kill the whole session, send the AUTH_FAILED to any TLS session + * that might be active */ + send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL], + BSTR(&buf), D_PUSH); + send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE], + BSTR(&buf), D_PUSH); + + reschedule_multi_process(c); + } gc_free(&gc); @@ -420,10 +429,11 @@ send_auth_failed(struct context *c, const char *client_reason) bool -send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, - unsigned int timeout) +send_auth_pending_messages(struct tls_multi *tls_multi, + struct tls_session *session, + const char *extra, unsigned int timeout) { - struct key_state *ks = get_key_scan(tls_multi, 0); + struct key_state *ks = &session->key[KS_PRIMARY]; static const char info_pre[] = "INFO_PRE,"; @@ -440,7 +450,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, struct gc_arena gc = gc_new(); if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0) { - send_control_channel_string_dowork(tls_multi, "AUTH_PENDING", D_PUSH); + send_control_channel_string_dowork(session, "AUTH_PENDING", D_PUSH); } else { @@ -451,7 +461,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, struct buffer buf = alloc_buf_gc(len, &gc); buf_printf(&buf, auth_pre); buf_printf(&buf, "%u", timeout); - send_control_channel_string_dowork(tls_multi, BSTR(&buf), D_PUSH); + send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH); } size_t len = strlen(extra) + 1 + sizeof(info_pre); 
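Review bot: In the management_client_pending_auth hunk in multi.c, the `else { return false; }` branch taken when `mda_key_id` matches neither `multi->session[TM_INITIAL].key[KS_PRIMARY]` nor `multi->session[TM_ACTIVE].key[KS_PRIMARY]` returns without any log output, so a management client that sends a stale or mistyped KID gets the same failure as an unknown CID and the server log records nothing about why no AUTH_PENDING reached the client. A `msg()` naming the cid and the rejected kid before `return false;` would make that diagnosable from the server side. It is also worth confirming what `mda_key_id` holds in a TM_INITIAL key slot that is not currently in use: that slot is compared first, and if an idle slot carries a default value that a caller could legitimately pass, the messages would be routed to an idle session instead of the active one.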
@@ -464,7 +474,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, struct buffer buf = alloc_buf_gc(len, &gc); buf_printf(&buf, info_pre); buf_printf(&buf, "%s", extra); - send_control_channel_string_dowork(tls_multi, BSTR(&buf), D_PUSH); + send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH); ks->auth_deferred_expire = now + timeout; @@ -736,6 +746,7 @@ send_push_reply_auth_token(struct tls_multi *multi) { struct gc_arena gc = gc_new(); struct push_list push_list = { 0 }; + struct tls_session *session = &multi->session[TM_ACTIVE]; prepare_auth_token_push_reply(multi, &gc, &push_list); @@ -746,7 +757,7 @@ send_push_reply_auth_token(struct tls_multi *multi) /* Construct a mimimal control channel push reply message */ struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc); buf_printf(&buf, "%s,%s", push_reply_cmd, e->option); - send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH); + send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH); gc_free(&gc); } diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 5e594a30a..f43ab0966 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -78,16 +78,18 @@ void send_auth_failed(struct context *c, const char *client_reason); * more details on message format */ bool -send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, +send_auth_pending_messages(struct tls_multi *tls_multi, + struct tls_session *session, const char *extra, unsigned int timeout); void send_restart(struct context *c, const char *kill_msg); /** * Sends a push reply message only containin the auth-token to update - * the auth-token on the client + * the auth-token on the client. Always pushes to the active session * - * @param multi - The tls_multi structure belonging to the instance to push to + * @param multi - The \c tls_multi structure belonging to the instance + * to push to */ void send_push_reply_auth_token(struct tls_multi *multi); 
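Review bot: In the send_auth_failed hunk in push.c, `send_control_channel_string_dowork` is now called unconditionally for both `&c->c2.tls_multi->session[TM_INITIAL]` and `&c->c2.tls_multi->session[TM_ACTIVE]`. For whichever of the two sessions is not established, the forward.c hunk still emits `msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", ...)` with `"UNDEF"` as the common name and, because tls_send_payload only writes when `ks->state >= S_ACTIVE`, a `status=0`, so every AUTH_FAILED will add one spurious failed-send line at D_PUSH and may be read by operators as a delivery problem. Either check the primary key state of each session before calling, or let the dowork function log a skipped send at a lower level. The empty line between `reschedule_multi_process(c);` and the closing `}` is stray whitespace.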
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 996aee01f..1b589f1a6 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -916,7 +916,8 @@ check_auth_pending_method(const char *peer_info, const char *method) */ static bool key_state_check_auth_pending_file(struct auth_deferred_status *ads, - struct tls_multi *multi) + struct tls_multi *multi, + struct tls_session *session) { bool ret = true; if (ads->auth_pending_file) @@ -965,7 +966,7 @@ key_state_check_auth_pending_file(struct auth_deferred_status *ads, } else { - send_auth_pending_messages(multi, BSTR(extra_buf), timeout); + send_auth_pending_messages(multi, session, BSTR(extra_buf), timeout); } } @@ -1390,7 +1391,7 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, /* Check if we the plugin has written the pending auth control * file and send the pending auth to the client */ if (!key_state_check_auth_pending_file(&ks->script_auth, - multi)) + multi, session)) { retval = OPENVPN_PLUGIN_FUNC_ERROR; key_state_rm_auth_control_files(&ks->script_auth); @@ -1514,7 +1515,7 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, { /* Check if the plugin has written the pending auth control * file and send the pending auth to the client */ - if (!key_state_check_auth_pending_file(&ks->plugin_auth, multi)) + if (!key_state_check_auth_pending_file(&ks->plugin_auth, multi, session)) { retval = OPENVPN_PLUGIN_FUNC_ERROR; }
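Review bot: In the doc/management-notes.txt hunk, the added paragraph is cut off: `+Note that the {KID} argument has been added in management version 5 to +correctly allow specifing the pending client authentication the message is + +tying together this message strictly to the authentication` has a blank `+` line in the middle of the sentence, never completes it, and misspells "specifying". Since this is the only user-facing description of the new argument, it should state in one sentence that {KID} is the key id of the pending client authentication and that the server sends AUTH_PENDING and INFO_PRE only on the TLS session holding that key (which is what the multi.c lookup enforces), and that clients written for management version 4 must add the argument.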