From patchwork Wed Apr 10 16:07:27 2019
X-Patchwork-Submitter: Eric Thorpe
X-Patchwork-Id: 718
To: openvpn-devel@lists.sourceforge.net
From: Eric Thorpe
Date: Thu, 11 Apr 2019 12:07:27 +1000
Subject: [Openvpn-devel] [PATCH v2 1/2] Send auth fail to client on reneg failure

Hi All,

This patch relies on Arne's "Add send_control_channel_string_dowork variant" patch. This patch modifies auth so that on a renegotiation the client is informed of a SESSION re-auth failure during a renegotiation if either their auth-token has expired, or they enter a wrong password in the case of auth-nocache for example. This also addresses my previous patch for supporting a client reason being rejected.

Regards,
Eric

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 28c3b8867..a883faa79 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2085,6 +2085,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) /* set flag so we don't get called again */ mi->connection_established_flag = true; + mi->context.c2.tls_multi->connection_established = true; /* increment number of current authenticated clients */ ++m->n_clients; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index dd5bd4163..327ae0891 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -233,6 +233,36 @@ send_auth_failed(struct context *c, const char *client_reason) gc_free(&gc); } +/* + * Send auth failed message from server to client without scheduling. + * Main use for queuing a message during renegotiation + */ +void +send_push_reply_auth_failed(struct tls_multi *multi, const char *client_reason) +{ + struct gc_arena gc = gc_new(); + static const char auth_failed[] = "AUTH_FAILED"; + size_t len; + + len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed); + if (len > PUSH_BUNDLE_SIZE) + { + len = PUSH_BUNDLE_SIZE; + } + + { + struct buffer buf = alloc_buf_gc(len, &gc); + buf_printf(&buf, auth_failed); + if (client_reason) + { + buf_printf(&buf, ",%s", client_reason); + } + send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH); + } + + gc_free(&gc); +} + /* * Send restart message from server to client. */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index ac25ffa78..b82a014a0 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -547,6 +547,7 @@ struct tls_multi time_t auth_token_tstamp; /**< timestamp of the generated token */ bool auth_token_sent; /**< If server uses --auth-gen-token and * token has been sent to client */ + bool connection_established ; /** Notifies future auth calls this is a reneg */ /* * Our session objects. */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c7e595e46..fd83cde85 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
@@ -1336,6 +1336,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now) { msg(D_HANDSHAKE, "Auth-token for client expired\n"); + send_push_reply_auth_failed(multi, "SESSION:Auth-token expired"); wipe_auth_token(multi); ks->authenticated = false; goto done; 
@@ -1458,6 +1459,12 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } else { + if (multi->connection_established) + { + /* Notify the client */ + send_push_reply_auth_failed(multi, "SESSION:Auth failed"); + + } msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); }
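Review bot: In the push.c hunk that adds send_push_reply_auth_failed(), no hunk in this patch adds the matching prototype to push.h, yet both ssl_verify.c hunks call the function; the build would then depend on an implicit declaration, which modern compilers reject. Add `void send_push_reply_auth_failed(struct tls_multi *multi, const char *client_reason);` to push.h. In the same hunk, `buf_printf(&buf, auth_failed);` passes a variable as the format string; auth_failed is a fixed literal so it is harmless today, but `buf_printf(&buf, "%s", auth_failed);` avoids the format-string warning and the trap for a later edit.

Review bot: In the ssl_common.h hunk, `bool connection_established ;` has a stray space before the semicolon, and the trailing comment should use the `/**<` form of the neighbouring auth_token_sent field so doxygen attaches it to the right member. The comment could also say that multi_connection_established() sets it and that nothing clears it for the lifetime of the tls_multi, since the later ssl_verify.c hunk keys its behaviour on exactly that.

Review bot: In the first ssl_verify.c hunk (@@ -1336, auth-token expiry), send_push_reply_auth_failed() is called unconditionally, while the second hunk (@@ -1458) only notifies the client when multi->connection_established is set. A client that reconnects with a stale token reaches the first path before any connection is established, so the two paths behave differently for what the commit message describes as a renegotiation case; wrapping the first call in the same `if (multi->connection_established)` guard keeps them consistent.

Review bot: In the second ssl_verify.c hunk (@@ -1458), drop the empty line between the send_push_reply_auth_failed() call and the closing brace of the if block.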
To: openvpn-devel@lists.sourceforge.net
From patchwork Wed Apr 10 16:07:32 2019
X-Patchwork-Submitter: Eric Thorpe
X-Patchwork-Id: 719
From: Eric Thorpe
Date: Thu, 11 Apr 2019 12:07:32 +1000
Subject: [Openvpn-devel] [PATCH v2 2/2] Support client reason from auth plugin

Hi All,

This patch allows for a client reason to be returned from an auth plugin and sent to the connecting client on an auth fail. This change is backwards compatible with existing plugins and hasn't caused issues with existing plugins like the included pam plugin in our testing.

The main purpose of this change is to support dynamic challenge/response from plugins; currently this is only possible from the management interface. Example usage for this change can be found in a new plugin here modified from the included PAM plugin - https://github.com/thesparklabs/openvpn-two-factor-extensions/tree/master/yubikey-u2f-pam-plugin

This is version two for this patch and addresses previous inadequacies pointed out.

Regards,
Eric
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9696e9bab..884c94a23 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1354,10 +1354,8 @@ tls_multi_free(struct tls_multi *multi, bool clear) ASSERT(multi); -#ifdef MANAGEMENT_DEF_AUTH - man_def_auth_set_client_reason(multi, NULL); + set_client_reason(multi, NULL); -#endif #if P2MP_SERVER free(multi->peer_info); #endif diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index b82a014a0..975fb983a 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -515,13 +515,13 @@ struct tls_multi char *locked_cn; char *locked_username; struct cert_hash_set *locked_cert_hash_set; - -#ifdef ENABLE_DEF_AUTH + /* * An error message to send to client on AUTH_FAILED */ char *client_reason; +#ifdef ENABLE_DEF_AUTH /* Time of last call to tls_authentication_status */ time_t tas_last; #endif diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index fd83cde85..fa0ba28c4 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -837,21 +837,6 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep #endif #ifdef MANAGEMENT_DEF_AUTH -void -man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason) -{ - if (multi->client_reason) - { - free(multi->client_reason); - multi->client_reason = NULL; - } - if (client_reason && strlen(client_reason)) - { - /* FIXME: Last alloc will never be freed */ - multi->client_reason = string_alloc(client_reason, NULL); - } -} - static inline unsigned int man_def_auth_test(const struct key_state *ks) { @@ -1055,7 +1040,7 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con if (multi) { int i; - man_def_auth_set_client_reason(multi, client_reason); + set_client_reason(multi, client_reason); for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; 
@@ -1081,6 +1066,21 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con * this is the place to start. *************************************************************************** */ + +void +set_client_reason(struct tls_multi *multi, const char *client_reason) +{ + if (multi->client_reason) + { + free(multi->client_reason); + multi->client_reason = NULL; + } + if (client_reason && strlen(client_reason)) + { + multi->client_reason = string_alloc(client_reason, NULL); + } +} + /* * Verify the user name and password using a script */ @@ -1166,7 +1166,7 @@ verify_user_pass_script(struct tls_session *session, const struct user_pass *up) * Verify the username and password using a plugin */ static int -verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, const char *raw_username) +verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up, const char *raw_username) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; #ifdef PLUGIN_DEF_AUTH @@ -1176,6 +1176,9 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, /* Is username defined? */ if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { + struct plugin_return pr, prfetch; + plugin_return_init(&pr); + /* set username/password in private env space */ setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); setenv_str(session->opt->es, "password", up->password); 
@@ -1197,7 +1200,23 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, #endif /* call command */ - retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es); + retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, &pr, session->opt->es); + + /* Fetch client reason */ + plugin_return_get_column(&pr, &prfetch, "client_reason"); + if (plugin_return_defined(&prfetch)) + { + int i; + for (i = 0; i < prfetch.n; ++i) + { + if (prfetch.list[i] && prfetch.list[i]->value) + { + set_client_reason(multi, prfetch.list[i]->value); + } + } + } + + plugin_return_free(&pr); #ifdef PLUGIN_DEF_AUTH /* purge auth control filename (and file itself) for non-deferred returns */ @@ -1378,7 +1397,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #endif if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) { - s1 = verify_user_pass_plugin(session, up, raw_username); + s1 = verify_user_pass_plugin(session, multi, up, raw_username); } if (session->opt->auth_user_pass_verify_script) { @@ -1462,7 +1481,16 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, if (multi->connection_established) { /* Notify the client */ - send_push_reply_auth_failed(multi, "SESSION:Auth failed"); + const char *client_reason; + if (multi->client_reason != NULL) + { + client_reason = multi->client_reason; + } + else + { + client_reason = "SESSION:Auth failed"; + } + send_push_reply_auth_failed(multi, client_reason); } msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index 3e2267aed..afcfb77be 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h 
@@ -171,6 +171,8 @@ tls_common_name_hash(const struct tls_multi *multi, const char **cn, uint32_t *c #endif +void set_client_reason(struct tls_multi *multi, const char *client_reason); + /** * Verify the given username and password, using either an external script, a * plugin, or the management interface. @@ -225,19 +227,12 @@ struct x509_track */ #ifdef MANAGEMENT_DEF_AUTH bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason); - -void man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason); - #endif static inline const char * tls_client_reason(struct tls_multi *multi) { -#ifdef ENABLE_DEF_AUTH return multi->client_reason; -#else - return NULL; -#endif } /** Remove any X509_ env variables from env_set es */
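Review bot: In the ssl_verify.c hunk at @@ -1197 (fetching "client_reason" after plugin_call()), multi->client_reason is only updated when a plugin returns the column, so a reason stored by an earlier failed attempt stays in place and would be sent again on a later failure where the plugin returned nothing; call `set_client_reason(multi, NULL);` before plugin_call() so each verification starts clean. When several plugins return the column the loop silently lets the last entry win, which deserves a comment. `prfetch` is never freed; that is only correct if plugin_return_get_column() aliases entries of `pr` rather than copying them, and a one-line comment saying so would save the next reader the check.

Review bot: In the ssl_verify.c hunk at @@ -1462, a plugin-supplied reason is forwarded to the client verbatim while the fallback is "SESSION:Auth failed"; the plugin API comment (or the commit message) should state that the plugin is responsible for emitting the complete string, prefix included, since nothing in verify_user_pass() adds one. The `const char *client_reason` local could also be initialised directly with a ternary to keep the block short.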