From patchwork Thu Jun 13 04:41:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 752
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 13 Jun 2019 16:41:09 +0200 Message-Id: <20190613144113.6418-2-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190613144113.6418-1-arne@rfc2549.org> References: <20190613144113.6418-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.0 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1hbQuw-00C2DZ-EY Subject: [Openvpn-devel] [PATCH 1/5] Implement parsing and sending INFO and INFO_PRE control messages X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox

OpenVPN out of band and auth pending authentication implements these messages to send information during the authentication to the UI, implement these messages also in OpenVPN 2.x to be able to be picked up by the UI

Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 8 ++++++++ src/openvpn/push.c | 33 +++++++++++++++++++++++++++++++++ src/openvpn/push.h | 3 +++ 3 files changed, 44 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 35df089a..3803479f 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -395,6 +395,14 @@ check_incoming_control_channel_dowork(struct context *c) { server_pushed_signal(c, &buf, false, 4); } + else if (buf_string_match_head_str(&buf, "INFO_PRE")) + { + server_pushed_info(c, &buf, 8); + } + else if (buf_string_match_head_str(&buf, "INFO")) + { + server_pushed_info(c, &buf, 4); + } else { msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 8befc6f5..8632a9bb 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -176,6 +176,39 @@ server_pushed_signal(struct context *c, const struct buffer *buffer, const bool } } +void +server_pushed_info(struct context *c, const struct buffer *buffer, + const int adv) +{ + const char *m = ""; + struct buffer buf = *buffer; + + if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf)) + { + m = BSTR(&buf); + } + + #ifdef ENABLE_MANAGEMENT + struct gc_arena gc; + if (management) + { + gc = gc_new(); + + /* + * We use >INFOMSG here instead of plain >INFO since INFO is used to + * for management greeting and we don't want to confuse the client + */ + struct buffer out = alloc_buf_gc(256, &gc); + buf_printf(&out, ">%s:%s", "INFOMSG", m); + management_notify_generic(management, BSTR(&out)); + + gc_free(&gc); + } + #endif + msg(D_PUSH, "Info command was pushed by server ('%s')", m); +} + + #if P2MP_SERVER /** * Add an option to the given push list by providing a format string. diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 5f6181e7..750a9800 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h 
@@ -50,6 +50,9 @@ void receive_auth_failed(struct context *c, const struct buffer *buffer); void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv); +void server_pushed_info(struct context *c, const struct buffer *buffer, + const int adv); + void incoming_push_message(struct context *c, const struct buffer *buffer); #if P2MP_SERVER

From patchwork Thu Jun 13 04:41:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 751
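Review bot: in the forward.c hunk of [PATCH 1/5], the two new branches only work because "INFO_PRE" is tested before "INFO" (buf_string_match_head_str() is a prefix match, so the "INFO" test would also accept INFO_PRE); add a one-line comment saying the order is deliberate, and pass strlen("INFO_PRE") / strlen("INFO") (or sizeof()-1) to server_pushed_info() instead of the bare 8 and 4 so the advance cannot drift from the keyword.

Review bot: in the push.c hunk of [PATCH 1/5], server_pushed_info() builds the management line in a fixed alloc_buf_gc(256, &gc) and does not check the return value of buf_printf(&out, ">%s:%s", "INFOMSG", m), so an INFO text longer than about 245 bytes is silently truncated on the way to the UI while the full text still goes to the log; size the buffer from BLEN(&buf) plus the ">INFOMSG:" prefix, or test the return value and report the truncation. In the same function m comes straight off the control channel and is written to the management socket and the log without a string_mod()/CC_PRINT style pass; if the control-channel read path does not already restrict the character set, strip CR/LF here so one pushed message cannot turn into several lines on the management interface. Minor: the `#ifdef ENABLE_MANAGEMENT` / `#endif` pair is indented while the rest of the file keeps preprocessor directives in column 0, and `struct gc_arena gc;` can be declared inside the `if (management)` block next to gc_new().

Review bot: in the push.h hunk of [PATCH 1/5], the new prototype gives no hint what adv is; since both call sites pass bare integers, add a short comment stating that it is the number of bytes of the keyword the caller has already matched.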
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 13 Jun 2019 16:41:10 +0200 Message-Id: <20190613144113.6418-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190613144113.6418-1-arne@rfc2549.org> References: <20190613144113.6418-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH 2/5] Implement forwarding client CR_RESPONSE messages to management

When signalling the client that it should do Challenge response without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server needs to forward the response via the management console.
Signed-off-by: Arne Schwabe --- doc/management-notes.txt | 19 +++++++++++++++++++ src/openvpn/forward.c | 4 ++++ src/openvpn/manage.c | 28 +++++++++++++++++++++++++++- src/openvpn/manage.h | 4 ++++ src/openvpn/push.c | 21 +++++++++++++++++++++ src/openvpn/push.h | 2 ++ 6 files changed, 77 insertions(+), 1 deletion(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 17645c1d..05d30b0a 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -979,6 +979,24 @@ CLIENT notification types: >CLIENT:ADDRESS,{CID},{ADDR},{PRI} +(5) Single Sign On Based Challenge/Response + + >CLIENT:CR_RESPONSE,{CID},{KID},{response_base64} + >CLIENT:ENV,name1=val1 + >CLIENT:ENV,name2=val2 + >CLIENT:ENV,... + >CLIENT:ENV,END + + CR_RESPONSE notifcation. The >CR_RESPONSE fulfils the same purpose as the + CRV1 response in the traditional challenge/response. See that section below for more + details. Since this still uses the same cid as the original response, we do + not use the username and opaque session data in this response. + + It is important to note that OpenVPN2 merely passes the authentication information and + does not do any further checks. (E.g. if a CR was issued before or if multiple CR responses + were sent from the client). + + Variables: CID -- Client ID, numerical ID for each connecting client, sequence = 0,1,2,... @@ -1175,3 +1193,4 @@ issued: ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the base 64 encoding of "8675309".) + diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 3803479f..0dbbb88c 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -403,6 +403,10 @@ check_incoming_control_channel_dowork(struct context *c) { server_pushed_info(c, &buf, 4); } + else if (buf_string_match_head_str(&buf, "CR_RESPONSE")) + { + receive_cr_response(c, &buf); + } else { msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); 
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 2d86dad4..a2b58296 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -2823,7 +2823,7 @@ management_notify_generic(struct management *man, const char *str) #ifdef MANAGEMENT_DEF_AUTH static void -man_output_peer_info_env(struct management *man, struct man_def_auth_context *mdac) +man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac) { char line[256]; if (man->persist.callback.get_peer_info) @@ -2873,6 +2873,32 @@ management_notify_client_needing_auth(struct management *management, } } +void +management_notify_client_cr_response(unsigned mda_key_id, + const struct man_def_auth_context *mdac, + const struct env_set *es, + const char* response) +{ + struct gc_arena gc; + if (management) + { + gc = gc_new(); + + struct buffer out = alloc_buf_gc(256, &gc); + msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", + mdac->cid, mda_key_id, response); + man_output_extra_env(management, "CLIENT"); + if (management->connection.env_filter_level>0) + { + man_output_peer_info_env(management, mdac); + } + man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); + management_notify_generic(management, BSTR(&out)); + + gc_free(&gc); + } +} + void management_connection_established(struct management *management, struct man_def_auth_context *mdac, diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index d24abe09..5f19cc3d 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -428,6 +428,10 @@ void management_learn_addr(struct management *management, const struct mroute_addr *addr, const bool primary); +void management_notify_client_cr_response(unsigned mda_key_id, + const struct man_def_auth_context *mdac, + const struct env_set *es, + const char* response); #endif char *management_query_pk_sig(struct management *man, const char *b64_data); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 8632a9bb..3b568b9b 100644 
--- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -208,6 +208,27 @@ server_pushed_info(struct context *c, const struct buffer *buffer, msg(D_PUSH, "Info command was pushed by server ('%s')", m); } +void +receive_cr_response(struct context *c, const struct buffer *buffer) +{ + struct buffer buf = *buffer; + const char *m = ""; + + if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf)) + { + m = BSTR(&buf); + } +#ifdef MANAGEMENT_DEF_AUTH + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + struct man_def_auth_context *mda = session->opt->mda_context; + struct env_set *es = session->opt->es; + int key_id = session->key[KS_PRIMARY].key_id; + + + management_notify_client_cr_response(key_id, mda, es, m); +#endif + msg(D_PUSH, "CR response was sent by client ('%s')", m); +} #if P2MP_SERVER /** diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 750a9800..3f5079f3 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h 
@@ -53,6 +53,8 @@ void server_pushed_signal(struct context *c, const struct buffer *buffer, const void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv); +void receive_cr_response(struct context *c, const struct buffer *buffer); + void incoming_push_message(struct context *c, const struct buffer *buffer); #if P2MP_SERVER

From patchwork Thu Jun 13 04:41:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 749
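Review bot: in the doc/management-notes.txt hunks of [PATCH 2/5], "notifcation" should be "notification", and the second hunk (@@ -1175,3 +1193,4 @@) adds a stray empty line at the end of the file that should be dropped. The text already states that OpenVPN2 "merely passes the authentication information and does not do any further checks"; say explicitly that the management client must accept a CR_RESPONSE only for a CID/KID it has an outstanding challenge for and must ignore repeats, otherwise readers may assume the daemon enforces that.

Review bot: in the forward.c hunk of [PATCH 2/5], check_incoming_control_channel_dowork() runs on both sides of the connection (the INFO/INFO_PRE branch just above it is the client-side case), so a CR_RESPONSE string arriving at a client is also handed to receive_cr_response() and, with a management interface attached in a MANAGEMENT_DEF_AUTH build, produces a >CLIENT:CR_RESPONSE notification on the client's management interface; gate this branch on running in server mode.

Review bot: in the manage.c hunk of [PATCH 2/5], management_notify_client_cr_response() allocates `struct buffer out = alloc_buf_gc(256, &gc);`, never writes into it, and then calls management_notify_generic(management, BSTR(&out)), which emits an empty line after the CLIENT:ENV,END marker; the notification itself is already sent by the msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", ...) line, so out, gc and the management_notify_generic() call look like a leftover from server_pushed_info() and should go. Style: `const char* response` should be `const char *response` here and in the manage.h prototype, as in the rest of the file.

Review bot: in the push.c hunk of [PATCH 2/5], receive_cr_response() logs the response with msg(D_PUSH, "CR response was sent by client ('%s')", m); the response is the user's answer to an authentication challenge (an OTP or similar), so it should not be written to the log; log only that a CR_RESPONSE of BLEN(&buf) bytes arrived. The hard-coded buf_advance(&buf, 11) should be strlen("CR_RESPONSE"), there is a doubled blank line before the management_notify_client_cr_response() call, and key_id is declared int while the callee takes unsigned mda_key_id. Since the function forwards whatever the peer sent and the doc hunk says no further checks are done, reject the message here (msg + return) when it contains characters outside the base64 alphabet, so the management client never sees an unparseable or multi-line CLIENT:CR_RESPONSE record.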
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 13 Jun 2019 16:41:11 +0200 Message-Id: <20190613144113.6418-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190613144113.6418-1-arne@rfc2549.org> References: <20190613144113.6418-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH 3/5] Implement support for signalling IV_SSO to server

Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- src/openvpn/ssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 640808f9..45806553 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c
@@ -2343,7 +2343,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) if ((((strncmp(e->string, "UV_", 3)==0 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0) && session->opt->push_peer_info_detail >= 2) - || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)) + || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0) + || (strncmp(e->string,"IV_SSO=",sizeof("IV_SSO=")-1)==0) + ) && buf_safe(&out, strlen(e->string)+1)) { buf_printf(&out, "%s\n", e->string);

From patchwork Thu Jun 13 04:41:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 750
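Review bot: in the ssl.c hunk of [PATCH 3/5], the condition is now four nested boolean groups ending in a dangling `+ )` on its own line, which is hard to read and easy to get wrong the next time an IV_ entry is added; factor the prefixes that are sent on the same terms as IV_GUI_VER into a small static helper or a prefix table looped with strncmp(). Also document IV_SSO next to IV_GUI_VER in the --push-peer-info description, since the hunk makes it a peer-info entry the client forwards whenever IV_GUI_VER is forwarded.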
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 13 Jun 2019 16:41:12 +0200 Message-Id: <20190613144113.6418-5-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190613144113.6418-1-arne@rfc2549.org> References: <20190613144113.6418-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH 4/5] Implement sending response to challenge via CR_RESPONSE

When a client announces its support for text based challenge/response via IV_SSO=cr_text, the client needs to also be able to reply to that response. This adds the "cr-response" management function to be able to do this. The answer should be base64 encoded.

Signed-off-by: Arne Schwabe --- doc/management-notes.txt | 8 ++++++++ src/openvpn/init.c | 25 +++++++++++++++++++++++++ src/openvpn/manage.c | 37 ++++++++++++++++++++++++++++++++++++- src/openvpn/manage.h | 1 + 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 05d30b0a..29f2da75 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt
@@ -806,6 +806,14 @@ To accept connecting to the host and port directly, use this command: proxy NONE +COMMAND -- cr-response (OpenVPN 2.5 or higher) +------------------------------------------------- +Provides support for sending responses a challenge/response +query via INFOMSG,CR_TEXT. The response should be base64 encoded: + + cr-response SGFsbG8gV2VsdCE= + + COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) ----------------------------------------------------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 647f5336..08425d85 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -287,6 +287,30 @@ ce_management_query_proxy(struct context *c) return ret; } +static bool +management_callback_send_cc_mesage(void *arg, + const char *command, + const char *parameters) +{ + struct context *c = (struct context *) arg; + size_t len = strlen(command) + 1 + sizeof(parameters) + 1; + if (len > PUSH_BUNDLE_SIZE) + { + return false; + } + + struct gc_arena gc = gc_new(); + struct buffer buf = alloc_buf_gc(len, &gc); + ASSERT(buf_printf(&buf, "%s", command)); + if (parameters) + { + ASSERT(buf_printf(&buf, ",%s", parameters)); + } + bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH); + + gc_free(&gc); + return status; +} static bool management_callback_remote_cmd(void *arg, const char **p) @@ -3920,6 +3944,7 @@ init_management_callback_p2p(struct context *c) cb.show_net = management_show_net_callback; cb.proxy_cmd = management_callback_proxy_cmd; cb.remote_cmd = management_callback_remote_cmd; + cb.send_cc_message = management_callback_send_cc_mesage; #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index a2b58296..8ec90bb1 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -75,6 +75,7 @@ man_help(void) msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract)."); msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off)."); msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer."); + msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server"); msg(M_CLIENT, "exit|quit : Close management session."); msg(M_CLIENT, "forget-passwords : Forget passwords entered so far."); msg(M_CLIENT, "help : Print this message."); @@ -779,6 +780,27 @@ man_net(struct management *man) } } +static void +man_send_cc_message(struct management *man, const char* message, const char* parameters) +{ + if (man->persist.callback.send_cc_message) + { + const bool status = (*man->persist.callback.send_cc_message) + (man->persist.callback.arg, message, parameters); + if (status) + { + msg(M_CLIENT, "SUCCESS: command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: command failed"); + } + } + else + { + msg(M_CLIENT, "ERROR: This command is not supported by the current daemon mode"); + } +} #ifdef ENABLE_PKCS11 static void @@ -1144,7 +1166,13 @@ man_load_stats(struct management *man) } #define MN_AT_LEAST (1<<0) - +/** + * + * @param p pointer to the parameter array + * @param n number of arguments required + * @param flags if MN_AT_LEAST require at least n parameters and not exactly n + * @return Return wether p has n (or at least n) parameters + */ static bool man_need(struct management *man, const char **p, const int n, unsigned int flags) { @@ -1460,6 +1488,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_query_need_str(man, p[1], p[2]); } } + else if (streq(p[0], "cr-response")) + { + if (man_need (man, p, 1, 0)) + { + man_send_cc_message (man, "CR_RESPONSE", p[1]); + } + } else if (streq(p[0], "net")) { man_net(man); diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 5f19cc3d..6a749725 100644 
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -164,6 +164,7 @@ struct management_callback int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); void (*delete_event) (void *arg, event_t event); int (*n_clients) (void *arg); + bool (*send_cc_message) (void *arg, const char *message, const char *parameter); #ifdef MANAGEMENT_DEF_AUTH bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg); bool (*client_auth) (void *arg,
From patchwork Thu Jun 13 04:41:13 2019 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 753
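Review bot: in the doc/management-notes.txt hunk, "Provides support for sending responses a challenge/response query via INFOMSG,CR_TEXT" is missing a word ("sending responses to a challenge/response query"), and it calls the notification `INFOMSG,CR_TEXT` while the server-side documentation added in patch 5/5 of this series calls it `INFO_PRE,CR_TEXT`; the two names need to agree so that someone implementing a management client can match the challenge to the reply. It would also help to state that the base64 encoding applies to the user's answer, since the challenge text itself is not encoded.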
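Review bot: in the init.c hunk, `size_t len = strlen(command) + 1 + sizeof(parameters) + 1;` takes the size of the pointer (not of the string), so `len` is fixed at `strlen(command) + 10` whatever the response length. Two consequences: the `len > PUSH_BUNDLE_SIZE` guard can never trigger, and for any response longer than about eight characters `buf_printf(&buf, ",%s", parameters)` fails on the undersized `alloc_buf_gc` buffer and the `ASSERT` aborts the daemon on input that came in over the management socket. Suggest `size_t len = strlen(command) + 1 + (parameters ? strlen(parameters) : 0) + 1;` and returning false instead of asserting when either `buf_printf` fails. The function name `management_callback_send_cc_mesage` is also missing an `s`.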
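Review bot: in the `man_help` hunk the new `cr-response` line is inserted between `echo` and `exit|quit`, which breaks the alphabetical order of the help list; it belongs between `bytecount` and `echo`.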
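Review bot: in the `man_send_cc_message` hunk, `const char* message, const char* parameters` uses a pointer spacing that differs from the `const char *` form used elsewhere in manage.c (compare the `man_client_auth` signature in the context lines). The replies `SUCCESS: command succeeded` / `ERROR: command failed` would be easier for a management client to correlate if they named the command, as `client-sso-auth` does in patch 5/5.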
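Review bot: the new doxygen comment on `man_need` (the hunk after `man_load_stats`) has an empty first line where the one-line summary should be, leaves the `man` parameter undocumented, and misspells "whether" as "wether". A summary such as "Check that a management command has the expected number of parameters" plus an `@param man` entry would complete it.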
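Review bot: in the `man_dispatch_command` hunk the `cr-response` branch forwards `p[1]` verbatim as `CR_RESPONSE,<p[1]>` onto the control channel, although the documentation in this patch says the response must be base64 encoded. Checking that `p[1]` contains only base64 characters before calling `man_send_cc_message` keeps separator characters out of the control channel message and gives the management client an immediate `ERROR:` instead of letting a malformed message reach the server. Style: `man_need (man, p, 1, 0)` and `man_send_cc_message (man, ...)` have a space before the parenthesis, unlike the surrounding calls.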
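Review bot: in the manage.h hunk the callback prototype names its last argument `parameter`, while the implementation in init.c calls it `parameters`; pick one. A one-line comment on the new `send_cc_message` member saying that it sends `message,parameter` to the server over the control channel and is only set in the p2p (client) callback set would document the contract that the implementation relies on.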
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 13 Jun 2019 16:41:13 +0200
Message-Id: <20190613144113.6418-6-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190613144113.6418-1-arne@rfc2549.org>
References: <20190613144113.6418-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/5] Implement sending SSO challenge to clients

This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should continue authentication with a second factor. This can currently be out of band (openurl) or a normal challenge/response 2FA like TOTP (CR_TEXT). Note that this also sends an AUTH_PENDING message that signals the client to change its behaviour and continue polling with PUSH request. In OpenVPN2 this is already default behaviour, so we can ignore this message in OpenVPN2.
Signed-off-by: Arne Schwabe
---
 doc/management-notes.txt | 47 ++++++++++++++++++++++++++++++++++++++++
 src/openvpn/manage.c | 36 ++++++++++++++++++++++++++++++
 src/openvpn/manage.h | 3 +++
 src/openvpn/multi.c | 19 ++++++++++++++++
 src/openvpn/push.c | 24 ++++++++++++++++++++
 src/openvpn/push.h | 2 ++
 6 files changed, 131 insertions(+)

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 29f2da75..a3c09b78 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -592,6 +592,53 @@ interface to approve client connections. CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. +COMMAND -- client-sso-auth (OpenVPN 2.5 or higher) +---------------------------------------------------- + +Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE signal +a single sign on url to the client. + + client-sso-auth {CID} {EXTRA} + +The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. +The client is expected to inform the user that authentication is pending and +display the extra information. +For the openurl SSO method EXTRA has the form OPEN_URL:url +and an example is: + + client-sso-auth 17 "OPENURL:https://examples.com/do_web_auth" + +and client should ask to the user to open the URL to continue. + +For the OpenVPN server this is stateless operation and needs to be +followed by a client-deny/client-auth[-nt] command (that is the result of the +out of band authentication). + +The other implemented method is challenge/response (crtext). This uses +the same format as the user and password bases challenge respsonse with +AUTH_FAILED but omits the session id and username. + + client-sso-auth 18 "CR_TEXT::" + +For exmaple: + + client-sso-auth 18 "CR_TEXT:R,E:Please enter token PIN" + +The client should present the user the challenge and follow up +with cr-response command. + +See the section >CLIENT,CR_RESPONSE for the client response. + +A client should announce its support for these methods with +the IV_SSO variable seperated by comma. E.g., in the configuration file + + setenv IV_SSO openurl,crtext + +A server should check wether these methods are supported by +examining IV_SSO and otherwise fall back to classic challenge +response protocol or sending a AUTH_FAILED message that points +out missing client support. + COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- 
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8ec90bb1..ffd48445 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -105,6 +105,8 @@ man_help(void) msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID"); msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason"); msg(M_CLIENT, " text R and optional client reason text CR"); + msg(M_CLIENT, "client-sso-auth CID MSG : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg" + " to the client and wait for a final client-auth/client-deny"); msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF @@ -1000,6 +1002,33 @@ parse_kid(const char *str, unsigned int *kid) return false; } } +static void +man_client_sso_auth(struct management *man, const char *cid_str, const char *extra) +{ + unsigned long cid = 0; + if (parse_cid(cid_str, &cid)) + { + if (man->persist.callback.client_sso) + { + bool ret = (*man->persist.callback.client_sso) + (man->persist.callback.arg, cid, extra); + + if (ret) + { + msg(M_CLIENT, "SUCCESS: client-sso-auth command succeeded"); + } + else + { + msg(M_CLIENT, "SUCCESS: client-sso-auth command failed." + " Extra paramter might be too long"); + } + } + else + { + msg(M_CLIENT, "ERROR: The client-deny command is not supported by the current daemon mode"); + } + } +} static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra) @@ -1539,6 +1568,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_client_auth(man, p[1], p[2], true); } } + else if (streq(p[0], "client-sso-auth")) + { + if (man_need(man, p, 2, 0)) + { + man_client_sso_auth(man, p[1], p[2]); + } + } #ifdef MANAGEMENT_PF else if (streq(p[0], "client-pf")) { 
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 6a749725..ff6b6737 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -174,6 +174,9 @@ struct management_callback const char *reason, const char *client_reason, struct buffer_list *cc_config); /* ownership transferred */ + bool (*client_sso) (void *arg, + const unsigned long cid, + const char *url); char *(*get_peer_info) (void *arg, const unsigned long cid); #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index d1f9c72e..03e03aff 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3253,6 +3253,24 @@ management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) } } +static bool +management_client_sso(void *arg, + const unsigned long cid, + const char *extra) +{ + struct multi_context *m = (struct multi_context *) arg; + struct multi_instance *mi = lookup_by_cid(m, cid); + if (mi) + { + /* sends INFO_PRE and AUTH_PENDING messages to client */ + bool ret = send_sso_messages(&mi->context, extra); + multi_schedule_context_wakeup(m, mi); + return ret; + } + return false; +} + + static bool management_client_auth(void *arg, const unsigned long cid, @@ -3360,6 +3378,7 @@ init_management_callback_multi(struct multi_context *m) #ifdef MANAGEMENT_DEF_AUTH cb.kill_by_cid = management_kill_by_cid; cb.client_auth = management_client_auth; + cb.client_sso = management_client_sso; cb.get_peer_info = management_get_peer_info; #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 3b568b9b..0cec692c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -287,6 +287,30 @@ send_auth_failed(struct context *c, const char *client_reason) gc_free(&gc); } +bool +send_sso_messages(struct context *c, const char* extra) +{ + send_control_channel_string(c, "AUTH_PENDING", D_PUSH); + + static const char info_pre[] = "INFO_PRE,"; + + + size_t len = strlen(extra)+1 + sizeof(info_pre); + if (len > PUSH_BUNDLE_SIZE) + { + return false; + } + struct gc_arena gc = gc_new(); + + struct buffer buf = alloc_buf_gc(len, &gc); + buf_printf(&buf, info_pre); + buf_printf(&buf, "%s", extra); + send_control_channel_string(c, BSTR(&buf), D_PUSH); + + gc_free(&gc); + return true; +} + /* * Send restart message from server to client. */ diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 3f5079f3..a15aa58c 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -72,6 +72,8 @@ void remove_iroutes_from_push_route_list(struct options *o); void send_auth_failed(struct context *c, const char *client_reason); +bool send_sso_messages(struct context *c, const char *url); + void send_restart(struct context *c, const char *kill_msg); #endif
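Review bot: the doc/management-notes.txt hunk needs a proofreading pass and has a few inconsistencies that will trip up implementers: "respsonse", "exmaple", "seperated" and "wether" are misspelled, "user and password bases challenge respsonse" should read "based", and the opening sentence "Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE signal a single sign on url" is missing its verb ("... and INFO_PRE to signal a single sign-on URL"). The general form is given as `OPEN_URL:url` but the example uses `OPENURL:https://...`; only one of these can be what the client parses. `examples.com` should be `example.com`, the domain reserved for documentation. "See the section >CLIENT,CR_RESPONSE" points to a section that no hunk in this series adds. Finally, the IV_SSO example uses `crtext` while the 4/5 commit message refers to `cr_text`; the server check described in the last paragraph only works if everyone uses the same token.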
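Review bot: in the `man_client_sso_auth` hunk the failure branch prints `SUCCESS: client-sso-auth command failed.`; management clients key on the `SUCCESS:`/`ERROR:` prefix, so this has to be `ERROR:`. The unsupported-mode branch says "The client-deny command is not supported", evidently copy-pasted, and should name `client-sso-auth`. "paramter" is misspelled, and since the only reason `client_sso` returns false after a successful CID lookup is the length check, the message can state "EXTRA parameter too long" rather than "might be too long". Unknown CIDs currently produce no reply at all because `parse_cid` failing falls through silently; an `ERROR:` there would match the other CID-taking commands.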
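Review bot: in the manage.h hunk `client_sso` declares its third argument as `const char *url`, but per the documentation it carries the whole EXTRA string (`OPENURL:...` or `CR_TEXT:...`) and multi.c names it `extra`; rename it to `extra` so the header does not suggest that only URLs are accepted.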
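Review bot: in the multi.c hunk the comment "sends INFO_PRE and AUTH_PENDING messages to client" lists the messages in the opposite order from what `send_sso_messages` actually does (AUTH_PENDING first, then INFO_PRE), and `multi_schedule_context_wakeup` is scheduled even when `send_sso_messages` returned false, that is, when only AUTH_PENDING went out. Either check `ret` before scheduling the wakeup, or make `send_sso_messages` all-or-nothing so that a false return means nothing was sent.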
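Review bot: in the push.c hunk `send_sso_messages` sends `AUTH_PENDING` before it checks `len > PUSH_BUNDLE_SIZE`, so when `extra` is too long the client has been told authentication is pending but never receives the INFO_PRE that tells it what to do, while the management interface is told the command failed. Move the length check and the buffer construction above the first `send_control_channel_string` call so that a false return means no state change on the client. Also, `buf_printf(&buf, info_pre)` passes a non-literal as the format string; `buf_printf(&buf, "%s%s", info_pre, extra)` is clearer and avoids format-string warnings. The return values of both `send_control_channel_string` calls are dropped, so a failed send is reported as success, and `const char* extra` should be `const char *extra` to match the file's style. The push.h hunk declares the parameter as `url` while the definition calls it `extra`; use `extra` in both places, since CR_TEXT challenges travel through the same argument.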