From patchwork Tue May 19 12:00:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1117 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id CFWVMCxXxF7FZgAAIUCqbw for ; Tue, 19 May 2020 18:01:16 -0400 Received: from proxy7.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id UAXcLSxXxF6GQAAAvGGmqA ; Tue, 19 May 2020 18:01:16 -0400 Received: from smtp10.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.iad3b.rsapps.net with LMTP id GJsuKCxXxF4uIgAAQkQ5tQ ; Tue, 19 May 2020 18:01:16 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp10.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 428848cc-9a1c-11ea-9d51-52540055034d-1-1 Received: from [216.105.38.7] ([216.105.38.7:52324] helo=lists.sourceforge.net) by smtp10.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 22/38-32112-B2754CE5; Tue, 19 May 2020 18:01:16 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jbAHv-0005dG-GW; Tue, 19 May 2020 22:00:39 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com 
with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbAHf-0005b4-IO for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=jtY8fAC3OCRUM1i6Zdk3gSkyHFEi6XDGPBkLBYNoo7M=; b=QrAlkvlz84nIQYWk9THVlDGwDQ 1KkyMx0AQXKu25iM0Pf41hdlFZOTa6vnn0UG0P1OCFI/+v6a8VMx3I+G34Xr9jtkK7hjLekVnQSKg aofFAGATPSQorJKTuFfGd/jWCv4gn9iUk68e9DrurZZwsA0NL9flLjPmb0GChTdGOI8I=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=jtY8fAC3OCRUM1i6Zdk3gSkyHFEi6XDGPBkLBYNoo7M=; b=MTHfw2n3AhDQu5dh2Lgp/ZxqVQ sfeJnQqYxLDA8S+rtTYBODbNBACe9bbPWQDw0emzCR7+OVHAjhJsLrEZ+FL0PvaFKEXNxP8yb1aqJ qHaBXn0Vg94sFJ7qxtSLpXzcUSP4lpcLJ4kyVj403w1vyVO2szl9DqgGJg5+AawgHvko=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jbAHd-001DR2-Nw for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:23 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jbAHM-000DMQ-Ve for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2020 00:00:04 +0200 Received: (nullmailer pid 25184 invoked by uid 10006); Tue, 19 May 
2020 22:00:04 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:00 +0200 Message-Id: <20200519220004.25136-2-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jbAHd-001DR2-Nw Subject: [Openvpn-devel] [PATCH v3 1/5] Implement parsing and sending INFO and INFO_PRE control messages X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox OpenVPN 3 implements these messages to send information during the authentication to the UI; implement these messages also in OpenVPN 2.x. Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- src/openvpn/forward.c | 8 ++++++++ src/openvpn/push.c | 32 ++++++++++++++++++++++++++++++++ src/openvpn/push.h | 3 +++ 3 files changed, 43 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index fd08f12d..3b088f87 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -395,6 +395,14 @@ check_incoming_control_channel_dowork(struct context *c) { server_pushed_signal(c, &buf, false, 4); } + else if (buf_string_match_head_str(&buf, "INFO_PRE")) + { + server_pushed_info(c, &buf, 8); + } + else if (buf_string_match_head_str(&buf, "INFO")) + { + server_pushed_info(c, &buf, 4); + } else { msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); 
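Review bot: the order of the two new else-if branches in check_incoming_control_channel_dowork is load-bearing and undocumented: buf_string_match_head_str(&buf, "INFO") also matches a message that starts with "INFO_PRE", so the INFO_PRE test has to come first, and the only visible difference between the branches is the advance value (8 vs 4). Add a short comment above the INFO_PRE branch saying that it must precede the INFO branch, so a later reordering does not silently route INFO_PRE messages through the INFO path.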
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 0e58b839..965dd139 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -177,6 +177,38 @@ server_pushed_signal(struct context *c, const struct buffer *buffer, const bool } } +void +server_pushed_info(struct context *c, const struct buffer *buffer, + const int adv) +{ + const char *m = ""; + struct buffer buf = *buffer; + + if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf)) + { + m = BSTR(&buf); + } + +#ifdef ENABLE_MANAGEMENT + struct gc_arena gc; + if (management) + { + gc = gc_new(); + + /* + * We use >INFOMSG here instead of plain >INFO since INFO is used to + * for management greeting and we don't want to confuse the client + */ + struct buffer out = alloc_buf_gc(256, &gc); + buf_printf(&out, ">%s:%s", "INFOMSG", m); + management_notify_generic(management, BSTR(&out)); + + gc_free(&gc); + } + #endif + msg(D_PUSH, "Info command was pushed by server ('%s')", m); +} + /** * Add an option to the given push list by providing a format string. * diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 53deae02..1898f238 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h 
@@ -50,6 +50,9 @@ void receive_auth_failed(struct context *c, const struct buffer *buffer); void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv); +void server_pushed_info(struct context *c, const struct buffer *buffer, + const int adv); + void incoming_push_message(struct context *c, const struct buffer *buffer); void clone_push_list(struct options *o); From patchwork Tue May 19 12:00:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1118 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id QJUJFy5XxF7cagAAIUCqbw for ; Tue, 19 May 2020 18:01:18 -0400 Received: from proxy8.mail.iad3b.rsapps.net ([172.31.255.6]) by director8.mail.ord1d.rsapps.net with LMTP id mDVuFC5XxF6KPAAAfY0hYg ; Tue, 19 May 2020 18:01:18 -0400 Received: from smtp13.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.iad3b.rsapps.net with LMTP id uGJZDi5XxF7WVQAAoCsc3g ; Tue, 19 May 2020 18:01:18 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp13.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 43689be8-9a1c-11ea-9ac6-5254001dfc40-1-1 Received: from [216.105.38.7] ([216.105.38.7:43380] helo=lists.sourceforge.net) by smtp13.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 
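Review bot: server_pushed_info formats the management notification into a fixed 256-byte buffer, `struct buffer out = alloc_buf_gc(256, &gc);` followed by `buf_printf(&out, ">%s:%s", "INFOMSG", m);`, but m is the remainder of the server's control message and can be considerably longer than that; the return value of buf_printf is not checked, so an over-long INFO message reaches the management client silently truncated. Size the buffer from strlen(m) plus the prefix, or at least check the return value and log the truncation. Separately, m is handed unfiltered to both management_notify_generic and msg(): the management interface is line-oriented, so CR/LF bytes inside a server-supplied message would be read by the management client as extra lines, and they also break the log line. Running m through the string_mod helpers in buffer.c with CC_PRINT allowed and CC_CRLF excluded before use keeps each server message to exactly one >INFOMSG line. Minor: the block comment reads "INFO is used to for management greeting" (stray "to"), and the `#endif` is indented by one space while its matching `#ifdef ENABLE_MANAGEMENT` is flush left.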
(Exim 4.92.2) id 1jbAHY-00FmJy-M3 for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:20 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jbAHN-000DMV-1l for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2020 00:00:05 +0200 Received: (nullmailer pid 25187 invoked by uid 10006); Tue, 19 May 2020 22:00:04 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:01 +0200 Message-Id: <20200519220004.25136-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jbAHY-00FmJy-M3 Subject: [Openvpn-devel] [PATCH v3 2/5] Implement support for signalling IV_SSO to server X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- src/openvpn/ssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c2e9a4f3..f85ef3eb 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -2333,7 +2333,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) if ((((strncmp(e->string, "UV_", 3)==0 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0) && session->opt->push_peer_info_detail >= 2) - || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)) + || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0) + || (strncmp(e->string,"IV_SSO=",sizeof("IV_SSO=")-1)==0) + ) && buf_safe(&out, strlen(e->string)+1)) { buf_printf(&out, "%s\n", e->string); From patchwork Tue May 19 12:00:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1116 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SOHrMCtXxF7JZgAAIUCqbw for ; Tue, 19 May 2020 18:01:15 -0400 Received: from proxy4.mail.iad3b.rsapps.net ([172.31.255.6]) by director7.mail.ord1d.rsapps.net with LMTP id gHwvLitXxF4YLgAAovjBpQ ; Tue, 19 May 2020 18:01:15 -0400 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.iad3b.rsapps.net with LMTP id AOY3KCtXxF7AGgAA9crAow ; Tue, 19 May 2020 18:01:15 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 41e822f2-9a1c-11ea-b827-5254005e8ddb-1-1 Received: from [216.105.38.7] 
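Review bot: the commit message is empty, and the hunk gives no reason why IV_SSO joins IV_GUI_VER as a peer-info value that is sent regardless of push_peer_info_detail while the UV_ and IV_PLAT_VER values stay behind the detail >= 2 check. Please state it in the message: the server has to see IV_SSO to know whether it may answer with a pending-auth challenge at all, so the client must send it even at the default detail level. Style: the new closing paren sits on a line of its own, `+ )`, indented like the || operands; either fold it onto the IV_SSO line or align it with the opening paren of the condition.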
mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jbAHd-001DR3-N6 for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2020 22:00:23 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jbAHN-000DMX-3r for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2020 00:00:05 +0200 Received: (nullmailer pid 25190 invoked by uid 10006); Tue, 19 May 2020 22:00:05 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:02 +0200 Message-Id: <20200519220004.25136-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jbAHd-001DR3-N6 Subject: [Openvpn-devel] [PATCH v3 3/5] Implement sending response to challenge via CR_RESPONSE X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox When a client announces its support for text-based challenge/response via IV_SSO=crtext, the client needs to also be able to reply to that response. This adds the "cr-response" management function to be able to do this. The answer should be base64 encoded. 
Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- doc/management-notes.txt | 14 ++++++++++++++ src/openvpn/init.c | 39 +++++++++++++++++++++++++++++++++++++++ src/openvpn/manage.c | 39 ++++++++++++++++++++++++++++++++++++++- src/openvpn/manage.h | 1 + 4 files changed, 92 insertions(+), 1 deletion(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index e54e1082..a7ae84e3 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -806,6 +806,20 @@ To accept connecting to the host and port directly, use this command: proxy NONE +COMMAND -- cr-response (OpenVPN 2.5 or higher) +------------------------------------------------- +Provides support for sending responses a challenge/response +query via INFOMSG,CR_TEXT. The response should be base64 encoded: + + cr-response SGFsbG8gV2VsdCE= + +The document is intended to be used after the client received a +CR_TEXT challenge (see send-pending-auth section). The answer is +the answer to the challenge and depends on the challenge itself +for a TOTP challenge this would the number encoded as base64 or +just a string for a challenge like what "day is it today?". + + COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) ----------------------------------------------------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 70cd493a..2c8db68d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -291,6 +291,44 @@ ce_management_query_proxy(struct context *c) return ret; } +/** + * This method sends a custom control channel message + * + * This will write the control message + * + * command parm1,parm2,.. + * . + * to the control channel. + * + * @param arg The context struct + * @param command The command being sent + * @param parameters the parameters to the command + * @return if sending was successful + */ +static bool +management_callback_send_cc_message(void *arg, + const char *command, + const char *parameters) +{ + struct context *c = (struct context *) arg; + size_t len = strlen(command) + 1 + sizeof(parameters) + 1; + if (len > PUSH_BUNDLE_SIZE) + { + return false; + } + + struct gc_arena gc = gc_new(); + struct buffer buf = alloc_buf_gc(len, &gc); + ASSERT(buf_printf(&buf, "%s", command)); + if (parameters) + { + ASSERT(buf_printf(&buf, ",%s", parameters)); + } + bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH); + + gc_free(&gc); + return status; +} static bool management_callback_remote_cmd(void *arg, const char **p) @@ -3973,6 +4011,7 @@ init_management_callback_p2p(struct context *c) cb.show_net = management_show_net_callback; cb.proxy_cmd = management_callback_proxy_cmd; cb.remote_cmd = management_callback_remote_cmd; + cb.send_cc_message = management_callback_send_cc_message; #ifdef TARGET_ANDROID cb.network_change = management_callback_network_change; #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 195941ca..a72c7678 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -75,6 +75,7 @@ man_help(void) msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract)."); msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off)."); msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer."); + msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server"); msg(M_CLIENT, "exit|quit : Close management session."); msg(M_CLIENT, "forget-passwords : Forget passwords entered so far."); msg(M_CLIENT, "help : Print this message."); @@ -779,6 +780,27 @@ man_net(struct management *man) } } +static void +man_send_cc_message(struct management *man, const char *message, const char *parameters) +{ + if (man->persist.callback.send_cc_message) + { + const bool status = (*man->persist.callback.send_cc_message) + (man->persist.callback.arg, message, parameters); + if (status) + { + msg(M_CLIENT, "SUCCESS: command succeeded"); + } + else + { + msg(M_CLIENT, "ERROR: command failed"); + } + } + else + { + msg(M_CLIENT, "ERROR: This command is not supported by the current daemon mode"); + } +} #ifdef ENABLE_PKCS11 static void @@ -1144,7 +1166,15 @@ man_load_stats(struct management *man) } #define MN_AT_LEAST (1<<0) - +/** + * Checks if the correct number of arguments to a management command are present + * and otherwise prints an error and returns false. + * + * @param p pointer to the parameter array + * @param n number of arguments required + * @param flags if MN_AT_LEAST require at least n parameters and not exactly n + * @return Return whether p has n (or at least n) parameters + */ static bool man_need(struct management *man, const char **p, const int n, unsigned int flags) { 
@@ -1460,6 +1490,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_query_need_str(man, p[1], p[2]); } } + else if (streq(p[0], "cr-response")) + { + if (man_need(man, p, 1, 0)) + { + man_send_cc_message(man, "CR_RESPONSE", p[1]); + } + } else if (streq(p[0], "net")) { man_net(man); diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 6f5f34c1..e1dabceb 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -164,6 +164,7 @@ struct management_callback int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); void (*delete_event) (void *arg, event_t event); int (*n_clients) (void *arg); + bool (*send_cc_message) (void *arg, const char *message, const char *parameter); #ifdef MANAGEMENT_DEF_AUTH bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg); bool (*client_auth) (void *arg, From patchwork Tue May 19 12:00:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1115 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SKojAypXxF5SZAAAIUCqbw for ; Tue, 19 May 2020 18:01:14 -0400 Received: from proxy4.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id 4OdzACpXxF6pQAAAvGGmqA ; Tue, 19 May 2020 18:01:14 -0400 Received: from smtp23.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.iad3b.rsapps.net with LMTP id GPgJNilXxF5nGgAA9crAow ; Tue, 19 May 2020 18:01:13 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 40db24d6-9a1c-11ea-a182-525400aa5716-1-1 Received: from [216.105.38.7] ([216.105.38.7:39690] helo=lists.sourceforge.net) by smtp23.gate.iad3b.rsapps.net (envelope-from ) 
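Review bot: the new cr-response section of management-notes.txt has several wording errors: "sending responses a challenge/response query" is missing "to"; "The document is intended to be used after..." should read "The command is intended..."; "this would the number encoded as base64" is missing "be"; and the quotation in "a challenge like what "day is it today?"" is misplaced (it should be "a challenge like "what day is it today?""). It would also help to state that the daemon forwards the argument verbatim and does not check that it is valid base64, since the dispatch code passes p[1] straight through.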
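Review bot: the length computation in management_callback_send_cc_message is wrong: `size_t len = strlen(command) + 1 + sizeof(parameters) + 1;` takes sizeof a `const char *`, i.e. the pointer size, not the length of the string. The buffer is allocated with exactly that size, so `ASSERT(buf_printf(&buf, ",%s", parameters));` fails (buf_printf returns false when its output does not fit) for any response longer than about eight characters on a 64-bit build; the documented example value SGFsbG8gV2VsdCE= is sixteen, so following the documentation aborts the daemon instead of sending CR_RESPONSE. The PUSH_BUNDLE_SIZE check is ineffective for the same reason. Use strlen(parameters) when parameters is non-NULL (the function already tests `if (parameters)` below), and return false on a buf_printf failure rather than asserting, since this path is driven by management-interface input.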
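Review bot: the new help entry `msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");` is inserted after the echo entry, but the surrounding man_help list is alphabetical (auth-retry, bytecount, echo, exit, forget-passwords, help), so it belongs between bytecount and echo. The doc comment added to man_need lists p, n and flags but omits @param man, and its @return line repeats the word "Return". The callback's last argument is called `parameters` in init.c and manage.c but `parameter` in the manage.h prototype; use one name.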
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:03 +0200 Message-Id: <20200519220004.25136-5-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jbAHX-007z7Q-9R Subject: [Openvpn-devel] [PATCH v3 4/5] Implement sending AUTH_PENDING challenges to clients X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should continue authentication with a second factor. This can currently be out of band (openurl) or a normal challenge/response two like TOTP (CR_TEXT). Unfortunately this patch spent so much time in review in openvpn2 that the corresponding IV_SSO commit in openvpn3 (34a3f264) already made its way to released products, so changing this right now is difficult. https://github.com/OpenVPN/openvpn3/commit/34a3f264f56bd050d9b26d2e7163f88af9a559e2 Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- doc/management-notes.txt | 86 ++++++++++++++++++++++++++++++++++++++++ src/openvpn/manage.c | 46 +++++++++++++++++++++ src/openvpn/manage.h | 3 ++ src/openvpn/multi.c | 19 +++++++++ src/openvpn/push.c | 24 +++++++++++ src/openvpn/push.h | 7 ++++ 6 files changed, 185 insertions(+) 
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index a7ae84e3..ce32b85f 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -592,6 +592,92 @@ interface to approve client connections. CID,KID -- client ID and Key ID. See documentation for ">CLIENT:" notification for more info. +COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) +---------------------------------------------------- + +Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message +to signal a pending authenticating to the client. A pending auth means +that the connecting requires extra authentication like a one time +password or doing a single sign one via web. + + client-pending-auth {CID} {EXTRA} + +The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. +The client is expected to inform the user that authentication is pending and +display the extra information. For the format of EXTRA see below +For the OpenVPN server this is stateless operation and needs to be +followed by a client-deny/client-auth[-nt] command (that is the result of the +out of band authentication). + +Before issuing a client-pending-auth to a client instead of a +client-auth/client-deny, the server should check the IV_SSO +environment variable if the method is support. The currently +defined method are crtext for challenge/response using text +(e.g. TOTP), openurl and proxy_url for opening an URL in the client to +continue authentication. A client supporting the first two methods would +set + + setenv IV_SSO openurl,crtext + +The variable name IV_SSO is historic as AUTH_PENDING was first used +to signal single sign on support. To keep compatiblity with existing +implementations the name IV_SSO is kept in lieu of a better name. + +openurl +======== +For a web based extra authentication (like for +SSO/SAML) EXTRA should be + + OPEN_URL:url + +and client should ask to the user to open the URL to continue. + +The space in a control message is limited, so this url should be kept +short to avoid issues. If a loger url is required a URL that redirects +to the longer URL should be sent instead. 
+ +url_proxy +======== +To avoid issues with OpenVPN connection persist-tun and not able +to reach the web server, a method a virant of openurl via a HTTPS +Proxy exists. The client should announce url_proxy in its IV_SSO +and parse the PROXY_URL message. The format is + + PROXY_URL:::::url + +The proxy should be a literal IPv4 address or Ipv6 address in [] to avoid +ambiguity in parsing. A literal IP address is preferred as DNS might not +be available when the needs to open the url. The IP address will usually +be the address that client uses to connect to the server. For dual-homed +server, the server should respond with the same address that the client +connects to. + +This address is also usually excluded from being redirected over the VPN +by a host route. If the platform (like Android) uses another way of protecting +the VPN connection routing loops the client needs to also exclude the +connection to the proxy in the same manner. + +Should another IP be used the VPN configuration should include the route +statement to exclude that route from being routed over the VPN. + +crtext +======= + +The format of EXTRA is similar to the already used two step authentication +described in Challenge/Response Protocol section of this document. Since +most of the fields are not necessary or can be infered only the +and fields are used: + + CR_TEXT:: + +: a series of optional, comma-separated flags: + E : echo the response when the user types it. + R : a response is required. + +: the challenge text to be shown to the user. + + + COMMAND -- client-deny (OpenVPN 2.1 or higher) ----------------------------------------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index a72c7678..3ebe72ec 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
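Review bot: the method names in this documentation hunk disagree with each other: the IV_SSO paragraph lists the methods as "crtext, openurl and proxy_url", while the section heading and the sentence "The client should announce url_proxy in its IV_SSO" use url_proxy; a client and a server written from this text would advertise different tokens, so settle on one spelling throughout. The format lines for the two new messages ("PROXY_URL:::::url" and "CR_TEXT::") and the following field descriptions (": a series of optional, comma-separated flags", ": the challenge text") have lost their field placeholders, so the wire format cannot be read from the document; spell the fields out (proxy address, port and url; flags and text) the way the existing Challenge/Response section does. Wording to fix in the same hunk: "pending authenticating" (authentication), "the connecting requires" (the connection requires), "single sign one" (single sign-on), "if the method is support" (supported), "compatiblity", "loger", "a method a virant of openurl" (a variant of openurl), "Ipv6", "when the needs to open the url" (when the client needs), "infered".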
@@ -105,6 +105,8 @@ man_help(void) msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID"); msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason"); msg(M_CLIENT, " text R and optional client reason text CR"); + msg(M_CLIENT, "client-pending-auth CID MSG : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg" + " to the client and wait for a final client-auth/client-deny"); msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)"); msg(M_CLIENT, "env-filter [level] : Set env-var filter level"); #ifdef MANAGEMENT_PF @@ -1001,6 +1003,43 @@ parse_kid(const char *str, unsigned int *kid) } } +/** + * Will send a notification to the client that succesful authentication + * will require an additional step (web based SSO/2-factor auth/etc) + * + * @param man The management interface struct + * @param cid_str The CID in string form + * @param extra The string to be send to the client containing + * the information of the additional steps + */ +static void +man_client_pending_auth(struct management *man, const char *cid_str, const char *extra) +{ + unsigned long cid = 0; + if (parse_cid(cid_str, &cid)) + { + if (man->persist.callback.client_pending_auth) + { + bool ret = (*man->persist.callback.client_pending_auth) + (man->persist.callback.arg, cid, extra); + + if (ret) + { + msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded"); + } + else + { + msg(M_CLIENT, "SUCCESS: client-pending-auth command failed." + " Extra paramter might be too long"); + } + } + else + { + msg(M_CLIENT, "ERROR: The client-pending-auth command is not supported by the current daemon mode"); + } + } +} + static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra) { 
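Review bot: the help line added to man_help names the second argument MSG while the management-notes hunk of the same patch calls it {EXTRA}; use one name in both places so an operator reading "help" on the management socket can find the documented format.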
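Review bot: the failure branch of man_client_pending_auth answers "SUCCESS: client-pending-auth command failed. Extra paramter might be too long", but management clients dispatch on the SUCCESS:/ERROR: prefix, so a rejected message would be taken as a success and the management client would go on waiting for a client that never received INFO_PRE; use the "ERROR:" prefix as the "not supported by the current daemon mode" branch already does. Note also that the callback returns false for an unknown CID as well (see management_client_pending_auth in multi.c), so the "might be too long" wording is misleading in that case; a neutral "command failed" or two distinct messages would be more accurate. Typos in the same hunk: "succesful" in the doc comment, "paramter" in the message.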
@@ -1541,6 +1580,13 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha man_client_auth(man, p[1], p[2], true); } } + else if (streq(p[0], "client-pending-auth")) + { + if (man_need(man, p, 2, 0)) + { + man_client_pending_auth(man, p[1], p[2]); + } + } #ifdef MANAGEMENT_PF else if (streq(p[0], "client-pf")) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index e1dabceb..e28b11d1 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -174,6 +174,9 @@ struct management_callback const char *reason, const char *client_reason, struct buffer_list *cc_config); /* ownership transferred */ + bool (*client_pending_auth) (void *arg, + const unsigned long cid, + const char *url); char *(*get_peer_info) (void *arg, const unsigned long cid); #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7f61350d..74e035e5 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3310,6 +3310,24 @@ management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg) } } +static bool +management_client_pending_auth(void *arg, + const unsigned long cid, + const char *extra) +{ + struct multi_context *m = (struct multi_context *) arg; + struct multi_instance *mi = lookup_by_cid(m, cid); + if (mi) + { + /* sends INFO_PRE and AUTH_PENDING messages to client */ + bool ret = send_auth_pending_messages(&mi->context, extra); + multi_schedule_context_wakeup(m, mi); + return ret; + } + return false; +} + + static bool management_client_auth(void *arg, const unsigned long cid, @@ -3417,6 +3435,7 @@ init_management_callback_multi(struct multi_context *m) #ifdef MANAGEMENT_DEF_AUTH cb.kill_by_cid = management_kill_by_cid; cb.client_auth = management_client_auth; + cb.client_pending_auth = management_client_pending_auth; cb.get_peer_info = management_get_peer_info; #endif #ifdef MANAGEMENT_PF diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 965dd139..a5fa87d8 100644 --- a/src/openvpn/push.c 
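Review bot: in the manage.h hunk the new callback's third parameter is named url, but the value it carries is the generic EXTRA string, which per the documentation may be an OPEN_URL, PROXY_URL or CR_TEXT message; rename it to extra to match man_client_pending_auth and management_client_pending_auth, so nobody later assumes URL-specific validation is appropriate there.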
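Review bot: management_client_pending_auth in the multi.c hunk returns false both when lookup_by_cid finds no instance and when send_auth_pending_messages rejects the message, and the caller in manage.c reports either case as "Extra paramter might be too long"; log the unknown CID here (msg at a debug level with the cid) or distinguish the two outcomes so the management client gets an accurate reason. The wakeup is also scheduled when ret is false; if that is intentional (to flush the AUTH_PENDING already queued), a one-line comment would help. Style: the two blank lines before the following "static bool" should be one.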
+++ b/src/openvpn/push.c @@ -265,6 +265,30 @@ send_auth_failed(struct context *c, const char *client_reason) gc_free(&gc); } +bool +send_auth_pending_messages(struct context *c, const char* extra) +{ + send_control_channel_string(c, "AUTH_PENDING", D_PUSH); + + static const char info_pre[] = "INFO_PRE,"; + + + size_t len = strlen(extra)+1 + sizeof(info_pre); + if (len > PUSH_BUNDLE_SIZE) + { + return false; + } + struct gc_arena gc = gc_new(); + + struct buffer buf = alloc_buf_gc(len, &gc); + buf_printf(&buf, info_pre); + buf_printf(&buf, "%s", extra); + send_control_channel_string(c, BSTR(&buf), D_PUSH); + + gc_free(&gc); + return true; +} + /* * Send restart message from server to client. */ diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 1898f238..42ab100d 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h 
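Review bot: send_auth_pending_messages sends AUTH_PENDING before the PUSH_BUNDLE_SIZE check, so when extra is too long the client has already been told that authentication is pending, never receives the INFO_PRE that would tell it what to do, and the function returns false; move the length check (and the gc/buffer setup) ahead of the first send_control_channel_string so the pair of messages is sent atomically or not at all. Two smaller points: buf_printf(&buf, info_pre) passes a non-literal as the format string, which compilers flag under -Wformat-security, so use buf_printf(&buf, "%s", info_pre) or a plain buf_write; and sizeof(info_pre) already includes the terminating NUL, so the extra +1 in len is redundant (harmless, but the intent should be stated). Style: "const char* extra" should be "const char *extra" as in the rest of the file.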
@@ -70,6 +70,13 @@ void remove_iroutes_from_push_route_list(struct options *o); void send_auth_failed(struct context *c, const char *client_reason); +/** + * Sends the auth pending control messages to a client. See + * doc/management-notes.txt under client-pending-auth for + * more details on message format + */ +bool send_auth_pending_messages(struct context *c, const char *extra); + void send_restart(struct context *c, const char *kill_msg); /** From patchwork Tue May 19 12:00:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1114 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id CJNQHiFXxF5oZAAAIUCqbw for ; Tue, 19 May 2020 18:01:05 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id wFQJHiFXxF7IGQAApN4f7A ; Tue, 19 May 2020 18:01:05 -0400 Received: from smtp4.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTP id MN55HSFXxF7FSAAAyH2SIw ; Tue, 19 May 2020 18:01:05 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp4.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 3b82f324-9a1c-11ea-9ffd-525400760ffc-1-1 Received: from [216.105.38.7] ([216.105.38.7:36748] helo=lists.sourceforge.net) by 
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2020 00:00:04 +0200 Message-Id: <20200519220004.25136-6-arne@rfc2549.org> In-Reply-To: <20200519220004.25136-1-arne@rfc2549.org> References: <20200519220004.25136-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH v3 5/5] Implement forwarding client CR_RESPONSE messages to management
When signalling the client that it should do Challenge response without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server needs to forward the response via the management console.
Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- doc/management-notes.txt | 30 +++++++++++++++++++++++++++++- src/openvpn/forward.c | 4 ++++ src/openvpn/manage.c | 28 +++++++++++++++++++++++++++- src/openvpn/manage.h | 5 +++++ src/openvpn/push.c | 22 ++++++++++++++++++++++ src/openvpn/push.h | 2 ++ 6 files changed, 89 insertions(+), 2 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index ce32b85f..5cfbb70a 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -1052,7 +1052,7 @@ The ">CLIENT:" notification is enabled by the --management-client-auth OpenVPN configuration directive that gives the management interface client the responsibility to authenticate OpenVPN clients after their client certificate has been verified. CLIENT notifications may be multi-line, and -the sequentiality of a given CLIENT notification, its associated environmental +the sequentially of a given CLIENT notification, its associated environmental variables, and the terminating ">CLIENT:ENV,END" line are guaranteed to be atomic. 
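Review bot: the @@ -1052 hunk replaces "sequentiality" with "sequentially", which turns a correct noun into an adverb and leaves "the sequentially of a given CLIENT notification ... are guaranteed to be atomic" ungrammatical; the change is unrelated to CR_RESPONSE forwarding and should be dropped from this patch.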
@@ -1094,6 +1094,34 @@ CLIENT notification types: >CLIENT:ADDRESS,{CID},{ADDR},{PRI} +(5) Text based challenge/Response + + >CLIENT:CR_RESPONSE,{CID},{KID},{response_base64} + >CLIENT:ENV,name1=val1 + >CLIENT:ENV,name2=val2 + >CLIENT:ENV,... + >CLIENT:ENV,END + + Using the cr-response command on the client side will trigger this + message on the server side. + + CR_RESPONSE notification. The >CR_RESPONSE fulfils the same purpose as the + CRV1 response in the traditional challenge/response. See that section + below for more details. Since this still uses the same cid as the original + response, we do not use the username and opaque session data in this + response but only contains the actual response. + + It is important to note that OpenVPN2 merely passes the authentication + information and does not do any further checks. (E.g. if a CR was issued + before or if multiple CR responses were sent from the client or if + data has a valid base64 encoding) + + This interface should be be sufficient for almost all challenge/response + system that can be implemented with a single round and base64 encoding the + response. Mechanisms that need multiple rounds or more complex answers + should implement a different response type than CR_RESPONSE. + + Variables: CID -- Client ID, numerical ID for each connecting client, sequence = 0,1,2,... diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 3b088f87..885cf126 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -403,6 +403,10 @@ check_incoming_control_channel_dowork(struct context *c) { server_pushed_info(c, &buf, 4); } + else if (buf_string_match_head_str(&buf, "CR_RESPONSE")) + { + receive_cr_response(c, &buf); + } else { msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 3ebe72ec..898cb3b3 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
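Review bot: the sentence "OpenVPN2 merely passes the authentication information and does not do any further checks" is the security-relevant statement of this documentation hunk and deserves to be stated as a requirement rather than a parenthetical aside: the management client must verify that it actually issued a CR_TEXT challenge for this CID/KID, must treat repeated responses for the same KID according to its own policy, and must validate the base64 itself before decoding. Wording in the same hunk: "The >CR_RESPONSE fulfils" should name the notification as ">CLIENT:CR_RESPONSE"; "we do not use the username and opaque session data in this response but only contains the actual response" reads better as "this response carries only the actual response, not the username or opaque session data"; "should be be sufficient"; "challenge/response system that can be implemented" (systems); the heading "Text based challenge/Response" has inconsistent capitalisation.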
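Review bot: the new CR_RESPONSE branch in check_incoming_control_channel_dowork is not restricted to server mode, and nothing in receive_cr_response checks it either, so a client running with a management interface would also accept a CR_RESPONSE control message from its server and emit a ">CLIENT:CR_RESPONSE" notification that makes no sense on that side; gate the branch on the context being a server (as the PUSH_REQUEST handling effectively is) or have receive_cr_response return early when it is not.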
@@ -2908,7 +2908,7 @@ management_notify_generic(struct management *man, const char *str) #ifdef MANAGEMENT_DEF_AUTH static void -man_output_peer_info_env(struct management *man, struct man_def_auth_context *mdac) +man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac) { char line[256]; if (man->persist.callback.get_peer_info) @@ -2958,6 +2958,32 @@ management_notify_client_needing_auth(struct management *management, } } +void +management_notify_client_cr_response(unsigned mda_key_id, + const struct man_def_auth_context *mdac, + const struct env_set *es, + const char *response) +{ + struct gc_arena gc; + if (management) + { + gc = gc_new(); + + struct buffer out = alloc_buf_gc(256, &gc); + msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", + mdac->cid, mda_key_id, response); + man_output_extra_env(management, "CLIENT"); + if (management->connection.env_filter_level>0) + { + man_output_peer_info_env(management, mdac); + } + man_output_env(es, true, management->connection.env_filter_level, "CLIENT"); + management_notify_generic(management, BSTR(&out)); + + gc_free(&gc); + } +} + void management_connection_established(struct management *management, struct man_def_auth_context *mdac, diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index e28b11d1..8c824ca7 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -434,6 +434,11 @@ void management_learn_addr(struct management *management, const struct mroute_addr *addr, const bool primary); +void management_notify_client_cr_response(unsigned mda_key_id, + const struct man_def_auth_context *mdac, + const struct env_set *es, + const char *response); + #endif char *management_query_pk_sig(struct management *man, const char *b64_data, diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a5fa87d8..26460490 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
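Review bot: in management_notify_client_cr_response the buffer out is allocated with alloc_buf_gc but never written to, so the trailing management_notify_generic(management, BSTR(&out)) sends an empty string to the management client after the ">CLIENT:ENV,END" line that man_output_env already emitted; drop out, the gc_arena and that call (the function then needs no gc at all), mirroring management_notify_client_needing_auth, which ends with man_output_env. The mda_key_id/response are otherwise formatted the same way as the existing CONNECT/REAUTH notifications, which is good for management-client parsers.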
@@ -209,6 +209,28 @@ server_pushed_info(struct context *c, const struct buffer *buffer, msg(D_PUSH, "Info command was pushed by server ('%s')", m); } +void +receive_cr_response(struct context *c, const struct buffer *buffer) +{ + struct buffer buf = *buffer; + const char *m = ""; + + if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf)) + { + m = BSTR(&buf); + } +#ifdef MANAGEMENT_DEF_AUTH + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + struct man_def_auth_context *mda = session->opt->mda_context; + struct env_set *es = session->opt->es; + int key_id = session->key[KS_PRIMARY].key_id; + + + management_notify_client_cr_response(key_id, mda, es, m); +#endif + msg(D_PUSH, "CR response was sent by client ('%s')", m); +} + /** * Add an option to the given push list by providing a format string. * diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 42ab100d..2faf19a6 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -53,6 +53,8 @@ void server_pushed_signal(struct context *c, const struct buffer *buffer, const void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv); +void receive_cr_response(struct context *c, const struct buffer *buffer); + void incoming_push_message(struct context *c, const struct buffer *buffer); void clone_push_list(struct options *o);
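Review bot: in receive_cr_response the string m is taken verbatim from the client's control message and handed to the management interface without any check of its content, and the documentation hunk in this same patch states that no base64 check is performed; since the management protocol is line-oriented and the response is the last field of a ">CLIENT:CR_RESPONSE" line, consider rejecting (or at least logging and dropping) responses containing characters outside the base64 alphabet here, or make the management client's validation duty explicit in the doc. Smaller points: buf_advance(&buf, 11) hard-codes strlen("CR_RESPONSE"); use the literal's length (strlen or sizeof - 1) as the surrounding handlers do; key_id is declared int but passed to an unsigned parameter of management_notify_client_cr_response, so declare it unsigned; and the double blank line before that call should be one.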