[Openvpn-devel] [PATCH] Handle localized Administrators group name in windows

2016-03-05 Thread Selva Nair
Interactive service allows all configs and options if the user
is in "Administrators" group. This patch makes it work even if the
admin group is renamed or localized.

While at it, also remove two unused variables in validate.c.

Thanks to Leonardo Basilio for testing the patch on a localized version of
Windows and Samuli Seppänen for pointing out this issue.

Signed-off-by: Selva Nair 
---
 src/openvpnserv/validate.c |   45 +---
 1 file changed, 42 insertions(+), 3 deletions(-)

diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index b5809b3..7458d75 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -57,8 +57,6 @@ static BOOL
 CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
 {
 WCHAR tmp[MAX_PATH];
-WCHAR widepath[MAX_PATH];
-WCHAR relpath[MAX_PATH];
 const WCHAR *config_file = NULL;
 const WCHAR *config_dir = NULL;

@@ -112,6 +110,36 @@ OptionLookup (const WCHAR *name, const WCHAR *white_list[])
 }

 /*
+ * The Administrators group may be localized or renamed by admins.
+ * Get the local name of the group using the SID.
+ */
+static BOOL
+GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
+{
+BOOL b = FALSE;
+PSID admin_sid = NULL;
+DWORD sid_size = SECURITY_MAX_SID_SIZE;
+SID_NAME_USE snu;
+
+WCHAR domain[MAX_NAME];
+DWORD dlen = _countof(domain);
+
+admin_sid = malloc(sid_size);
+if (!admin_sid)
+return FALSE;
+
+b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid,  
_size);
+if(b)
+{
+b = LookupAccountSidW(NULL, admin_sid, name, , domain, , 
);
+}
+
+free (admin_sid);
+
+return b;
+}
+
+/*
  * Check whether user is a member of Administrators group or
  * the group specified in s->ovpn_admin_group
  */
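Review bot: the heap allocation in GetBuiltinAdminGroupName is unnecessary; SECURITY_MAX_SID_SIZE is a compile-time constant, so a local `BYTE sid_buf[SECURITY_MAX_SID_SIZE];` passed as `(PSID) sid_buf` removes the malloc, its NULL check and the free. Note also that the address-of operators appear to have been lost in the archived copy (`, _size);` reads as `&sid_size`, and the LookupAccountSidW call shows `, ,` where `&nlen`, `&dlen` and `&snu` belong), so the listing as shown here does not compile; worth confirming that the patch which actually applies matches the intent. Since the caller already holds the user's SID and the well-known Administrators SID is in hand here, it is worth asking whether the later membership check could compare SIDs rather than names, which sidesteps localization entirely; if the name-based path stays, `if(b)` should read `if (b)` to match the surrounding style.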
@@ -125,6 +153,7 @@ IsAuthorizedUser (SID *sid, settings_t *s)
 const WCHAR *admin_group[2];
 WCHAR username[MAX_NAME];
 WCHAR domain[MAX_NAME];
+WCHAR sysadmin_group[MAX_NAME];
 DWORD err, len = MAX_NAME;
 int i;
 BOOL ret = FALSE;
@@ -147,7 +176,17 @@ IsAuthorizedUser (SID *sid, settings_t *s)
 goto out;
 }

-admin_group[0] = SYSTEM_ADMIN_GROUP;
+if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
+{
+admin_group[0] = sysadmin_group;
+}
+else
+{
+MsgToEventLog (M_SYSERR, TEXT("Failed to get the name of 
Administrators group. Using the default."));
+/* use the default value */
+admin_group[0] = SYSTEM_ADMIN_GROUP;
+}
+
 #ifdef UNICODE
 admin_group[1] = s->ovpn_admin_group;
 #else
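Review bot: the fallback branch logs with M_SYSERR, so the event-log entry is meant to carry GetLastError(), but `free (admin_sid)` runs inside GetBuiltinAdminGroupName between the failing API call and this log line and can clobber the last-error value; capture the error before freeing, or log from inside the helper. Consider also logging the resolved name at a verbose level so an admin on a localized system can confirm which group name the service will accept, since with the name held only in `sysadmin_group` a mismatch is otherwise hard to diagnose. The literal in `MsgToEventLog (M_SYSERR, TEXT("Failed to get the name of` is split across two lines in the archive; if that is not just archive wrapping it must be a single literal or use adjacent-string concatenation.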
-- 
1.7.10.4

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 06:27 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> If Connect works, and OpenVPN for Android does not, this hints at
> "PolarSSL vs. OpenSSL".
>
> Or at "we call the crypto library differently"...

Yes, the PolarSSL build of OpenVPN 2.3 also works fine. Trying to find the bug in the
OpenSSL backend validation code…

>
> gert
>


Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Gert Doering
Hi,

On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> Bad news:
> 
>   * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL 
> and PolarSSL backends. Maybe if I supply certificates in correct order, 
> client would

If Connect works, and OpenVPN for Android does not, this hints at
"PolarSSL vs. OpenSSL".

Or at "we call the crypto library differently"...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 12:58 AM, ValdikSS wrote:
> I have good news and bad news:
>
> Good news:
>
>   * OpenVPN sends all certificates from the server supplied for --server 
> directive (although with a small bug that a certificate which you have 
> private key
> for must be supplied on the top)
>   * OpenVPN Connect for Android can successfully connect to my server with a 
> chain
>
>
> Bad news:
>
>   * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL 
> and PolarSSL backends. Maybe if I supply certificates in correct order, client
> would work.
>

Sorry for the misinformation, OpenVPN 2.3 and master with the PolarSSL backend actually
work. The problem is in the OpenSSL backend.

>
>
> On 03/04/2016 12:04 AM, ValdikSS wrote:
>


[Openvpn-devel] [PATCH] Implement inlining of crl files

2016-03-05 Thread Arne Schwabe
While crl files can change regularly and it is usually not a good idea to
statically include them into config files, handling multiple files and updating
files on mobile files is tiresome/problematic. Inlining a static version of the
crl file is better in these use cases than using no crl at all.

OpenVPN 3 already supports inlining crl-verify, so  is already used 
in config files.
---
 doc/openvpn.8 |  2 +-
 src/openvpn/init.c|  1 +
 src/openvpn/options.c | 12 +---
 src/openvpn/options.h |  1 +
 src/openvpn/ssl_common.h  |  1 +
 src/openvpn/ssl_verify.c  |  2 +-
 src/openvpn/ssl_verify_backend.h  |  4 ++--
 src/openvpn/ssl_verify_openssl.c  |  7 +--
 src/openvpn/ssl_verify_polarssl.c | 19 +++
 9 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index d99aaf5..09cf018 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6498,7 +6498,7 @@ X509_1_C=KG
 .\"*
 .SH INLINE FILE SUPPORT
 OpenVPN allows including files in the main configuration for the
-.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
+.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, 
\-\-secret, \-\-crl-verify
 and
 .B \-\-tls\-auth
 options.
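Review bot: the new option name should be escaped like its neighbours, `\-\-crl\-verify` rather than `\-\-crl-verify`, otherwise groff may render the inner hyphen differently from the other option names on the same `.B` line. Also, `.B` applies only to the text on its own line, so if the break after `\-\-pkcs12,` is really in the patch and not archive line wrapping, `\-\-secret, \-\-crl\-verify` will render in roman; keep the whole list on the `.B` line or repeat the macro.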
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d518cdc..f5e0811 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2326,6 +2326,7 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   to.verify_x509_type = (options->verify_x509_type & 0xff);
   to.verify_x509_name = options->verify_x509_name;
   to.crl_file = options->crl_file;
+  to.crl_file_inline = options->crl_file_inline;
   to.ssl_flags = options->ssl_flags;
   to.ns_cert_type = options->ns_cert_type;
   memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof 
(to.remote_cert_ku));
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4933d9f..3f0bc88 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2729,10 +2729,11 @@ options_postprocess_filechecks (struct options *options)
  "--pkcs12");

   if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
-errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, 
options->crl_file, R_OK|X_OK,
+errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE,
+options->crl_file, R_OK|X_OK,
"--crl-verify directory");
   else
-errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, 
options->crl_file, R_OK,
+errs |= check_file_access_chroot (options->chroot_dir, 
CHKACC_FILE|CHKACC_INLINE, options->crl_file, R_OK,
"--crl-verify");

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, 
options->tls_auth_file, R_OK,
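Review bot: this is the first place on the page where CHKACC_INLINE is passed to check_file_access_chroot (the existing inline use two lines below goes through check_file_access for `--tls-auth`); please confirm that the chroot variant skips the access check when `options->crl_file` is the inline tag, otherwise the inline form will fail the postprocess file check. Keeping CHKACC_FILE alone in the `dir` branch is correct, since a directory cannot be inlined.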
@@ -6770,12 +6771,17 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_GENERAL);
   options->cipher_list = p[1];
 }
-  else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) 
|| !p[2]) && !p[3])
+  else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
+ || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && 
!p[3])
 {
   VERIFY_PERMISSION (OPT_P_GENERAL);
   if (p[2] && streq(p[2], "dir"))
options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
   options->crl_file = p[1];
+  if (streq (p[1], INLINE_FILE_TAG) && p[2])
+   {
+ options->crl_file_inline = p[2];
+   }
 }
   else if (streq (p[0], "tls-verify") && p[1])
 {
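Review bot: the new condition lets `crl-verify <inline-tag> dir` through: with p[1] equal to INLINE_FILE_TAG and p[2] equal to "dir", the first alternative is true, SSLF_CRL_VERIFY_DIR is set, and then `crl_file_inline` is assigned the literal string "dir". Make the two forms mutually exclusive, for example test `streq (p[1], INLINE_FILE_TAG)` first and only accept `dir` when p[1] is a real path. Minor: `streq (p[1], INLINE_FILE_TAG) )` has a stray space before the closing parenthesis, and the hunk mixes `streq(` and `streq (`; the rest of add_option uses `streq (`.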
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index a64fcaf..e1f014f 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -508,6 +508,7 @@ struct options
   const char *ca_file_inline;
   const char *cert_file_inline;
   const char *extra_certs_file_inline;
+  const char *crl_file_inline;
   char *priv_key_file_inline;
   const char *dh_file_inline;
   const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 
file */
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 6e3d28c..4220e23 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -247,6 +247,7 @@ struct tls_options
   int verify_x509_type;
   const char *verify_x509_name;
   const char *crl_file;
+  const char *crl_file_inline;
   int ns_cert_type;
   unsigned remote_cert_ku[MAX_PARMS];
   const char *remote_cert_eku;
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index ccfa9d2..ea381f8 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -690,7 +690,7 @@ verify_cert(struct tls_session *session, 
openvpn_x509_cert_t *cert, int cert_dep
   }
   else
   {
-   if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
+   if (SUCCESS != x509_verify_crl(opt->crl_file, 
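Review bot: the archived copy of the patch stops in the middle of this hunk (the `+` line ends at `opt->crl_file,`), and the remaining files from the diffstat, ssl_verify_backend.h, ssl_verify_openssl.c and ssl_verify_polarssl.c, are not shown, so the new x509_verify_crl() signature and the backends' handling of an inline CRL cannot be reviewed from this page. Please repost the complete patch; the PolarSSL side in particular, which the diffstat says gains 19 lines, is where the inline PEM has to be handled differently from a file path.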

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS
On 03/05/2016 08:24 AM, ValdikSS wrote:
>
>
> On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
>
> I've signed my new CA's private key (4096 bit) with old CA (1024 bit) and it 
> became intermediate to my old CA (what you call extending trust), but also 
> issued
> self-signed new CA. I issue server certificates with new CA.
>
> Current users trust only old CA, so to make them connect to the servers with 
> server certificates issued by new CA, we should either add cross-signed
> (intermediate) certificate on the client side, or push it from server. The 
> latest I'm trying to achieve.
>
> New clients will get configuration files with new CA inside, and they would 
> be able to successfully connect, since intermediate certificate, pushed from
> server, would be just ignored. Old clients would eventually update 
> configuration files too. After some time, we'll move all users to new CA and 
> remove
> intermediate certificate from server.
>
>
Just to clarify, both self-signed new CA and cross-signed new CA share the same 
private key.


Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread ValdikSS


On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
> Hi,
>
> On 04/03/16 22:58, ValdikSS wrote:
> how did you generate the cross-signed CA certs? I've looked around but all 
> cross-signing either requires you to use the same private key (i.e. bit size) 
> or
> that you extend the trust of one CA with that of another. The first is of no 
> help as the key size needs to be different. The second (extending trust) does 
> not
> work as you'd need to install this cross-trust CA at the client side.  I 
> found this interesting example on how to generate cross-signed certs here:
>   https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl

I've signed my new CA's private key (4096 bit) with the old CA (1024 bit) and it
became an intermediate to my old CA (what you call extending trust), but I also
issued a self-signed new CA. I issue server certificates with the new CA.

Current users trust only the old CA, so to make them connect to the servers with
server certificates issued by the new CA, we should either add the cross-signed
(intermediate) certificate on the client side, or push it from the server. The
latter is what I'm trying to achieve.

New clients will get configuration files with the new CA inside, and they would be
able to successfully connect, since the intermediate certificate, pushed from the
server, would be just ignored. Old clients would eventually update configuration
files too. After some time, we'll move all users to the new CA and remove the
intermediate certificate from the server.

>
>
> JJK
>
>



Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Jan Just Keijser

Hi,

On 04/03/16 22:58, ValdikSS wrote:

I have good news and bad news:

Good news:

  * OpenVPN sends all certificates from the server supplied for the
    --server directive (although with a small bug that the certificate
    which you have the private key for must be supplied on the top)
  * OpenVPN Connect for Android can successfully connect to my server
    with a chain

Bad news:

  * OpenVPN 2.3 and master can't connect to this server, with both
    OpenSSL and PolarSSL backends. Maybe if I supply the certificates in
    the correct order, the client would work.



How did you generate the cross-signed CA certs? I've looked around but
all cross-signing either requires you to use the same private key (i.e.
bit size) or that you extend the trust of one CA with that of another.
The first is of no help as the key size needs to be different. The
second (extending trust) does not work as you'd need to install this
cross-trust CA at the client side. I found this interesting example on
how to generate cross-signed certs here:

https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl


JJK


On 03/04/2016 12:04 AM, ValdikSS wrote:

Hello everyone,

I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit
one without hassle for the clients.
From an X.509 perspective it shouldn't be a problem, and I already have the new CA
self-signed and cross-signed with the old CA; it should work just fine.

While there's no problem authenticating clients from both the old and the new CA
using a single instance (multiple certificates in --ca are supported, this
information is documented), I need to send two certificates from the OpenVPN
server: the server certificate, which is signed by the new CA, and the new CA
cross-signed with the old CA. This way it should work for clients with either the
old or the new CA in their configuration files.

I can't get the server to send more than one certificate to the client. It seems
that multiple certificates in the --cert directive are supported only on the client
side. Am I missing something, is there a way to push multiple certificates from the
server? If there isn't a way currently, are there any protocol limitations which
allow only one certificate to be sent?
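The cross-signing arrangement ValdikSS describes in this thread, as an added shell example that is not from the thread or from OpenVPN: one private key for the new CA gets two certificates, a self-signed root and a cross-cert issued by the old CA, the server certificate is issued under the new key, and `openssl verify` then plays the part of an old client (trusting only the old CA) and of a new client (trusting the new root). Subjects, file names and key sizes are constructed for the demo; it assumes an `openssl` binary of 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Constructed demo (not from the thread): one new-CA key, two certs for it
# (self-signed root + cross-cert issued by the old CA), one server cert.
# Key sizes are smaller than the thread's 1024/4096 only to keep keygen fast.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_cross_signed_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > ee.ext
    # Old CA, self-signed: the only trust anchor current clients have
    openssl genrsa -out old.key 2048 2>/dev/null
    openssl req -new -key old.key -subj "/CN=Old CA" -out old.csr 2>/dev/null
    openssl x509 -req -in old.csr -signkey old.key -extfile ca.ext -days 30 -out old.crt 2>/dev/null
    # New CA key and ONE request for it; the request is signed twice below
    openssl genrsa -out new.key 3072 2>/dev/null
    openssl req -new -key new.key -subj "/CN=New CA" -out new.csr 2>/dev/null
    # 1) self-signed root that new clients will carry in their config
    openssl x509 -req -in new.csr -signkey new.key -extfile ca.ext -days 30 -out new-root.crt 2>/dev/null
    # 2) cross-cert: same subject and key, issued by Old CA, pushed by the server
    openssl x509 -req -in new.csr -CA old.crt -CAkey old.key -CAcreateserial \
        -extfile ca.ext -days 30 -out new-cross.crt 2>/dev/null
    # Server cert issued with the new key; its issuer name matches both
    # new-root.crt and new-cross.crt, so either one can complete the chain
    openssl genrsa -out srv.key 2048 2>/dev/null
    openssl req -new -key srv.key -subj "/CN=vpn.example" -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA new-root.crt -CAkey new.key -CAcreateserial \
        -extfile ee.ext -days 30 -out srv.crt 2>/dev/null
}

# verify_chain TRUST_ANCHOR [PUSHED_INTERMEDIATE]: exit 0 if srv.crt chains to the anchor
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" srv.crt >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" srv.crt >/dev/null 2>&1
    fi
}

make_cross_signed_chain
# Old client: needs the cross-cert pushed by the server to reach Old CA
verify_chain old.crt new-cross.crt && echo "old client + pushed cross-cert: OK"
# New client: the pushed cross-cert is ignored, the path ends at the new root
verify_chain new-root.crt new-cross.crt && echo "new client + pushed cross-cert: OK"
# Old client without the cross-cert has no path to a trusted root (expected failure)
verify_chain old.crt || echo "old client without cross-cert: fails as expected"
```

The new-client case relies on the verifier preferring its trust store while building the path, so the pushed cross-cert is simply left unused; a verifier that walks the pushed cross-cert first and then looks for Old CA in the new client's trust store would fail exactly this case.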

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel