Re: [Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Frank Lichtenheld



> Antonio Quartulli wrote on 15.03.2022 16:11:
> Frank reported that we should use double space after the full-stop. 
> Honestly I'd prefer just single-space everywhere as it is more 
> "traditional".

Yeah, I also prefer one space but I actually grepped the code and while it
is somewhat inconsistent, double-space seems to be winning decisively right
now. And we definitely should not use both in the same message ;)

Regards,
--
Frank Lichtenheld


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH applied] Re: plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
I have not done formal testing, just verified that the code change is
the same and that it compiles.  The "plugin.c" module did change quite
a bit since 2.4 (PF removal, argv overhaul, ENABLE_CRYPTO, etc.) but 
the code patched here - plugin_call_ssl() - is identical.

Your patch has been applied to the release/2.4 branch.

commit 58ec3bb4aac77131118dbbc39a65181e7847adee
Author: David Sommerseth
Date:   Tue Mar 15 16:53:43 2022 +0100

 plug-ins: Disallow multiple deferred authentication plug-ins

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <20220315155344.37787-3-open...@sf.lists.topphemmelig.net>
 URL: 
https://www.mail-archive.com/search?l=mid=20220315155344.37787-3-open...@sf.lists.topphemmelig.net
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread Gert Doering
Hi,

On Tue, Mar 15, 2022 at 04:53:44PM +0100, David Sommerseth wrote:
> From: David Sommerseth 
> 
> The use case for this plug-in is dubious now with the new multi-auth.c
> plugin available.  This new plugin is based on simple.c, but allows
> far more flexibility for testing.

As for 1/3 v5, we decided to not invest time into plugin maintenance
for 2.4 -> so, formal NAK for this one.  Just for the sake of the
archives.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Hi,

On Tue, Mar 15, 2022 at 04:53:42PM +0100, David Sommerseth wrote:
> From: David Sommerseth 
> 
> This plugin allows setting username/passwords as well as configuring
> deferred authentication behaviour as part of the runtime initialization.
> 
> With this plug-in it is easier to test various scenarios where multiple
> authentication plug-ins are active on the server side.
> 
> Test documentation was also added to describe various test cases and
> the expected results.
> 
> Signed-off-by: David Sommerseth 

We've discussed this on IRC, and decided to not invest further work
into 2.4 for this - the 2.5 plugin will work, but "fiddling with the
build stuff" is left as an exercise for the reader, as we consider
2.4 to be effectively "out of maintenance, only critical bugfixes".

Thus, formal NAK on this.

gert




[Openvpn-devel] [PATCH applied] Re: plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
This is the same patch that Antonio tested when it was still only
discussed on the security@ list (except for the "two spaces" comment 
fix).  Also, fixed a "do" -> "does" in plugin-options.rst.

As discussed before, I still think that "aborting the server process"
is excessive and we should just return OPENVPN_PLUGIN_FUNC_ERROR in
this case (with a proper log message), but we'll have to agree to
disagree on this one.  I have a patch to bring proper functionality
instead... :-)

I have not tested this particular scenario (Antonio has), just made
sure nothing else got broken.

I have not updated Changes.rst in the context of this patch - will
do that when preparing 2.5.6 release.

Your patch has been applied to the master and release/2.5 branch.

commit 282ddbac54f8d4923844f69983b38dd2b813a00a (master)
commit af3e382649d96ae77cc5e42be8270f355e5cfec5 (release/2.5)
Author: David Sommerseth
Date:   Sun Mar 13 20:31:53 2022 +0100

 plug-ins: Disallow multiple deferred authentication plug-ins

 Signed-off-by: David Sommerseth 
 Acked-by: Antonio Quartulli 
 Message-Id: <20220313193154.9350-3-open...@sf.lists.topphemmelig.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH v2.4 v5 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread David Sommerseth
From: David Sommerseth 

This plugin allows setting username/passwords as well as configuring
deferred authentication behaviour as part of the runtime initialization.

With this plug-in it is easier to test various scenarios where multiple
authentication plug-ins are active on the server side.

Test documentation was also added to describe various test cases and
the expected results.

Signed-off-by: David Sommerseth 

---
v3 - Flipped NULL==var/NULL!=var to (var)/(!var) in if() block
---
 doc/tests/authentication-plugins.md  | 153 +
 sample/sample-plugins/defer/README   |   8 +
 sample/sample-plugins/defer/multi-auth.c | 413 +++
 3 files changed, 574 insertions(+)
 create mode 100644 doc/tests/authentication-plugins.md
 create mode 100644 sample/sample-plugins/defer/multi-auth.c

diff --git a/doc/tests/authentication-plugins.md 
b/doc/tests/authentication-plugins.md
new file mode 100644
index ..1f5fb851
--- /dev/null
+++ b/doc/tests/authentication-plugins.md
@@ -0,0 +1,153 @@
+# TESTING OF MULTIPLE AUTHENTICATION PLUG-INS
+
+
+OpenVPN 2.x can support loading and authenticating users through multiple
+plug-ins at the same time.  But it can only support a single plug-in doing
+deferred authentication.  However, a plug-in supporting deferred
+authentication may be accompanied by other authentication plug-ins **not**
+doing deferred authentication.
+
+This is a test script useful to test the various combinations and order of
+plug-in execution.
+
+The configuration files are expected to be used from the root of the build
+directory.
+
+To build the needed authentication plug-in, run:
+
+ make -C sample/sample-plugins
+
+
+## Test configs
+
+* Client config
+
+  verb 4
+  dev tun
+  client
+  remote x.x.x.x
+  ca sample/sample-keys/ca.crt
+  cert sample/sample-keys/client.crt
+  key sample/sample-keys/client.key
+  auth-user-pass
+
+* Base server config (`base-server.conf`)
+
+  verb 4
+  dev tun
+  server 10.8.0.0 255.255.255.0
+  dh sample/sample-keys/dh2048.pem
+  ca sample/sample-keys/ca.crt
+  cert sample/sample-keys/server.crt
+  key sample/sample-keys/server.key
+
+
+## Test cases
+
+### Test: *sanity-1*
+
+This tests the basic authentication with an instant answer.
+
+ config base-server.conf
+ plugin multi-auth.so S1.1 0 foo bar
+
+ Expected results
+ - Username/password `foo`/`bar`: **PASS**
+ - Anything else: **FAIL**
+
+
+### Test: *sanity-2*
+
+This is similar to `sanity-1`, but does the authentication
+through two plug-ins providing an instant reply.
+
+ config base-server.conf
+ plugin multi-auth.so S2.1 0 foo bar
+ plugin multi-auth.so S2.2 0 foo bar
+
+ Expected results
+ - Username/password `foo`/`bar`: **PASS**
+ - Anything else: **FAIL**
+
+
+### Test: *sanity-3*
+
+This is also similar to `sanity-1`, but uses deferred authentication
+with a 1 second delay on the response.
+
+ plugin multi-auth.so S3.1 1000 foo bar
+
+ Expected results
+ - Username/password `foo`/`bar`: **PASS**
+ - Anything else: **FAIL**
+
+
+### Test: *case-a*
+
+Runs two authentications, the first one deferred by 1 second and the
+second one providing an instant response.
+
+ plugin multi-auth.so A.1 1000 foo bar
+ plugin multi-auth.so A.2 0 foo bar
+
+ Expected results
+ - Username/password `foo`/`bar`: **PASS**
+ - Anything else: **FAIL**
+
+
+### Test: *case-b*
+
+This is similar to `case-a`, but the instant authentication response
+is provided first before the deferred authentication.
+
+ plugin multi-auth.so B.1 0 foo bar
+ plugin multi-auth.so B.2 1000 test pass
+
+ Expected results
+ - **Always FAIL**
+ - This test should never pass, as each plug-in expects different
+   usernames and passwords.
+
+
+### Test: *case-c*
+
+This is similar to the two prior tests, but the authentication result
+is returned instantly in both steps.
+
+ plugin multi-auth.so C.1 0 foo bar
+ plugin multi-auth.so C.2 0 foo2 bar2
+
+ Expected results
+ - **Always FAIL**
+ - This test should never pass, as each plug-in expects different
+   usernames and passwords.
+
+
+### Test: *case-d*
+
+This is similar to the `case-b` test, but the order of deferred
+and instant response is reversed.
+
+plugin ./multi-auth.so D.1 2000 test pass
+plugin ./multi-auth.so D.2 0 foo bar
+
+ Expected results
+ - **Always FAIL**
+ - This test should never pass, as each plug-in expects different
+   usernames and passwords.
+
+
+### Test: *case-e*
+
+This test case will run two deferred authentication plug-ins.  This is
+**not** supported by OpenVPN, and should therefore fail instantly.
+
+plugin ./multi-auth.so E1 1000 test1 pass1
+plugin ./multi-auth.so E2 2000 test2 pass2
+
+ Expected results
+ - The OpenVPN server process should stop running
+ - An error about multiple deferred plug-ins being configured
+   should be seen in the server log.
+
+
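Review bot: the config blocks for `case-d` and `case-e` are not indented like the earlier cases, so they will not render as Markdown code blocks, and they use `./multi-auth.so` and `E1`/`E2` where every other case uses `multi-auth.so` and `X.1`/`X.2`; indenting them and using one path form keeps the test document self-consistent. A second point on `case-b` and `case-d`: each changes both the deferred/instant ordering and the credentials, so the ordering variable is never tested on its own with a PASS outcome; a variant of `case-b` with `foo bar` on both plug-ins would show whether instant-then-deferred also passes.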
diff --git 

[Openvpn-devel] [PATCH v2.4 v5 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread David Sommerseth
From: David Sommerseth 

The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted.  For now we bail
out when this is discovered, with an error in the log.

CVE: 2022-0547
Signed-off-by: David Sommerseth 

---
Note: The man page snippet is copied from the generated nroff formatting from
the git master generated man page.

v3 - flip CONSTANT==var to var==CONSTANT in if() clause
v4 - Use M_FATAL instead of M_ERR
v5 - Fix missing ) in if() clause
---
 doc/openvpn.8| 13 +
 src/openvpn/plugin.c | 33 ++---
 2 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 598d5fce..a6a5feb6 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, 
or
 client\-connect), then
 every module and script must return success (0) in order for
 the connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one of them\fP do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
 .\"*
 .TP
 .B \-\-keying\-material\-exporter label len
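Review bot: the added block opens one `.INDENT 7.0` but closes with two `.UNINDENT` macros, so the second one must be closing an `.INDENT` that already exists above the hunk context; worth confirming with a rendering (`man -l doc/openvpn.8`) that the WARNING is nested under `--plugin` and does not end the surrounding indentation early. The sentence "OpenVPN will shut down upon first authentication" could also say that this means the first authentication attempt in which a second plug-in returns a deferred result, so administrators know when the process will stop.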
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0ab99ab5..a019ec77 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
 const int n = plugin_n(pl);
 bool success = false;
 bool error = false;
-bool deferred = false;
+bool deferred_auth_done = false;
 
 setenv_del(es, "script_type");
 envp = make_env_array(es, false, );
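Review bot: the new name `deferred_auth_done` reads as "the deferred auth has completed", while the flag (as the comment in the next hunk puts it) records that a deferred auth "has already been started"; `deferred_auth_started` or `deferred_auth_pending` would match the meaning and not mislead a later reader into thinking the result has arrived.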
@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
 break;
 
 case OPENVPN_PLUGIN_FUNC_DEFERRED:
-deferred = true;
+if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+&& deferred_auth_done)
+{
+/*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started.  This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+error = true;
+msg(M_FATAL,
+"Exiting due to multiple authentication plug-ins "
+"performing deferred authentication. Only one "
+"authentication plug-in doing deferred auth is "
+"allowed.  Ignoring the result and stopping now, "
+"the current authentication result is not to be "
+"trusted.");
+break;
+}
+deferred_auth_done = true;
 break;
 
 default:
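Review bot: since `msg(M_FATAL, ...)` terminates the process, the `error = true;` before it and the `break;` after it are unreachable; either drop them or say in the comment that they are kept so the function stays correct if the severity is ever lowered to M_ERR/M_WARN, which is the alternative (return OPENVPN_PLUGIN_FUNC_ERROR with a log message) raised elsewhere in this thread. Also, the guard applies only when `type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY`: for any other hook that may return DEFERRED, a second deferred reply still just sets the flag and is accepted, so the commit message should state that only the user/password verification path is covered.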
@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
 {
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
-else if (deferred)
+else if (deferred_auth_done)
 {
 return OPENVPN_PLUGIN_FUNC_DEFERRED;
 }
-- 
2.27.0



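As an added illustration (not OpenVPN's code and not part of this thread), the C model below reproduces the per-plug-in result aggregation that the `plugin.c` hunk above changes, so the old and patched outcomes for `case-a`, `case-b` and `case-e` style reply sequences can be compared side by side. The hook and result constants imitate openvpn-plugin.h but their numeric values are assumptions of this model, and `msg(M_FATAL)` is replaced by a counter so that the process-stop event (and the "return OPENVPN_PLUGIN_FUNC_ERROR with a log message" alternative discussed earlier in the thread) is observable in one run.

```c
/*
 * Constructed model of the per-plug-in result aggregation in
 * plugin_call_ssl(), before and after the CVE-2022-0547 change.
 * Not OpenVPN code: constant and hook names imitate openvpn-plugin.h,
 * their values are assumptions of this model, and msg(M_FATAL) is
 * replaced by a counter so the "stop the process" outcome is observable.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum plugin_result {
    PLUGIN_FUNC_SUCCESS = 0,
    PLUGIN_FUNC_ERROR = 1,
    PLUGIN_FUNC_DEFERRED = 2
};

enum hook_type {
    HOOK_AUTH_USER_PASS_VERIFY = 1, /* the --auth-user-pass-verify hook */
    HOOK_OTHER = 2                  /* any other hook allowed to defer */
};

struct verdict {
    enum plugin_result result; /* what the aggregation returns to the caller */
    int fatal_calls;           /* how often the patched code would hit M_FATAL */
};

/* Pre-patch: every DEFERRED reply just sets one flag, so two deferred
 * plug-ins are accepted although they would share one auth_control_file. */
static struct verdict
aggregate_old(const enum plugin_result *replies, size_t n)
{
    struct verdict v = { PLUGIN_FUNC_SUCCESS, 0 };
    bool error = false, deferred = false;

    for (size_t i = 0; i < n; i++) {
        switch (replies[i]) {
        case PLUGIN_FUNC_SUCCESS:  break;
        case PLUGIN_FUNC_DEFERRED: deferred = true; break;
        default:                   error = true; break;
        }
    }
    if (error) {
        v.result = PLUGIN_FUNC_ERROR;
    } else if (deferred) {
        v.result = PLUGIN_FUNC_DEFERRED;
    }
    return v;
}

/* Patched: a second DEFERRED reply on the auth hook is a fatal configuration
 * error.  One deferred plug-in plus any number of instant ones stays fine,
 * in either order, and hooks other than auth are not checked at all. */
static struct verdict
aggregate_patched(enum hook_type type, const enum plugin_result *replies, size_t n)
{
    struct verdict v = { PLUGIN_FUNC_SUCCESS, 0 };
    bool error = false, deferred_auth_done = false;

    for (size_t i = 0; i < n; i++) {
        switch (replies[i]) {
        case PLUGIN_FUNC_SUCCESS:
            break;
        case PLUGIN_FUNC_DEFERRED:
            if (type == HOOK_AUTH_USER_PASS_VERIFY && deferred_auth_done) {
                /* Real patch: msg(M_FATAL, "Exiting due to multiple ...")
                 * exits here; the model records the event and carries on,
                 * which is the "return ERROR with a log message" variant. */
                error = true;
                v.fatal_calls++;
                break;
            }
            deferred_auth_done = true;
            break;
        default:
            error = true;
            break;
        }
    }
    if (error) {
        v.result = PLUGIN_FUNC_ERROR;
    } else if (deferred_auth_done) {
        v.result = PLUGIN_FUNC_DEFERRED;
    }
    return v;
}

/* Constructed reply sequences, named after the test cases in
 * doc/tests/authentication-plugins.md, with valid credentials at every
 * plug-in so only the deferred/instant pattern matters. */
static const enum plugin_result CASE_A[] = { PLUGIN_FUNC_DEFERRED, PLUGIN_FUNC_SUCCESS };
static const enum plugin_result CASE_B[] = { PLUGIN_FUNC_SUCCESS, PLUGIN_FUNC_DEFERRED };
static const enum plugin_result CASE_E[] = { PLUGIN_FUNC_DEFERRED, PLUGIN_FUNC_DEFERRED };

int main(void)
{
    struct verdict before = aggregate_old(CASE_E, 2);
    struct verdict after = aggregate_patched(HOOK_AUTH_USER_PASS_VERIFY, CASE_E, 2);

    printf("case-e: old result=%d (DEFERRED, untrusted), patched result=%d, "
           "fatal events=%d\n", (int)before.result, (int)after.result, after.fatal_calls);
    printf("case-a/case-b patched: %d / %d (both DEFERRED: one deferred plug-in)\n",
           (int)aggregate_patched(HOOK_AUTH_USER_PASS_VERIFY, CASE_A, 2).result,
           (int)aggregate_patched(HOOK_AUTH_USER_PASS_VERIFY, CASE_B, 2).result);
    return 0;
}
```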


[Openvpn-devel] [PATCH v2.4 v5 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread David Sommerseth
From: David Sommerseth 

The use case for this plug-in is dubious now with the new multi-auth.c
plugin available.  This new plugin is based on simple.c, but allows
far more flexibility for testing.

Signed-off-by: David Sommerseth 
---
 sample/sample-plugins/defer/README |   3 -
 sample/sample-plugins/defer/simple.c   | 541 -
 sample/sample-plugins/defer/simple.def |   6 -
 3 files changed, 550 deletions(-)
 delete mode 100644 sample/sample-plugins/defer/simple.c
 delete mode 100755 sample/sample-plugins/defer/simple.def

diff --git a/sample/sample-plugins/defer/README 
b/sample/sample-plugins/defer/README
index 4c032993..b20f4eea 100644
--- a/sample/sample-plugins/defer/README
+++ b/sample/sample-plugins/defer/README
@@ -2,9 +2,6 @@ OpenVPN plugin examples.
 
 Examples provided:
 
-simple.c -- using the --auth-user-pass-verify callback,
-test deferred authentication.
-
 multi-auth.c -- Test plug-in for testing multiple authentication
 plug-ins in the same OpenVPN server configuration.
 Only tested on Linux.
diff --git a/sample/sample-plugins/defer/simple.c 
b/sample/sample-plugins/defer/simple.c
deleted file mode 100644
index 6f08bedd..
--- a/sample/sample-plugins/defer/simple.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/*
- *  OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- *  Copyright (C) 2002-2018 OpenVPN Inc 
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2
- *  as published by the Free Software Foundation.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will test deferred authentication and packet filtering.
- *
- * Will run on Windows or *nix.
- *
- * Sample usage:
- *
- * setenv test_deferred_auth 20
- * setenv test_packet_filter 10
- * plugin plugin/defer/simple.so
- *
- * This will enable deferred authentication to occur 20
- * seconds after the normal TLS authentication process,
- * and will cause a packet filter file to be generated 10
- * seconds after the initial TLS negotiation, using
- * {common-name}.pf as the source.
- *
- * Sample packet filter configuration:
- *
- * [CLIENTS DROP]
- * +otherclient
- * [SUBNETS DROP]
- * +10.0.0.0/8
- * -10.10.0.8
- * [END]
- *
- * See the README file for build instructions.
- */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "openvpn-plugin.h"
-
-/* Pointers to functions exported from openvpn */
-static plugin_log_t plugin_log = NULL;
-
-/*
- * Constants indicating minimum API and struct versions by the functions
- * in this plugin.  Consult openvpn-plugin.h, look for:
- * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER
- *
- * Strictly speaking, this sample code only requires plugin_log, a feature
- * of structver version 1.  However, '1' lines up with ancient versions
- * of openvpn that are past end-of-support.  As such, we are requiring
- * structver '5' here to indicate a desire for modern openvpn, rather
- * than a need for any particular feature found in structver beyond '1'.
- */
-#define OPENVPN_PLUGIN_VERSION_MIN 3
-#define OPENVPN_PLUGIN_STRUCTVER_MIN 5
-
-/*
- * Our context, where we keep our state.
- */
-
-struct plugin_context {
-int test_deferred_auth;
-int test_packet_filter;
-};
-
-struct plugin_per_client_context {
-int n_calls;
-bool generated_pf_file;
-};
-
-/* module name for plugin_log() */
-static char *MODULE = "defer/simple";
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env(const char *name, const char *envp[])
-{
-if (envp)
-{
-int i;
-const int namelen = strlen(name);
-for (i = 0; envp[i]; ++i)
-{
-if (!strncmp(envp[i], name, namelen))
-{
-const char *cp = envp[i] + namelen;
-if (*cp == '=')
-{
-return cp + 1;
-}
-}
-}
-}
-return NULL;
-}
-
-/* used for safe printf of possible NULL strings */
-static const char *
-np(const char *str)
-{
-if (str)
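Review bot: on the 2.4 branch this patch targets, deleting simple.c removes the only sample that exercises deferred packet-filter generation (`test_packet_filter` and `generated_pf_file` in the header above), a feature 2.4 still ships (PF was removed only later, as noted elsewhere in this thread), while the README hunk points to multi-auth.c as the replacement; either keep simple.c on release/2.4 or state in the commit message that PF sample coverage is dropped on purpose.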
-   

[Openvpn-devel] [PATCH v2.4 v5 0/3] Disable multiple deferred authentication plug-ins

2022-03-15 Thread David Sommerseth
From: David Sommerseth 

This is the same patch set as the v4 [1] patch set, just without the
embarrassing syntax error in the second patch.

[1] 

Message-Id: 20220313200715.13518-1-open...@sf.lists.topphemmelig.net

David Sommerseth (3):
  sample-plugin: New plugin for testing multiple auth plugins
  plug-ins: Disallow multiple deferred authentication plug-ins
  plug-ins: Remove defer/simple.c sample plugin

 doc/openvpn.8|  13 +
 doc/tests/authentication-plugins.md  | 153 +++
 sample/sample-plugins/defer/README   |   9 +-
 sample/sample-plugins/defer/multi-auth.c | 413 +
 sample/sample-plugins/defer/simple.c | 541 ---
 sample/sample-plugins/defer/simple.def   |   6 -
 src/openvpn/plugin.c |  33 +-
 7 files changed, 616 insertions(+), 552 deletions(-)
 create mode 100644 doc/tests/authentication-plugins.md
 create mode 100644 sample/sample-plugins/defer/multi-auth.c
 delete mode 100644 sample/sample-plugins/defer/simple.c
 delete mode 100755 sample/sample-plugins/defer/simple.def

-- 
2.27.0





[Openvpn-devel] [PATCH applied] Re: sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Diffing the patch against the previous one only circulated on the
seclist shows no differences except "mail headers", and I have reviewed
and tested that plugin for my "multiple deferred auth" (draft) patch.

So, today only tested that it builds on both branches (it does).

If someone wants to spend a bit more time working on this plugin, I
think it could be improved by having the "how much delay?" "direct
or deferred?" and "fail or succeed?" behaviour controlled by 
UV_$prefix_VAR variable settings that can be "--push-peer-info"'ed 
from the client - so fully automated testing of all combinations
without modifying the server config and restarting.  But this is an
enhancement / feature wish, not a showstopper.

Your patch has been applied to the master and release/2.5 branch.

commit 79a111c7e16d157278495cb5f4c52eab2229b68e (master)
commit 08c6d9b016f9e8cf3f917e83bcd96f5a26345989 (release/2.5)
Author: David Sommerseth
Date:   Sun Mar 13 20:31:52 2022 +0100

 sample-plugin: New plugin for testing multiple auth plugins

 Signed-off-by: David Sommerseth 
 Acked-by: Antonio Quartulli 
 Message-Id: <20220313193154.9350-2-open...@sf.lists.topphemmelig.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23932.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: plugins: Remove defer/simple.c sample plugin

2022-03-15 Thread Gert Doering
This one does not need much brains to review - "does it apply" and
"does it break 'make distcheck'" (yes, and no).

The reason why this plugin is deleted is because the new multi-auth
plugin does mostly the same thing, "but more" - and it's 90% the same
code, so not much to be learned from the older one anymore.

For 2.5 and 2.4 branches, after some discussion on IRC, it makes sense
to leave defer/simple alone - it still has "PF" support, which 
defer/auth-multi does not have (and does not need).  So, unlike 
master, there is something to be learned from having both plugins,
and someone might even make use of the "simple" feature set...

Your patch has been applied to the master branch.

commit d816207bc2fe1ee5a04c394b215d50123cb25aad (master)
Author: David Sommerseth
Date:   Sun Mar 13 20:31:54 2022 +0100

 plugins: Remove defer/simple.c sample plugin

 Signed-off-by: David Sommerseth 
 Acked-by: Antonio Quartulli 
 Message-Id: <20220313193154.9350-4-open...@sf.lists.topphemmelig.net>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23933.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Gert Doering
Hi,

On Sun, Mar 13, 2022 at 09:07:14PM +0100, David Sommerseth wrote:
>  case OPENVPN_PLUGIN_FUNC_DEFERRED:
> -deferred = true;
> +if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
> +&& deferred_auth_done)
> +{

As discussed on IRC, a fat finger sneaked into this and stole a bracket.

So, formally, NAK, as I won't change code, except in emergencies (which
this isn't)

gert




Re: [Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Gert Doering
Hi,

On Sun, Mar 13, 2022 at 09:07:13PM +0100, David Sommerseth wrote:
> From: David Sommerseth 
> 
> This plugin allows setting username/passwords as well as configuring
> deferred authentication behaviour as part of the runtime initialization.
> 
> With this plug-in it is easier to test various scenarios where multiple
> authentication plug-ins are active on the server side.
> 
> Test documentation was also added to describe various test cases and
> the expected results.
> 
> Signed-off-by: David Sommerseth 

Well, not sure if we really want this new plugin in 2.4, but if we
want this, we need a v5 of this patch with correct build instructions
for 2.4 - as it is, it does not build (there is no Makefile in 
"sample/sample-plugins", and "build" does not set proper -I, so 
"config.h" cannot be found).

Thus, NAK.

Focusing on "only the CVE patch" for now.

gert





Re: [Openvpn-devel] [PATCH v4 3/3] plugins: Remove defer/simple.c sample plugin

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 20:31, David Sommerseth wrote:

From: David Sommerseth 

The use case for this plug-in is dubious now with the new multi-auth.c
plugin available.  This new plugin is based on simple.c, but allows
far more flexibility for testing.

Signed-off-by: David Sommerseth 


Same as the patch for master.

Acked-by: Antonio Quartulli 


--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 20:31, David Sommerseth wrote:

From: David Sommerseth 

The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted.  For now we bail
out when this is discovered, with an error in the log.

CVE: 2022-0547
Signed-off-by: David Sommerseth 


Same as the patch for master.

Acked-by: Antonio Quartulli 



+error = true;
+msg(M_FATAL,
+"Exiting due to multiple authentication plug-ins "
+"performing deferred authentication. Only one "
+"authentication plug-in doing deferred auth is "
+"allowed.  Ignoring the result and stopping now, "
+"the current authentication result is not to be "
+"trusted.");


Frank reported that we should use double space after the full-stop. 
Honestly I'd prefer just single-space everywhere as it is more 
"traditional".


This said, Gert can make the final decision and modify the patch on the fly.

Cheers,


--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 20:31, David Sommerseth wrote:

From: David Sommerseth 

This plugin allows setting username/passwords as well as configuring
deferred authentication behaviour as part of the runtime initialization.

With this plug-in it is easier to test various scenarios where multiple
authentication plug-ins are active on the server side.

Test documentation was also added to describe various test cases and
the expected results.

Signed-off-by: David Sommerseth 


Same as the patch for master.

Acked-by: Antonio Quartulli 

--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v2.4 v4 3/3] plug-ins: Remove defer/simple.c sample plugin

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 21:07, David Sommerseth wrote:

From: David Sommerseth 

The use case for this plug-in is dubious now with the new multi-auth.c
plugin available.  This new plugin is based on simple.c, but allows
far more flexibility for testing.

Signed-off-by: David Sommerseth 


Does nothing more than removing the simple auth plugin (superseded by 
the plugin in 1/2)


Acked-by: Antonio Quartulli 

--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v2.4 v4 2/3] plug-ins: Disallow multiple deferred authentication plug-ins

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 21:07, David Sommerseth wrote:

From: David Sommerseth 

The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted.  For now we bail
out when this is discovered, with an error in the log.

CVE: 2022-0547
Signed-off-by: David Sommerseth 


Tested and it does what it says on the lid.
The whole approach requires larger refactoring, but for now this is 
enough to close the hole.


Acked-by: Antonio Quartulli 



--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v2.4 v4 1/3] sample-plugin: New plugin for testing multiple auth plugins

2022-03-15 Thread Antonio Quartulli

Hi,

On 13/03/2022 21:07, David Sommerseth wrote:

From: David Sommerseth 

This plugin allows setting username/passwords as well as configuring
deferred authentication behaviour as part of the runtime initialization.

With this plug-in it is easier to test various scenarios where multiple
authentication plug-ins are active on the server side.

Test documentation was also added to describe various test cases and
the expected results.

Signed-off-by: David Sommerseth 


Tested and it greatly helps understanding various auth plugin 
combinations behaviours.


Acked-by: Antonio Quartulli 


--
Antonio Quartulli




Re: [Openvpn-devel] [PATCH v2 release/2.5] msvc: adjust build options to harden binaries

2022-03-15 Thread Frank Lichtenheld
Acked-by: Frank Lichtenheld 

Build tested on Win10 VS 2019. See notes below about the patch
dependency.

> Lev Stipakov wrote on 19.02.2022 00:52:
> 
>  
> From: Lev Stipakov 
> 
>  - enable hardware-enforced stack protection on
> compatible hardware/software (/CETCOMPAT linker option)
> 
>  - hash object files with SHA256 (/ZH:SHA_256 compiler option)
> 
>  - enable SDL. This required adding
> 
> _CRT_NONSTDC_NO_DEPRECATE
> _CRT_SECURE_NO_WARNINGS
> _WINSOCK_DEPRECATED_NO_WARNINGS
> 
> preprocessor definitions. I don't feel like replacing strdup (which is
> correct POSIX function) and inet_ntoa (we always pass IPv4 address to
> it, inet_ntop will make code more complex)
> 
> Above issues were discovered by bitskim.
> 
> Before applying this patch, this one must be applied from master:
> 
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html

Notes:
- This is e5e9a07e8baee4065b7dfd65736bfa77b8329cfc
- Automatic cherry-pick fails due to trivial conflict in copyright years
- Author of e5e9a07e8baee4065b7dfd65736bfa77b8329cfc is
  "Author: Simon Rozman via Openvpn-devel "
  so that is something that could be cleaned up on cherry-pick.

Regards,
--
Frank Lichtenheld




Re: [Openvpn-devel] [PATCH v2] msvc: adjust build options to harden binaries

2022-03-15 Thread Frank Lichtenheld
Acked-By: Frank Lichtenheld 

Build-tested on Win 10 with VS 2019.

> Lev Stipakov wrote on 19.02.2022 00:50:
> 
>  
> From: Lev Stipakov 
> 
>  - enable hardware-enforced stack protection on
> compatible hardware/software (/CETCOMPAT linker option)
> 
>  - hash object files with SHA256 (/ZH:SHA_256 compiler option)
> 
>  - enable SDL. This required adding
> 
> _CRT_NONSTDC_NO_DEPRECATE
> _CRT_SECURE_NO_WARNINGS
> _WINSOCK_DEPRECATED_NO_WARNINGS
> 
> preprocessor definitions. I don't feel like replacing strdup (which is
> correct POSIX function) and inet_ntoa (we always pass IPv4 address to
> it, inet_ntop will make code more complex)
> 
> Above issues were discovered by bitskim.

Regards,
--
Frank Lichtenheld




Re: [Openvpn-devel] [PATCH master+release/2.5] vcpkg-ports/pkcs11-helper: adapt to new upstream URL

2022-03-15 Thread Samuli Seppänen

Based on my testing this fixes the Windows build issues.

ACK.

On 14.3.2022 14.03, Lev Stipakov wrote:

From: Lev Stipakov 

Signed-off-by: Lev Stipakov 
---
  contrib/vcpkg-ports/pkcs11-helper/CONTROL| 2 +-
  contrib/vcpkg-ports/pkcs11-helper/portfile.cmake | 8 
  2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/contrib/vcpkg-ports/pkcs11-helper/CONTROL 
b/contrib/vcpkg-ports/pkcs11-helper/CONTROL
index 6a5077fd..ff116364 100644
--- a/contrib/vcpkg-ports/pkcs11-helper/CONTROL
+++ b/contrib/vcpkg-ports/pkcs11-helper/CONTROL
@@ -1,4 +1,4 @@
  Source: pkcs11-helper
-Version: 1.28-3
+Version: 1.28-4
  Homepage: https://github.com/OpenSC/pkcs11-helper
  Description: pkcs11-helper is a library that simplifies the interaction with 
PKCS#11 providers for end-user applications.
diff --git a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake 
b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
index 0723344e..4a9cd20c 100644
--- a/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
+++ b/contrib/vcpkg-ports/pkcs11-helper/portfile.cmake
@@ -1,9 +1,9 @@
-set(VERSION 1.28)
+set(VERSION 1.28.0)
  
  vcpkg_download_distfile(ARCHIVE

-URLS 
"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.0.tar.bz2;
-FILENAME "pkcs11-helper-${VERSION}.tar.bz2"
-SHA512 
11b8e554d9223ab9305a3ad7e2b6a9bbece1c09ca8d49276618dec31eefdccf6a32b0db85a28a90334ea42fe809beec83514a31930b79bdbefa368ed4658945b
+URLS 
"https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.gz;
+FILENAME "pkcs11-helper-${VERSION}.tar.gz"
+SHA512 
1c1cc7f83ed360fabdcfa68d0eafa7d25be03e68c6a202e7ad2907feb472663bb34e12b9e162344ec221a4298abc02acdc75f0f45d9a89657aa7ac55e59badd5
  )
  
  vcpkg_extract_source_archive_ex(
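Review bot: the hunk changes three things at once (VERSION 1.28 to 1.28.0, the tarball from `.tar.bz2` to `.tar.gz`, and the SHA512) but the commit message carries only a Signed-off-by; a one-line body saying that upstream's release asset name changed and where the new checksum was taken from (and how it was verified) would let a later reader tell a legitimate URL move from a swapped artifact. Note also that the old URL embedded `${VERSION}.0` while the new one uses `${VERSION}` directly, which is why the VERSION bump is needed for the path to resolve.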


