[Openvpn-devel] [PATCH] Handle localized Administrators group name in windows
Interactive service allows all configs and options if the user is in "Administrators" group. This patch makes it work even if the admin group is renamed or localized. While at it, also remove two unused variables in validate.c. Thanks to Leonardo Basilio for testing the patch on a localized version of windows and Samuli Seppänen for pointing out this issue. Signed-off-by: Selva Nair --- src/openvpnserv/validate.c | 45 +--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index b5809b3..7458d75 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -57,8 +57,6 @@ static BOOL CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s) { WCHAR tmp[MAX_PATH]; -WCHAR widepath[MAX_PATH]; -WCHAR relpath[MAX_PATH]; const WCHAR *config_file = NULL; const WCHAR *config_dir = NULL; @@ -112,6 +110,36 @@ OptionLookup (const WCHAR *name, const WCHAR *white_list[]) } /* + * The Administrators group may be localized or renamed by admins. + * Get the local name of the group using the SID. + */ +static BOOL +GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen) +{ +BOOL b = FALSE; +PSID admin_sid = NULL; +DWORD sid_size = SECURITY_MAX_SID_SIZE; +SID_NAME_USE snu; + +WCHAR domain[MAX_NAME]; +DWORD dlen = _countof(domain); + +admin_sid = malloc(sid_size); +if (!admin_sid) +return FALSE; + +b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size); +if(b) +{ +b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu); +} + +free (admin_sid); + +return b; +} + +/* * Check whether user is a member of Administrators group or * the group specified in s->ovpn_admin_group */ @@ -125,6 +153,7 @@ IsAuthorizedUser (SID *sid, settings_t *s) const WCHAR *admin_group[2]; WCHAR username[MAX_NAME]; WCHAR domain[MAX_NAME]; +WCHAR sysadmin_group[MAX_NAME]; DWORD err, len = MAX_NAME; int i; BOOL ret = FALSE; 
@@ -147,7 +176,17 @@ IsAuthorizedUser (SID *sid, settings_t *s) goto out; } -admin_group[0] = SYSTEM_ADMIN_GROUP; +if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group))) +{ +admin_group[0] = sysadmin_group; +} +else +{ +MsgToEventLog (M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default.")); +/* use the default value */ +admin_group[0] = SYSTEM_ADMIN_GROUP; +} + #ifdef UNICODE admin_group[1] = s->ovpn_admin_group; #else -- 1.7.10.4
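Review bot: In the GetBuiltinAdminGroupName hunk, the SID buffer has a compile-time bound (SECURITY_MAX_SID_SIZE), so a local `BYTE sid_buf[SECURITY_MAX_SID_SIZE];` would serve instead of malloc/free and remove the allocation-failure path entirely; if the heap allocation stays, the `return FALSE` after `if (!admin_sid)` leaves no record of why the lookup was skipped, while the LookupAccountSidW failure is only reported by the caller. Minor style: `if(b)` and `free (admin_sid)` use different spacing from each other and from the surrounding `if (` / `malloc(` calls.

Review bot: In the IsAuthorizedUser hunk, the fallback to SYSTEM_ADMIN_GROUP only helps on installs where the group still has its English name, which is exactly the case that was already working; since the well-known SID is constructed anyway, comparing group SIDs instead of group names (for example with CheckTokenMembership, or by comparing each group SID from the user's group list against the Administrators SID) would remove the dependence on name resolution and the need for a fallback at all. If the name-based comparison is kept, the M_SYSERR log line is appropriate, but note that it only carries the error of the last Win32 call made before the caller logs, so anything executed between LookupAccountSidW and MsgToEventLog can mask the original reason.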
Re: [Openvpn-devel] Pushing multiple certificates from server
On 03/05/2016 06:27 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> If Connect works, and OpenVPN for Android does not, this hints at
> "PolarSSL vs. OpenSSL".
>
> Or at "we call the crypto library differently"...

Yes, the PolarSSL build of OpenVPN 2.3 also works fine. Trying to find the bug in the OpenSSL backend validation code…

> gert
Re: [Openvpn-devel] Pushing multiple certificates from server
Hi,

On Sat, Mar 05, 2016 at 12:58:06AM +0300, ValdikSS wrote:
> Bad news:
>
> * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL
> and PolarSSL backends. Maybe if I supply certificates in correct order,
> client would

If Connect works, and OpenVPN for Android does not, this hints at
"PolarSSL vs. OpenSSL".

Or at "we call the crypto library differently"...

gert
-- 
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Pushing multiple certificates from server
On 03/05/2016 12:58 AM, ValdikSS wrote:
> I have good news and bad news:
>
> Good news:
>
> * OpenVPN sends all certificates from the server supplied for --server
> directive (although with a small bug that a certificate which you have
> private key for must be supplied on the top)
> * OpenVPN Connect for Android can successfully connect to my server with a
> chain
>
>
> Bad news:
>
> * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL
> and PolarSSL backends. Maybe if I supply certificates in correct order, client
> would work.
>

Sorry for the misinformation: OpenVPN 2.3 and master with the PolarSSL backend actually work. The problem is in the OpenSSL backend.

>
>
> On 03/04/2016 12:04 AM, ValdikSS wrote:
>
[Openvpn-devel] [PATCH] Implement inlining of crl files
While crl files can change regularly and it is usually not a good idea to statically include them into config files, handling multiple files and updating files on mobile files is tiresome/problematic. Inlining a static version of the crl file is better in these use cases than to use no crl at all. OpenVPN 3 already supports inlining crl-verify, so it is already used in config files. --- doc/openvpn.8 | 2 +- src/openvpn/init.c| 1 + src/openvpn/options.c | 12 +--- src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 2 +- src/openvpn/ssl_verify_backend.h | 4 ++-- src/openvpn/ssl_verify_openssl.c | 7 +-- src/openvpn/ssl_verify_polarssl.c | 19 +++ 9 files changed, 36 insertions(+), 13 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index d99aaf5..09cf018 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -6498,7 +6498,7 @@ X509_1_C=KG .\"* .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the -.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret +.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, \-\-crl-verify and .B \-\-tls\-auth options. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d518cdc..f5e0811 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2326,6 +2326,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; + to.crl_file_inline = options->crl_file_inline; to.ssl_flags = options->ssl_flags; to.ns_cert_type = options->ns_cert_type; memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4933d9f..3f0bc88 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2729,10 +2729,11 @@ options_postprocess_filechecks (struct options *options) "--pkcs12"); if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) -errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, +errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, +options->crl_file, R_OK|X_OK, "--crl-verify directory"); else -errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK, +errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE, options->crl_file, R_OK, "--crl-verify"); errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK, @@ -6770,12 +6771,17 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->cipher_list = p[1]; } - else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]) && !p[3]) + else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) + || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[2] && streq(p[2], "dir")) options->ssl_flags |= SSLF_CRL_VERIFY_DIR; options->crl_file = p[1]; + if (streq (p[1], INLINE_FILE_TAG) && p[2]) + { + options->crl_file_inline = p[2]; + } } else if (streq (p[0], "tls-verify") && p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a64fcaf..e1f014f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -508,6 +508,7 @@ struct options const char *ca_file_inline; const char *cert_file_inline; const char *extra_certs_file_inline; + const char *crl_file_inline; char *priv_key_file_inline; const char *dh_file_inline; const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 6e3d28c..4220e23 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -247,6 +247,7 @@ struct tls_options int verify_x509_type; const char *verify_x509_name; const char *crl_file; + const char *crl_file_inline; int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index ccfa9d2..ea381f8 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -690,7 +690,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep } else { - if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject)) + if (SUCCESS != x509_verify_crl(opt->crl_file, opt->crl_file_inline,
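Review bot: In the doc/openvpn.8 hunk, the new entry is written `\-\-crl-verify` while every neighbouring option escapes the inner hyphen as well (`\-\-extra\-certs`, `\-\-tls\-auth`); it should read `\-\-crl\-verify` so the man page renders the option consistently.

Review bot: In the options_postprocess_filechecks hunk, CHKACC_INLINE is added only to the non-directory branch, which is right, but with `--chroot` set the check goes through check_file_access_chroot; please confirm that function tests for the inline tag before it prefixes the chroot directory onto `options->crl_file`, otherwise an inlined CRL will be looked up as `<chroot>/[[INLINE]]` and the config check fails. The re-wrapping of the `dir` branch in the same hunk is a formatting-only change and could be dropped to keep the diff minimal.

Review bot: In the add_option hunk, the combined condition `((p[2] && streq(p[2], "dir")) || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]` is hard to read and evaluates the `dir` keyword test before the inline test, although once `p[1]` is INLINE_FILE_TAG `p[2]` is the file body rather than a keyword. Testing `streq (p[1], INLINE_FILE_TAG)` first, setting `crl_file_inline` and returning, and only then handling the `dir` form makes the two modes mutually exclusive and the condition readable; the body should also reject an inline CRL combined with SSLF_CRL_VERIFY_DIR rather than silently setting both.

Review bot: The ssl_verify.c hunk ends mid-call at `x509_verify_crl(opt->crl_file, opt->crl_file_inline,` and the diffstat lists ssl_verify_backend.h, ssl_verify_openssl.c and ssl_verify_polarssl.c, none of which appear in this copy, so the signature change and the actual loading of an in-memory CRL in both backends cannot be reviewed here; please resend the complete patch. The patch also carries no Signed-off-by line, unlike the other patch in this thread, and the commit message should state the config syntax being added (the same inline block form used by the other options listed in the man page hunk) so readers of the log do not have to infer it from the option parser.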
Re: [Openvpn-devel] Pushing multiple certificates from server
On 03/05/2016 08:24 AM, ValdikSS wrote:
>
>
> On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
>
> I've signed my new CA's private key (4096 bit) with the old CA (1024 bit) and it
> became an intermediate of my old CA (what you call extending trust), but also
> issued a self-signed new CA. I issue server certificates with the new CA.
>
> Current users trust only the old CA, so to make them connect to the servers with
> server certificates issued by the new CA, we should either add the cross-signed
> (intermediate) certificate on the client side, or push it from the server. The
> latter is what I'm trying to achieve.
>
> New clients will get configuration files with the new CA inside, and they would
> be able to successfully connect, since the intermediate certificate, pushed from
> the server, would just be ignored. Old clients would eventually update
> configuration files too. After some time, we'll move all users to the new CA and
> remove the intermediate certificate from the server.
>

Just to clarify, both the self-signed new CA and the cross-signed new CA share the same private key.
Re: [Openvpn-devel] Pushing multiple certificates from server
On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
> Hi,
>
> On 04/03/16 22:58, ValdikSS wrote:
> how did you generate the cross-signed CA certs? I've looked around but all
> cross-signing either requires you to use the same private key (i.e. bit size)
> or that you extend the trust of one CA with that of another. The first is of no
> help as the key size needs to be different. The second (extending trust) does
> not work as you'd need to install this cross-trust CA at the client side. I
> found this interesting example on how to generate cross-signed certs here:
> https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl

I've signed my new CA's private key (4096 bit) with the old CA (1024 bit) and it became an intermediate of my old CA (what you call extending trust), but also issued a self-signed new CA. I issue server certificates with the new CA.

Current users trust only the old CA, so to make them connect to the servers with server certificates issued by the new CA, we should either add the cross-signed (intermediate) certificate on the client side, or push it from the server. The latter is what I'm trying to achieve.

New clients will get configuration files with the new CA inside, and they would be able to successfully connect, since the intermediate certificate, pushed from the server, would just be ignored. Old clients would eventually update configuration files too. After some time, we'll move all users to the new CA and remove the intermediate certificate from the server.

> JJK
>
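The CA layout ValdikSS describes above (one new CA key, issued both as a self-signed root and as an intermediate cross-signed by the old CA) can be reproduced with the openssl CLI and checked against both trust anchors. The script below is an added example, not code from the thread or from OpenVPN; the subjects, file names, key sizes and extension files are constructed for the demo, and the old CA uses 2048 bits instead of the thread's 1024 because current OpenSSL security levels reject 1024-bit keys during verification. It also verifies the two cases the thread is about: an old client that receives the cross-signed certificate from the server, and a new client that receives it but does not need it.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the cross-signed CA layout with
# openssl and check which trust anchors validate the server certificate, with
# and without the cross-signed intermediate that the server would push.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extensions shared by all CA certificates (old root, new self-signed, new cross-signed).
cat > ca-ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the server certificate. Only "keyid" is used for the authority
# key identifier: adding "issuer" would pin the issuer name and serial of the
# self-signed new CA, and the cross-signed copy (same key, different issuer and
# serial) would then no longer chain for old clients.
cat > server-ext.cnf <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
authorityKeyIdentifier=keyid
EOF

# Build the PKI: old CA, new CA key with a self-signed and a cross-signed
# certificate, and a server certificate issued under the new CA key.
build_pki() {
  openssl genrsa -out old-ca.key 2048 2>/dev/null
  openssl req -new -key old-ca.key -subj "/CN=Old CA" -out old-ca.csr 2>/dev/null
  openssl x509 -req -in old-ca.csr -signkey old-ca.key -days 3650 \
    -extfile ca-ext.cnf -out old-ca.crt 2>/dev/null

  openssl genrsa -out new-ca.key 4096 2>/dev/null
  openssl req -new -key new-ca.key -subj "/CN=New CA" -out new-ca.csr 2>/dev/null
  # Self-signed form of the new CA: what new client configs carry in --ca.
  openssl x509 -req -in new-ca.csr -signkey new-ca.key -days 3650 \
    -extfile ca-ext.cnf -out new-ca-self.crt 2>/dev/null
  # Cross-signed form: the same CSR (same key, same subject) signed by the old
  # CA, so it acts as an intermediate for clients that trust only old-ca.crt.
  openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key \
    -CAcreateserial -days 3650 -extfile ca-ext.cnf -out new-ca-cross.crt 2>/dev/null

  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=vpn.example" -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA new-ca-self.crt -CAkey new-ca.key \
    -CAcreateserial -days 825 -extfile server-ext.cnf -out server.crt 2>/dev/null
}

# verify_chain ANCHOR CERT [EXTRA]: validate CERT against trust anchor ANCHOR,
# treating EXTRA (the certificate the server would push next to its own) as an
# untrusted intermediate. Prints OK or FAIL and always returns 0.
verify_chain() {
  anchor="$1"; cert="$2"; extra="${3:-}"
  if [ -n "$extra" ]; then
    set -- -untrusted "$extra"
  else
    set --
  fi
  if openssl verify -CAfile "$anchor" "$@" "$cert" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_pki

echo "old client, server pushes cross-signed CA: $(verify_chain old-ca.crt server.crt new-ca-cross.crt)"
echo "new client, server pushes cross-signed CA: $(verify_chain new-ca-self.crt server.crt new-ca-cross.crt)"
echo "new client, server cert only:              $(verify_chain new-ca-self.crt server.crt)"
echo "old client, server cert only:              $(verify_chain old-ca.crt server.crt)"
```

The first three checks print OK and the last prints FAIL: an old client validates the server only when the cross-signed certificate travels with it, while a new client builds the chain straight to its own trust anchor and the extra certificate is simply unused, which is the behaviour the migration plan relies on.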
Re: [Openvpn-devel] Pushing multiple certificates from server
Hi,

On 04/03/16 22:58, ValdikSS wrote:
> I have good news and bad news:
>
> Good news:
>
> * OpenVPN sends all certificates from the server supplied for --server
>   directive (although with a small bug that a certificate which you have
>   private key for must be supplied on the top)
> * OpenVPN Connect for Android can successfully connect to my server with a
>   chain
>
> Bad news:
>
> * OpenVPN 2.3 and master can't connect to this server, with both OpenSSL
>   and PolarSSL backends. Maybe if I supply certificates in correct order,
>   client would work.

how did you generate the cross-signed CA certs? I've looked around but all cross-signing either requires you to use the same private key (i.e. bit size) or that you extend the trust of one CA with that of another. The first is of no help as the key size needs to be different. The second (extending trust) does not work as you'd need to install this cross-trust CA at the client side. I found this interesting example on how to generate cross-signed certs here: https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl

JJK

> On 03/04/2016 12:04 AM, ValdikSS wrote:
>> Hello everyone,
>>
>> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit
>> one without a hassle for the clients. From an X.509 perspective it shouldn't be a
>> problem, and I already have the new CA self-signed and cross-signed with the old
>> CA; it should work just fine.
>>
>> While there's no problem authenticating clients from both old and new CA using
>> a single instance (multiple certificates in --ca are supported, this information
>> is documented), I need to send two certificates from the OpenVPN server: the
>> server certificate, which is signed by the new CA, and the new CA cross-signed
>> with the old CA. This way it should work for clients with either the old or the
>> new CA in their configuration files.
>>
>> I can't get the server to send more than one certificate to the client. It
>> seems that multiple certificates in the --cert directive are supported only on
>> the client side.
>>
>> Am I missing something, is there a way to push multiple certificates from the
>> server? If there isn't a way currently, are there any protocol limitations
>> which allow only one certificate to be sent?

-- 
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel