Re: [Openvpn-devel] [PATCH] [PATCH v5 1/1] Insert client connection data into PAM environment
Am 31.03.20 um 09:34 schrieb Paolo: > So, > as you asked, now a make the complete patch from diff from master and my > branch, making the change to remote lenght. > Your patch got mangled very badly for me: > -Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â || send_string(context->foreground_fd, > common_name) == -1) > +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â || > send_string(context->foreground_fd, > common_name) == -1 > +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â || > send_string(context->foreground_fd, remote) Can you try to resend it with git send email or even as an attachment that does not get reformatted would help. Arne signature.asc Description: OpenPGP digital signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] mbedTLS: Make sure TLS session survives move
From: Tom van Leeuwen
When a client disconnects from a server compiled with mbedTLS, the server
cannot process the PUSH_REQUEST from a new connection with the same client
IP and port number. This is the case when the client binds to a static port.
This behavior is initiated by move_session(), which copies the content of the
tls_session to a new session and re-initializes the old session once the new
session is authenticated.
This tls_session contains, among other things, an mbedtls_ssl_config and
bio_ctx structure. However, the mbedtls context has internal pointers to the
mbedtls_ssl_config and bio_ctx. When the session is moved, these internal
pointers point to the reinitialized session and as a result all received
packets that are stored in the bio_ctx of the moved session can never be read
by the mbedtls session. The PUSH_REQUEST is therefore never seen by the server.
Since there is no public method to update these internal pointers, this
patch dynamically allocates the mbedtls_ssl_config and bio_ctx and stores
the pointers to those structures in the tls_session instead.
Trac #880
Signed-off-by: Tom van Leeuwen
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 0f0b035b..4f194ad7 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1036,21 +1036,22 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
CLEAR(*ks_ssl);
/* Initialise SSL config */
-mbedtls_ssl_config_init(&ks_ssl->ssl_config);
-mbedtls_ssl_config_defaults(&ks_ssl->ssl_config, ssl_ctx->endpoint,
+ALLOC_OBJ_CLEAR(ks_ssl->ssl_config, mbedtls_ssl_config);
+mbedtls_ssl_config_init(ks_ssl->ssl_config);
+mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
#ifdef MBEDTLS_DEBUG_C
mbedtls_debug_set_threshold(3);
#endif
-mbedtls_ssl_conf_dbg(&ks_ssl->ssl_config, my_debug, NULL);
-mbedtls_ssl_conf_rng(&ks_ssl->ssl_config, mbedtls_ctr_drbg_random,
+mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL);
+mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random,
rand_ctx_get());
-mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &ssl_ctx->cert_profile);
+mbedtls_ssl_conf_cert_profile(ks_ssl->ssl_config, &ssl_ctx->cert_profile);
if (ssl_ctx->allowed_ciphers)
{
-mbedtls_ssl_conf_ciphersuites(&ks_ssl->ssl_config,
ssl_ctx->allowed_ciphers);
+mbedtls_ssl_conf_ciphersuites(ks_ssl->ssl_config,
ssl_ctx->allowed_ciphers);
}
/* Disable record splitting (for now). OpenVPN assumes records are sent
@@ -1058,35 +1059,35 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
* testing. Since OpenVPN is not susceptible to BEAST, we can just
* disable record splitting as a quick fix. */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
-mbedtls_ssl_conf_cbc_record_splitting(&ks_ssl->ssl_config,
+mbedtls_ssl_conf_cbc_record_splitting(ks_ssl->ssl_config,
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
/* Initialise authentication information */
if (is_server)
{
-mbed_ok(mbedtls_ssl_conf_dh_param_ctx(&ks_ssl->ssl_config,
+mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config,
ssl_ctx->dhm_ctx));
}
-mbed_ok(mbedtls_ssl_conf_own_cert(&ks_ssl->ssl_config, ssl_ctx->crt_chain,
+mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain,
ssl_ctx->priv_key));
/* Initialise SSL verification */
#if P2MP_SERVER
if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
{
-mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config,
MBEDTLS_SSL_VERIFY_OPTIONAL);
+mbedtls_ssl_conf_authmode(ks_ssl->ssl_config,
MBEDTLS_SSL_VERIFY_OPTIONAL);
}
else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
#endif
{
-mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config,
MBEDTLS_SSL_VERIFY_REQUIRED);
+mbedtls_ssl_conf_authmode(ks_ssl->ssl_config,
MBEDTLS_SSL_VERIFY_REQUIRED);
}
-mbedtls_ssl_conf_verify(&ks_ssl->ssl_config, verify_callback, session);
+mbedtls_ssl_conf_verify(ks_ssl->ssl_config, verify_callback, session);
/* TODO: mbed TLS does not currently support sending the CA chain to the
client */
-mbedtls_ssl_conf_ca_chain(&ks_ssl->ssl_config, ssl_ctx->ca_chain,
ssl_ctx->crl);
+mbedtls_ssl_conf_ca_chain(ks_ssl->ssl_config, ssl_ctx->ca_chain,
ssl_ctx->crl);
/* Initialize minimum TLS version */
{
@@ -1103,7 +1104,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
tls_version_to_major_minor(tls_version_min, &major, &minor);
}
-mbedtls_ssl_conf_min_version(&ks_ssl->ssl_config, major, minor);
+mbedtls_ssl_co
Re: [Openvpn-devel] [PATCH 11/12] openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo
Hi, > To summarize: the return value of find_adapters() call is ignored on purpose. Shouldn't return type be void if return value is not used? I'll ack it to not to further delay 2.5 release, but it would be good to get a follow-up patch with either void or return value being not ignored. Acked-by: Lev Stipakov ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] [PATCH v5 1/1] Insert client connection data into PAM environment
So,
as you asked, now a make the complete patch from diff from master and my
branch, making the change to remote lenght.
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -48,7 +48,7 @@
#include
#include
#include "utils.h"
-
+#include
#include
#define DEBUG(verb) ((verb) >= 4)
@@ -115,6 +115,7 @@ struct user_pass {
char password[128];
char common_name[128];
char response[128];
+ char remote[INET6_ADDRSTRLEN];
const struct name_value_list *name_value_list;
};
@@ -517,13 +518,19 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t
handle, const int type, const cha
const char *username = get_env("username", envp);
const char *password = get_env("password", envp);
const char *common_name = get_env("common_name", envp) ?
get_env("common_name", envp) : "";
+ const char *remote = get_env("untrusted_ip6", envp);
+
+ if (remote == NULL){
+ remote = get_env("untrusted_ip", envp); //if Null, try
to take ipv4 if not set ipv6
+ }
if (username && strlen(username) > 0 && password)
{
if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
|| send_string(context->foreground_fd, username) == -1
|| send_string(context->foreground_fd, password) == -1
- || send_string(context->foreground_fd, common_name) == -1)
+ || send_string(context->foreground_fd, common_name) == -1
+ || send_string(context->foreground_fd, remote) == -1)
{
fprintf(stderr, "AUTH-PAM: Error sending auth info to
background process\n");
}
@@ -750,8 +757,16 @@ pam_auth(const char *service, const struct
user_pass *up)
status = pam_start(service, name_value_list_provided ? NULL :
up->username, &conv, &pamh);
if (status == PAM_SUCCESS)
{
+ /* Set PAM_RHOST environment variable */
+ if (*(up->remote))
+ {
+ status = pam_set_item(pamh, PAM_RHOST, up->remote);
+ }
/* Call PAM to verify username/password */
- status = pam_authenticate(pamh, 0);
+ if (status == PAM_SUCCESS)
+ {
+ status = pam_authenticate(pamh, 0);
+ }
if (status == PAM_SUCCESS)
{
status = pam_acct_mgmt(pamh, 0);
@@ -839,7 +854,8 @@ pam_server(int fd, const char *service, int verb,
const struct name_value_list *
case COMMAND_VERIFY:
if (recv_string(fd, up.username, sizeof(up.username)) == -1
|| recv_string(fd, up.password,
sizeof(up.password)) == -1
- || recv_string(fd, up.common_name,
sizeof(up.common_name)) == -1)
+ || recv_string(fd, up.common_name,
sizeof(up.common_name)) == -1
+ || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
{
fprintf(stderr, "AUTH-PAM: BACKGROUND: read error
on command channel: code=%d, exiting\n",
command);
@@ -853,6 +869,7 @@ pam_server(int fd, const char *service, int verb,
const struct name_value_list *
up.username, up.password);
#else
fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n",
up.username);
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: REMOTE:
%s\n", up.remote);
#endif
}
Il 30/03/20 22:58, Selva Nair ha scritto:
> Hi,
>
> On Mon, Mar 30, 2020 at 8:59 AM Paolo Cerrito > wrote:
>
> 1) so remote was set to the maxlenght of ipv6 address defined into
> arpa/inet.h + 1 for string terminator
>
> 2) I refactored the call to get_env to take first ipv6 address, then
> only if it is NULL, i make a call for ipv4
> ---
> src/plugins/auth-pam/auth-pam.c | 8 +---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/plugins/auth-pam/auth-pam.c
> b/src/plugins/auth-pam/auth-pam.c
> index ae0d495a..cd91a33c 100644
> --- a/src/plugins/auth-pam/auth-pam.c
> +++ b/src/plugins/auth-pam/auth-pam.c
> @@ -48,7 +48,7 @@
> #include
> #include
> #include "utils.h"
> -
> +#include
>
> #include
>
> #define DEBUG(verb) ((verb) >= 4)
> @@ -115,7 +115,7 @@ struct user_pass {
> char password[128];
> char common_name[128];
> char response[128];
> - char remote[46]; //46 as ipv6 form n:n:n:n:n:n:d.d.d.d and +
> terminator \0
> + char remote[INET6_ADDRSTRLEN+1]; //INET6_ADDRSTRLEN is the
> lenght of ipv6 + terminator \0
>
>
> INET6_ADDRSTRLEN = 46 already includes space for nul termination
>
> More importantly, you have to provide a single updated patch
> preferably with version indicated in the subject and sent out with
> --in-reply-to referring to the previous version.
>
> Submitting incremental pieces of fixup co
