[Openvpn-devel] [PATCH] Restrict options/configs for startup through interactive service
Hi, The patch is in the next email. This is not yet tested extensively, but has passed some quick tests. A simple approach of parsing the options string is used instead of passing structs: the latter will break the GUI every time a new option is added to the white-list. Current white-list is just what the GUI needs, but it's easy to extend. - Only limited tests could be done with the stock GUI: - Because of GUI limitations, check the event viewer for startup errors (the GUI will just hang for 15 seconds and say connection failed) Thanks, Selva
[Openvpn-devel] [PATCH] Restrict options/configs for startup through interactive service
Windows only: - Allow only a set of whitelisted options in the command line options passed by interactive service clients unless (i) user is in the local Administrator group AND/OR (ii) in a predefined group (see below) Only the group membership is checked, the client process need not be running with any elevated privileges available to those groups. - Restrict config files to config_dir or its sub directories unless (i) and/or (ii) above is true. (config_dir is as defined in HKLM\Software\OpenVPN\config_dir) - The predefined group may be set in the registry HKLM\Software\OpenVPN\ovpn_admin_group (default: "OpenVPN Administrators") - The white-list of options is a simple flat array of option strings (without leading --) defined in validate.c - Further options may be added to the whitelist without breaking the GUI -- the startup data is passed from the GUI to the service the same way as before. Notes to GUI developers: (i) If the user is an administrator, the service will grant all privileges even if the GUI is not running elevated. This is practically equivalent to 'highestAvailable' without the risks of running the GUI elevated. (ii) If the option checks fail, openvpn is not started, but an error message is passed back to the service pipe and written to event log. Currently the GUI does not read from the service pipe -- this needs fixing. Signed-off-by: Selva Nair --- src/openvpnserv/Makefile.am |3 +- src/openvpnserv/common.c | 13 ++- src/openvpnserv/interactive.c | 95 +++ src/openvpnserv/service.h |2 + src/openvpnserv/validate.c| 207 + src/openvpnserv/validate.h| 49 ++ 6 files changed, 365 insertions(+), 4 deletions(-) create mode 100644 src/openvpnserv/validate.c create mode 100644 src/openvpnserv/validate.h diff --git a/src/openvpnserv/Makefile.am b/src/openvpnserv/Makefile.am index 4bb1c27..5aba53a 100644 --- a/src/openvpnserv/Makefile.am +++ b/src/openvpnserv/Makefile.am 
@@ -26,7 +26,7 @@ openvpnserv_CFLAGS = \ -municode -D_UNICODE \ -UNTDDI_VERSION -U_WIN32_WINNT \ -D_WIN32_WINNT=_WIN32_WINNT_VISTA -openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lws2_32 +openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lshlwapi -lnetapi32 -lws2_32 endif openvpnserv_SOURCES = \ @@ -34,4 +34,5 @@ openvpnserv_SOURCES = \ automatic.c \ interactive.c \ service.c service.h \ +validate.c validate.h \ openvpnserv_resources.rc diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index a293796..dba4724 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -23,7 +23,7 @@ */ #include - +#include /* * These are necessary due to certain buggy implementations of (v)snprintf, * that don't guarantee null termination for size > 0. @@ -53,7 +53,6 @@ openvpn_sntprintf (LPTSTR str, size_t size, LPCTSTR format, ...) return len; } - #define REG_KEY TEXT("SOFTWARE\\" PACKAGE_NAME) static DWORD @@ -114,6 +113,13 @@ GetOpenvpnSettings (settings_t *s) if (error != ERROR_SUCCESS) goto out; + /* read if present, else use default */ + error = GetRegString (key, TEXT("ovpn_admin_group"), s->ovpn_admin_group, sizeof (s->ovpn_admin_group)); + if (error != ERROR_SUCCESS) + { +openvpn_sntprintf(s->ovpn_admin_group, _countof(s->ovpn_admin_group), OVPN_ADMIN_GROUP); +error = 0; /* this error is not fatal */ + } /* set process priority */ if (!_tcsicmp (priority, TEXT("IDLE_PRIORITY_CLASS"))) s->priority = IDLE_PRIORITY_CLASS; @@ -194,7 +200,8 @@ MsgToEventLog (DWORD flags, LPCTSTR format, ...) if (hEventSource != NULL) { openvpn_sntprintf (msg[0], _countof (msg[0]), - TEXT("%s error: %s"), APPNAME, err_msg); + TEXT("%s%s: %s"), APPNAME, + (flags & MSG_FLAGS_ERROR) ? TEXT(" error") : TEXT(""), err_msg); va_start (arglist, format); openvpn_vsntprintf (msg[1], _countof (msg[1]), format, arglist); diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 0f3d1d4..7fc5376 100644 --- a/src/openvpnserv/interactive.c 
+++ b/src/openvpnserv/interactive.c @@ -33,8 +33,10 @@ #include #include #include +#include #include "openvpn-msg.h" +#include "validate.h" #define IO_TIMEOUT 2000 /*ms*/ @@ -292,6 +294,93 @@ ReturnOpenvpnOutput (HANDLE pipe, HANDLE ovpn_output, DWORD count, LPHANDLE even free (wide_output); } +/* + * Validate options against a white list. Also check the config_file is + * inside the config_dir. The white list is defined in validate.c + * Returns true on success + */ +static BOOL +ValidateOptions (HANDLE pipe, const WCHAR *workdir, const WCHAR *options) +{ +WCHAR **argv; +int argc; +WCHAR buf[256]; +BOOL ret = FALSE; +int i; +const WCHAR *msg1 = L"You have specified a config f
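Review bot: In the common.c GetOpenvpnSettings hunk, the fallback `openvpn_sntprintf(s->ovpn_admin_group, _countof(s->ovpn_admin_group), OVPN_ADMIN_GROUP);` passes the default group name as the format string; use `TEXT("%s"), OVPN_ADMIN_GROUP` (or a bounded copy) so a default containing '%' can never be misparsed, and set `error = ERROR_SUCCESS` instead of the literal 0 to match the `ERROR_SUCCESS` comparisons around it. The same hunk treats every GetRegString failure as "value absent" and substitutes the default, so a value that exists but cannot be read would silently change which group is granted full privileges; distinguishing not-found from other errors (and logging the latter) would make that visible.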
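Review bot: The interactive.c hunk introduces ValidateOptions with a fixed `WCHAR buf[256]` and a hard-coded error text, and the diffstat lists no documentation change alongside the six source files, so the new HKLM\Software\OpenVPN\ovpn_admin_group value, its default, and the fact that non-members are confined to config_dir and the whitelist are undocumented for administrators; a short note in the service documentation should accompany the change, and the error-message path should be checked for truncation when a long config path is included. The function body is cut off on this page after its first message string, so the option-parsing logic itself could not be reviewed here.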
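As an added example, not code from this patch or from the OpenVPN project, the following portable C sketch shows the two checks the commit message describes: a flat option whitelist matched by name, and a config path confined to config_dir (or its subdirectories). The whitelist entries, the `is_privileged` flag standing in for the Administrators / ovpn_admin_group membership test, and every path and command line are constructed assumptions. Paths are normalised lexically only (no symlink or junction resolution, so a real service must also consider those), and the options string is split on whitespace, so quoted paths containing spaces are out of scope here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed whitelist for this example: option names without the leading
 * "--". The patch keeps its real list in validate.c; these entries are just
 * plausible GUI-style options chosen to exercise the check. */
static const char *const allowed_options[] = {
    "config", "log", "log-append", "management", "management-query-passwords",
    "management-hold", "service", "auth-retry"
};

static bool option_allowed(const char *name)
{
    size_t n = sizeof allowed_options / sizeof allowed_options[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allowed_options[i]) == 0)
            return true;
    return false;
}

/* Lexically normalise an absolute Windows or POSIX path into out: both
 * separator styles become '/', "." segments are dropped and ".." pops the
 * previous segment. Relative paths and ".." climbing above the root are
 * rejected, so a path the caller cannot pin down is never compared. */
static bool normalize_path(const char *in, char *out, size_t outsz)
{
    const char *p = in;
    size_t len = 0, rootlen;

    if (isalpha((unsigned char)p[0]) && p[1] == ':') {   /* drive prefix */
        if (outsz < 3) return false;
        out[len++] = (char)toupper((unsigned char)p[0]);
        out[len++] = ':';
        p += 2;
    }
    if (*p != '/' && *p != '\\')                        /* must be absolute */
        return false;
    rootlen = len;

    while (*p) {
        while (*p == '/' || *p == '\\') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            size_t i = len;
            while (i > rootlen && out[i - 1] != '/') i--;
            if (i == rootlen) return false;             /* nothing left to pop */
            len = i - 1;
            continue;
        }
        if (len + 1 + seglen + 1 > outsz) return false;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    if (len == rootlen) {                               /* bare root, e.g. "C:/" */
        if (len + 2 > outsz) return false;
        out[len++] = '/';
    }
    out[len] = '\0';
    return true;
}

/* True if path is strictly inside dir (case-insensitive, as on Windows). */
static bool path_is_under(const char *dir, const char *path)
{
    char d[512], p[512];
    if (!normalize_path(dir, d, sizeof d) || !normalize_path(path, p, sizeof p))
        return false;
    size_t n = strlen(d);
    if (n > 0 && d[n - 1] == '/') n--;                  /* root already has '/' */
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)d[i]) != tolower((unsigned char)p[i]))
            return false;
    return p[n] == '/';                                 /* a further segment must follow */
}

/* Apply the startup policy: privileged callers (assumed to model the admin
 * or ovpn_admin_group membership) may pass anything; everyone else gets only
 * whitelisted options and a --config inside config_dir. On rejection err
 * receives the reason, as the patch reports back over the service pipe. */
static bool validate_startup(const char *config_dir, const char *options,
                             bool is_privileged, char *err, size_t errsz)
{
    char buf[1024];
    const char *current = NULL;                         /* option being parsed */

    err[0] = '\0';
    if (is_privileged)
        return true;
    if (strlen(options) >= sizeof buf) {
        snprintf(err, errsz, "options string too long");
        return false;
    }
    strcpy(buf, options);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strncmp(tok, "--", 2) == 0) {
            current = tok + 2;
            if (!option_allowed(current)) {
                snprintf(err, errsz, "option --%s is not permitted", current);
                return false;
            }
        } else if (current && strcmp(current, "config") == 0) {
            if (!path_is_under(config_dir, tok)) {
                snprintf(err, errsz, "config file %s is outside %s", tok, config_dir);
                return false;
            }
        }
    }
    return true;
}

int main(void)
{
    const char *dir = "C:\\OpenVPN\\config";            /* constructed config_dir */
    const char *samples[] = {                           /* constructed command lines */
        "--config C:\\OpenVPN\\config\\client.ovpn --log C:\\OpenVPN\\log\\client.log",
        "--config C:\\OpenVPN\\config\\..\\..\\Windows\\other.ovpn",
        "--config C:\\OpenVPN\\config\\client.ovpn --up C:\\scripts\\hook.bat",
    };
    char err[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = validate_startup(dir, samples[i], false, err, sizeof err);
        printf("%s: %s\n", ok ? "accepted" : "rejected", ok ? samples[i] : err);
    }
    return 0;
}
```

The ".." sample is the case worth keeping in mind when confining a path: a prefix comparison on the raw string would pass it, so the directory check has to run on the normalised form, and any path the normaliser cannot resolve is treated as outside the directory rather than inside it.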
Re: [Openvpn-devel] Micro-sha-ft
Hi, We just got an EV certificate token thingy, which certainly does not have SHA-1. The problem is that the token makes it impossible to safely automate the signing process. So basically we have to turn off automated signing in openvpn-build and just sign the files we absolutely have to. This probably boils down to openvpn-installer-*.exe tap-windows6 drivers tap-windows6 installer It would be nice to sign openvpn-gui, but then openvpn-build would have to fetch a pre-built and signed openvpn-gui.exe instead of building and signing it itself. According to Microsoft documentation[*] we _could_ continue using non-EV certs (+ automated signing) for non-driver code, but that would probably mean paying for two certificates. I'll ask around to see if this is indeed the case. We decided to rekey our current non-EV certificate with SHA-2 - it will be valid until the upcoming September. This will buy us some time to think about our next move. So what I'll do next is: - Sign the tap-windows6 driver with the EV-cert - Start using the rekeyed non-EV cert for the rest of the signing This should solve all the certificate validation issues we currently have on Windows. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock
Re: [Openvpn-devel] Has openvpn been fuzzed?
On 18.02.2016 at 19:08, Gert Doering wrote: > Hi, > > On Thu, Feb 18, 2016 at 06:08:02PM +0100, Jacek Wielemborek wrote: >> Well the attacker could send a funny packet with a valid checksum, >> encrypted and authenticated, right? > > Indeed, but that would be someone we trust enough to let him talk to > our network - protects against Joe Random from the Internet crashing > our servers (or burning CPU resources trying to). > > But yeah. Mistakes do happen :-) - so software shouldn't ever crash > on malformed packets. > > gert > Crashing alone isn't as dangerous as having memory errors that could lead to arbitrary code execution. Especially if OpenVPN is run as root, which is probably the case quite often, given that one of its most common use cases requires privileges to set up its own network interfaces...
[Openvpn-devel] AFL-Fuzzing OpenVPN in inetd mode?
On 18.02.2016 at 18:03, Gert Doering wrote: > Hi, > > On Thu, Feb 18, 2016 at 05:15:50PM +0100, Jacek Wielemborek wrote: >> The thing is that in order to fuzz it most efficiently, it would be good >> to modify the server to use stdin/stdout (or dev null) for network I/O >> and terminate after handling a single connection. Also, we would need to >> disable any checksums, compression or encryption. > > OpenVPN can be called from inetd, so it can sort of handle "an already > connected socket on stdin/stdout". > > "sort of" because the backend refuses most normal options in this case > (it can only handle tap interfaces, and no --ifconfig, because the > assumption is that this only makes sense if you attach to a pre-configured > bridge) - but for fuzzing the network side, this should work. I read up on inetd mode and couldn't find a working example. Could someone show me a setup where I could make it read a request from stdin and ideally make it terminate after a sample request? Then I could start trying to plug it into AFL.
Re: [Openvpn-devel] [PATCH] Restrict options/configs for startup through interactive service
Hi, On Fri, Feb 19, 2016 at 01:51:02AM -0500, Selva Nair wrote: > The pacth is in the next email. > > This is not yet tested extensively, but has passed some quick tests. > A simple approach of parsing the options string is used instead of passing > structs: > the latter will break the GUI everytime a new option is added to the > white-list. > > Current white-list is just what the GUI needs, but its easy to extend. Re-thinking the original argument, I agree that this is easier than a fixed structure (if only because you'd need to ensure that GUI and service are talking the same structure version...). I like what your patch is doing - it's more than "just the whitelist" but also the administrative restrictions ("if you are not administrator or part of the OpenVPN Admin group, only configs from a well-known directory, otherwise, do what you want"). From a C perspective, the code looks good to me. I'm a bit reluctant to ACK & merge it, I'd like a few more eyes look on this, from two angles - is this feature-wise the way we want to go? It "works for me" - are the windows bits of the code change sane? String manipulation and wide strings and that stuff is something I have little experience with. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
[Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
Hello, I am currently working on a project that requires SSL VPN to use session resumptions. I need to add the TLS Session Resumption functionality to OpenVPN. Any starters as in how I could achieve this? I know about the SSL_OP_NO_TICKET flag added to disable the resumption process. Will deleting it from the code enable SSL resumption automatically? Any kind of help is greatly appreciated. Please let me know. Thanks. -- Regards Shubham Chauhan
Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
On 19.02.16 at 14:32, Shubham Chauhan wrote: > Hello, > > I am currently working on a project that requires SSL VPN to use > session resumptions. > > I need to add the TLS Session Resumption functionality to OpenVPN. Any > starters as in how I could achieve this? > I know about the SSL_OP_NO_TICKET flag added to disable the resumption > process. Will deleting it from the code enable SSL resumption > automatically? > VPN session and SSL session are not necessarily the same. You can re-establish a VPN session with a new TLS session. I think OpenVPN will still insist on a full authentication in a new session, even with SSL_OP_NO_TICKET removed. I would have to check the code myself to be sure. Arne
Re: [Openvpn-devel] [PATCH] Restrict options/configs for startup through interactive service
Hi, Thanks for the quick feedback. On Fri, Feb 19, 2016 at 6:37 AM, Gert Doering wrote: > Hi, > > On Fri, Feb 19, 2016 at 01:51:02AM -0500, Selva Nair wrote: > > The pacth is in the next email. > > > > This is not yet tested extensively, but has passed some quick tests. > > A simple approach of parsing the options string is used instead of > passing structs: > > the latter will break the GUI everytime a new option is added to the > white-list. > > > > Current white-list is just what the GUI needs, but its easy to extend. > > Re-thinking the original argument, I agree that this is easier than > a fixed structure (if only because you'd need to ensure that GUI and > service are talking the same structure version...). > > I like what your patch is doing - it's more than "just the whitelist" > but also the administrative restrictions ("if you are not administrator > or part of the OpenVPN Admin group, only configs from a well-known > directory, otherwise, do what you want"). > And the admin (or at install time) could even change the "wheel" group name to "Users" and bless every user too. > > From a C perspective, the code looks good to me. > > I'm a bit reluctant to ACK & merge it, I'd like a few more eyes look > on this, from two angles > > - is this feature-wise the way we want to go? It "works for me" > > - are the windows bits of the code change sane? String manipulation and >wide strings and that stuff is something I have little experience with. > String conversions are indeed a pain. Could eliminate them if the code is guaranteed to be compiled with -municode -D_UNICODE. Does anyone build a non-unicode version on windows these days? The whole of the service code will then need only one string conversion -- for passing the management password to stdin of openvpn. Selva
Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
On 19.02.16 at 15:00, Shubham Chauhan wrote: > Thank you for such a quick reply. > > I agree that VPN sessions and SSL sessions are not necessarily the same. > Let me be more specific with my question for a better discussion. > > In an active OpenVPN session, at regular intervals, a full SSL > handshake takes place (because the SSL session expires). I checked > this by capturing packets with "openvpn && ssl" filter. > In my implementation I don't want those regular full SSL negotiations > to take place. > It should ideally check if the SSL session key or the session context > is present in the cache (or some storage place), and if it is present, > then full handshake should NOT take place. Instead an abbreviated > handshake should take place which happens during TLS session resumption. > I am looking for changes in the code that can be made to do this task > (as minimal as possible). > > I understand the use of SSL_OP_NO_TICKET by OpenVPN against the triple > handshake vulnerability, but my project is really specific and wants > some specific functionality, which includes Session Resumptions. > Note that this interval is defined by --reneg-sec and you can disable them by setting that to 0. Arne
Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
Thanks. I didn't know about this. This will be helpful. I am specifically looking for enabling TLS session resumptions though. Resuming the session with session IDs stored in a cache at server side (the general process of an abbreviated handshake). On Feb 19, 2016 7:50 PM, "Arne Schwabe" wrote: > > > On 19.02.16 at 15:00, Shubham Chauhan wrote: > > Thank you for such a quick reply. > > > > I agree that VPN sessions and SSL sessions are not necessarily the same. > > Let me be more specific with my question for a better discussion. > > > > In an active OpenVPN session, at regular intervals, a full SSL > > handshake takes place (because the SSL session expires). I checked > > this by capturing packets with "openvpn && ssl" filter. > > In my implementation I don't want those regular full SSL negotiations > > to take place. > > It should ideally check if the SSL session key or the session context > > is present in the cache (or some storage place), and if it is present, > > then full handshake should NOT take place. Instead an abbreviated > > handshake should take place which happens during TLS session resumption. > > I am looking for changes in the code that can be made to do this task > > (as minimal as possible). > > > > I understand the use of SSL_OP_NO_TICKET by OpenVPN against the triple > > handshake vulnerability, but my project is really specific and wants > > some specific functionality, which includes Session Resumptions. > > > Note that this interval is defined by --reneg-sec and you can disable > them by setting that to 0. > > Arne >
Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
Thank you for such a quick reply. I agree that VPN sessions and SSL sessions are not necessarily the same. Let me be more specific with my question for a better discussion. In an active OpenVPN session, at regular intervals, a full SSL handshake takes place (because the SSL session expires). I checked this by capturing packets with "openvpn && ssl" filter. In my implementation I don't want those regular full SSL negotiations to take place. It should ideally check if the SSL session key or the session context is present in the cache (or some storage place), and if it is present, then full handshake should NOT take place. Instead an abbreviated handshake should take place which happens during TLS session resumption. I am looking for changes in the code that can be made to do this task (as minimal as possible). I understand the use of SSL_OP_NO_TICKET by OpenVPN against the triple handshake vulnerability, but my project is really specific and wants some specific functionality, which includes Session Resumptions. Thanks On Fri, Feb 19, 2016 at 7:10 PM, Arne Schwabe wrote: > > > On 19.02.16 at 14:32, Shubham Chauhan wrote: > > Hello, > > > > I am currently working on a project that requires SSL VPN to use > > session resumptions. > > > > I need to add the TLS Session Resumption functionality to OpenVPN. Any > > starters as in how I could achieve this? > > I know about the SSL_OP_NO_TICKET flag added to disable the resumption > > process. Will deleting it from the code enable SSL resumption > > automatically? > > > VPN session and SSL session are not necessarily the same. You can > restablish a VPN session with a new TLS session. > > I think OpenVPN will still insist on a full authentication in a new > session, even with SSL_OP_NO_TICKET removed. I would have to the check > the code myself to be sure. > > Arne > -- Regards Shubham Chauhan 2013099 B.Tech CSE
Re: [Openvpn-devel] Enabling TLS Session Resumption in OpenVPN
Hi, On Fri, Feb 19, 2016 at 07:02:21PM +0530, Shubham Chauhan wrote: > I am currently working on a project that requires SSL VPN to use session > resumptions. > > I need to add the TLS Session Resumption functionality to OpenVPN. Any > starters as in how I could achieve this? > I know about the SSL_OP_NO_TICKET flag added to disable the resumption > process. Will deleting it from the code enable SSL resumption automatically? Unless I'm misunderstanding the lore, there are so many lurking risks in SSL session resumption that we're just not doing this, period. With peer-id TLS floating, there is not any need for it in OpenVPN anyway. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
[Openvpn-devel] openvpn-gui
Hi, We have a few pending pull requests in openvpn-gui. At least one of them (put --log first in the command line) is tiny and may be reviewed without getting sullied by association to windows:-) Could anyone from here please take a look? Here is a link: https://github.com/OpenVPN/openvpn-gui/pull/15 Thanks, Selva