Skip to content

Commit 282ddba

Browse files
dsommerscron2
authored andcommittedMar 15, 2022
plug-ins: Disallow multiple deferred authentication plug-ins
The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this is discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Antonio Quartulli <antonio@openvpn.net> Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
1 parent d816207 commit 282ddba

File tree

2 files changed

+39
-3
lines changed

2 files changed

+39
-3
lines changed
 

‎doc/man-sections/plugin-options.rst

+9
Original file line numberDiff line numberDiff line change
@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
5555
(such as tls-verify, auth-user-pass-verify, or client-connect), then
5656
every module and script must return success (:code:`0`) in order for the
5757
connection to be authenticated.
58+
59+
**WARNING**:
60+
Plug-ins may do deferred execution, meaning the plug-in will
61+
return the control back to the main OpenVPN process and provide
62+
the plug-in result later on via a different thread or process.
63+
OpenVPN does **NOT** support multiple authentication plug-ins
64+
**where more than one plugin** tries to do deferred authentication.
65+
If this behaviour is detected, OpenVPN will shut down upon first
66+
authentication.

‎src/openvpn/plugin.c

+30-3
Original file line numberDiff line numberDiff line change
@@ -802,7 +802,7 @@ plugin_call_ssl(const struct plugin_list *pl,
802802
const char **envp;
803803
const int n = plugin_n(pl);
804804
bool error = false;
805-
bool deferred = false;
805+
bool deferred_auth_done = false;
806806

807807
setenv_del(es, "script_type");
808808
envp = make_env_array(es, false, &gc);
@@ -824,7 +824,34 @@ plugin_call_ssl(const struct plugin_list *pl,
824824
break;
825825

826826
case OPENVPN_PLUGIN_FUNC_DEFERRED:
827-
deferred = true;
827+
if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
828+
&& deferred_auth_done)
829+
{
830+
/*
831+
* Do not allow deferred auth if a deferred auth has
832+
* already been started. This should allow a single
833+
* deferred auth call to happen, with one or more
834+
* auth calls with an instant authentication result.
835+
*
836+
* The plug-in API is not designed for multiple
837+
* deferred authentications to happen, as the
838+
* auth_control_file file will be shared across all
839+
* the plug-ins.
840+
*
841+
* Since this is considered a critical configuration
842+
* error, we bail out and exit the OpenVPN process.
843+
*/
844+
error = true;
845+
msg(M_FATAL,
846+
"Exiting due to multiple authentication plug-ins "
847+
"performing deferred authentication. Only one "
848+
"authentication plug-in doing deferred auth is "
849+
"allowed. Ignoring the result and stopping now, "
850+
"the current authentication result is not to be "
851+
"trusted.");
852+
break;
853+
}
854+
deferred_auth_done = true;
828855
break;
829856

830857
default:
@@ -844,7 +871,7 @@ plugin_call_ssl(const struct plugin_list *pl,
844871
{
845872
return OPENVPN_PLUGIN_FUNC_ERROR;
846873
}
847-
else if (deferred)
874+
else if (deferred_auth_done)
848875
{
849876
return OPENVPN_PLUGIN_FUNC_DEFERRED;
850877
}

0 commit comments

Comments
 (0)
Please sign in to comment.