Viewing all changes in revision 7928.
- Committer: Daniel Wagner
- Date: 2019-11-14 16:27:49 UTC
- Revision ID: git-v1:be1b90c6db3d0c71a25369ac1fb8c5628ea28acc
openvpn: Rewrite plugin to support VPN agent and encrypted private keys
Co-authored-by: Matt Vogt <matthew.vogt@jollamobile.com>
Co-authored-by: Slava Monich <slava.monich@jolla.com>
This OpenVPN plugin rewrite contains numerous amount of fixes. Most
importantly VPN agent is used to query credentials as well as the
password for the encrypted private key.
VPN agent support is done utilizing the management interface of OpenVPN.
The management interface is opened at each connection attempt to get
the potential requests for credentials, or encrypted private key
password. OpenVPN process is started with the stored information and if
there is some credential missing it will be queried via management
interface.
Each credential failure increases the authentication failed error
counter in vpn-provider.c but does not indicate it as an error to be
signaled. This is because the authentication failures are handled within
the plugin->openvpn process and the openvpn process does not die in
between. In case the credentials or the private key password is wrong
OpenVPN requests them again via management channel. If the error would
be signaled, connmand would have wrong indication of what is actually
happening and would attempt to disconnect the VPN in question.
The new VPN agent functionality is utilized to advise the VPN agent not
to store the encrypted private key password. Encrypted private key
password is kept in memory only, during the connman-vpnd lifetime. On
some systems VPN agents may store the credentials into files and, thus
it is imperative to not to save the encrypted private key password using
the VPN agent as it is bad practice to have both encrypted file and its
password stored on same storage space. Use of the
vpn_agent_append_keep_credentials() is also needed to indicate VPN agent
that the credentials should not be affected by the request to input
encrypted private key password. It may be that some VPN agents would
react to the storage and retrieval prevention values as the existing
values should be removed.
The private key password errors are not recorded as authentication
errors but are handled internally within the plugin. The rationale is
that since VPN agent is affected by the authentication errors and the
VpnAgent.AuthFailure is sent in such case, and VPN agent is advised not
to store the private key password, handling of the errors related to
private key password should happen within the plugin. If the private key
password stored in memory is wrong, it will be still attempted on first
try but OpenVPN will requests new one via management interface after a
failed attempt. The encrypted private key password failures are not
reported by OpenVPN (at least version <= 2.4.5) via management interface
and following patch is required in order for the failures to be
reported: https://git.sailfishos.org/mer-core/openvpn/blob/
4f4b4af116292a207416c8a990392e35a6fc41af/rpm/privatekey-passphrase-
handling.diff - a note about this is added to README.
Since the management channel unix socket is to be used by both vpnd and
the OpenVPN process the socket is created under system temp (env
TMPDIR). If env TMPDIR is omitted or empty, /tmp is used instead.
Co-authored-by: Matt Vogt <matthew.vogt@jollamobile.com>
Co-authored-by: Slava Monich <slava.monich@jolla.com>
This OpenVPN plugin rewrite contains numerous amount of fixes. Most
importantly VPN agent is used to query credentials as well as the
password for the encrypted private key.
VPN agent support is done utilizing the management interface of OpenVPN.
The management interface is opened at each connection attempt to get
the potential requests for credentials, or encrypted private key
password. OpenVPN process is started with the stored information and if
there is some credential missing it will be queried via management
interface.
Each credential failure increases the authentication failed error
counter in vpn-provider.c but does not indicate it as an error to be
signaled. This is because the authentication failures are handled within
the plugin->openvpn process and the openvpn process does not die in
between. In case the credentials or the private key password is wrong
OpenVPN requests them again via management channel. If the error would
be signaled, connmand would have wrong indication of what is actually
happening and would attempt to disconnect the VPN in question.
The new VPN agent functionality is utilized to advise the VPN agent not
to store the encrypted private key password. Encrypted private key
password is kept in memory only, during the connman-vpnd lifetime. On
some systems VPN agents may store the credentials into files and, thus
it is imperative to not to save the encrypted private key password using
the VPN agent as it is bad practice to have both encrypted file and its
password stored on same storage space. Use of the
vpn_agent_append_keep_credentials() is also needed to indicate VPN agent
that the credentials should not be affected by the request to input
encrypted private key password. It may be that some VPN agents would
react to the storage and retrieval prevention values as the existing
values should be removed.
The private key password errors are not recorded as authentication
errors but are handled internally within the plugin. The rationale is
that since VPN agent is affected by the authentication errors and the
VpnAgent.AuthFailure is sent in such case, and VPN agent is advised not
to store the private key password, handling of the errors related to
private key password should happen within the plugin. If the private key
password stored in memory is wrong, it will be still attempted on first
try but OpenVPN will requests new one via management interface after a
failed attempt. The encrypted private key password failures are not
reported by OpenVPN (at least version <= 2.4.5) via management interface
and following patch is required in order for the failures to be
reported: https://git.sailfishos.org/mer-core/openvpn/blob/
4f4b4af116292a207416c8a990392e35a6fc41af/rpm/privatekey-passphrase-
handling.diff - a note about this is added to README.
Since the management channel unix socket is to be used by both vpnd and
the OpenVPN process the socket is created under system temp (env
TMPDIR). If env TMPDIR is omitted or empty, /tmp is used instead.
- files modified:
- README
expand all
collapse all
added
removed
