2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 * @file Control Channel Verification Module
32 #if defined(USE_CRYPTO) && defined(USE_SSL)
36 #include "ssl_verify.h"
37 #include "ssl_verify_backend.h"
40 #include "ssl_verify_openssl.h"
43 /** Legal characters in an X509 name */
44 #define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)
46 /** Legal characters in a common name */
47 #define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH)
49 /** Maximum length of common name */
50 #define TLS_USERNAME_LEN 64
53 string_mod_sslname (char *str
, const unsigned int restrictive_flags
, const unsigned int ssl_flags
)
55 if (ssl_flags
& SSLF_NO_NAME_REMAPPING
)
56 string_mod (str
, CC_PRINT
, CC_CRLF
, '_');
58 string_mod (str
, restrictive_flags
, 0, '_');
62 * Export the untrusted IP address and port to the environment
65 setenv_untrusted (struct tls_session
*session
)
67 setenv_link_socket_actual (session
->opt
->es
, "untrusted", &session
->untrusted_addr
, SA_IP_PORT
);
71 * Remove authenticated state from all sessions in the given tunnel
74 tls_deauthenticate (struct tls_multi
*multi
)
79 for (i
= 0; i
< TM_SIZE
; ++i
)
80 for (j
= 0; j
< KS_SIZE
; ++j
)
81 multi
->session
[i
].key
[j
].authenticated
= false;
86 * Set the given session's common_name
89 set_common_name (struct tls_session
*session
, const char *common_name
)
91 if (session
->common_name
)
93 free (session
->common_name
);
94 session
->common_name
= NULL
;
96 session
->common_name_hashval
= 0;
101 session
->common_name
= string_alloc (common_name
, NULL
);
104 const uint32_t len
= (uint32_t) strlen (common_name
);
106 session
->common_name_hashval
= hash_func ((const uint8_t*)common_name
, len
+1, 0);
108 session
->common_name_hashval
= 0;
115 * Retrieve the common name for the given tunnel's active session. If the
116 * common name is NULL or empty, return NULL if null is true, or "UNDEF" if
120 tls_common_name (const struct tls_multi
*multi
, const bool null
)
122 const char *ret
= NULL
;
124 ret
= multi
->session
[TM_ACTIVE
].common_name
;
125 if (ret
&& strlen (ret
))
134 * Lock the common name for the given tunnel.
137 tls_lock_common_name (struct tls_multi
*multi
)
139 const char *cn
= multi
->session
[TM_ACTIVE
].common_name
;
140 if (cn
&& !multi
->locked_cn
)
141 multi
->locked_cn
= string_alloc (cn
, NULL
);
145 * Lock the username for the given tunnel
148 tls_lock_username (struct tls_multi
*multi
, const char *username
)
150 if (multi
->locked_username
)
152 if (!username
|| strcmp (username
, multi
->locked_username
))
154 msg (D_TLS_ERRORS
, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
155 multi
->locked_username
,
158 /* disable the tunnel */
159 tls_deauthenticate (multi
);
166 multi
->locked_username
= string_alloc (username
, NULL
);
172 tls_username (const struct tls_multi
*multi
, const bool null
)
174 const char *ret
= NULL
;
176 ret
= multi
->locked_username
;
177 if (ret
&& strlen (ret
))
186 cert_hash_remember (struct tls_session
*session
, const int error_depth
, const unsigned char *sha1_hash
)
188 if (error_depth
>= 0 && error_depth
< MAX_CERT_DEPTH
)
190 if (!session
->cert_hash_set
)
191 ALLOC_OBJ_CLEAR (session
->cert_hash_set
, struct cert_hash_set
);
192 if (!session
->cert_hash_set
->ch
[error_depth
])
193 ALLOC_OBJ (session
->cert_hash_set
->ch
[error_depth
], struct cert_hash
);
195 struct cert_hash
*ch
= session
->cert_hash_set
->ch
[error_depth
];
196 memcpy (ch
->sha1_hash
, sha1_hash
, SHA_DIGEST_LENGTH
);
203 cert_hash_print (const struct cert_hash_set
*chs
, int msglevel
)
205 struct gc_arena gc
= gc_new ();
206 msg (msglevel
, "CERT_HASH");
210 for (i
= 0; i
< MAX_CERT_DEPTH
; ++i
)
212 const struct cert_hash
*ch
= chs
->ch
[i
];
214 msg (msglevel
, "%d:%s", i
, format_hex(ch
->sha1_hash
, SHA_DIGEST_LENGTH
, 0, &gc
));
222 cert_hash_free (struct cert_hash_set
*chs
)
227 for (i
= 0; i
< MAX_CERT_DEPTH
; ++i
)
234 cert_hash_compare (const struct cert_hash_set
*chs1
, const struct cert_hash_set
*chs2
)
239 for (i
= 0; i
< MAX_CERT_DEPTH
; ++i
)
241 const struct cert_hash
*ch1
= chs1
->ch
[i
];
242 const struct cert_hash
*ch2
= chs2
->ch
[i
];
246 else if (ch1
&& ch2
&& !memcmp (ch1
->sha1_hash
, ch2
->sha1_hash
, SHA_DIGEST_LENGTH
))
253 else if (!chs1
&& !chs2
)
259 static struct cert_hash_set
*
260 cert_hash_copy (const struct cert_hash_set
*chs
)
262 struct cert_hash_set
*dest
= NULL
;
266 ALLOC_OBJ_CLEAR (dest
, struct cert_hash_set
);
267 for (i
= 0; i
< MAX_CERT_DEPTH
; ++i
)
269 const struct cert_hash
*ch
= chs
->ch
[i
];
272 ALLOC_OBJ (dest
->ch
[i
], struct cert_hash
);
273 memcpy (dest
->ch
[i
]->sha1_hash
, ch
->sha1_hash
, SHA_DIGEST_LENGTH
);
280 tls_lock_cert_hash_set (struct tls_multi
*multi
)
282 const struct cert_hash_set
*chs
= multi
->session
[TM_ACTIVE
].cert_hash_set
;
283 if (chs
&& !multi
->locked_cert_hash_set
)
284 multi
->locked_cert_hash_set
= cert_hash_copy (chs
);
288 * Returns the string associated with the given certificate type.
291 print_nsCertType (int type
)
295 case NS_CERT_CHECK_SERVER
:
297 case NS_CERT_CHECK_CLIENT
:
305 * Verify the peer's certificate fields.
307 * @param opt the tls options to verify against
308 * @param peer_cert the peer's certificate
309 * @param subject the peer's extracted subject name
310 * @param subject the peer's extracted common name
313 verify_peer_cert(const struct tls_options
*opt
, x509_cert_t
*peer_cert
,
314 const char *subject
, const char *common_name
)
316 /* verify certificate nsCertType */
317 if (opt
->ns_cert_type
!= NS_CERT_CHECK_NONE
)
319 if (SUCCESS
== x509_verify_ns_cert_type (peer_cert
, opt
->ns_cert_type
))
321 msg (D_HANDSHAKE
, "VERIFY OK: nsCertType=%s",
322 print_nsCertType (opt
->ns_cert_type
));
326 msg (D_HANDSHAKE
, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
327 subject
, print_nsCertType (opt
->ns_cert_type
));
328 return FAILURE
; /* Reject connection */
332 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
334 /* verify certificate ku */
335 if (opt
->remote_cert_ku
[0] != 0)
337 if (SUCCESS
== x509_verify_cert_ku (peer_cert
, opt
->remote_cert_ku
, MAX_PARMS
))
339 msg (D_HANDSHAKE
, "VERIFY KU OK");
343 msg (D_HANDSHAKE
, "VERIFY KU ERROR");
344 return FAILURE
; /* Reject connection */
348 /* verify certificate eku */
349 if (opt
->remote_cert_eku
!= NULL
)
351 if (SUCCESS
== x509_verify_cert_eku (peer_cert
, opt
->remote_cert_eku
))
353 msg (D_HANDSHAKE
, "VERIFY EKU OK");
357 msg (D_HANDSHAKE
, "VERIFY EKU ERROR");
358 return FAILURE
; /* Reject connection */
362 #endif /* OPENSSL_VERSION_NUMBER */
364 /* verify X509 name or common name against --tls-remote */
365 if (opt
->verify_x509name
&& strlen (opt
->verify_x509name
) > 0)
367 if (strcmp (opt
->verify_x509name
, subject
) == 0
368 || strncmp (opt
->verify_x509name
, common_name
, strlen (opt
->verify_x509name
)) == 0)
369 msg (D_HANDSHAKE
, "VERIFY X509NAME OK: %s", subject
);
372 msg (D_HANDSHAKE
, "VERIFY X509NAME ERROR: %s, must be %s",
373 subject
, opt
->verify_x509name
);
374 return FAILURE
; /* Reject connection */
382 * Export the subject, common_name, and raw certificate fields to the
383 * environment for later verification by scripts and plugins.
386 verify_cert_set_env(struct env_set
*es
, x509_cert_t
*peer_cert
, int cert_depth
,
387 const char *subject
, const char *common_name
388 #ifdef ENABLE_X509_TRACK
389 , const struct x509_track
*x509_track
395 /* Save X509 fields in environment */
396 #ifdef ENABLE_X509_TRACK
398 x509_setenv_track (x509_track
, es
, cert_depth
, peer_cert
);
401 x509_setenv (es
, cert_depth
, peer_cert
);
403 /* export subject name string as environmental variable */
404 openvpn_snprintf (envname
, sizeof(envname
), "tls_id_%d", cert_depth
);
405 setenv_str (es
, envname
, subject
);
408 /* export common name string as environmental variable */
409 openvpn_snprintf (envname
, sizeof(envname
), "tls_common_name_%d", cert_depth
);
410 setenv_str (es
, envname
, common_name
);
413 #ifdef ENABLE_EUREPHIA
414 /* export X509 cert SHA1 fingerprint */
416 struct gc_arena gc
= gc_new ();
417 unsigned char *sha1_hash
= x509_get_sha1_hash(peer_cert
);
419 openvpn_snprintf (envname
, sizeof(envname
), "tls_digest_%d", cert_depth
);
420 setenv_str (es
, envname
, format_hex_ex(sha1_hash
, SHA_DIGEST_LENGTH
, 0, 1,
422 x509_free_sha1_hash(sha1_hash
);
427 /* export serial number as environmental variable,
428 use bignum in case serial number is large */
430 char *serial
= x509_get_serial(peer_cert
);
431 openvpn_snprintf (envname
, sizeof(envname
), "tls_serial_%d", cert_depth
);
432 setenv_str (es
, envname
, serial
);
433 x509_free_serial(serial
);
438 * call --tls-verify plug-in(s)
441 verify_cert_call_plugin(const struct plugin_list
*plugins
, struct env_set
*es
,
442 int cert_depth
, x509_cert_t
*cert
, char *subject
)
444 if (plugin_defined (plugins
, OPENVPN_PLUGIN_TLS_VERIFY
))
447 struct argv argv
= argv_new ();
449 argv_printf (&argv
, "%d %s", cert_depth
, subject
);
451 ret
= plugin_call_ssl (plugins
, OPENVPN_PLUGIN_TLS_VERIFY
, &argv
, NULL
, es
, cert_depth
, cert
);
455 if (ret
== OPENVPN_PLUGIN_FUNC_SUCCESS
)
457 msg (D_HANDSHAKE
, "VERIFY PLUGIN OK: depth=%d, %s",
458 cert_depth
, subject
);
462 msg (D_HANDSHAKE
, "VERIFY PLUGIN ERROR: depth=%d, %s",
463 cert_depth
, subject
);
464 return FAILURE
; /* Reject connection */
471 verify_cert_export_cert(x509_cert_t
*peercert
, const char *tmp_dir
, struct gc_arena
*gc
)
474 const char *peercert_filename
="";
479 /* create tmp file to store peer cert */
480 peercert_filename
= create_temp_file (tmp_dir
, "pcf", gc
);
482 /* write peer-cert in tmp-file */
483 peercert_file
= fopen(peercert_filename
, "w+");
486 msg (M_ERR
, "Failed to open temporary file : %s", peercert_filename
);
490 if (SUCCESS
!= x509_write_pem(peercert_file
, peercert
))
491 msg (M_ERR
, "Error writing PEM file containing certificate");
493 fclose(peercert_file
);
494 return peercert_filename
;
499 * run --tls-verify script
502 verify_cert_call_command(const char *verify_command
, struct env_set
*es
,
503 int cert_depth
, x509_cert_t
*cert
, char *subject
, const char *verify_export_cert
)
505 const char *tmp_file
= NULL
;
507 struct gc_arena gc
= gc_new();
508 struct argv argv
= argv_new ();
510 setenv_str (es
, "script_type", "tls-verify");
512 if (verify_export_cert
)
514 if ((tmp_file
=verify_cert_export_cert(cert
, verify_export_cert
, &gc
)))
516 setenv_str(es
, "peer_cert", tmp_file
);
520 argv_printf (&argv
, "%sc %d %s", verify_command
, cert_depth
, subject
);
522 argv_msg_prefix (D_TLS_DEBUG
, &argv
, "TLS: executing verify command");
523 ret
= openvpn_run_script (&argv
, es
, 0, "--tls-verify script");
525 if (verify_export_cert
)
528 delete_file(tmp_file
);
536 msg (D_HANDSHAKE
, "VERIFY SCRIPT OK: depth=%d, %s",
537 cert_depth
, subject
);
541 msg (D_HANDSHAKE
, "VERIFY SCRIPT ERROR: depth=%d, %s",
542 cert_depth
, subject
);
543 return FAILURE
; /* Reject connection */
547 * check peer cert against CRL directory
550 verify_check_crl_dir(const char *crl_dir
, x509_cert_t
*cert
)
554 char *serial
= x509_get_serial(cert
);
556 if (!openvpn_snprintf(fn
, sizeof(fn
), "%s%c%s", crl_dir
, OS_SPECIFIC_DIRSEP
, serial
))
558 msg (D_HANDSHAKE
, "VERIFY CRL: filename overflow");
559 x509_free_serial(serial
);
562 fd
= open (fn
, O_RDONLY
);
565 msg (D_HANDSHAKE
, "VERIFY CRL: certificate serial number %s is revoked", serial
);
566 x509_free_serial(serial
);
571 x509_free_serial(serial
);
577 verify_cert(struct tls_session
*session
, x509_cert_t
*cert
, int cert_depth
)
579 char *subject
= NULL
;
580 char common_name
[TLS_USERNAME_LEN
] = {0};
581 const struct tls_options
*opt
;
586 session
->verified
= false;
588 /* get the X509 name */
589 subject
= x509_get_subject(cert
);
592 msg (D_TLS_ERRORS
, "VERIFY ERROR: depth=%d, could not extract X509 "
593 "subject string from certificate", cert_depth
);
597 /* enforce character class restrictions in X509 name */
598 string_mod_sslname (subject
, X509_NAME_CHAR_CLASS
, opt
->ssl_flags
);
599 string_replace_leading (subject
, '-', '_');
601 /* extract the username (default is CN) */
602 if (SUCCESS
!= x509_get_username (common_name
, TLS_USERNAME_LEN
,
603 opt
->x509_username_field
, cert
))
607 msg (D_TLS_ERRORS
, "VERIFY ERROR: could not extract %s from X509 "
608 "subject string ('%s') -- note that the username length is "
609 "limited to %d characters",
610 opt
->x509_username_field
,
617 /* enforce character class restrictions in common name */
618 string_mod_sslname (common_name
, COMMON_NAME_CHAR_CLASS
, opt
->ssl_flags
);
620 /* warn if cert chain is too deep */
621 if (cert_depth
>= MAX_CERT_DEPTH
)
623 msg (D_TLS_ERRORS
, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth
, MAX_CERT_DEPTH
);
624 goto err
; /* Reject connection */
627 /* verify level 1 cert, i.e. the CA that signed our leaf cert */
628 if (cert_depth
== 1 && opt
->verify_hash
)
630 unsigned char *sha1_hash
= x509_get_sha1_hash(cert
);
631 if (memcmp (sha1_hash
, opt
->verify_hash
, SHA_DIGEST_LENGTH
))
633 msg (D_TLS_ERRORS
, "TLS Error: level-1 certificate hash verification failed");
634 x509_free_sha1_hash(sha1_hash
);
637 x509_free_sha1_hash(sha1_hash
);
640 /* save common name in session object */
642 set_common_name (session
, common_name
);
644 session
->verify_maxlevel
= max_int (session
->verify_maxlevel
, cert_depth
);
646 /* export certificate values to the environment */
647 verify_cert_set_env(opt
->es
, cert
, cert_depth
, subject
, common_name
648 #ifdef ENABLE_X509_TRACK
653 /* export current untrusted IP */
654 setenv_untrusted (session
);
656 /* If this is the peer's own certificate, verify it */
657 if (cert_depth
== 0 && SUCCESS
!= verify_peer_cert(opt
, cert
, subject
, common_name
))
660 /* call --tls-verify plug-in(s), if registered */
661 if (SUCCESS
!= verify_cert_call_plugin(opt
->plugins
, opt
->es
, cert_depth
, cert
, subject
))
664 /* run --tls-verify script */
665 if (opt
->verify_command
&& SUCCESS
!= verify_cert_call_command(opt
->verify_command
,
666 opt
->es
, cert_depth
, cert
, subject
, opt
->verify_export_cert
))
669 /* check peer cert against CRL */
672 if (opt
->ssl_flags
& SSLF_CRL_VERIFY_DIR
)
674 if (SUCCESS
!= verify_check_crl_dir(opt
->crl_file
, cert
))
679 if (SUCCESS
!= x509_verify_crl(opt
->crl_file
, cert
, subject
))
684 msg (D_HANDSHAKE
, "VERIFY OK: depth=%d, %s", cert_depth
, subject
);
685 session
->verified
= true;
688 x509_free_subject (subject
);
689 return (session
->verified
== true) ? SUCCESS
: FAILURE
;
693 session
->verified
= false;
697 /* ***************************************************************************
698 * Functions for the management of deferred authentication when using
699 * user/password authentication.
700 *************************************************************************** */
702 #ifdef ENABLE_DEF_AUTH
703 /* key_state_test_auth_control_file return values,
704 NOTE: acf_merge indexing depends on these values */
705 #define ACF_UNDEFINED 0
706 #define ACF_SUCCEEDED 1
707 #define ACF_DISABLED 2
711 #ifdef MANAGEMENT_DEF_AUTH
713 man_def_auth_set_client_reason (struct tls_multi
*multi
, const char *client_reason
)
715 if (multi
->client_reason
)
717 free (multi
->client_reason
);
718 multi
->client_reason
= NULL
;
720 if (client_reason
&& strlen (client_reason
))
721 multi
->client_reason
= string_alloc (client_reason
, NULL
);
724 static inline unsigned int
725 man_def_auth_test (const struct key_state
*ks
)
727 if (management_enable_def_auth (management
))
728 return ks
->mda_status
;
734 #ifdef PLUGIN_DEF_AUTH
737 * auth_control_file functions
741 key_state_rm_auth_control_file (struct key_state
*ks
)
743 if (ks
&& ks
->auth_control_file
)
745 delete_file (ks
->auth_control_file
);
746 free (ks
->auth_control_file
);
747 ks
->auth_control_file
= NULL
;
752 key_state_gen_auth_control_file (struct key_state
*ks
, const struct tls_options
*opt
)
754 struct gc_arena gc
= gc_new ();
757 key_state_rm_auth_control_file (ks
);
758 acf
= create_temp_file (opt
->tmp_dir
, "acf", &gc
);
760 ks
->auth_control_file
= string_alloc (acf
, NULL
);
761 setenv_str (opt
->es
, "auth_control_file", ks
->auth_control_file
);
762 } /* FIXME: Should have better error handling? */
768 key_state_test_auth_control_file (struct key_state
*ks
)
770 if (ks
&& ks
->auth_control_file
)
772 unsigned int ret
= ks
->auth_control_status
;
773 if (ret
== ACF_UNDEFINED
)
775 FILE *fp
= fopen (ks
->auth_control_file
, "r");
778 const int c
= fgetc (fp
);
784 ks
->auth_control_status
= ret
;
795 * Return current session authentication state. Return
796 * value is TLS_AUTHENTICATION_x.
800 tls_authentication_status (struct tls_multi
*multi
, const int latency
)
802 bool deferred
= false;
803 bool success
= false;
806 #ifdef ENABLE_DEF_AUTH
807 static const unsigned char acf_merge
[] =
809 ACF_UNDEFINED
, /* s1=ACF_UNDEFINED s2=ACF_UNDEFINED */
810 ACF_UNDEFINED
, /* s1=ACF_UNDEFINED s2=ACF_SUCCEEDED */
811 ACF_UNDEFINED
, /* s1=ACF_UNDEFINED s2=ACF_DISABLED */
812 ACF_FAILED
, /* s1=ACF_UNDEFINED s2=ACF_FAILED */
813 ACF_UNDEFINED
, /* s1=ACF_SUCCEEDED s2=ACF_UNDEFINED */
814 ACF_SUCCEEDED
, /* s1=ACF_SUCCEEDED s2=ACF_SUCCEEDED */
815 ACF_SUCCEEDED
, /* s1=ACF_SUCCEEDED s2=ACF_DISABLED */
816 ACF_FAILED
, /* s1=ACF_SUCCEEDED s2=ACF_FAILED */
817 ACF_UNDEFINED
, /* s1=ACF_DISABLED s2=ACF_UNDEFINED */
818 ACF_SUCCEEDED
, /* s1=ACF_DISABLED s2=ACF_SUCCEEDED */
819 ACF_DISABLED
, /* s1=ACF_DISABLED s2=ACF_DISABLED */
820 ACF_FAILED
, /* s1=ACF_DISABLED s2=ACF_FAILED */
821 ACF_FAILED
, /* s1=ACF_FAILED s2=ACF_UNDEFINED */
822 ACF_FAILED
, /* s1=ACF_FAILED s2=ACF_SUCCEEDED */
823 ACF_FAILED
, /* s1=ACF_FAILED s2=ACF_DISABLED */
824 ACF_FAILED
/* s1=ACF_FAILED s2=ACF_FAILED */
826 #endif /* ENABLE_DEF_AUTH */
832 #ifdef ENABLE_DEF_AUTH
833 if (latency
&& multi
->tas_last
&& multi
->tas_last
+ latency
>= now
)
834 return TLS_AUTHENTICATION_UNDEFINED
;
835 multi
->tas_last
= now
;
836 #endif /* ENABLE_DEF_AUTH */
838 for (i
= 0; i
< KEY_SCAN_SIZE
; ++i
)
840 struct key_state
*ks
= multi
->key_scan
[i
];
841 if (DECRYPT_KEY_ENABLED (multi
, ks
))
844 if (ks
->authenticated
)
846 #ifdef ENABLE_DEF_AUTH
847 unsigned int s1
= ACF_DISABLED
;
848 unsigned int s2
= ACF_DISABLED
;
849 #ifdef PLUGIN_DEF_AUTH
850 s1
= key_state_test_auth_control_file (ks
);
851 #endif /* PLUGIN_DEF_AUTH */
852 #ifdef MANAGEMENT_DEF_AUTH
853 s2
= man_def_auth_test (ks
);
854 #endif /* MANAGEMENT_DEF_AUTH */
855 ASSERT (s1
< 4 && s2
< 4);
856 switch (acf_merge
[(s1
<<2) + s2
])
861 ks
->auth_deferred
= false;
864 if (now
< ks
->auth_deferred_expire
)
868 ks
->authenticated
= false;
873 #else /* !ENABLE_DEF_AUTH */
875 #endif /* ENABLE_DEF_AUTH */
882 dmsg (D_TLS_ERRORS
, "TAS: a=%d s=%d d=%d", active
, success
, deferred
);
886 return TLS_AUTHENTICATION_SUCCEEDED
;
887 else if (!active
|| deferred
)
888 return TLS_AUTHENTICATION_DEFERRED
;
890 return TLS_AUTHENTICATION_FAILED
;
893 #ifdef MANAGEMENT_DEF_AUTH
895 * For deferred auth, this is where the management interface calls (on server)
896 * to indicate auth failure/success.
899 tls_authenticate_key (struct tls_multi
*multi
, const unsigned int mda_key_id
, const bool auth
, const char *client_reason
)
905 man_def_auth_set_client_reason (multi
, client_reason
);
906 for (i
= 0; i
< KEY_SCAN_SIZE
; ++i
)
908 struct key_state
*ks
= multi
->key_scan
[i
];
909 if (ks
->mda_key_id
== mda_key_id
)
911 ks
->mda_status
= auth
? ACF_SUCCEEDED
: ACF_FAILED
;
921 /* ****************************************************************************
922 * Functions to verify username and password
924 * Authenticate a client using username/password.
927 * If you want to add new authentication methods,
928 * this is the place to start.
929 *************************************************************************** */
932 * Verify the user name and password using a script
935 verify_user_pass_script (struct tls_session
*session
, const struct user_pass
*up
)
937 struct gc_arena gc
= gc_new ();
938 struct argv argv
= argv_new ();
939 const char *tmp_file
= "";
942 /* Is username defined? */
943 if ((session
->opt
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) || strlen (up
->username
))
945 /* Set environmental variables prior to calling script */
946 setenv_str (session
->opt
->es
, "script_type", "user-pass-verify");
948 if (session
->opt
->auth_user_pass_verify_script_via_file
)
950 struct status_output
*so
;
952 tmp_file
= create_temp_file (session
->opt
->tmp_dir
, "up", &gc
);
954 so
= status_open (tmp_file
, 0, -1, NULL
, STATUS_OUTPUT_WRITE
);
955 status_printf (so
, "%s", up
->username
);
956 status_printf (so
, "%s", up
->password
);
957 if (!status_close (so
))
959 msg (D_TLS_ERRORS
, "TLS Auth Error: could not write username/password to file: %s",
964 msg (D_TLS_ERRORS
, "TLS Auth Error: could not create write "
965 "username/password to temp file");
970 setenv_str (session
->opt
->es
, "username", up
->username
);
971 setenv_str (session
->opt
->es
, "password", up
->password
);
974 /* setenv incoming cert common name for script */
975 setenv_str (session
->opt
->es
, "common_name", session
->common_name
);
977 /* setenv client real IP address */
978 setenv_untrusted (session
);
980 /* format command line */
981 argv_printf (&argv
, "%sc %s", session
->opt
->auth_user_pass_verify_script
, tmp_file
);
984 ret
= openvpn_run_script (&argv
, session
->opt
->es
, 0,
985 "--auth-user-pass-verify");
987 if (!session
->opt
->auth_user_pass_verify_script_via_file
)
988 setenv_del (session
->opt
->es
, "password");
992 msg (D_TLS_ERRORS
, "TLS Auth Error: peer provided a blank username");
996 if (tmp_file
&& strlen (tmp_file
) > 0)
997 delete_file (tmp_file
);
1005 * Verify the username and password using a plugin
1008 verify_user_pass_plugin (struct tls_session
*session
, const struct user_pass
*up
, const char *raw_username
)
1010 int retval
= OPENVPN_PLUGIN_FUNC_ERROR
;
1011 struct key_state
*ks
= &session
->key
[KS_PRIMARY
]; /* primary key */
1013 /* Is username defined? */
1014 if ((session
->opt
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) || strlen (up
->username
))
1016 /* set username/password in private env space */
1017 setenv_str (session
->opt
->es
, "username", raw_username
);
1018 setenv_str (session
->opt
->es
, "password", up
->password
);
1020 /* setenv incoming cert common name for script */
1021 setenv_str (session
->opt
->es
, "common_name", session
->common_name
);
1023 /* setenv client real IP address */
1024 setenv_untrusted (session
);
1026 #ifdef PLUGIN_DEF_AUTH
1027 /* generate filename for deferred auth control file */
1028 key_state_gen_auth_control_file (ks
, session
->opt
);
1032 retval
= plugin_call (session
->opt
->plugins
, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
, NULL
, NULL
, session
->opt
->es
);
1034 #ifdef PLUGIN_DEF_AUTH
1035 /* purge auth control filename (and file itself) for non-deferred returns */
1036 if (retval
!= OPENVPN_PLUGIN_FUNC_DEFERRED
)
1037 key_state_rm_auth_control_file (ks
);
1040 setenv_del (session
->opt
->es
, "password");
1041 setenv_str (session
->opt
->es
, "username", up
->username
);
1045 msg (D_TLS_ERRORS
, "TLS Auth Error (verify_user_pass_plugin): peer provided a blank username");
1052 #ifdef MANAGEMENT_DEF_AUTH
1054 * MANAGEMENT_DEF_AUTH internal ssl_verify.c status codes
1056 #define KMDA_ERROR 0
1057 #define KMDA_SUCCESS 1
1058 #define KMDA_UNDEF 2
1062 verify_user_pass_management (struct tls_session
*session
, const struct user_pass
*up
, const char *raw_username
)
1064 int retval
= KMDA_ERROR
;
1065 struct key_state
*ks
= &session
->key
[KS_PRIMARY
]; /* primary key */
1067 /* Is username defined? */
1068 if ((session
->opt
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) || strlen (up
->username
))
1070 /* set username/password in private env space */
1071 setenv_str (session
->opt
->es
, "username", raw_username
);
1072 setenv_str (session
->opt
->es
, "password", up
->password
);
1074 /* setenv incoming cert common name for script */
1075 setenv_str (session
->opt
->es
, "common_name", session
->common_name
);
1077 /* setenv client real IP address */
1078 setenv_untrusted (session
);
1081 management_notify_client_needing_auth (management
, ks
->mda_key_id
, session
->opt
->mda_context
, session
->opt
->es
);
1083 setenv_del (session
->opt
->es
, "password");
1084 setenv_str (session
->opt
->es
, "username", up
->username
);
1086 retval
= KMDA_SUCCESS
;
1090 msg (D_TLS_ERRORS
, "TLS Auth Error (verify_user_pass_management): peer provided a blank username");
1098 * Main username/password verification entry point
1101 verify_user_pass(struct user_pass
*up
, struct tls_multi
*multi
,
1102 struct tls_session
*session
)
1104 int s1
= OPENVPN_PLUGIN_FUNC_SUCCESS
;
1106 struct key_state
*ks
= &session
->key
[KS_PRIMARY
]; /* primary key */
1108 struct gc_arena gc
= gc_new ();
1111 #ifdef MANAGEMENT_DEF_AUTH
1112 int man_def_auth
= KMDA_UNDEF
;
1114 if (management_enable_def_auth (management
))
1115 man_def_auth
= KMDA_DEF
;
1118 /* preserve raw username before string_mod remapping, for plugins */
1119 ALLOC_ARRAY_CLEAR_GC (raw_username
, char, USER_PASS_LEN
, &gc
);
1120 strcpy (raw_username
, up
->username
);
1121 string_mod (raw_username
, CC_PRINT
, CC_CRLF
, '_');
1123 /* enforce character class restrictions in username/password */
1124 string_mod_sslname (up
->username
, COMMON_NAME_CHAR_CLASS
, session
->opt
->ssl_flags
);
1125 string_mod (up
->password
, CC_PRINT
, CC_CRLF
, '_');
1127 /* call plugin(s) and/or script */
1128 #ifdef MANAGEMENT_DEF_AUTH
1129 if (man_def_auth
== KMDA_DEF
)
1130 man_def_auth
= verify_user_pass_management (session
, up
, raw_username
);
1132 if (plugin_defined (session
->opt
->plugins
, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
))
1133 s1
= verify_user_pass_plugin (session
, up
, raw_username
);
1134 if (session
->opt
->auth_user_pass_verify_script
)
1135 s2
= verify_user_pass_script (session
, up
);
1137 /* check sizing of username if it will become our common name */
1138 if ((session
->opt
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) && strlen (up
->username
) >= TLS_USERNAME_LEN
)
1140 msg (D_TLS_ERRORS
, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN
);
1141 s1
= OPENVPN_PLUGIN_FUNC_ERROR
;
1144 /* auth succeeded? */
1145 if ((s1
== OPENVPN_PLUGIN_FUNC_SUCCESS
1146 #ifdef PLUGIN_DEF_AUTH
1147 || s1
== OPENVPN_PLUGIN_FUNC_DEFERRED
1150 #ifdef MANAGEMENT_DEF_AUTH
1151 && man_def_auth
!= KMDA_ERROR
1153 && tls_lock_username (multi
, up
->username
))
1155 ks
->authenticated
= true;
1156 #ifdef PLUGIN_DEF_AUTH
1157 if (s1
== OPENVPN_PLUGIN_FUNC_DEFERRED
)
1158 ks
->auth_deferred
= true;
1160 #ifdef MANAGEMENT_DEF_AUTH
1161 if (man_def_auth
!= KMDA_UNDEF
)
1162 ks
->auth_deferred
= true;
1164 if ((session
->opt
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
))
1165 set_common_name (session
, up
->username
);
1166 #ifdef ENABLE_DEF_AUTH
1167 msg (D_HANDSHAKE
, "TLS: Username/Password authentication %s for username '%s' %s",
1168 ks
->auth_deferred
? "deferred" : "succeeded",
1170 (session
->opt
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) ? "[CN SET]" : "");
1172 msg (D_HANDSHAKE
, "TLS: Username/Password authentication %s for username '%s' %s",
1175 (session
->opt
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) ? "[CN SET]" : "");
1180 msg (D_TLS_ERRORS
, "TLS Auth Error: Auth Username/Password verification failed for peer");
1187 verify_final_auth_checks(struct tls_multi
*multi
, struct tls_session
*session
)
1189 struct key_state
*ks
= &session
->key
[KS_PRIMARY
]; /* primary key */
1191 /* While it shouldn't really happen, don't allow the common name to be NULL */
1192 if (!session
->common_name
)
1193 set_common_name (session
, "");
1195 /* Don't allow the CN to change once it's been locked */
1196 if (ks
->authenticated
&& multi
->locked_cn
)
1198 const char *cn
= session
->common_name
;
1199 if (cn
&& strcmp (cn
, multi
->locked_cn
))
1201 msg (D_TLS_ERRORS
, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
1205 /* change the common name back to its original value and disable the tunnel */
1206 set_common_name (session
, multi
->locked_cn
);
1207 tls_deauthenticate (multi
);
1211 /* Don't allow the cert hashes to change once they have been locked */
1212 if (ks
->authenticated
&& multi
->locked_cert_hash_set
)
1214 const struct cert_hash_set
*chs
= session
->cert_hash_set
;
1215 if (chs
&& !cert_hash_compare (chs
, multi
->locked_cert_hash_set
))
1217 msg (D_TLS_ERRORS
, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth",
1218 session
->common_name
);
1220 /* disable the tunnel */
1221 tls_deauthenticate (multi
);
1225 /* verify --client-config-dir based authentication */
1226 if (ks
->authenticated
&& session
->opt
->client_config_dir_exclusive
)
1228 struct gc_arena gc
= gc_new ();
1230 const char *cn
= session
->common_name
;
1231 const char *path
= gen_path (session
->opt
->client_config_dir_exclusive
, cn
, &gc
);
1232 if (!cn
|| !strcmp (cn
, CCD_DEFAULT
) || !test_file (path
))
1234 ks
->authenticated
= false;
1235 msg (D_TLS_ERRORS
, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
1236 session
->common_name
,
1237 path
? path
: "UNDEF");
1243 #endif /* defined(USE_CRYPTO) && defined(USE_SSL) */