]> git.ipfire.org Git - thirdparty/openvpn.git/blob - ssl_verify.c
projects / thirdparty / openvpn.git / blob
? search:


326b0052ce79c3040354c23d46d2c0ab642c01e8
[thirdparty/openvpn.git] / ssl_verify.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 */
25
26 /**
27 * @file Control Channel Verification Module
28 */
29
30 #include "syshead.h"
31
32 #if defined(USE_CRYPTO) && defined(USE_SSL)
33
34 #include "misc.h"
35 #include "manage.h"
36 #include "ssl_verify.h"
37 #include "ssl_verify_backend.h"
38
39 #ifdef USE_OPENSSL
40 #include "ssl_verify_openssl.h"
41 #endif
42
43 /** Legal characters in an X509 name */
44 #define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)
45
46 /** Legal characters in a common name */
47 #define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH)
48
49 /** Maximum length of common name */
50 #define TLS_USERNAME_LEN 64
51
52 static void
53 string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
54 {
55 if (ssl_flags & SSLF_NO_NAME_REMAPPING)
56 string_mod (str, CC_PRINT, CC_CRLF, '_');
57 else
58 string_mod (str, restrictive_flags, 0, '_');
59 }
60
61 /*
62 * Export the untrusted IP address and port to the environment
63 */
64 static void
65 setenv_untrusted (struct tls_session *session)
66 {
67 setenv_link_socket_actual (session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
68 }
69
70 /*
71 * Remove authenticated state from all sessions in the given tunnel
72 */
73 static void
74 tls_deauthenticate (struct tls_multi *multi)
75 {
76 if (multi)
77 {
78 int i, j;
79 for (i = 0; i < TM_SIZE; ++i)
80 for (j = 0; j < KS_SIZE; ++j)
81 multi->session[i].key[j].authenticated = false;
82 }
83 }
84
85 /*
86 * Set the given session's common_name
87 */
88 static void
89 set_common_name (struct tls_session *session, const char *common_name)
90 {
91 if (session->common_name)
92 {
93 free (session->common_name);
94 session->common_name = NULL;
95 #ifdef ENABLE_PF
96 session->common_name_hashval = 0;
97 #endif
98 }
99 if (common_name)
100 {
101 session->common_name = string_alloc (common_name, NULL);
102 #ifdef ENABLE_PF
103 {
104 const uint32_t len = (uint32_t) strlen (common_name);
105 if (len)
106 session->common_name_hashval = hash_func ((const uint8_t*)common_name, len+1, 0);
107 else
108 session->common_name_hashval = 0;
109 }
110 #endif
111 }
112 }
113
114 /*
115 * Retrieve the common name for the given tunnel's active session. If the
116 * common name is NULL or empty, return NULL if null is true, or "UNDEF" if
117 * null is false.
118 */
119 const char *
120 tls_common_name (const struct tls_multi *multi, const bool null)
121 {
122 const char *ret = NULL;
123 if (multi)
124 ret = multi->session[TM_ACTIVE].common_name;
125 if (ret && strlen (ret))
126 return ret;
127 else if (null)
128 return NULL;
129 else
130 return "UNDEF";
131 }
132
133 /*
134 * Lock the common name for the given tunnel.
135 */
136 void
137 tls_lock_common_name (struct tls_multi *multi)
138 {
139 const char *cn = multi->session[TM_ACTIVE].common_name;
140 if (cn && !multi->locked_cn)
141 multi->locked_cn = string_alloc (cn, NULL);
142 }
143
144 /*
145 * Lock the username for the given tunnel
146 */
147 static bool
148 tls_lock_username (struct tls_multi *multi, const char *username)
149 {
150 if (multi->locked_username)
151 {
152 if (!username || strcmp (username, multi->locked_username))
153 {
154 msg (D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
155 multi->locked_username,
156 np(username));
157
158 /* disable the tunnel */
159 tls_deauthenticate (multi);
160 return false;
161 }
162 }
163 else
164 {
165 if (username)
166 multi->locked_username = string_alloc (username, NULL);
167 }
168 return true;
169 }
170
171 const char *
172 tls_username (const struct tls_multi *multi, const bool null)
173 {
174 const char *ret = NULL;
175 if (multi)
176 ret = multi->locked_username;
177 if (ret && strlen (ret))
178 return ret;
179 else if (null)
180 return NULL;
181 else
182 return "UNDEF";
183 }
184
185 void
186 cert_hash_remember (struct tls_session *session, const int error_depth, const unsigned char *sha1_hash)
187 {
188 if (error_depth >= 0 && error_depth < MAX_CERT_DEPTH)
189 {
190 if (!session->cert_hash_set)
191 ALLOC_OBJ_CLEAR (session->cert_hash_set, struct cert_hash_set);
192 if (!session->cert_hash_set->ch[error_depth])
193 ALLOC_OBJ (session->cert_hash_set->ch[error_depth], struct cert_hash);
194 {
195 struct cert_hash *ch = session->cert_hash_set->ch[error_depth];
196 memcpy (ch->sha1_hash, sha1_hash, SHA_DIGEST_LENGTH);
197 }
198 }
199 }
200
201 #if 0
202 static void
203 cert_hash_print (const struct cert_hash_set *chs, int msglevel)
204 {
205 struct gc_arena gc = gc_new ();
206 msg (msglevel, "CERT_HASH");
207 if (chs)
208 {
209 int i;
210 for (i = 0; i < MAX_CERT_DEPTH; ++i)
211 {
212 const struct cert_hash *ch = chs->ch[i];
213 if (ch)
214 msg (msglevel, "%d:%s", i, format_hex(ch->sha1_hash, SHA_DIGEST_LENGTH, 0, &gc));
215 }
216 }
217 gc_free (&gc);
218 }
219 #endif
220
221 void
222 cert_hash_free (struct cert_hash_set *chs)
223 {
224 if (chs)
225 {
226 int i;
227 for (i = 0; i < MAX_CERT_DEPTH; ++i)
228 free (chs->ch[i]);
229 free (chs);
230 }
231 }
232
233 static bool
234 cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
235 {
236 if (chs1 && chs2)
237 {
238 int i;
239 for (i = 0; i < MAX_CERT_DEPTH; ++i)
240 {
241 const struct cert_hash *ch1 = chs1->ch[i];
242 const struct cert_hash *ch2 = chs2->ch[i];
243
244 if (!ch1 && !ch2)
245 continue;
246 else if (ch1 && ch2 && !memcmp (ch1->sha1_hash, ch2->sha1_hash, SHA_DIGEST_LENGTH))
247 continue;
248 else
249 return false;
250 }
251 return true;
252 }
253 else if (!chs1 && !chs2)
254 return true;
255 else
256 return false;
257 }
258
259 static struct cert_hash_set *
260 cert_hash_copy (const struct cert_hash_set *chs)
261 {
262 struct cert_hash_set *dest = NULL;
263 if (chs)
264 {
265 int i;
266 ALLOC_OBJ_CLEAR (dest, struct cert_hash_set);
267 for (i = 0; i < MAX_CERT_DEPTH; ++i)
268 {
269 const struct cert_hash *ch = chs->ch[i];
270 if (ch)
271 {
272 ALLOC_OBJ (dest->ch[i], struct cert_hash);
273 memcpy (dest->ch[i]->sha1_hash, ch->sha1_hash, SHA_DIGEST_LENGTH);
274 }
275 }
276 }
277 return dest;
278 }
279 void
280 tls_lock_cert_hash_set (struct tls_multi *multi)
281 {
282 const struct cert_hash_set *chs = multi->session[TM_ACTIVE].cert_hash_set;
283 if (chs && !multi->locked_cert_hash_set)
284 multi->locked_cert_hash_set = cert_hash_copy (chs);
285 }
286
287 /*
288 * Returns the string associated with the given certificate type.
289 */
290 static const char *
291 print_nsCertType (int type)
292 {
293 switch (type)
294 {
295 case NS_CERT_CHECK_SERVER:
296 return "SERVER";
297 case NS_CERT_CHECK_CLIENT:
298 return "CLIENT";
299 default:
300 return "?";
301 }
302 }
303
304 /*
305 * Verify the peer's certificate fields.
306 *
307 * @param opt the tls options to verify against
308 * @param peer_cert the peer's certificate
309 * @param subject the peer's extracted subject name
310 * @param subject the peer's extracted common name
311 */
312 static result_t
313 verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
314 const char *subject, const char *common_name)
315 {
316 /* verify certificate nsCertType */
317 if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
318 {
319 if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
320 {
321 msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
322 print_nsCertType (opt->ns_cert_type));
323 }
324 else
325 {
326 msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
327 subject, print_nsCertType (opt->ns_cert_type));
328 return FAILURE; /* Reject connection */
329 }
330 }
331
332 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
333
334 /* verify certificate ku */
335 if (opt->remote_cert_ku[0] != 0)
336 {
337 if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
338 {
339 msg (D_HANDSHAKE, "VERIFY KU OK");
340 }
341 else
342 {
343 msg (D_HANDSHAKE, "VERIFY KU ERROR");
344 return FAILURE; /* Reject connection */
345 }
346 }
347
348 /* verify certificate eku */
349 if (opt->remote_cert_eku != NULL)
350 {
351 if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
352 {
353 msg (D_HANDSHAKE, "VERIFY EKU OK");
354 }
355 else
356 {
357 msg (D_HANDSHAKE, "VERIFY EKU ERROR");
358 return FAILURE; /* Reject connection */
359 }
360 }
361
362 #endif /* OPENSSL_VERSION_NUMBER */
363
364 /* verify X509 name or common name against --tls-remote */
365 if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
366 {
367 if (strcmp (opt->verify_x509name, subject) == 0
368 || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
369 msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
370 else
371 {
372 msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
373 subject, opt->verify_x509name);
374 return FAILURE; /* Reject connection */
375 }
376 }
377
378 return SUCCESS;
379 }
380
381 /*
382 * Export the subject, common_name, and raw certificate fields to the
383 * environment for later verification by scripts and plugins.
384 */
385 static void
386 verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
387 const char *subject, const char *common_name
388 #ifdef ENABLE_X509_TRACK
389 , const struct x509_track *x509_track
390 #endif
391 )
392 {
393 char envname[64];
394
395 /* Save X509 fields in environment */
396 #ifdef ENABLE_X509_TRACK
397 if (x509_track)
398 x509_setenv_track (x509_track, es, cert_depth, peer_cert);
399 else
400 #endif
401 x509_setenv (es, cert_depth, peer_cert);
402
403 /* export subject name string as environmental variable */
404 openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", cert_depth);
405 setenv_str (es, envname, subject);
406
407 #if 0
408 /* export common name string as environmental variable */
409 openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d", cert_depth);
410 setenv_str (es, envname, common_name);
411 #endif
412
413 #ifdef ENABLE_EUREPHIA
414 /* export X509 cert SHA1 fingerprint */
415 {
416 struct gc_arena gc = gc_new ();
417 unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);
418
419 openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
420 setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
421 ":", &gc));
422 x509_free_sha1_hash(sha1_hash);
423 gc_free(&gc);
424 }
425 #endif
426
427 /* export serial number as environmental variable,
428 use bignum in case serial number is large */
429 {
430 char *serial = x509_get_serial(peer_cert);
431 openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
432 setenv_str (es, envname, serial);
433 x509_free_serial(serial);
434 }
435 }
436
437 /*
438 * call --tls-verify plug-in(s)
439 */
440 static result_t
441 verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
442 int cert_depth, x509_cert_t *cert, char *subject)
443 {
444 if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY))
445 {
446 int ret;
447 struct argv argv = argv_new ();
448
449 argv_printf (&argv, "%d %s", cert_depth, subject);
450
451 ret = plugin_call_ssl (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
452
453 argv_reset (&argv);
454
455 if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
456 {
457 msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
458 cert_depth, subject);
459 }
460 else
461 {
462 msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
463 cert_depth, subject);
464 return FAILURE; /* Reject connection */
465 }
466 }
467 return SUCCESS;
468 }
469
470 static const char *
471 verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
472 {
473 FILE *peercert_file;
474 const char *peercert_filename="";
475
476 if(!tmp_dir)
477 return NULL;
478
479 /* create tmp file to store peer cert */
480 peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
481
482 /* write peer-cert in tmp-file */
483 peercert_file = fopen(peercert_filename, "w+");
484 if(!peercert_file)
485 {
486 msg (M_ERR, "Failed to open temporary file : %s", peercert_filename);
487 return NULL;
488 }
489
490 if (SUCCESS != x509_write_pem(peercert_file, peercert))
491 msg (M_ERR, "Error writing PEM file containing certificate");
492
493 fclose(peercert_file);
494 return peercert_filename;
495 }
496
497
498 /*
499 * run --tls-verify script
500 */
501 static result_t
502 verify_cert_call_command(const char *verify_command, struct env_set *es,
503 int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert)
504 {
505 const char *tmp_file = NULL;
506 int ret;
507 struct gc_arena gc = gc_new();
508 struct argv argv = argv_new ();
509
510 setenv_str (es, "script_type", "tls-verify");
511
512 if (verify_export_cert)
513 {
514 if ((tmp_file=verify_cert_export_cert(cert, verify_export_cert, &gc)))
515 {
516 setenv_str(es, "peer_cert", tmp_file);
517 }
518 }
519
520 argv_printf (&argv, "%sc %d %s", verify_command, cert_depth, subject);
521
522 argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command");
523 ret = openvpn_run_script (&argv, es, 0, "--tls-verify script");
524
525 if (verify_export_cert)
526 {
527 if (tmp_file)
528 delete_file(tmp_file);
529 }
530
531 gc_free(&gc);
532 argv_reset (&argv);
533
534 if (ret)
535 {
536 msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
537 cert_depth, subject);
538 return SUCCESS;
539 }
540
541 msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
542 cert_depth, subject);
543 return FAILURE; /* Reject connection */
544 }
545
546 /*
547 * check peer cert against CRL directory
548 */
549 static result_t
550 verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
551 {
552 char fn[256];
553 int fd;
554 char *serial = x509_get_serial(cert);
555
556 if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
557 {
558 msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
559 x509_free_serial(serial);
560 return FAILURE;
561 }
562 fd = open (fn, O_RDONLY);
563 if (fd >= 0)
564 {
565 msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
566 x509_free_serial(serial);
567 close(fd);
568 return FAILURE;
569 }
570
571 x509_free_serial(serial);
572
573 return SUCCESS;
574 }
575
576 result_t
577 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
578 {
579 char *subject = NULL;
580 char common_name[TLS_USERNAME_LEN] = {0};
581 const struct tls_options *opt;
582
583 opt = session->opt;
584 ASSERT (opt);
585
586 session->verified = false;
587
588 /* get the X509 name */
589 subject = x509_get_subject(cert);
590 if (!subject)
591 {
592 msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
593 "subject string from certificate", cert_depth);
594 goto err;
595 }
596
597 /* enforce character class restrictions in X509 name */
598 string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags);
599 string_replace_leading (subject, '-', '_');
600
601 /* extract the username (default is CN) */
602 if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
603 opt->x509_username_field, cert))
604 {
605 if (!cert_depth)
606 {
607 msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
608 "subject string ('%s') -- note that the username length is "
609 "limited to %d characters",
610 opt->x509_username_field,
611 subject,
612 TLS_USERNAME_LEN);
613 goto err;
614 }
615 }
616
617 /* enforce character class restrictions in common name */
618 string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
619
620 /* warn if cert chain is too deep */
621 if (cert_depth >= MAX_CERT_DEPTH)
622 {
623 msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth, MAX_CERT_DEPTH);
624 goto err; /* Reject connection */
625 }
626
627 /* verify level 1 cert, i.e. the CA that signed our leaf cert */
628 if (cert_depth == 1 && opt->verify_hash)
629 {
630 unsigned char *sha1_hash = x509_get_sha1_hash(cert);
631 if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))
632 {
633 msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
634 x509_free_sha1_hash(sha1_hash);
635 goto err;
636 }
637 x509_free_sha1_hash(sha1_hash);
638 }
639
640 /* save common name in session object */
641 if (cert_depth == 0)
642 set_common_name (session, common_name);
643
644 session->verify_maxlevel = max_int (session->verify_maxlevel, cert_depth);
645
646 /* export certificate values to the environment */
647 verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name
648 #ifdef ENABLE_X509_TRACK
649 , opt->x509_track
650 #endif
651 );
652
653 /* export current untrusted IP */
654 setenv_untrusted (session);
655
656 /* If this is the peer's own certificate, verify it */
657 if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
658 goto err;
659
660 /* call --tls-verify plug-in(s), if registered */
661 if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
662 goto err;
663
664 /* run --tls-verify script */
665 if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
666 opt->es, cert_depth, cert, subject, opt->verify_export_cert))
667 goto err;
668
669 /* check peer cert against CRL */
670 if (opt->crl_file)
671 {
672 if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
673 {
674 if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
675 goto err;
676 }
677 else
678 {
679 if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
680 goto err;
681 }
682 }
683
684 msg (D_HANDSHAKE, "VERIFY OK: depth=%d, %s", cert_depth, subject);
685 session->verified = true;
686
687 done:
688 x509_free_subject (subject);
689 return (session->verified == true) ? SUCCESS : FAILURE;
690
691 err:
692 tls_clear_error();
693 session->verified = false;
694 goto done;
695 }
696
697 /* ***************************************************************************
698 * Functions for the management of deferred authentication when using
699 * user/password authentication.
700 *************************************************************************** */
701
702 #ifdef ENABLE_DEF_AUTH
703 /* key_state_test_auth_control_file return values,
704 NOTE: acf_merge indexing depends on these values */
705 #define ACF_UNDEFINED 0
706 #define ACF_SUCCEEDED 1
707 #define ACF_DISABLED 2
708 #define ACF_FAILED 3
709 #endif
710
711 #ifdef MANAGEMENT_DEF_AUTH
712 void
713 man_def_auth_set_client_reason (struct tls_multi *multi, const char *client_reason)
714 {
715 if (multi->client_reason)
716 {
717 free (multi->client_reason);
718 multi->client_reason = NULL;
719 }
720 if (client_reason && strlen (client_reason))
721 multi->client_reason = string_alloc (client_reason, NULL);
722 }
723
724 static inline unsigned int
725 man_def_auth_test (const struct key_state *ks)
726 {
727 if (management_enable_def_auth (management))
728 return ks->mda_status;
729 else
730 return ACF_DISABLED;
731 }
732 #endif
733
734 #ifdef PLUGIN_DEF_AUTH
735
736 /*
737 * auth_control_file functions
738 */
739
740 void
741 key_state_rm_auth_control_file (struct key_state *ks)
742 {
743 if (ks && ks->auth_control_file)
744 {
745 delete_file (ks->auth_control_file);
746 free (ks->auth_control_file);
747 ks->auth_control_file = NULL;
748 }
749 }
750
751 static void
752 key_state_gen_auth_control_file (struct key_state *ks, const struct tls_options *opt)
753 {
754 struct gc_arena gc = gc_new ();
755 const char *acf;
756
757 key_state_rm_auth_control_file (ks);
758 acf = create_temp_file (opt->tmp_dir, "acf", &gc);
759 if (acf) {
760 ks->auth_control_file = string_alloc (acf, NULL);
761 setenv_str (opt->es, "auth_control_file", ks->auth_control_file);
762 } /* FIXME: Should have better error handling? */
763
764 gc_free (&gc);
765 }
766
767 static unsigned int
768 key_state_test_auth_control_file (struct key_state *ks)
769 {
770 if (ks && ks->auth_control_file)
771 {
772 unsigned int ret = ks->auth_control_status;
773 if (ret == ACF_UNDEFINED)
774 {
775 FILE *fp = fopen (ks->auth_control_file, "r");
776 if (fp)
777 {
778 const int c = fgetc (fp);
779 if (c == '1')
780 ret = ACF_SUCCEEDED;
781 else if (c == '0')
782 ret = ACF_FAILED;
783 fclose (fp);
784 ks->auth_control_status = ret;
785 }
786 }
787 return ret;
788 }
789 return ACF_DISABLED;
790 }
791
792 #endif
793
794 /*
795 * Return current session authentication state. Return
796 * value is TLS_AUTHENTICATION_x.
797 */
798
799 int
800 tls_authentication_status (struct tls_multi *multi, const int latency)
801 {
802 bool deferred = false;
803 bool success = false;
804 bool active = false;
805
806 #ifdef ENABLE_DEF_AUTH
807 static const unsigned char acf_merge[] =
808 {
809 ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_UNDEFINED */
810 ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_SUCCEEDED */
811 ACF_UNDEFINED, /* s1=ACF_UNDEFINED s2=ACF_DISABLED */
812 ACF_FAILED, /* s1=ACF_UNDEFINED s2=ACF_FAILED */
813 ACF_UNDEFINED, /* s1=ACF_SUCCEEDED s2=ACF_UNDEFINED */
814 ACF_SUCCEEDED, /* s1=ACF_SUCCEEDED s2=ACF_SUCCEEDED */
815 ACF_SUCCEEDED, /* s1=ACF_SUCCEEDED s2=ACF_DISABLED */
816 ACF_FAILED, /* s1=ACF_SUCCEEDED s2=ACF_FAILED */
817 ACF_UNDEFINED, /* s1=ACF_DISABLED s2=ACF_UNDEFINED */
818 ACF_SUCCEEDED, /* s1=ACF_DISABLED s2=ACF_SUCCEEDED */
819 ACF_DISABLED, /* s1=ACF_DISABLED s2=ACF_DISABLED */
820 ACF_FAILED, /* s1=ACF_DISABLED s2=ACF_FAILED */
821 ACF_FAILED, /* s1=ACF_FAILED s2=ACF_UNDEFINED */
822 ACF_FAILED, /* s1=ACF_FAILED s2=ACF_SUCCEEDED */
823 ACF_FAILED, /* s1=ACF_FAILED s2=ACF_DISABLED */
824 ACF_FAILED /* s1=ACF_FAILED s2=ACF_FAILED */
825 };
826 #endif /* ENABLE_DEF_AUTH */
827
828 if (multi)
829 {
830 int i;
831
832 #ifdef ENABLE_DEF_AUTH
833 if (latency && multi->tas_last && multi->tas_last + latency >= now)
834 return TLS_AUTHENTICATION_UNDEFINED;
835 multi->tas_last = now;
836 #endif /* ENABLE_DEF_AUTH */
837
838 for (i = 0; i < KEY_SCAN_SIZE; ++i)
839 {
840 struct key_state *ks = multi->key_scan[i];
841 if (DECRYPT_KEY_ENABLED (multi, ks))
842 {
843 active = true;
844 if (ks->authenticated)
845 {
846 #ifdef ENABLE_DEF_AUTH
847 unsigned int s1 = ACF_DISABLED;
848 unsigned int s2 = ACF_DISABLED;
849 #ifdef PLUGIN_DEF_AUTH
850 s1 = key_state_test_auth_control_file (ks);
851 #endif /* PLUGIN_DEF_AUTH */
852 #ifdef MANAGEMENT_DEF_AUTH
853 s2 = man_def_auth_test (ks);
854 #endif /* MANAGEMENT_DEF_AUTH */
855 ASSERT (s1 < 4 && s2 < 4);
856 switch (acf_merge[(s1<<2) + s2])
857 {
858 case ACF_SUCCEEDED:
859 case ACF_DISABLED:
860 success = true;
861 ks->auth_deferred = false;
862 break;
863 case ACF_UNDEFINED:
864 if (now < ks->auth_deferred_expire)
865 deferred = true;
866 break;
867 case ACF_FAILED:
868 ks->authenticated = false;
869 break;
870 default:
871 ASSERT (0);
872 }
873 #else /* !ENABLE_DEF_AUTH */
874 success = true;
875 #endif /* ENABLE_DEF_AUTH */
876 }
877 }
878 }
879 }
880
881 #if 0
882 dmsg (D_TLS_ERRORS, "TAS: a=%d s=%d d=%d", active, success, deferred);
883 #endif
884
885 if (success)
886 return TLS_AUTHENTICATION_SUCCEEDED;
887 else if (!active || deferred)
888 return TLS_AUTHENTICATION_DEFERRED;
889 else
890 return TLS_AUTHENTICATION_FAILED;
891 }
892
893 #ifdef MANAGEMENT_DEF_AUTH
894 /*
895 * For deferred auth, this is where the management interface calls (on server)
896 * to indicate auth failure/success.
897 */
898 bool
899 tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
900 {
901 bool ret = false;
902 if (multi)
903 {
904 int i;
905 man_def_auth_set_client_reason (multi, client_reason);
906 for (i = 0; i < KEY_SCAN_SIZE; ++i)
907 {
908 struct key_state *ks = multi->key_scan[i];
909 if (ks->mda_key_id == mda_key_id)
910 {
911 ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
912 ret = true;
913 }
914 }
915 }
916 return ret;
917 }
918 #endif
919
920
921 /* ****************************************************************************
922 * Functions to verify username and password
923 *
924 * Authenticate a client using username/password.
925 * Runs on server.
926 *
927 * If you want to add new authentication methods,
928 * this is the place to start.
929 *************************************************************************** */
930
931 /*
932 * Verify the user name and password using a script
933 */
934 static bool
935 verify_user_pass_script (struct tls_session *session, const struct user_pass *up)
936 {
937 struct gc_arena gc = gc_new ();
938 struct argv argv = argv_new ();
939 const char *tmp_file = "";
940 bool ret = false;
941
942 /* Is username defined? */
943 if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
944 {
945 /* Set environmental variables prior to calling script */
946 setenv_str (session->opt->es, "script_type", "user-pass-verify");
947
948 if (session->opt->auth_user_pass_verify_script_via_file)
949 {
950 struct status_output *so;
951
952 tmp_file = create_temp_file (session->opt->tmp_dir, "up", &gc);
953 if( tmp_file ) {
954 so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
955 status_printf (so, "%s", up->username);
956 status_printf (so, "%s", up->password);
957 if (!status_close (so))
958 {
959 msg (D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s",
960 tmp_file);
961 goto done;
962 }
963 } else {
964 msg (D_TLS_ERRORS, "TLS Auth Error: could not create write "
965 "username/password to temp file");
966 }
967 }
968 else
969 {
970 setenv_str (session->opt->es, "username", up->username);
971 setenv_str (session->opt->es, "password", up->password);
972 }
973
974 /* setenv incoming cert common name for script */
975 setenv_str (session->opt->es, "common_name", session->common_name);
976
977 /* setenv client real IP address */
978 setenv_untrusted (session);
979
980 /* format command line */
981 argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file);
982
983 /* call command */
984 ret = openvpn_run_script (&argv, session->opt->es, 0,
985 "--auth-user-pass-verify");
986
987 if (!session->opt->auth_user_pass_verify_script_via_file)
988 setenv_del (session->opt->es, "password");
989 }
990 else
991 {
992 msg (D_TLS_ERRORS, "TLS Auth Error: peer provided a blank username");
993 }
994
995 done:
996 if (tmp_file && strlen (tmp_file) > 0)
997 delete_file (tmp_file);
998
999 argv_reset (&argv);
1000 gc_free (&gc);
1001 return ret;
1002 }
1003
1004 /*
1005 * Verify the username and password using a plugin
1006 */
1007 static int
1008 verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username)
1009 {
1010 int retval = OPENVPN_PLUGIN_FUNC_ERROR;
1011 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1012
1013 /* Is username defined? */
1014 if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
1015 {
1016 /* set username/password in private env space */
1017 setenv_str (session->opt->es, "username", raw_username);
1018 setenv_str (session->opt->es, "password", up->password);
1019
1020 /* setenv incoming cert common name for script */
1021 setenv_str (session->opt->es, "common_name", session->common_name);
1022
1023 /* setenv client real IP address */
1024 setenv_untrusted (session);
1025
1026 #ifdef PLUGIN_DEF_AUTH
1027 /* generate filename for deferred auth control file */
1028 key_state_gen_auth_control_file (ks, session->opt);
1029 #endif
1030
1031 /* call command */
1032 retval = plugin_call (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
1033
1034 #ifdef PLUGIN_DEF_AUTH
1035 /* purge auth control filename (and file itself) for non-deferred returns */
1036 if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED)
1037 key_state_rm_auth_control_file (ks);
1038 #endif
1039
1040 setenv_del (session->opt->es, "password");
1041 setenv_str (session->opt->es, "username", up->username);
1042 }
1043 else
1044 {
1045 msg (D_TLS_ERRORS, "TLS Auth Error (verify_user_pass_plugin): peer provided a blank username");
1046 }
1047
1048 return retval;
1049 }
1050
1051
1052 #ifdef MANAGEMENT_DEF_AUTH
1053 /*
1054 * MANAGEMENT_DEF_AUTH internal ssl_verify.c status codes
1055 */
1056 #define KMDA_ERROR 0
1057 #define KMDA_SUCCESS 1
1058 #define KMDA_UNDEF 2
1059 #define KMDA_DEF 3
1060
1061 static int
1062 verify_user_pass_management (struct tls_session *session, const struct user_pass *up, const char *raw_username)
1063 {
1064 int retval = KMDA_ERROR;
1065 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1066
1067 /* Is username defined? */
1068 if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
1069 {
1070 /* set username/password in private env space */
1071 setenv_str (session->opt->es, "username", raw_username);
1072 setenv_str (session->opt->es, "password", up->password);
1073
1074 /* setenv incoming cert common name for script */
1075 setenv_str (session->opt->es, "common_name", session->common_name);
1076
1077 /* setenv client real IP address */
1078 setenv_untrusted (session);
1079
1080 if (management)
1081 management_notify_client_needing_auth (management, ks->mda_key_id, session->opt->mda_context, session->opt->es);
1082
1083 setenv_del (session->opt->es, "password");
1084 setenv_str (session->opt->es, "username", up->username);
1085
1086 retval = KMDA_SUCCESS;
1087 }
1088 else
1089 {
1090 msg (D_TLS_ERRORS, "TLS Auth Error (verify_user_pass_management): peer provided a blank username");
1091 }
1092
1093 return retval;
1094 }
1095 #endif
1096
1097 /*
1098 * Main username/password verification entry point
1099 */
1100 void
1101 verify_user_pass(struct user_pass *up, struct tls_multi *multi,
1102 struct tls_session *session)
1103 {
1104 int s1 = OPENVPN_PLUGIN_FUNC_SUCCESS;
1105 bool s2 = true;
1106 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1107
1108 struct gc_arena gc = gc_new ();
1109 char *raw_username;
1110
1111 #ifdef MANAGEMENT_DEF_AUTH
1112 int man_def_auth = KMDA_UNDEF;
1113
1114 if (management_enable_def_auth (management))
1115 man_def_auth = KMDA_DEF;
1116 #endif
1117
1118 /* preserve raw username before string_mod remapping, for plugins */
1119 ALLOC_ARRAY_CLEAR_GC (raw_username, char, USER_PASS_LEN, &gc);
1120 strcpy (raw_username, up->username);
1121 string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
1122
1123 /* enforce character class restrictions in username/password */
1124 string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags);
1125 string_mod (up->password, CC_PRINT, CC_CRLF, '_');
1126
1127 /* call plugin(s) and/or script */
1128 #ifdef MANAGEMENT_DEF_AUTH
1129 if (man_def_auth == KMDA_DEF)
1130 man_def_auth = verify_user_pass_management (session, up, raw_username);
1131 #endif
1132 if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
1133 s1 = verify_user_pass_plugin (session, up, raw_username);
1134 if (session->opt->auth_user_pass_verify_script)
1135 s2 = verify_user_pass_script (session, up);
1136
1137 /* check sizing of username if it will become our common name */
1138 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_USERNAME_LEN)
1139 {
1140 msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN);
1141 s1 = OPENVPN_PLUGIN_FUNC_ERROR;
1142 }
1143
1144 /* auth succeeded? */
1145 if ((s1 == OPENVPN_PLUGIN_FUNC_SUCCESS
1146 #ifdef PLUGIN_DEF_AUTH
1147 || s1 == OPENVPN_PLUGIN_FUNC_DEFERRED
1148 #endif
1149 ) && s2
1150 #ifdef MANAGEMENT_DEF_AUTH
1151 && man_def_auth != KMDA_ERROR
1152 #endif
1153 && tls_lock_username (multi, up->username))
1154 {
1155 ks->authenticated = true;
1156 #ifdef PLUGIN_DEF_AUTH
1157 if (s1 == OPENVPN_PLUGIN_FUNC_DEFERRED)
1158 ks->auth_deferred = true;
1159 #endif
1160 #ifdef MANAGEMENT_DEF_AUTH
1161 if (man_def_auth != KMDA_UNDEF)
1162 ks->auth_deferred = true;
1163 #endif
1164 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
1165 set_common_name (session, up->username);
1166 #ifdef ENABLE_DEF_AUTH
1167 msg (D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s",
1168 ks->auth_deferred ? "deferred" : "succeeded",
1169 up->username,
1170 (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : "");
1171 #else
1172 msg (D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s",
1173 "succeeded",
1174 up->username,
1175 (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : "");
1176 #endif
1177 }
1178 else
1179 {
1180 msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer");
1181 }
1182
1183 gc_free (&gc);
1184 }
1185
1186 void
1187 verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
1188 {
1189 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1190
1191 /* While it shouldn't really happen, don't allow the common name to be NULL */
1192 if (!session->common_name)
1193 set_common_name (session, "");
1194
1195 /* Don't allow the CN to change once it's been locked */
1196 if (ks->authenticated && multi->locked_cn)
1197 {
1198 const char *cn = session->common_name;
1199 if (cn && strcmp (cn, multi->locked_cn))
1200 {
1201 msg (D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
1202 multi->locked_cn,
1203 cn);
1204
1205 /* change the common name back to its original value and disable the tunnel */
1206 set_common_name (session, multi->locked_cn);
1207 tls_deauthenticate (multi);
1208 }
1209 }
1210
1211 /* Don't allow the cert hashes to change once they have been locked */
1212 if (ks->authenticated && multi->locked_cert_hash_set)
1213 {
1214 const struct cert_hash_set *chs = session->cert_hash_set;
1215 if (chs && !cert_hash_compare (chs, multi->locked_cert_hash_set))
1216 {
1217 msg (D_TLS_ERRORS, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth",
1218 session->common_name);
1219
1220 /* disable the tunnel */
1221 tls_deauthenticate (multi);
1222 }
1223 }
1224
1225 /* verify --client-config-dir based authentication */
1226 if (ks->authenticated && session->opt->client_config_dir_exclusive)
1227 {
1228 struct gc_arena gc = gc_new ();
1229
1230 const char *cn = session->common_name;
1231 const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc);
1232 if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path))
1233 {
1234 ks->authenticated = false;
1235 msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
1236 session->common_name,
1237 path ? path : "UNDEF");
1238 }
1239
1240 gc_free (&gc);
1241 }
1242 }
1243 #endif /* defined(USE_CRYPTO) && defined(USE_SSL) */
Mirror of https://github.com/OpenVPN/openvpn.git