Re: [Openvpn-devel] Again: Feature implementation: Connection refusal based upon CN

2004-10-04 Thread James Yonan 
Vlada,

I think the idea for the patch is good, i.e. using the client-config-dir
as a kind of authenticator of common names.

I do have a concern though on your implementation.  You are conducting the
allow/deny test in multi_connection_established(). The problem is that
this function runs too late in the client instance initialization sequence
to be able to securely deny authentication.

There is a window of time between when the SSL/TLS state goes to S_ACTIVE
and when multi_connection_established is executed that you essentially
have a trusted session, and a malicious client could potentially exploit
that fact.  I think it would be better to put the test somewhere in ssl.c,
so that on failure, you can prevent the SSL/TLS state from advancing to
S_ACTIVE.  That is the idea behind verify_callback() and --tls-auth.

James


> Hello,
> 
> I'm writing again on the topic of my post sent several hours ago to the
> openvpn-users list. The post proposed the --ccd-exclusive option.
> 
> Since then I tried to setup chrooted openvpn server with the ccd
> directory in the jail as well as the tls-verify script which was
> checking the content of the ccd directory (see my previous post for the
> reason). Even when I hosted shell, tun device, some so's from /lib in
> the jail, openvpn was still unable to run my tls-verify script.
> 
> Nevertheless I didn't like the size of the jail directory after all. I
> decided to write the proposed feature on my own. So the 2.0-beta11
> source files, manual page was modified and an option helptexts was
> added. (I have to state, the work on such source text is a delight.)
> There was not clear to me, whether I kill the current instance
> gracefully, it needs some other eye to check it.
> 
> The implementation is tested. IMO it properly reacts on the removal and
> appearance of the CN-file in the client-config-directory.
> 
> I'm attaching the patch, because I hope someone else could find my
> contribution useful. Now I'm able to push the fixed IP addresses by the
> certificate CN as well as refuse non approved CN's from the single data
> source (ccd). My chroot jail now contains just a couple of non binary
> bytes. I'm happy for now. :-)
> 
> May I ask James to consider adding some form of this piece to the source
> of his wonderful program?
> 
> Vlada
> 
>

[Openvpn-devel] Again: Feature implementation: Connection refusal based upon CN

2004-10-04 Thread Vlada Macek 
Hello,

I'm writing again on the topic of my post sent several hours ago to the
openvpn-users list. The post proposed the --ccd-exclusive option.

Since then I tried to setup chrooted openvpn server with the ccd
directory in the jail as well as the tls-verify script which was
checking the content of the ccd directory (see my previous post for the
reason). Even when I hosted shell, tun device, some so's from /lib in
the jail, openvpn was still unable to run my tls-verify script.

Nevertheless I didn't like the size of the jail directory after all. I
decided to write the proposed feature on my own. So the 2.0-beta11
source files, manual page was modified and an option helptexts was
added. (I have to state, the work on such source text is a delight.)
There was not clear to me, whether I kill the current instance
gracefully, it needs some other eye to check it.

The implementation is tested. IMO it properly reacts on the removal and
appearance of the CN-file in the client-config-directory.

I'm attaching the patch, because I hope someone else could find my
contribution useful. Now I'm able to push the fixed IP addresses by the
certificate CN as well as refuse non approved CN's from the single data
source (ccd). My chroot jail now contains just a couple of non binary
bytes. I'm happy for now. :-)

May I ask James to consider adding some form of this piece to the source
of his wonderful program?

Vlada

diff -b -U2 openvpn-2.0_beta11-original/multi.c openvpn-2.0_beta11/multi.c
--- openvpn-2.0_beta11-original/multi.c Mon Oct  4 20:56:44 2004
+++ openvpn-2.0_beta11/multi.c  Mon Oct  4 21:31:48 2004
@@ -847,5 +847,5 @@
  * Called as soon as the SSL/TLS connection authenticates.
  */
-static void
+static bool
 multi_connection_established (struct multi_context *m, struct multi_instance 
*mi)
 {
@@ -946,6 +946,18 @@
 );

-  if (!test_file (dynamic_config_file))
+  if (!test_file (dynamic_config_file)) {
dynamic_config_file = NULL;
+
+   /*
+* In case we have --ccd-exclusive set and didn't find
+* appropriate dynamic config file, we kill the instance.
+*/
+   if (mi->context.options.ccd_exclusive == true) {
+ msg (D_MULTI_ERRORS, "MULTI: Dynamic config file not found and 
--ccd-exclusive set, terminating the instance.");
+ mutex_unlock_static (L_SCRIPT);
+ gc_free ();
+ return false;
+   }
+  }
 }

@@ -1054,4 +1066,6 @@
   mutex_unlock_static (L_SCRIPT);
   gc_free ();
+
+  return true;
 }

@@ -1194,9 +1208,14 @@
  if (!mi->connection_established_flag && CONNECTION_ESTABLISHED 
(>context))
{
- multi_connection_established (m, mi);
+  if (multi_connection_established (m, mi) != true) {
+multi_close_instance (m, mi, false);
+ret = false;
+  }
  mi->connection_established_flag = true;
}
}
 }
+
+  if (ret == true) {
   if (IS_SIG (>context))
 {
@@ -1223,4 +1242,5 @@
 #endif
 }
+  }

   if (flags & MPP_RECORD_TOUCH && m->mpp_touched)
diff -b -U2 openvpn-2.0_beta11-original/openvpn.8 openvpn-2.0_beta11/openvpn.8
--- openvpn-2.0_beta11-original/openvpn.8   Mon Oct  4 20:56:44 2004
+++ openvpn-2.0_beta11/openvpn.8Mon Oct  4 21:42:13 2004
@@ -106,4 +106,5 @@
 [\ \fB\-\-cipher\fR\ \fIalg\fR\ ]
 [\ \fB\-\-client\-config\-dir\fR\ \fIdir\fR\ ]
+[\ \fB\-\-ccd\-exclusive\fR\ ]
 [\ \fB\-\-client\-connect\fR\ ]
 [\ \fB\-\-client\-connect\fR\ \fIscript\fR\ ]
@@ -2169,4 +2170,12 @@
 and
 .B --config.
+.\"*
+.TP
+.B --ccd-exclusive
+Refuse the connection from client whose
+X509 Common Name is
+.B not
+found in the directory specified by
+.B --client-config-dir.
 .\"*
 .TP
diff -b -U2 openvpn-2.0_beta11-original/options.c openvpn-2.0_beta11/options.c
--- openvpn-2.0_beta11-original/options.c   Mon Oct  4 20:56:44 2004
+++ openvpn-2.0_beta11/options.cMon Oct  4 21:07:05 2004
@@ -267,4 +267,5 @@
   "--client-disconnect cmd : Run script cmd on client disconnection.\n"
   "--client-config-dir dir : Directory for custom client config files.\n"
+  "--ccd-exclusive : Refuses the conn when its custom client config is not 
found.\n"
   "--tmp-dir dir   : Temporary directory, used for --client-connect return 
file.\n"
   "--hash-size r v : Set the size of the real address hash table to r and 
the\n"
@@ -680,4 +681,5 @@
   SHOW_STR (client_disconnect_script);
   SHOW_STR (client_config_dir);
+  SHOW_BOOL (ccd_exclusive);
   SHOW_STR (tmp_dir);
   SHOW_BOOL (push_ifconfig_defined);
@@ -1183,4 +1185,6 @@
   if (options->explicit_exit_notification)
msg (M_USAGE, "Options error: --explicit-exit-notify cannot be used 
with --mode server");
+  if (options->ccd_exclusive && !options->client_config_dir)
+   msg (M_USAGE, "Options error: --ccd-exclusive cannot be used without