git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
| ... | ... |
@@ -898,6 +898,30 @@ tls_lock_common_name (struct tls_multi *multi) |
| 898 | 898 |
multi->locked_cn = string_alloc (cn, NULL); |
| 899 | 899 |
} |
| 900 | 900 |
|
| 901 |
+static bool |
|
| 902 |
+tls_lock_username (struct tls_multi *multi, const char *username) |
|
| 903 |
+{
|
|
| 904 |
+ if (multi->locked_username) |
|
| 905 |
+ {
|
|
| 906 |
+ if (!username || strcmp (username, multi->locked_username)) |
|
| 907 |
+ {
|
|
| 908 |
+ msg (D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled", |
|
| 909 |
+ multi->locked_username, |
|
| 910 |
+ np(username)); |
|
| 911 |
+ |
|
| 912 |
+ /* disable the tunnel */ |
|
| 913 |
+ tls_deauthenticate (multi); |
|
| 914 |
+ return false; |
|
| 915 |
+ } |
|
| 916 |
+ } |
|
| 917 |
+ else |
|
| 918 |
+ {
|
|
| 919 |
+ if (username) |
|
| 920 |
+ multi->locked_username = string_alloc (username, NULL); |
|
| 921 |
+ } |
|
| 922 |
+ return true; |
|
| 923 |
+} |
|
| 924 |
+ |
|
| 901 | 925 |
#ifdef ENABLE_DEF_AUTH |
| 902 | 926 |
/* key_state_test_auth_control_file return values, |
| 903 | 927 |
NOTE: acf_merge indexing depends on these values */ |
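Review bot: tls_lock_username has a side effect — it calls tls_deauthenticate(multi) on a mismatch — yet it is shaped as a predicate that the key_method_2_read hunk below evaluates inside an `if` condition, so it should carry a header comment fixing that contract, e.g. `/* Pin the first authenticated username to this tls_multi; a later mismatch is logged, the whole multi is deauthenticated, and false is returned. */`. Note also the NULL asymmetry: if the first successful authentication passes a NULL `username`, the `else` branch records nothing (`if (username)`), so a later renegotiation can lock any name without tripping the check; if NULL is reachable here, record the empty name instead, `multi->locked_username = string_alloc (username ? username : "", NULL);` (if callers always pass the `struct user_pass` array the pointer is never NULL and the `!username` test is merely defensive). The `username` printed in the D_TLS_ERRORS message is client-supplied; it is presumably sanitized to printable characters before this point, which is worth confirming since it lands in the log verbatim.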
| ... | ... |
@@ -2417,6 +2441,9 @@ tls_multi_free (struct tls_multi *multi, bool clear) |
| 2417 | 2417 |
if (multi->locked_cn) |
| 2418 | 2418 |
free (multi->locked_cn); |
| 2419 | 2419 |
|
| 2420 |
+ if (multi->locked_username) |
|
| 2421 |
+ free (multi->locked_username); |
|
| 2422 |
+ |
|
| 2420 | 2423 |
for (i = 0; i < TM_SIZE; ++i) |
| 2421 | 2424 |
tls_session_free (&multi->session[i], false); |
| 2422 | 2425 |
|
| ... | ... |
@@ -3401,7 +3428,8 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
| 3401 | 3401 |
#ifdef PLUGIN_DEF_AUTH |
| 3402 | 3402 |
|| s1 == OPENVPN_PLUGIN_FUNC_DEFERRED |
| 3403 | 3403 |
#endif |
| 3404 |
- ) && s2 && man_def_auth != KMDA_ERROR) |
|
| 3404 |
+ ) && s2 && man_def_auth != KMDA_ERROR |
|
| 3405 |
+ && tls_lock_username (multi, up->username)) |
|
| 3405 | 3406 |
{
|
| 3406 | 3407 |
ks->authenticated = true; |
| 3407 | 3408 |
#ifdef PLUGIN_DEF_AUTH |
| ... | ... |
@@ -3412,7 +3440,6 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
| 3412 | 3412 |
if (man_def_auth != KMDA_UNDEF) |
| 3413 | 3413 |
ks->auth_deferred = true; |
| 3414 | 3414 |
#endif |
| 3415 |
- |
|
| 3416 | 3415 |
if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) |
| 3417 | 3416 |
set_common_name (session, up->username); |
| 3418 | 3417 |
#ifdef ENABLE_DEF_AUTH |
| ... | ... |
@@ -589,9 +589,10 @@ struct tls_multi |
| 589 | 589 |
int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */ |
| 590 | 590 |
|
| 591 | 591 |
/* |
| 592 |
- * Our locked common name (cannot change during the life of this tls_multi object) |
|
| 592 |
+ * Our locked common name and username (cannot change during the life of this tls_multi object) |
|
| 593 | 593 |
*/ |
| 594 | 594 |
char *locked_cn; |
| 595 |
+ char *locked_username; |
|
| 595 | 596 |
|
| 596 | 597 |
#ifdef ENABLE_DEF_AUTH |
| 597 | 598 |
/* |