aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKarl O. Pinc <kop@meme.com>2010-02-18 21:30:48 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2010-04-29 20:22:07 +0200
commit060e88183badd38897c3eb3e1d7f940e66ca701e (patch)
tree52871863b6f80e250e8e15189cf47fa57f7b8b38
parentDo not randomize resolving of IP addresses in getaddr() (diff)
downloadopenvpn-060e88183badd38897c3eb3e1d7f940e66ca701e.tar.xz
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process. A resubmission of the patch sent to this list on 04/23/2009. The patch changes the verify-cn script sample to be used with --tls-verify so that instead of having to hardcode a cn to verify in the OpenVPN configuration file the allowed cns may be written into a separate file. This makes the process of verifying cns a whole lot more dynamic, to the point where it is useful in the real world. One problem with this patch is that it is backwards incompatible. I did not bother keeping the original calling interface as A) it's a sample script, and B) the original's functionality seems useless and equalivant functionality is easily available with the new script. The problem with the original is that there seems little point in verifying a client's cn when all the clients share one cn, as would have to be the case when the cn is hardcoded into the openvpn config file. This patch applies against the testing allmiscs branch, and should apply against any of the other testing branches as well. It works for me. I've tested it throughly but not used it extensively in production. Regards, Karl <kop@meme.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
Diffstat (limited to '')
-rwxr-xr-xsample-scripts/verify-cn42
1 files changed, 27 insertions, 15 deletions
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
index 5d56d95..f9fea0f 100755
--- a/sample-scripts/verify-cn
+++ b/sample-scripts/verify-cn
@@ -7,24 +7,28 @@
#
# For example in OpenVPN, you could use the directive:
#
-# tls-verify "./verify-cn Test-Client"
+# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
-# the client common name is "Test-Client"
+# the client common name is listed on a line in the
+# allowed_clients file.
-die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
# Parse out arguments:
-# cn -- The common name which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cn, $depth, $x509) = @ARGV;
+# cnfile -- The file containing the list of common names, one per
+# line, which the client is required to have,
+# taken from the argument to the tls-verify directive
+# in the OpenVPN config file.
+# The file can have blank lines and comment lines that begin
+# with the # character.
+# depth -- The current certificate chain depth. In a typical
+# bi-level chain, the root certificate will be at level
+# 1 and the client certificate will be at level 0.
+# This script will be called separately for each level.
+# x509 -- the X509 subject string as extracted by OpenVPN from
+# the client's provided certificate.
+($cnfile, $depth, $x509) = @ARGV;
if ($depth == 0) {
# If depth is zero, we know that this is the final
@@ -34,11 +38,19 @@ if ($depth == 0) {
# the X509 subject string.
if ($x509 =~ /\/CN=([^\/]+)/) {
+ $cn = $1;
# Accept the connection if the X509 common name
# string matches the passed cn argument.
- if ($cn eq $1) {
- exit 0;
+ open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
+ while (defined($line = <FH>)) {
+ if ($line !~ /^[[:space:]]*(#|$)/o) {
+ chop($line);
+ if ($line eq $cn) {
+ exit 0;
+ }
+ }
}
+ close(FH);
}
# Authentication failed -- Either we could not parse