aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-24 01:08:30 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-24 01:08:30 +0000
commit71b557ba9d2f29f667bda60870993b83aa8d21a8 (patch)
treedf12700d8c371b8159e39232c7f7de7c4d1dc99e
parentAdded "setenv GENERIC_CONFIG" directive, for generic configs (diff)
downloadopenvpn-71b557ba9d2f29f667bda60870993b83aa8d21a8.tar.xz
On server, lock session username against changes in mid-session TLS
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--ssl.c31
-rw-r--r--ssl.h3
2 files changed, 31 insertions, 3 deletions
diff --git a/ssl.c b/ssl.c
index bc8b2da..847c5ec 100644
--- a/ssl.c
+++ b/ssl.c
@@ -898,6 +898,30 @@ tls_lock_common_name (struct tls_multi *multi)
multi->locked_cn = string_alloc (cn, NULL);
}
+static bool
+tls_lock_username (struct tls_multi *multi, const char *username)
+{
+ if (multi->locked_username)
+ {
+ if (!username || strcmp (username, multi->locked_username))
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
+ multi->locked_username,
+ np(username));
+
+ /* disable the tunnel */
+ tls_deauthenticate (multi);
+ return false;
+ }
+ }
+ else
+ {
+ if (username)
+ multi->locked_username = string_alloc (username, NULL);
+ }
+ return true;
+}
+
#ifdef ENABLE_DEF_AUTH
/* key_state_test_auth_control_file return values,
NOTE: acf_merge indexing depends on these values */
@@ -2417,6 +2441,9 @@ tls_multi_free (struct tls_multi *multi, bool clear)
if (multi->locked_cn)
free (multi->locked_cn);
+ if (multi->locked_username)
+ free (multi->locked_username);
+
for (i = 0; i < TM_SIZE; ++i)
tls_session_free (&multi->session[i], false);
@@ -3401,7 +3428,8 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
#ifdef PLUGIN_DEF_AUTH
|| s1 == OPENVPN_PLUGIN_FUNC_DEFERRED
#endif
- ) && s2 && man_def_auth != KMDA_ERROR)
+ ) && s2 && man_def_auth != KMDA_ERROR
+ && tls_lock_username (multi, up->username))
{
ks->authenticated = true;
#ifdef PLUGIN_DEF_AUTH
@@ -3412,7 +3440,6 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
#endif
-
if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
set_common_name (session, up->username);
#ifdef ENABLE_DEF_AUTH
diff --git a/ssl.h b/ssl.h
index 06cd246..7e0bfb5 100644
--- a/ssl.h
+++ b/ssl.h
@@ -589,9 +589,10 @@ struct tls_multi
int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
/*
- * Our locked common name (cannot change during the life of this tls_multi object)
+ * Our locked common name and username (cannot change during the life of this tls_multi object)
*/
char *locked_cn;
+ char *locked_username;
#ifdef ENABLE_DEF_AUTH
/*