-rw-r--r-- | forward.c | 4 | ||||
-rwxr-xr-x | sample-scripts/verify-cn | 42 | ||||
-rw-r--r-- | socket.c | 5 |
3 files changed, 31 insertions, 20 deletions
@@ -755,7 +755,7 @@ process_incoming_link (struct context *c)
 /* log incoming packet */
 #ifdef LOG_RW
- if (c->c2.log_rw)
+ if (c->c2.log_rw && c->c2.buf.len > 0)
 fprintf (stderr, "R");
 #endif
 msg (D_LINK_RW, "%s READ [%d] from %s: %s",
@@ -965,7 +965,7 @@ process_incoming_tun (struct context *c)
 c->c2.tun_read_bytes += c->c2.buf.len;
 #ifdef LOG_RW
- if (c->c2.log_rw)
+ if (c->c2.log_rw && c->c2.buf.len > 0)
 fprintf (stderr, "r");
 #endif
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
index 5d56d95..f9fea0f 100755
--- a/sample-scripts/verify-cn
+++ b/sample-scripts/verify-cn
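Review bot: The new `c->c2.buf.len > 0` guard carries no comment saying why an empty buffer should no longer produce the `R`/`r` marker, in both the process_incoming_link hunk (-755) and the process_incoming_tun hunk (-965). Presumably buf.len is zero when the read produced nothing usable, but that is not visible here, so record the intent next to the check, e.g. `/* only mark reads that returned data (buf.len == 0 means nothing to log) -- confirm */`. Both enclosing functions start and end outside their hunks.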
@@ -7,24 +7,28 @@
 #
 # For example in OpenVPN, you could use the directive:
 #
-# tls-verify "./verify-cn Test-Client"
+# tls-verify "./verify-cn /etc/openvpn/allowed_clients"
 #
 # This would cause the connection to be dropped unless
-# the client common name is "Test-Client"
+# the client common name is listed on a line in the
+# allowed_clients file.
-die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
 # Parse out arguments:
-# cn -- The common name which the client is required to have,
-# taken from the argument to the tls-verify directive
-# in the OpenVPN config file.
-# depth -- The current certificate chain depth. In a typical
-# bi-level chain, the root certificate will be at level
-# 1 and the client certificate will be at level 0.
-# This script will be called separately for each level.
-# x509 -- the X509 subject string as extracted by OpenVPN from
-# the client's provided certificate.
-($cn, $depth, $x509) = @ARGV;
+# cnfile -- The file containing the list of common names, one per
+# line, which the client is required to have,
+# taken from the argument to the tls-verify directive
+# in the OpenVPN config file.
+# The file can have blank lines and comment lines that begin
+# with the # character.
+# depth -- The current certificate chain depth. In a typical
+# bi-level chain, the root certificate will be at level
+# 1 and the client certificate will be at level 0.
+# This script will be called separately for each level.
+# x509 -- the X509 subject string as extracted by OpenVPN from
+# the client's provided certificate.
+($cnfile, $depth, $x509) = @ARGV;
 if ($depth == 0) {
 # If depth is zero, we know that this is the final
@@ -34,11 +38,19 @@ if ($depth == 0) {
 # the X509 subject string.
 if ($x509 =~ /\/CN=([^\/]+)/) {
+ $cn = $1;
 # Accept the connection if the X509 common name
 # string matches the passed cn argument.
- if ($cn eq $1) {
- exit 0;
+ open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
+ while (defined($line = <FH>)) {
+ if ($line !~ /^[[:space:]]*(#|$)/o) {
+ chop($line);
+ if ($line eq $cn) {
+ exit 0;
+ }
+ }
 }
+ close(FH);
 }
 # Authentication failed -- Either we could not parse
@@ -212,12 +212,11 @@ getaddr (unsigned int flags,
 ++n;
 ASSERT (n >= 2);
- msg (D_RESOLVE_ERRORS, "RESOLVE: NOTE: %s resolves to %d addresses, choosing one by random",
+ msg (D_RESOLVE_ERRORS, "RESOLVE: NOTE: %s resolves to %d addresses, choosing the first resolved IP address",
 hostname, n);
- /* choose address randomly, for basic load-balancing capability */
- ia.s_addr = *(in_addr_t *) (h->h_addr_list[get_random () % n]);
+ ia.s_addr = *(in_addr_t *) (h->h_addr_list[0]);
 }
 }
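Review bot: `chop($line);` removes the last character unconditionally, so a final line without a trailing newline loses the last character of its CN and can never match, and a file with CRLF endings keeps the `\r` and matches nothing. Replace it with `chomp($line);` (or `$line =~ s/\r?\n\z//;` to tolerate CRLF as well) before the `eq` comparison. The outcome in those cases is fail-closed, which is the right default, but it is silent, so a legitimate client is rejected with no hint that the list file is the cause; the `or exit 1` on open failure is correctly fail-closed too. The enclosing `if ($depth == 0)` block begins in the previous hunk.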
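Review bot: The new `ia.s_addr = *(in_addr_t *) (h->h_addr_list[0]);` still reads the address through a cast of the `char *` list entry, which is a strict-aliasing and alignment hazard; `memcpy (&ia.s_addr, h->h_addr_list[0], sizeof ia.s_addr);` copies the same bytes without it. The removed comment is not replaced, so the decision to always take the first address, and to give up the random spreading across addresses that the old code provided, is no longer recorded in the code; a one-liner such as `/* always use the first resolved address; random selection was dropped deliberately */` would keep that visible to the next reader. getaddr starts and ends outside the hunk.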