From 77deccf2650a8d247eca6bb13f74d1d4bd2c8bf3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Thu, 12 Aug 2021 15:00:57 +0100
Subject: [PATCH] Use conn-trac lib and remove TLS-Crypt-V2 key serial temp-file

Signed-off-by: Richard T Bonhomme
---
 easytls-client-disconnect.sh | 134 +++++++++++++++++++++--------------
 1 file changed, 80 insertions(+), 54 deletions(-)

diff --git a/easytls-client-disconnect.sh b/easytls-client-disconnect.sh
index 759c546..c059a83 100755
--- a/easytls-client-disconnect.sh
+++ b/easytls-client-disconnect.sh
@@ -26,7 +26,7 @@ VERBATUM_COPYRIGHT_HEADER_INCLUDE_NEGOTIABLE
 help_text ()
 {
 help_msg="
- easytls-client-connect.sh
+ easytls-client-disconnect.sh
 
 This script is intended to be used by tls-crypt-v2 client keys
 generated by EasyTLS. See: https://github.com/TinCanTech/easy-tls
@@ -106,7 +106,6 @@ die ()
 fail_and_exit ()
 {
 delete_metadata_files
- #verbose_print "${status_msg}"
 print " ${status_msg}"
 print "${failure_msg}"
 print "${1}"
@@ -156,20 +155,10 @@ format_number ()
 # Allow connection
 connection_allowed ()
 {
- delete_metadata_files
 absolute_fail=0
 update_status "disconnection success"
 }
 
-# Update connection tacking - disconnect
-conn_trac_disconnect ()
-{
- [ $ENABLE_CONN_TRAC ] || return 0
- "${EASYTLS_SED}" -i "/^${tlskey_serial}\$/d" "${EASYTLS_CONN_TRAC}"
- update_status "TLS-Crypt-V2 key removed from conn-trac"
- [ -s "${EASYTLS_CONN_TRAC}" ] || "${EASYTLS_RM}" -f "${EASYTLS_CONN_TRAC}"
-} # => conn_trac_disconnect ()
-
 # Initialise
 init ()
 {
@@ -235,28 +224,40 @@ deps ()
 # Test temp dir
 [ -d "${EASYTLS_tmp_dir}" ] || exit 60
 
+ # Temp files name stub
+ temp_stub="${EASYTLS_tmp_dir}/easytls"
+
 # Windows log
- EASYTLS_WLOG="${EASYTLS_tmp_dir}/easytls-client-connect-${EASYTLS_srv_pid}.log."
+ EASYTLS_WLOG="${temp_stub}-client-disconnect-${EASYTLS_srv_pid}.log."
 
- # TLS-Crypt-V2 key serial file
- #EASYTLS_V2KEY_SERIAL_FILE="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.tks"
- if [ -f "${auth_control_file}" ]
- then
- awk_script='{if(FNR == 1) print $1}'
- tlskey_serial="$("${EASYTLS_AWK}" "${awk_script}" "${auth_control_file}")"
- unset awk_script
- else
- # Not using auth-user-pass-verify
- tlskey_serial="00000000000000000000000000000000"
- fi
-
 # Conn track
- EASYTLS_CONN_TRAC="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.ct"
+ EASYTLS_CONN_TRAC="${temp_stub}-${EASYTLS_srv_pid}.ct"
 
 # Kill client file
- EASYTLS_KILL_FILE="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.kc"
+ EASYTLS_KILL_FILE="${temp_stub}-${EASYTLS_srv_pid}.kc"
 }
 
+# client metadata_string into variables
+client_metadata_string_to_vars ()
+{
+ c_tlskey_serial="${1%%-*}"
+ c_md_seed="${metadata_string#*-}"
+ #md_padding="${md_seed%%--*}"
+ c_md_easytls_ver="${1#*--}"
+ c_md_easytls="${md_easytls_ver%-*.*}"
+
+ c_md_identity="${2%%-*}"
+ #md_srv_name="${2##*-}"
+
+ c_md_serial="${3}"
+ c_md_date="${4}"
+ c_md_custom_g="${5}"
+ c_md_name="${6}"
+ c_md_subkey="${7}"
+ c_md_opt="${8}"
+ c_md_hwadds="${9}"
+} # => metadata_string_to_vars ()
+
 
 #######################################
 # Initialise
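Review bot: In `client_metadata_string_to_vars`, two of the new assignments read the wrong variable: `c_md_seed="${metadata_string#*-}"` takes the caller's global instead of the function argument, and `c_md_easytls="${md_easytls_ver%-*.*}"` strips from `md_easytls_ver`, which nothing in this function sets (it sets `c_md_easytls_ver`), so `c_md_easytls` is always empty. They should read `c_md_seed="${1#*-}"` and `c_md_easytls="${c_md_easytls_ver%-*.*}"`, matching the neighbouring `${1%%-*}` / `${1#*--}` expansions on the same argument. The closing marker `# => metadata_string_to_vars ()` also names a different function than the one defined. Since the function consumes nine positional fields that the caller produces by word-splitting one string, a header comment listing the expected field order would help, and it should be noted that a short string silently leaves the trailing `c_md_*` variables empty.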
@@ -349,6 +350,26 @@ else
 update_status "Not loaded: ${vars_file}"
 fi
 
+# Write env file
+[ $write_env ] && {
+ env_file="${temp_stub}-client-connect-${EASYTLS_srv_pid}.env"
+ if [ $EASYTLS_FOR_WINDOWS ]; then
+ set > "${env_file}"
+ else
+ env > "${env_file}"
+ fi
+ unset env_file
+ }
+
+# Source conn-trac lib
+[ $ENABLE_CONN_TRAC ] && {
+ prog_dir="${0%/*}"
+ lib_file="${prog_dir}/easytls-conn-trac.lib"
+ [ -f "${lib_file}" ] || die "Missing ${lib_file}"
+ . "${lib_file}"
+ unset lib_file
+ }
+
 # Update log message
 update_status "CN:${X509_0_CN}"
 
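Review bot: The env dump is written to `${temp_stub}-client-connect-${EASYTLS_srv_pid}.env` although this is the disconnect hook; the same commit renames `EASYTLS_WLOG` to `client-disconnect` for exactly this reason, and with the current name a connect and a disconnect for the same server PID overwrite each other's file, so it should be `env_file="${temp_stub}-client-disconnect-${EASYTLS_srv_pid}.env"`. `env`/`set` also write the entire environment OpenVPN hands to the hook into the shared temp dir under the inherited umask, so if this debugging aid stays the file should be created with restricted permissions, e.g. running the `{ ... }` body in a subshell with `umask 077` first. Separately, `prog_dir="${0%/*}"` leaves `$0` unchanged when it contains no slash, so a bare-name invocation would look for `easytls-conn-trac.lib` under the script's own file name; OpenVPN normally runs hooks by path, so this may be acceptable, but a comment stating that assumption next to the assignment would help.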
@@ -362,36 +383,32 @@ client_serial="$(format_number "${tls_serial_hex_0}")"
 }
 
 # easytls client metadata file
-#generic_metadata_file="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}-gm"
-#client_metadata_file="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}-${client_serial}"
+generic_metadata_file="${temp_stub}-gmd-${EASYTLS_srv_pid}"
+client_metadata_file="${temp_stub}-cmd-${EASYTLS_srv_pid}-${client_serial}"
 
 # --tls-verify output to --client-connect
-#generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
-#client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"
-
-# Check for kill signal
-#if [ -f "${EASYTLS_KILL_FILE}" ] && \
-# "${EASYTLS_GREP}" -q "${client_serial}" "${EASYTLS_KILL_FILE}"
-#then
-# # Kill client
-# fail_and_exit "KILL_CLIENT" 5
-#fi
+generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
+client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"
 
 # Verify client_ext_md_file
-#if [ -f "${client_ext_md_file}" ]
-#then
-# # Client cert serial matches
-# update_status "X509 serial matched"
-#else
-# # cert serial does not match - ALWAYS fail
-# [ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
-#fi
-
-# Set hwaddr from Openvpn env
-# This is not a dep. different clients may not push-peer-info
-#push_hwaddr="$(format_number "${IV_HWADDR}")"
-#[ -z "${push_hwaddr}" ] && \
-# push_hwaddr_missing=1 && update_status "hwaddr not pushed"
+if [ -f "${client_ext_md_file}" ]
+then
+ # Client cert serial matches
+ update_status "X509 serial matched"
+ # Get client metadata_string
+ metadata_string="$("${EASYTLS_CAT}" "${client_ext_md_file}")"
+ [ -n "${metadata_string}" ] || \
+ fail_and_exit "failed to read client_ext_md_file" 18
+ # Populate client metadata variables
+ client_metadata_string_to_vars $metadata_string
+ [ -n "${c_tlskey_serial}" ] || \
+ fail_and_exit "failed to set c_tlskey_serial" 19
+ unset metadata_string
+ update_status "client_ext_md_file loaded"
+else
+ # cert serial does not match - ALWAYS fail
+ [ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
+fi
 
 : << COMMENT
 # allow_no_check
@@ -496,7 +513,16 @@ connection_allowed
 # There is only one way out of this...
 if [ $absolute_fail -eq 0 ]
 then
- conn_trac_disconnect
+ # Update connection tracking
+ conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
+ conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
+ conn_trac_record="${conn_trac_record}=${untrusted_ip}"
+ conn_trac_record="${conn_trac_record}=${untrusted_port}"
+ conn_trac_disconnect "${conn_trac_record}"
+
+ # Delete files which are no longer needed
+ delete_metadata_files
+
 # All is well
 verbose_print " ${status_msg}"
 [ $EASYTLS_FOR_WINDOWS ] && "${EASYTLS_PRINTF}" "%s\n" \
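Review bot: `client_metadata_string_to_vars $metadata_string` deliberately leaves the expansion unquoted so the fields split into positional parameters, but pathname expansion applies to the same expansion, so a field containing `*`, `?` or `[` would be replaced by whatever file names in the current directory match before the function sees it. Disabling globbing around the call keeps the split and removes that effect: `set -f; client_metadata_string_to_vars $metadata_string; set +f` (the script is POSIX sh, so `set -f` is available). The split also depends on the current `IFS`, which nothing in this hunk pins; if the fields are separated by a single space, setting `IFS=' '` for the call would make the layout explicit. A comment above the call stating that the file written by the tls-verify hook is one whitespace-separated line of nine fields would document the contract this code depends on.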
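Review bot: `conn_trac_disconnect "${conn_trac_record}"` runs unconditionally, but the lib that defines it is only sourced when `ENABLE_CONN_TRAC` is set (earlier in this patch), and the removed in-script version carried its own `[ $ENABLE_CONN_TRAC ] || return 0` guard, so with conn-trac disabled every disconnect now hits an undefined command. Guard the call the way the sourcing is guarded: `[ $ENABLE_CONN_TRAC ] && conn_trac_disconnect "${conn_trac_record}"`, or wrap the whole record-building block in that test. Nothing in the visible hunks assigns `g_tlskey_serial` or `g_md_serial` (`generic_ext_md_file` is built but never read), so on the `ignore_x509_mismatch` path the record would begin with `==`; if those are set outside this patch a short comment naming where would help, otherwise the record should be skipped when `c_tlskey_serial` is empty. The `if` block continues past the end of the hunk.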