Skip to content

Commit

Permalink
Use conn-trac lib and remove TLS-Crypt-V2 key serial temp-file
Browse files Browse the repository at this point in the history
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
  • Loading branch information
TinCanTech committed Aug 12, 2021
1 parent 643937a commit 77deccf
Showing 1 changed file with 80 additions and 54 deletions.
134 changes: 80 additions & 54 deletions easytls-client-disconnect.sh
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ VERBATUM_COPYRIGHT_HEADER_INCLUDE_NEGOTIABLE
help_text ()
{
help_msg="
easytls-client-connect.sh
easytls-client-disconnect.sh
This script is intended to be used by tls-crypt-v2 client keys
generated by EasyTLS. See: https://github.com/TinCanTech/easy-tls
Expand Down Expand Up @@ -106,7 +106,6 @@ die ()
fail_and_exit ()
{
delete_metadata_files
#verbose_print "${status_msg}"
print "<FAIL> ${status_msg}"
print "${failure_msg}"
print "${1}"
Expand Down Expand Up @@ -156,20 +155,10 @@ format_number ()
# Allow connection
connection_allowed ()
{
delete_metadata_files
absolute_fail=0
update_status "disconnection success"
}

# Update connection tacking - disconnect
conn_trac_disconnect ()
{
[ $ENABLE_CONN_TRAC ] || return 0
"${EASYTLS_SED}" -i "/^${tlskey_serial}\$/d" "${EASYTLS_CONN_TRAC}"
update_status "TLS-Crypt-V2 key removed from conn-trac"
[ -s "${EASYTLS_CONN_TRAC}" ] || "${EASYTLS_RM}" -f "${EASYTLS_CONN_TRAC}"
} # => conn_trac_disconnect ()

# Initialise
init ()
{
Expand Down Expand Up @@ -235,28 +224,40 @@ deps ()
# Test temp dir
[ -d "${EASYTLS_tmp_dir}" ] || exit 60

# Temp files name stub
temp_stub="${EASYTLS_tmp_dir}/easytls"

# Windows log
EASYTLS_WLOG="${EASYTLS_tmp_dir}/easytls-client-connect-${EASYTLS_srv_pid}.log."
EASYTLS_WLOG="${temp_stub}-client-disconnect-${EASYTLS_srv_pid}.log."

# TLS-Crypt-V2 key serial file
#EASYTLS_V2KEY_SERIAL_FILE="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.tks"
if [ -f "${auth_control_file}" ]
then
awk_script='{if(FNR == 1) print $1}'
tlskey_serial="$("${EASYTLS_AWK}" "${awk_script}" "${auth_control_file}")"
unset awk_script
else
# Not using auth-user-pass-verify
tlskey_serial="00000000000000000000000000000000"
fi

# Conn track
EASYTLS_CONN_TRAC="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.ct"
EASYTLS_CONN_TRAC="${temp_stub}-${EASYTLS_srv_pid}.ct"

# Kill client file
EASYTLS_KILL_FILE="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}.kc"
EASYTLS_KILL_FILE="${temp_stub}-${EASYTLS_srv_pid}.kc"
}

# client metadata_string into variables
client_metadata_string_to_vars ()
{
c_tlskey_serial="${1%%-*}"
c_md_seed="${metadata_string#*-}"
#md_padding="${md_seed%%--*}"
c_md_easytls_ver="${1#*--}"
c_md_easytls="${md_easytls_ver%-*.*}"

c_md_identity="${2%%-*}"
#md_srv_name="${2##*-}"

c_md_serial="${3}"
c_md_date="${4}"
c_md_custom_g="${5}"
c_md_name="${6}"
c_md_subkey="${7}"
c_md_opt="${8}"
c_md_hwadds="${9}"
} # => metadata_string_to_vars ()

#######################################

# Initialise
Expand Down Expand Up @@ -349,6 +350,26 @@ else
update_status "Not loaded: ${vars_file}"
fi

# Write env file
[ $write_env ] && {
env_file="${temp_stub}-client-connect-${EASYTLS_srv_pid}.env"
if [ $EASYTLS_FOR_WINDOWS ]; then
set > "${env_file}"
else
env > "${env_file}"
fi
unset env_file
}

# Source conn-trac lib
[ $ENABLE_CONN_TRAC ] && {
prog_dir="${0%/*}"
lib_file="${prog_dir}/easytls-conn-trac.lib"
[ -f "${lib_file}" ] || die "Missing ${lib_file}"
. "${lib_file}"
unset lib_file
}

# Update log message
update_status "CN:${X509_0_CN}"

Expand All @@ -362,36 +383,32 @@ client_serial="$(format_number "${tls_serial_hex_0}")"
}

# easytls client metadata file
#generic_metadata_file="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}-gm"
#client_metadata_file="${EASYTLS_tmp_dir}/easytls-${EASYTLS_srv_pid}-${client_serial}"
generic_metadata_file="${temp_stub}-gmd-${EASYTLS_srv_pid}"
client_metadata_file="${temp_stub}-cmd-${EASYTLS_srv_pid}-${client_serial}"

# --tls-verify output to --client-connect
#generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
#client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"

# Check for kill signal
#if [ -f "${EASYTLS_KILL_FILE}" ] && \
# "${EASYTLS_GREP}" -q "${client_serial}" "${EASYTLS_KILL_FILE}"
#then
# # Kill client
# fail_and_exit "KILL_CLIENT" 5
#fi
generic_ext_md_file="${generic_metadata_file}-${untrusted_ip}-${untrusted_port}"
client_ext_md_file="${client_metadata_file}-${untrusted_ip}-${untrusted_port}"

# Verify client_ext_md_file
#if [ -f "${client_ext_md_file}" ]
#then
# # Client cert serial matches
# update_status "X509 serial matched"
#else
# # cert serial does not match - ALWAYS fail
# [ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
#fi

# Set hwaddr from Openvpn env
# This is not a dep. different clients may not push-peer-info
#push_hwaddr="$(format_number "${IV_HWADDR}")"
#[ -z "${push_hwaddr}" ] && \
# push_hwaddr_missing=1 && update_status "hwaddr not pushed"
if [ -f "${client_ext_md_file}" ]
then
# Client cert serial matches
update_status "X509 serial matched"
# Get client metadata_string
metadata_string="$("${EASYTLS_CAT}" "${client_ext_md_file}")"
[ -n "${metadata_string}" ] || \
fail_and_exit "failed to read client_ext_md_file" 18
# Populate client metadata variables
client_metadata_string_to_vars $metadata_string
[ -n "${c_tlskey_serial}" ] || \
fail_and_exit "failed to set c_tlskey_serial" 19
unset metadata_string
update_status "client_ext_md_file loaded"
else
# cert serial does not match - ALWAYS fail
[ $ignore_x509_mismatch ] || fail_and_exit "CLIENT X509 SERIAL MISMATCH" 7
fi

: << COMMENT
# allow_no_check
Expand Down Expand Up @@ -496,7 +513,16 @@ connection_allowed
# There is only one way out of this...
if [ $absolute_fail -eq 0 ]
then
conn_trac_disconnect
# Update connection tracking
conn_trac_record="${c_tlskey_serial:-${g_tlskey_serial}}"
conn_trac_record="${conn_trac_record}=${c_md_serial:-${g_md_serial}}"
conn_trac_record="${conn_trac_record}=${untrusted_ip}"
conn_trac_record="${conn_trac_record}=${untrusted_port}"
conn_trac_disconnect "${conn_trac_record}"

# Delete files which are no longer needed
delete_metadata_files

# All is well
verbose_print "<EXOK> ${status_msg}"
[ $EASYTLS_FOR_WINDOWS ] && "${EASYTLS_PRINTF}" "%s\n" \
Expand Down

1 comment on commit 77deccf

@TinCanTech
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.