summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Kubec <niel@rtfm.cz>2015-04-05 00:10:37 +0200
committerDavid Sommerseth <davids@redhat.com>2015-10-10 00:03:07 +0200
commitf7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec (patch)
treedb04092f643139b146b822522b1a52baa8f2edd0
parent84604e0bae7216b46642d5a1a443b86f712d53aa (diff)
downloadopenvpn-f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec.zip
openvpn-f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec.tar.gz
openvpn-f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec.tar.xz
sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
A simple plug-in with a corresponding HTTP server and client which can authenticate an HTTP user based on the authentication already done via an established OpenVPN connection [DS: Renamed the module at commit time from sso to keyingmaterialexporter to avoid confusion with other Single-Sign-On solutions. Updated documentation and commits accordingly. Added --pull to the client config] Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
-rw-r--r--sample/sample-plugins/keying-material-exporter-demo/README68
-rwxr-xr-xsample/sample-plugins/keying-material-exporter-demo/build15
-rw-r--r--sample/sample-plugins/keying-material-exporter-demo/client.ovpn18
-rwxr-xr-xsample/sample-plugins/keying-material-exporter-demo/http-client.py20
-rwxr-xr-xsample/sample-plugins/keying-material-exporter-demo/http-server.py41
-rw-r--r--sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c269
-rw-r--r--sample/sample-plugins/keying-material-exporter-demo/server.ovpn18
7 files changed, 449 insertions, 0 deletions
diff --git a/sample/sample-plugins/keying-material-exporter-demo/README b/sample/sample-plugins/keying-material-exporter-demo/README
new file mode 100644
index 0000000..a245d23
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/README
@@ -0,0 +1,68 @@
+OpenVPN plugin examples. Daniel Kubec <niel@rtfm.cz>
+
+Examples provided:
+
+keyingmaterialexporter.c -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705]
+ (openvpn/doc/keying-material-exporter.txt)
+
+This example demonstrates authenticating a user over HTTP who have already
+established an OpenVPN connecting using the --keying-material-exporter
+feature.
+
+Requires:
+OpenVPN RFC-5705 Support, OpenSSL >= 1.0.1
+
+Files:
+ http-server.py -- Example HTTP Server listen 0.0.0.0:8080
+ http-client.py -- Example HTTP Client connect 10.8.0.1:8080 [GET /$SESSIONID]
+
+ server.ovpn -- Example HTTP SSO VPN Server configuration
+ client.ovpn -- Example HTTP SSO VPN Client configuration
+
+ keyingmaterialexporter.c,
+ keyingmaterialexporter.so -- Example OpenVPN Client and Server plugin
+
+To build:
+ ./build keyingmaterialexporter
+
+To use in OpenVPN:
+
+Enter openvpn/sample/sample-plugins/keyingmaterialexporter directory
+and in separate terminals, start these four processes:
+
+$ openvpn --config ./server.ovpn
+$ openvpn --config ./client.ovpn
+$ ./http-server.py
+$ ./http-client.py
+
+Test:
+
+openvpn --config ./server.ovpn
+##############################
+
+PLUGIN SSO: app session created
+PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0
+PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd
+PLUGIN SSO: app session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd
+PLUGIN SSO: app session user: Test-Client
+
+openvpn --config ./client.ovpn
+##############################
+PLUGIN SSO: app session created
+PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0
+PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd
+PLUGIN SSO: app session file: /tmp/openvpn_sso_user
+PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_FINAL status=0
+
+HTTP_SERVER:
+http-server.py
+################
+http server started
+session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd
+10.8.0.1 - - [02/Apr/2015 15:03:33] "GET /a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP/1.1" 200 -
+session user: Test-Client
+session key: a5885abc84d361803f58ede1ef9c0adf99e720cd
+
+HTTP_SERVER:
+http-client.py
+<html><body><h1>Greetings Test-Client. You are authorized</h1></body></html>
diff --git a/sample/sample-plugins/keying-material-exporter-demo/build b/sample/sample-plugins/keying-material-exporter-demo/build
new file mode 100755
index 0000000..bbb05f7
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/build
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../..}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/keying-material-exporter-demo/client.ovpn b/sample/sample-plugins/keying-material-exporter-demo/client.ovpn
new file mode 100644
index 0000000..f02087b
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/client.ovpn
@@ -0,0 +1,18 @@
+tls-client
+pull
+
+keying-material-exporter "EXPORTER_SSO_TEST" 16
+reneg-sec 0
+
+ca ../../sample-keys/ca.crt
+cert ../../sample-keys/client.crt
+key ../../sample-keys/client.key
+
+plugin ./keyingmaterialexporter.so
+
+remote 127.0.0.1 1194
+proto udp
+dev tun
+nobind
+
+verb 4
diff --git a/sample/sample-plugins/keying-material-exporter-demo/http-client.py b/sample/sample-plugins/keying-material-exporter-demo/http-client.py
new file mode 100755
index 0000000..e0570b3
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/http-client.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python
+import sys
+import os
+import httplib
+
+f = '/tmp/openvpn_sso_user'
+with open (f, "r") as myfile:
+ session_key = myfile.read().replace('\n', '')
+
+conn = httplib.HTTPConnection("10.8.0.1:8080")
+conn.request("GET", "/" + session_key)
+r1 = conn.getresponse()
+
+if r1.status == 200:
+ body = r1.read().rstrip()
+ print body
+elif r1.status == 404:
+ print "Authentication failed"
+else:
+ print r1.status, r1.reason
diff --git a/sample/sample-plugins/keying-material-exporter-demo/http-server.py b/sample/sample-plugins/keying-material-exporter-demo/http-server.py
new file mode 100755
index 0000000..45381b5
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/http-server.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+import os
+
+class ExampleHTTPRequestHandler(BaseHTTPRequestHandler):
+
+ def do_GET(self):
+ session_key = os.path.basename(self.path)
+ file = '/tmp/openvpn_sso_' + session_key
+ print 'session file: ' + file
+ try:
+ f = open(file)
+ #send code 200 response
+ self.send_response(200)
+ #send header first
+ self.send_header('Content-type','text-html')
+ self.end_headers()
+ #send file content to client
+ user = f.read().rstrip()
+ print 'session user: ' + user
+ print 'session key: ' + session_key
+ self.wfile.write('<html><body><h1>Greetings ' + user \
+ + '. You are authorized' \
+ '</h1>' \
+ '</body></html>')
+ f.close()
+ return
+ except IOError:
+ self.send_error(404, 'authentication failed')
+
+def run():
+ #ip and port of servr
+ #by default http server port is 80
+ server_address = ('0.0.0.0', 8080)
+ httpd = HTTPServer(server_address, ExampleHTTPRequestHandler)
+ print('http server started')
+ httpd.serve_forever()
+ print('http server stopped')
+
+if __name__ == '__main__':
+ run()
diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
new file mode 100644
index 0000000..b0240b8
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -0,0 +1,269 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a Sample (HTTP) SSO OpenVPN plugin module
+ *
+ * See the README file for build instructions.
+ */
+
+#define ENABLE_CRYPTO
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+#ifndef MAXPATH
+#define MAXPATH 1024
+#endif
+
+#define ovpn_err(fmt, ...) \
+ plugin->log(PLOG_ERR, "SSO", fmt , ## __VA_ARGS__)
+#define ovpn_dbg(fmt, ...) \
+ plugin->log(PLOG_DEBUG, "SSO", fmt , ## __VA_ARGS__)
+#define ovpn_note(fmt, ...) \
+ plugin->log(PLOG_NOTE, "SSO", fmt , ## __VA_ARGS__)
+
+enum endpoint { CLIENT = 1, SERVER = 2 };
+
+struct plugin {
+ plugin_log_t log;
+ enum endpoint type;
+ int mask;
+};
+
+struct session {
+ char user[48];
+ char key [48];
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+
+static const char *
+get_env(const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3 (const int version,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *rv)
+{
+ struct plugin *plugin = calloc (1, sizeof(*plugin));
+
+ plugin->type = get_env ("remote_1", args->envp) ? CLIENT : SERVER;
+ plugin->log = args->callbacks->plugin_log;
+
+ plugin->mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+ plugin->mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY);
+
+ ovpn_note("vpn endpoint type=%s",plugin->type == CLIENT ? "client":"server");
+
+ rv->type_mask = plugin->mask;
+ rv->handle = (void *)plugin;
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static void
+session_user_set(struct session *sess, X509 *x509)
+{
+ int fn_nid;
+ ASN1_OBJECT *fn;
+ ASN1_STRING *val;
+ X509_NAME *x509_name;
+ X509_NAME_ENTRY *ent;
+ const char *objbuf;
+
+ x509_name = X509_get_subject_name (x509);
+ int i, n = X509_NAME_entry_count (x509_name);
+ for (i = 0; i < n; ++i)
+ {
+ if (!(ent = X509_NAME_get_entry (x509_name, i)))
+ continue;
+ if (!(fn = X509_NAME_ENTRY_get_object (ent)))
+ continue;
+ if (!(val = X509_NAME_ENTRY_get_data (ent)))
+ continue;
+ if ((fn_nid = OBJ_obj2nid (fn)) == NID_undef)
+ continue;
+ if (!(objbuf = OBJ_nid2sn (fn_nid)))
+ continue;
+ /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ unsigned char *buf = (unsigned char *)1;
+ if (ASN1_STRING_to_UTF8 (&buf, val) <= 0)
+ continue;
+
+ if (!strncasecmp(objbuf, "CN", 2))
+ snprintf(sess->user, sizeof(sess->user) - 1, (char *)buf);
+
+ OPENSSL_free (buf);
+ }
+}
+
+static int
+tls_verify(struct openvpn_plugin_args_func_in const *args)
+{
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
+
+ /* we store cert subject for the server end point only */
+ if (plugin->type != SERVER)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+
+ if (!args->current_cert) {
+ ovpn_err("this example plugin requires client certificate");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ session_user_set(sess, args->current_cert);
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static void
+file_store(char *file, char *content)
+{
+ FILE *f;
+ if (!(f = fopen(file, "w+")))
+ return;
+
+ fprintf(f, "%s", content);
+ fclose(f);
+}
+
+static void
+server_store(struct openvpn_plugin_args_func_in const *args)
+{
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
+
+ char file[MAXPATH];
+ snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key);
+ ovpn_note("app session file: %s", file);
+ file_store(file, sess->user);
+}
+
+static void
+client_store(struct openvpn_plugin_args_func_in const *args)
+{
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
+
+ char *file = "/tmp/openvpn_sso_user";
+ ovpn_note("app session file: %s", file);
+ file_store(file, sess->key);
+}
+
+static int
+tls_final(struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *rv)
+{
+ struct plugin *plugin = (struct plugin *)args->handle;
+ struct session *sess = (struct session *)args->per_client_context;
+
+ const char *key;
+ if (!(key = get_env ("exported_keying_material", args->envp)))
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+
+ snprintf(sess->key, sizeof(sess->key) - 1, "%s", key);
+ ovpn_note("app session key: %s", sess->key);
+
+ switch (plugin->type) {
+ case SERVER:
+ server_store(args);
+ break;
+ case CLIENT:
+ client_store(args);
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+
+ ovpn_note("app session user: %s", sess->user);
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v3 (const int version,
+ struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *rv)
+{
+ switch(args->type) {
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ return tls_verify(args);
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ return tls_final(args, rv);
+ }
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void *
+openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
+{
+ struct plugin *plugin = (struct plugin *)handle;
+ struct session *sess = calloc (1, sizeof(*sess));
+
+ ovpn_note("app session created");
+
+ return (void *)sess;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx)
+{
+ struct plugin *plugin = (struct plugin *)handle;
+ struct session *sess = (struct session *)ctx;
+
+ ovpn_note("app session key: %s", sess->key);
+ ovpn_note("app session destroyed");
+
+ free (sess);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin *plugin = (struct plugin *)handle;
+ free (plugin);
+}
diff --git a/sample/sample-plugins/keying-material-exporter-demo/server.ovpn b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
new file mode 100644
index 0000000..5c670b1
--- /dev/null
+++ b/sample/sample-plugins/keying-material-exporter-demo/server.ovpn
@@ -0,0 +1,18 @@
+tls-server
+reneg-sec 0
+
+keying-material-exporter "EXPORTER_SSO_TEST" 16
+duplicate-cn
+
+plugin ./keyingmaterialexporter.so
+ca ../../sample-keys/ca.crt
+cert ../../sample-keys/server.crt
+key ../../sample-keys/server.key
+dh ../../sample-keys/dh2048.pem
+
+server 10.8.0.0 255.255.255.0
+port 1194
+proto udp
+dev tun
+
+verb 4