It's a long mail with lots of code and logs, so in short:

Issue 1: a case-insensitive match should be used in parse_reply() from src/worker-auth.c.
Issue 2: the groups read from the cert are not assigned to ws->groupname, which makes the group-selecting message prompted all the time. The code was committed on June 26.

I was using ocserv cloned from the git repo after my last bug-reporting mail:

commit e48ad13e82f0340cb755815bfdf2ee8f802f9eac
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Wed Jun 25 10:11:00 2014 +0200

    Set the applicable DNS and NBNS servers in complete_vpn_info().

Then I tried to upgrade to 0.8.4, and "Please select your group" is prompted. (I downgraded to 0.8.1, 0.8.2, 0.8.3: same.) Debug messages are pasted below.

ocserv[18925]: TLS[<4>]: REC[0xebb060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[18925]: TLS[<9>]: ENC[0xebb060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Sent Packet[2] Application Data(23) in epoch 1 and length: 533
ocserv[18925]: TLS[<4>]: REC[0xebb060]: SSL 3.1 Application Data packet received. Epoch 0, length: 608
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Expected Packet Application Data(23)
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Received Packet Application Data(23) with length: 608
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Decrypted Packet[2] Application Data(23) with length: 578
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.09440
ocserv[18925]: worker: ip.ip.ip.ip:55081 User-agent: 'AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.'
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Host: sskaje.me:xxxx
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Accept: */*
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Accept-Encoding: identity
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Transcend-Version: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Transcend-Version: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UUIDUUIDUUIDUUIDUUIDUUIDUUID
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Aggregate-Auth: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Content-Length: 16
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP POST /auth
ocserv[18925]: worker: ip.ip.ip.ip:55081 POST body: 'group%5Flist=vpn'
ocserv[18925]: worker: ip.ip.ip.ip:55081 cannot find 'group%5flist' in client message
ocserv[18925]: worker: ip.ip.ip.ip:55081 cannot find 'group_list' in client message
ocserv[18925]: worker: ip.ip.ip.ip:55081 failed reading groupname
ocserv[18925]: worker: ip.ip.ip.ip:55081 user has not selected a group
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[18925]: TLS[<9>]: ENC[0xebb060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Sent Packet[3] Application Data(23) in epoch 1 and length: 533
ocserv[18925]: TLS[<4>]: REC[0xebb060]: SSL 3.1 Alert packet received. Epoch 0, length: 32
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Expected Packet Application Data(23)
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Received Packet Alert(21) with length: 32
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Decrypted Packet[3] Alert(21) with length: 2
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Alert[1|0] - Close notify - was received

The relevant lines:

POST body: 'group%5Flist=vpn'
cannot find 'group%5flist' in client message
cannot find 'group_list' in client message
failed reading groupname
user has not selected a group

As shown above, the POST body is group%5Flist=vpn. In src/worker-auth.c, I added some lines of debug code (from the 0.8.4 release):

#define GROUPNAME_FIELD "group%5flist"
#define GROUPNAME_FIELD2 "group_list"
#define GROUPNAME_FIELD_XML "group-select"
...
int post_auth_handler(worker_st * ws, unsigned http_ver)
...
	ret = parse_reply(ws, req->body, req->body_length,
			  GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
			  GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
			  &groupname);
	oclog(ws, LOG_DEBUG, "Groups ret: %d", ret);
	if (ret > -1) {
		oclog(ws, LOG_DEBUG, "Groupname: %s", groupname);
	}
	if (ret < 0) {
		ret = parse_reply(ws, req->body, req->body_length,
				  GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
				  GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
				  &groupname);
		oclog(ws, LOG_DEBUG, "Groups ret: %d", ret);
		if (ret > -1) {
			oclog(ws, LOG_DEBUG, "Groupname: %s", groupname);
		}
		oclog(ws, LOG_DEBUG, "body[len]: %s[%d]", req->body, (int)req->body_length);
	}
	oclog(ws, LOG_DEBUG, "groupname=%s, ws->config->default_select_group: %s, ws->groupname=%s",
	      groupname, ws->config->default_select_group, ws->groupname);
	if (ret < 0) {
		oclog(ws, LOG_DEBUG, "failed reading groupname");
	} else if (ws->config->default_select_group == NULL ||
		   strcmp(groupname, ws->config->default_select_group) != 0) {
		snprintf(ws->groupname, sizeof(ws->groupname), "%s", groupname);
		ireq.group_name = ws->groupname;
		oclog(ws, LOG_DEBUG, "Groupname in cmp: %s", groupname);
	}
	talloc_free(groupname);
...
	oclog(ws, LOG_DEBUG, "cert_groups_size=%d, groupname=%s", ws->cert_groups_size, ws->groupname);
	if (ws->cert_groups_size > 0 && ws->groupname[0] == 0) {
		oclog(ws, LOG_DEBUG, "user has not selected a group");
		return get_auth_handler2(ws, http_ver, "Please select your group");
	}
...

Both ret values logged are -1 by default. I changed GROUPNAME_FIELD to group%5Flist:

ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Length: 353
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP POST /
ocserv[11365]: worker: ip.ip.ip.ip:51690 POST body: '<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UUIDUUIDUUIDUUIDUUIDUUIDUUID">apple-ios</device-id>
<version who="vpn">3.0.09440</version>
<group-select>vpn</group-select>
<group-access>https://sskaje.me:xxxx/</group-access>
</config-auth>
'
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groups ret: 0
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groupname: vpn
ocserv[11365]: worker: ip.ip.ip.ip:51690 groupname=vpn, ws->config->default_select_group: vpn, ws->groupname=
ocserv[11365]: TLS[<2>]: ASSERT: common.c:1792
ocserv[11365]: TLS[<2>]: ASSERT: dn.c:310
ocserv[11365]: TLS[<2>]: ASSERT: dn.c:420
ocserv[11365]: TLS[<2>]: ASSERT: x509.c:507
ocserv[11365]: worker: ip.ip.ip.ip:51690 cert_groups_size=1, groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 user has not selected a group
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[11365]: TLS[<9>]: ENC[0x1d98060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Sent Packet[2] Application Data(23) in epoch 1 and length: 533
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: SSL 3.1 Application Data packet received. Epoch 0, length: 608
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Expected Packet Application Data(23)
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Received Packet Application Data(23) with length: 608
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Decrypted Packet[2] Application Data(23) with length: 578
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.09440
ocserv[11365]: worker: ip.ip.ip.ip:51690 User-agent: 'AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.'
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Host: sskaje.me:xxxx
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Accept: */*
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Accept-Encoding: identity
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Transcend-Version: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Transcend-Version: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UUIDUUIDUUIDUUIDUUIDUUIDUUID
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Aggregate-Auth: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Length: 16
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP POST /auth
ocserv[11365]: worker: ip.ip.ip.ip:51690 POST body: 'group%5Flist=vpn'
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groups ret: 0
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groupname: vpn
ocserv[11365]: worker: ip.ip.ip.ip:51690 groupname=vpn, ws->config->default_select_group: vpn, ws->groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 cert_groups_size=1, groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 user has not selected a group
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[11365]: TLS[<9>]: ENC[0x1d98060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1

sskaje
http://sskaje.me/
sskaje at gmail.com
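An added example illustrating Issue 1 (my code, not ocserv's and not from the mail above): rather than matching the encoded field name, percent-decode each field name before comparing, so `group%5Flist`, `group%5flist` and `group_list` all resolve to the same key, which removes the need for the two-spelling lookup. The helpers `form_get` and `form_decode` are assumed names, not ocserv functions, and the bodies in the test are constructed.

```c
/* Added example, not ocserv code. RFC 3986 makes the hex digits of a
 * percent-escape case-insensitive, so compare DECODED names, not raw ones. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int hexval(int c) {
	if (c >= '0' && c <= '9') return c - '0';
	c = tolower(c);
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode n bytes of form-encoded s into out (cap incl. NUL); -1 if malformed. */
static int form_decode(const char *s, size_t n, char *out, size_t cap) {
	size_t i, o = 0;
	for (i = 0; i < n; i++) {
		int c = (unsigned char)s[i];
		if (c == '%') {
			if (i + 2 >= n) return -1;              /* truncated escape */
			int hi = hexval((unsigned char)s[i + 1]);
			int lo = hexval((unsigned char)s[i + 2]);
			if (hi < 0 || lo < 0) return -1;        /* non-hex digit */
			c = hi * 16 + lo;                       /* %5F and %5f -> '_' */
			i += 2;
		} else if (c == '+') c = ' ';
		if (o + 1 >= cap) return -1;                    /* no room for NUL */
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return (int)o;
}

/* Copy the decoded value of field `name` (given decoded) into val; 0 found, -1 not. */
int form_get(const char *body, size_t len, const char *name, char *val, size_t cap) {
	const char *p = body, *end = body + len;
	char key[64];
	while (p < end) {
		const char *amp = memchr(p, '&', (size_t)(end - p));
		const char *pend = amp ? amp : end;            /* end of this pair */
		const char *eq = memchr(p, '=', (size_t)(pend - p));
		size_t klen = (size_t)((eq ? eq : pend) - p);
		if (form_decode(p, klen, key, sizeof key) >= 0 && strcmp(key, name) == 0) {
			const char *v = eq ? eq + 1 : pend;
			return form_decode(v, (size_t)(pend - v), val, cap) < 0 ? -1 : 0;
		}
		p = amp ? amp + 1 : end;
	}
	return -1;
}
```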