author | jim-p <jimp@pfsense.org> | 2011-10-10 17:18:22 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-10-27 10:28:01 -0400 |
commit | 98963f2771f4ee7ac6c278a1b80f5c5e7ebfaa7d (patch) | |
tree | 35dc3a7fff9b3dce2f640519a8898b810495e573 /etc/inc | |
parent | 87b4deb2b2dae9013e6aa0fe490d6a5a04a27894 (diff) | |
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/openvpn.inc | 18 | ||||
-rw-r--r-- | etc/inc/openvpn.tls-verify.php | 77 |
2 files changed, 95 insertions, 0 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 74b640a..7408d50 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -71,6 +71,14 @@ $openvpn_dev_mode = array("tun", "tap");
 $openvpn_dh_lengths = array( 1024, 2048, 4096 );
+$openvpn_cert_depths = array(
+ 1 => "One (Client+Server)",
+ 2 => "Two (Client+Intermediate+Server)",
+ 3 => "Three (Client+2xIntermediate+Server)",
+ 4 => "Four (Client+3xIntermediate+Server)",
+ 5 => "Five (Client+4xIntermediate+Server)"
+);
+
 $openvpn_server_modes = array(
 'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
 'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"),
@@ -447,6 +455,16 @@ function openvpn_reconfigure($mode, $settings) {
 }
 break;
 }
+ if (is_numeric($settings['cert_depth'])) {
+ $sed = "";
+ $cert = lookup_cert($settings['certref']);
+ $servercn = cert_get_cn($cert['crt']);
+ $sed .= "\$server_cn = \"{$servercn}\";\\\n";
+ $sed .= "\$allowed_depth = {$settings['cert_depth']};\\\n";
+ mwexec("/bin/cat /etc/inc/openvpn.tls-verify.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
+ $conf .= "tls-verify {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php\n";
+ }
 // The local port to listen on
 $conf .= "lport {$settings['local_port']}\n";
diff --git a/etc/inc/openvpn.tls-verify.php b/etc/inc/openvpn.tls-verify.php
new file mode 100644
index 0000000..dd01645
--- /dev/null
+++ b/etc/inc/openvpn.tls-verify.php
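Review bot: In the second hunk the server certificate's CN (`$servercn`) and `cert_depth` are spliced unescaped into a single-quoted sed expression run through a shell, so a CN containing `/`, `&`, `\`, `'` or `"` either breaks the sed replacement (leaving a tls-verify script that fails to parse, which rejects every client) or lands arbitrary text inside a PHP file that OpenVPN later executes as root. The CN is admin-chosen rather than attacker-supplied, so this is a hardening and robustness problem rather than a remote hole, but it is cheap to avoid: generate the file in PHP with `var_export()`/`str_replace()`/`file_put_contents()` instead of `cat | sed`, and coerce the depth with `intval()` since `is_numeric()` also accepts floats and exponent notation. The generated script also does not need `chmod a+x`; an explicit mode makes the intent clearer. openvpn_reconfigure() begins and ends outside this hunk.
```php
	if (is_numeric($settings['cert_depth'])) {
		$cert = lookup_cert($settings['certref']);
		$servercn = cert_get_cn($cert['crt']);
		$verify_script = "{$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php";
		/* Emit PHP literals; never interpolate raw CN/depth text into a sed/shell pipeline */
		$vars  = '$server_cn = ' . var_export((string) $servercn, true) . ";\n";
		$vars .= '$allowed_depth = ' . intval($settings['cert_depth']) . ";\n";
		$template = file_get_contents("/etc/inc/openvpn.tls-verify.php");
		file_put_contents($verify_script, str_replace("//<template>", $vars, $template));
		chmod($verify_script, 0755);
		$conf .= "tls-verify {$verify_script}\n";
	}
```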
@@ -0,0 +1,77 @@
+#!/usr/local/bin/php -f
+<?php
+/* $Id$ */
+/*
+ openvpn.tls-verify.php
+
+ Copyright (C) 2011 Jim Pingle
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ DISABLE_PHP_LINT_CHECKING
+*/
+/*
+ pfSense_BUILDER_BINARIES:
+ pfSense_MODULE: openvpn
+*/
+/*
+ * OpenVPN calls this script to validate a certificate
+ * This script is called ONCE per DEPTH of the certificate chain
+ * Normal operation would have two runs - one for the server certificate
+ * and one for the client certificate. Beyond that, you're dealing with
+ * intermediates.
+ */
+
+require_once("globals.inc");
+require_once("config.inc");
+require_once("interfaces.inc");
+
+openlog("openvpn", LOG_ODELAY, LOG_AUTH);
+
+/* read data from command line */
+$cert_depth = intval($argv[1]);
+$cert_subject = $argv[2];
+
+/* Reserved for future use in case we decide to verify CNs and such as well
+$subj = explode("/", $cert_subject);
+foreach ($subj at $s) {
+ list($n, $v) = explode("=", $s);
+ if ($n == "CN")
+ $common_name = $v;
+}
+*/
+
+/* Replaced by sed with proper variables used below ( $server_cn and $allowed_depth ). */
+//<template>
+
+if (isset($allowed_depth) && ($cert_depth > $allowed_depth)) {
+ syslog(LOG_WARNING, "Certificate depth {$cert_depth} exceeded max allowed depth of {$allowed_depth}.\n");
+ exit(1);
+}
+
+// Debug
+syslog(LOG_WARNING, "Found certificate {$argv[2]} with depth {$cert_depth}\n");
+
+exit(0);
+
+?> |
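Review bot: The depth check at the bottom of this file is fail-open: if the `//<template>` marker is never substituted (template copied verbatim, sed failure, or a later rename of the marker), `$allowed_depth` is unset, the `isset()` guard skips the comparison and the script exits 0, so any chain depth is accepted and the GUI limit silently does nothing. Reject the certificate when the variable is missing, e.g. `if (!isset($allowed_depth)) { syslog(LOG_ERR, "tls-verify: allowed_depth not set, rejecting certificate\n"); exit(1); }` ahead of the existing comparison, so a broken generation step locks out rather than lets through. The per-handshake "Found certificate" line is logged at LOG_WARNING although it is labelled Debug; LOG_INFO or LOG_DEBUG keeps auth.log usable. The header comment says the two normal runs are for the server and client certificates, but if I read OpenVPN's manual correctly tls-verify is invoked with depth 0 for the peer's leaf and higher depths for its issuers, so on the server side the two runs are the client certificate and its CA — worth rewording so the depth semantics are not misread. The reserved CN loop also has `foreach ($subj at $s)` where `as` is meant, which will break whoever uncomments it.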