ocserv: user group not assigned when using certificate authentication
sskaje
sskaje at gmail.com
Wed Aug 27 21:06:19 PDT 2014
It’s a long mail with lots of code and logs; in short:
Issue 1: a case-insensitive match should be used in parse_reply() from src/worker-auth.c
Issue 2: the group read from the cert is not assigned to ws->groupname, which makes the group-selection message be prompted all the time.
The code was committed on June 26.
I was using ocserv cloned from the git repo after my last bug-reporting mail,
commit e48ad13e82f0340cb755815bfdf2ee8f802f9eac
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Wed Jun 25 10:11:00 2014 +0200
Set the applicable DNS and NBNS servers in complete_vpn_info().
Then I tried to upgrade to 0.8.4, and “Please select your group” was prompted. (I downgraded to 0.8.1, 0.8.2 and 0.8.3; same.)
Debug messages pasted:
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[18925]: TLS[<9>]: ENC[0xebb060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Sent Packet[2] Application Data(23) in epoch 1 and length: 533
ocserv[18925]: TLS[<4>]: REC[0xebb060]: SSL 3.1 Application Data packet received. Epoch 0, length: 608
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Expected Packet Application Data(23)
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Received Packet Application Data(23) with length: 608
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Decrypted Packet[2] Application Data(23) with length: 578
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.09440
ocserv[18925]: worker: ip.ip.ip.ip:55081 User-agent: 'AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.'
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Host: sskaje.me:xxxx
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Accept: */*
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Accept-Encoding: identity
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Transcend-Version: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Transcend-Version: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UUIDUUIDUUIDUUIDUUIDUUIDUUID
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: X-Aggregate-Auth: 1
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Content-Length: 16
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[18925]: worker: ip.ip.ip.ip:55081 HTTP POST /auth
ocserv[18925]: worker: ip.ip.ip.ip:55081 POST body: 'group%5Flist=vpn'
ocserv[18925]: worker: ip.ip.ip.ip:55081 cannot find 'group%5flist' in client message
ocserv[18925]: worker: ip.ip.ip.ip:55081 cannot find 'group_list' in client message
ocserv[18925]: worker: ip.ip.ip.ip:55081 failed reading groupname
ocserv[18925]: worker: ip.ip.ip.ip:55081 user has not selected a group
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[18925]: TLS[<9>]: ENC[0xebb060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Sent Packet[3] Application Data(23) in epoch 1 and length: 533
ocserv[18925]: TLS[<4>]: REC[0xebb060]: SSL 3.1 Alert packet received. Epoch 0, length: 32
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Expected Packet Application Data(23)
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Received Packet Alert(21) with length: 32
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Decrypted Packet[3] Alert(21) with length: 2
ocserv[18925]: TLS[<4>]: REC[0xebb060]: Alert[1|0] - Close notify - was received
POST body: 'group%5Flist=vpn'
cannot find 'group%5flist' in client message
cannot find 'group_list' in client message
failed reading groupname
user has not selected a group
As shown above, the POST body is
group%5Flist=vpn
In src/worker-auth.c, I added some lines of debug code (from the 0.8.4 release):
#define GROUPNAME_FIELD "group%5flist"
#define GROUPNAME_FIELD2 "group_list"
#define GROUPNAME_FIELD_XML "group-select"
...
int post_auth_handler(worker_st * ws, unsigned http_ver)
...
	ret = parse_reply(ws, req->body, req->body_length,
			  GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
			  GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
			  &groupname);
	oclog(ws, LOG_DEBUG, "Groups ret: %d", ret);
	if (ret > -1) {
		oclog(ws, LOG_DEBUG, "Groupname: %s", groupname);
	}
	if (ret < 0) {
		ret = parse_reply(ws, req->body, req->body_length,
				  GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
				  GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
				  &groupname);
		oclog(ws, LOG_DEBUG, "Groups ret: %d", ret);
		if (ret > -1) {
			oclog(ws, LOG_DEBUG, "Groupname: %s", groupname);
		}
		oclog(ws, LOG_DEBUG, "body[len]: %s[%d]", req->body, (int)req->body_length);
	}
	oclog(ws, LOG_DEBUG, "groupname=%s, ws->config->default_select_group: %s, ws->groupname=%s", groupname, ws->config->default_select_group, ws->groupname);
	if (ret < 0) {
		oclog(ws, LOG_DEBUG, "failed reading groupname");
	} else if (ws->config->default_select_group == NULL ||
		   strcmp(groupname, ws->config->default_select_group) != 0) {
		snprintf(ws->groupname, sizeof(ws->groupname), "%s",
			 groupname);
		ireq.group_name = ws->groupname;
		oclog(ws, LOG_DEBUG, "Groupname in cmp: %s", groupname);
	}
	talloc_free(groupname);
...
	oclog(ws, LOG_DEBUG, "cert_groups_size=%d, groupname=%s", ws->cert_groups_size, ws->groupname);
	if (ws->cert_groups_size > 0 && ws->groupname[0] == 0) {
		oclog(ws, LOG_DEBUG, "user has not selected a group");
		return get_auth_handler2(ws, http_ver, "Please select your group");
	}
...
...
Both ret values logged are -1 by default.
I changed GROUPNAME_FIELD to group%5Flist:
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Length: 353
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP POST /
ocserv[11365]: worker: ip.ip.ip.ip:51690 POST body: '<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UUIDUUIDUUIDUUIDUUIDUUIDUUID">apple-ios</device-id>
<version who="vpn">3.0.09440</version>
<group-select>vpn</group-select>
<group-access>https://sskaje.me:xxxx/</group-access>
</config-auth>
'
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groups ret: 0
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groupname: vpn
ocserv[11365]: worker: ip.ip.ip.ip:51690 groupname=vpn, ws->config->default_select_group: vpn, ws->groupname=
ocserv[11365]: TLS[<2>]: ASSERT: common.c:1792
ocserv[11365]: TLS[<2>]: ASSERT: dn.c:310
ocserv[11365]: TLS[<2>]: ASSERT: dn.c:420
ocserv[11365]: TLS[<2>]: ASSERT: x509.c:507
ocserv[11365]: worker: ip.ip.ip.ip:51690 cert_groups_size=1, groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 user has not selected a group
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[11365]: TLS[<9>]: ENC[0x1d98060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Sent Packet[2] Application Data(23) in epoch 1 and length: 533
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: SSL 3.1 Application Data packet received. Epoch 0, length: 608
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Expected Packet Application Data(23)
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Received Packet Application Data(23) with length: 608
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Decrypted Packet[2] Application Data(23) with length: 578
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.09440
ocserv[11365]: worker: ip.ip.ip.ip:51690 User-agent: 'AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.'
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Host: sskaje.me:xxxx
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Accept: */*
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Accept-Encoding: identity
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Transcend-Version: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Transcend-Version: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UUIDUUIDUUIDUUIDUUIDUUIDUUID
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: X-Aggregate-Auth: 1
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Length: 16
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[11365]: worker: ip.ip.ip.ip:51690 HTTP POST /auth
ocserv[11365]: worker: ip.ip.ip.ip:51690 POST body: 'group%5Flist=vpn'
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groups ret: 0
ocserv[11365]: worker: ip.ip.ip.ip:51690 Groupname: vpn
ocserv[11365]: worker: ip.ip.ip.ip:51690 groupname=vpn, ws->config->default_select_group: vpn, ws->groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 cert_groups_size=1, groupname=
ocserv[11365]: worker: ip.ip.ip.ip:51690 user has not selected a group
ocserv[11365]: TLS[<4>]: REC[0x1d98060]: Preparing Packet Application Data(23) with length: 506 and min pad: 0
ocserv[11365]: TLS[<9>]: ENC[0x1d98060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
sskaje
http://sskaje.me/
sskaje at gmail.com
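The root of Issue 1 above is that the iOS client sends the field name as group%5Flist (upper-case hex) while the server looks for the literal spellings group%5flist and group_list. RFC 3986 makes the hex digits of a percent-escape case-insensitive, so %5F and %5f are the same octet. The robust fix is not to enumerate spellings but to percent-decode each field name before comparing it. The following is an added example written for this post, not ocserv code: a small parser for an application/x-www-form-urlencoded body that decodes the key first, so all three spellings hit the same "group_list" lookup. The function names and the sample bodies are constructed for the example.

```c
/*
 * Added example (not ocserv's parse_reply): look up a field in an
 * application/x-www-form-urlencoded body by percent-decoding the key
 * before comparing, so "group%5Flist", "group%5flist" and "group_list"
 * all match the decoded name "group_list".
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Percent-decode src[0..len) into dst as a NUL-terminated string.
 * '+' becomes ' '. Returns the decoded length, or -1 on a truncated or
 * non-hex escape, or when dst is too small.
 */
static int url_decode(const char *src, size_t len, char *dst, size_t dst_size)
{
    size_t i, o = 0;

    for (i = 0; i < len; i++) {
        if (o + 1 >= dst_size)
            return -1;
        if (src[i] == '%') {
            int hi, lo;
            if (i + 2 >= len)          /* "%" or "%X" at end of input */
                return -1;
            hi = hexval((unsigned char)src[i + 1]);
            lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            dst[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/*
 * Find the field whose *decoded* name equals `name` (e.g. "group_list")
 * and copy its decoded value into `value`. Returns 0 on success, -1 if
 * the field is absent or its value is malformed. Pairs whose key fails
 * to decode are skipped rather than matched.
 */
int form_get_field(const char *body, size_t body_len, const char *name,
                   char *value, size_t value_size)
{
    size_t pos = 0;

    while (pos < body_len) {
        const char *pair = body + pos;
        size_t pair_len = body_len - pos;
        const char *amp = memchr(pair, '&', pair_len);
        const char *eq;
        size_t key_len;
        char key[128];

        if (amp)
            pair_len = (size_t)(amp - pair);
        eq = memchr(pair, '=', pair_len);
        key_len = eq ? (size_t)(eq - pair) : pair_len;

        if (eq && url_decode(pair, key_len, key, sizeof(key)) >= 0 &&
            strcmp(key, name) == 0) {
            if (url_decode(eq + 1, pair_len - key_len - 1,
                           value, value_size) < 0)
                return -1;
            return 0;
        }
        pos += pair_len + 1;   /* skip past the '&' (or past the end) */
    }
    return -1;
}

int main(void)
{
    /* Constructed bodies: the one from the iOS log, a lower-case variant,
     * and a plain underscore; all should resolve to the same group. */
    const char *bodies[] = { "group%5Flist=vpn", "group%5flist=vpn",
                             "foo=1&group_list=vpn&bar=2" };
    char group[64];
    size_t i;

    for (i = 0; i < sizeof(bodies) / sizeof(bodies[0]); i++) {
        int rc = form_get_field(bodies[i], strlen(bodies[i]), "group_list",
                                group, sizeof(group));
        printf("%-28s -> rc=%d group=%s\n", bodies[i], rc,
               rc == 0 ? group : "(none)");
    }
    return 0;
}
```

Decoding before comparing also closes the gap a case-insensitive string compare would leave open: a compare against the literal "group%5flist" would still miss a client that does not escape the underscore at all, whereas the decoded name is the same in every case. Malformed escapes in a key are treated as a non-match and in a value as an error, so an odd client cannot make a half-decoded name line up with a privileged field name.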