Hi Daniel,
as part of our many layers of security we have a policy to limit access
to the registered MAC addresses. As a result, I am utilizing this patch
to csd-post.sh. This might be useful to somebody else.
--- csd-post.sh.orig 2023-07-04 14:08:44.835890581 +0200
+++ csd-post.sh 2023-07-04 14:11:16.054802224 +0200
@@ -12,6 +12,23 @@
# server's security policy with lies. This script exists as an example
# to work from.
+if openssl version|awk '{ print $2 }' | grep -Eq '^3'; then
+ OPENSSL_CONF_FILE=$(mktemp)
+ cat << EOF > $OPENSSL_CONF_FILE
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation
+EOF
+ export OPENSSL_CONF=$OPENSSL_CONF_FILE
+fi
+
if ! xmlstarlet --version > /dev/null 2>&1; then
echo
"**********************************************************************
**" >&2
echo "WARNING: xmlstarlet not found in path; CSD token extraction
may not work" >&2
@@ -32,12 +49,45 @@
echo
"*********************************************************************"
>&2
fi
+USE_MACHINE_MAC=true
+if [[ "$USE_MACHINE_MAC" == "true" ]]; then
+ # Function to convert MAC address to the format FFFF.FFFF.FFFF
+ convert_mac_address() {
+ local mac_address=$1
+ echo "${mac_address//:}" | sed 's/^\([0-9A-Fa-f]\{4\}\)\([0-
9A-Fa-f]\{4\}\)\([0-9A-Fa-f]\{4\}\).*$/\1.\2.\3/'
+ }
+ macaddresses=()
+
+ while IFS= read -r -d '' device; do
+ device_name=$(basename "$device")
+ if [[ ! $device_name =~ (tap|virbr|lo|vpn) ]]; then
+ address_file="$device/address"
+ if [[ -f $address_file ]]; then
+ macaddress=$(< "$address_file")
+ macaddresses+=("$(convert_mac_address "$macaddress")")
+ fi
+ fi
+ done < <(find "/sys/class/net" -mindepth 1 -print0)
+
+ # Convert each value to the format FFFF.FFFF.FFFF
+ converted_values=""
+ IFS='|' read -ra value_array <<< "$values"
+ for value in "${macaddresses[@]}"; do
+ converted_value=$(convert_mac_address "$value")
+
converted_values+="endpoint.device.MAC[\"$converted_value\"]=\"true\";\
n"
+ done
+
+ # Print the converted values
+ mac_address=$(echo -e "$converted_values" | sed '$ s/.$//')
+
+else
+ mac_address='endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";'
+fi
export RESPONSE=$(mktemp /tmp/csdresponseXXXXXXX)
export RESULT=$(mktemp /tmp/csdresultXXXXXXX)
trap 'rm $RESPONSE $RESULT' EXIT
-
cat >> $RESPONSE <<EOF
endpoint.os.version="$(uname -s)";
endpoint.os.servicepack="$(uname -r)";
@@ -46,26 +96,7 @@
endpoint.device.protection="none";
endpoint.device.protection_version="3.1.03103";
endpoint.device.hostname="$(hostname)";
-endpoint.device.port["9217"]="true";
-endpoint.device.port["139"]="true";
-endpoint.device.port["53"]="true";
-endpoint.device.port["22"]="true";
-endpoint.device.port["631"]="true";
-endpoint.device.port["445"]="true";
-endpoint.device.port["9216"]="true";
-endpoint.device.tcp4port["9217"]="true";
-endpoint.device.tcp4port["139"]="true";
-endpoint.device.tcp4port["53"]="true";
-endpoint.device.tcp4port["22"]="true";
-endpoint.device.tcp4port["631"]="true";
-endpoint.device.tcp4port["445"]="true";
-endpoint.device.tcp4port["9216"]="true";
-endpoint.device.tcp6port["139"]="true";
-endpoint.device.tcp6port["53"]="true";
-endpoint.device.tcp6port["22"]="true";
-endpoint.device.tcp6port["631"]="true";
-endpoint.device.tcp6port["445"]="true";
-endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
+$mac_address
endpoint.device.protection_extension="3.6.4900.2";
endpoint.fw["IPTablesFW"]={};
endpoint.fw["IPTablesFW"].exists="true";
@@ -74,6 +105,14 @@
endpoint.fw["IPTablesFW"].enabled="ok";
EOF
+for port in 9217 139 53 22 631 445 9216; do
+ cat >> $RESPONSE <<EOF ;
+endpoint.device.port["$port"]="true";
+endpoint.device.tcp4port["$port"]="true";
+endpoint.device.tcp6port["$port"]="true";
+EOF
+done
+
shift
TICKET=
@@ -174,5 +213,6 @@
curl $PINNEDPUBKEY -s -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" -H
'Expect: ' --data-binary @$RESPONSE "$URL" > $RESULT
cat $RESULT || :
+[ -f $OPENSSL_CONF_FILE ] && rm =f $OPENSSL_CONF_FILE
exit 0
On Fri, 2023-06-30 at 11:09 -0700, Daniel Lenski wrote:
> On Mon, Jun 26, 2023 at 4:56 AM Grant Williamson
> <traxto...@gmail.com> wrote:
> > I'm encountering an issue with the csd-post.sh script. When
> > attempting
> > to use it, I receive the error message: "You are attempting to use
> > a
> > digital certificate not assigned to this device." I would
> > appreciate
> > any insights on how to add support for when a server cross checks
> > the
> > MAC address functionality in the script.
>
> > Helps if I just try using what is there. Sorry.
> > endpoint.device.MAC["FFFF.FFFF.FFFF"]="true";
>
> Glad you figured out, but… wow.
>
> "Digital certificate not assigned to this device" is a very
> misleading/unclear/irrelevant error message for "you didn't tell us
> your MAC address."
>
> Unfortunately, OpenConnect has encountered many such similar cases
> where VPN servers send vague/misleading error messages when they
> reach
> an unexpected state
> (
> https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c#L672-
> 676).
> It appears that their developers and administrators only test them
> against their official clients, and don't consider what would happen
> if a different client sent a different set of information.
>
> (Needless to say, these kinds of flawed assumptions are also a rich
> source of security vulnerabilities. 😈)
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
