Hi,

As I can suppose, the current openvas-server implementation has broken certificate-based authentication (I've tried with version 2.0.3; it seems that svn trunk has the same behaviour).

I suggest that openvas-server has to perform these steps while authenticating the remote peer with the certificate:

0. Allow the GNU TLS library to perform the check of the peer certificate correctness.
1. Get the certificate distinguished name (DN) with the help of the GNU TLS library.
2. Check out the contents of the file /var/lib/openvas/users/$username/auth/dname and compare the DN value obtained from the peer certificate with the one stored in the file.
3. If these two values match, assume that the user with $username is successfully authenticated.

But unfortunately I see that the variable x509_dname in the `server_thread` function, once initialized with the empty string, never ever tries to update its value. However, the `check_user` function performs authentication based on the contents of the x509_dname variable.

I've made a quick and dirty patch which fixes this behaviour (in attachment) and it seems that this one works as expected for me. I want to note however that this patch provides no error handling and I'm not sure that this code works as expected in all cases.

-- 
Roman Imankulov
ro...@netangels.ru
diff -ru openvas-server-2.0.3.orig/openvasd/openvasd.c openvas-server-2.0.3/openvasd/openvasd.c --- openvas-server-2.0.3.orig/openvasd/openvasd.c 2009-08-07 16:23:37.000000000 +0600 +++ openvas-server-2.0.3/openvasd/openvasd.c 2009-09-12 20:32:49.000000000 +0600 @@ -45,6 +45,8 @@ #include <harglists.h> #include <nasl.h> #include <hosts_gatherer.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> #ifdef USE_LIBWRAP #include <tcpd.h> @@ -394,7 +396,28 @@ } arg_add_value(globals, "ntp_caps", ARG_STRUCT, sizeof(*caps), caps); - + /* Get X.509 cert subject name */ + { + gnutls_session_t *session; + gnutls_x509_crt_t cert; + unsigned int cert_list_size = 0; + const gnutls_datum_t *cert_list; + unsigned int x509_dname_size = sizeof(x509_dname); + + session = ovas_get_tlssession_from_connection(soc2); + + if (gnutls_certificate_type_get(*session) != GNUTLS_CRT_X509) { + // ... + EXIT(0); + } + cert_list = gnutls_certificate_get_peers (*session, &cert_list_size); + gnutls_x509_crt_init (&cert); + gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER); + gnutls_x509_crt_get_dn (cert, x509_dname, &x509_dname_size); + gnutls_x509_crt_deinit (cert); + + } + if(((perms = auth_check_user(globals, asciiaddr, x509_dname))==BAD_LOGIN_ATTEMPT)|| !perms) {
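Review bot: in the second hunk the return values of gnutls_certificate_get_peers, gnutls_x509_crt_init, gnutls_x509_crt_import and gnutls_x509_crt_get_dn are all ignored, so on any failure x509_dname is left as the empty string and auth_check_user is still called with it, which is exactly the condition this patch sets out to fix. gnutls_certificate_get_peers returns NULL (with cert_list_size 0) when the peer presented no certificate, so `gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER)` would then dereference a null datum; check `cert_list != NULL && cert_list_size > 0` before the import, test each gnutls call for a negative return, and on any failure treat the connection as unauthenticated (take the same path as the `EXIT(0)` branch) instead of falling through to the auth_check_user call. The `// ...` placeholder before `EXIT(0)` should also log why the connection is being rejected, since a silent exit will be hard to diagnose for users whose client certificate is not X.509.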
_______________________________________________ Openvas-devel mailing list Openvas-devel@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-devel