On 4/08/2023 6:30 am, Sean Gallagher wrote:
On 4/08/2023 2:04 am, Ondřej Kuzník wrote:
On Thu, Aug 03, 2023 at 10:00:37AM +1000, Sean Gallagher wrote:
Looking through the code, I see that dnX509peerNormalize() is called almost immediately after TLS is established and that it may be handled by a callable handler installed by the register_certificate_map_function() entry point. This would be an ideal place to inspect the certificate. The only problem being that there is no way to "reject" a certificate and force the connection to be closed.
It may be possible to use the SSL context passed into the dnX509peerNormalize() function to close the connection, but this would not be very clean and would likely have undesirable side effects. What would be good is if dnX509peerNormalize() could return a particular error code to signal that the connection should be immediately closed.
Calling SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN) sounds like it should do the trick? Next read will fail and so you never receive data that you consider "hostile"?
That sounds promising. Thanks. I might throw together some proof of concept and see if it works.
Sean.
Thinking it through, I see a few problems:
1) slapd doesn't call SSL directly; all calls seem to go through libldap, which implements a pluggable TLS switch. Calling SSL directly is risky.
2) SSL_set_shutdown() doesn't seem to block reads.
3) It's not clear if the file handle actually gets released. This could open up a trivial DoS attack by exhausting the file handles. Granted, this is a risk anyway.
Could I put forward another idea - a change to core that is less likely to lead to an avalanche of mods and is not externally visible. Something like:
    int alien_credentials = 0;
    rc = dnX509peerNormalize( ssl, &authid, &alien_credentials );
    if ( alien_credentials ) {
        connection_closing( c, "TLS alien client certificate rejected" );
        connection_close( c );
        connection_return( c );
        return 0;
    }
Any existing uses of dnX509peerNormalize() would be unaware of the extra parameter and just ignore it.
Sean.
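As an added illustration of the out-parameter rejection pattern proposed in the message above (this is example code, not OpenLDAP's own source and not code from the thread): a self-contained C model in which a pluggable certificate map hook can set an "alien" flag, and the post-handshake connection path closes the connection when it is set. The function names dnX509peerNormalize, register_certificate_map_function and connection_close are borrowed from the discussion, but their signatures, the tls_session/connection structs, the issuer allowlist and the sample certificate strings are all invented here for illustration. Existing callers are modelled by passing NULL for the flag, which keeps the old behaviour.

```c
/* Added example modelling the proposed alien_credentials out-parameter.
 * Not OpenLDAP code: every type and signature below is an assumption. */
#include <stdio.h>
#include <string.h>

/* Stand-in for the peer certificate fields a mapping hook would inspect. */
struct peer_cert {
    const char *subject;
    const char *issuer;
};

/* Stand-in for the TLS session object handed to dnX509peerNormalize(). */
struct tls_session {
    struct peer_cert peer;
};

/* Stand-in for slapd's per-connection state. */
struct connection {
    int fd_open;              /* 1 while the socket is still held */
    char authid[128];         /* normalized DN on success, "" otherwise */
    const char *close_reason; /* set when the connection is torn down */
};

/* Hook contract (assumed): return 0 and fill dn on success; set *alien to 1
 * to ask the caller to drop the connection regardless of the return code. */
typedef int (*cert_map_fn)(const struct tls_session *ssl, char *dn,
                           size_t dnlen, int *alien);

static cert_map_fn cert_map_hook = NULL;

void register_certificate_map_function(cert_map_fn fn) { cert_map_hook = fn; }

/* Default mapping: copy the subject DN through; never sets the flag. */
static int default_map(const struct tls_session *ssl, char *dn, size_t dnlen,
                       int *alien)
{
    (void)alien;
    if (ssl->peer.subject == NULL) return -1;
    snprintf(dn, dnlen, "%s", ssl->peer.subject);
    return 0;
}

int dnX509peerNormalize(const struct tls_session *ssl, char *dn, size_t dnlen,
                        int *alien)
{
    int local = 0;
    if (alien == NULL) alien = &local;   /* legacy callers pass nothing */
    *alien = 0;
    cert_map_fn fn = cert_map_hook ? cert_map_hook : default_map;
    return fn(ssl, dn, dnlen, alien);
}

/* Example site hook: only certificates issued by our own CA may authenticate.
 * The issuer string is a constructed value for this example. */
static const char *trusted_issuers[] = { "CN=Internal CA,O=Example", NULL };

int allowlist_issuer_map(const struct tls_session *ssl, char *dn, size_t dnlen,
                         int *alien)
{
    int rc = default_map(ssl, dn, dnlen, alien);
    if (rc != 0) return rc;
    for (const char **i = trusted_issuers; *i != NULL; i++)
        if (ssl->peer.issuer && strcmp(*i, ssl->peer.issuer) == 0) return 0;
    *alien = 1;   /* unknown issuer: tell the caller to close the connection */
    return 0;
}

static void connection_close(struct connection *c, const char *why)
{
    c->fd_open = 0;
    c->close_reason = why;
}

/* Models the slapd path right after TLS is established. Returns 1 if the
 * connection stays open, 0 if it was closed because the cert was rejected. */
int on_tls_established(struct connection *c, const struct tls_session *ssl)
{
    int alien = 0;
    int rc = dnX509peerNormalize(ssl, c->authid, sizeof c->authid, &alien);
    if (alien) {
        c->authid[0] = '\0';
        connection_close(c, "TLS alien client certificate rejected");
        return 0;
    }
    if (rc != 0) c->authid[0] = '\0';   /* no DN: stay open, unauthenticated */
    return 1;
}

/* Scenario helper: run one constructed peer cert through the hooked path.
 * Returns 1 if the connection stayed open, 0 if it was closed. */
int scenario_open(const char *subject, const char *issuer)
{
    struct tls_session s = { { subject, issuer } };
    struct connection c = { 1, "", NULL };
    register_certificate_map_function(allowlist_issuer_map);
    int open = on_tls_established(&c, &s);
    return (open && c.fd_open) ? 1 : 0;
}

/* Legacy caller: no hook registered, flag not passed; must still succeed. */
int legacy_caller_rc(void)
{
    struct tls_session s = { { "CN=alice,O=Example", "CN=Other CA,O=Else" } };
    char dn[128];
    register_certificate_map_function(NULL);
    return dnX509peerNormalize(&s, dn, sizeof dn, NULL);
}

int main(void)
{
    printf("internal CA: open=%d\n",
           scenario_open("CN=alice,O=Example", "CN=Internal CA,O=Example"));
    printf("foreign CA:  open=%d\n",
           scenario_open("CN=mallory,O=Example", "CN=Other CA,O=Evil"));
    printf("legacy call: rc=%d\n", legacy_caller_rc());
    return 0;
}
```

The point of the model is that rejection is signalled through a separate flag rather than overloaded onto the return code, so a hook can reject a certificate whose DN mapped fine, and a caller that never looks at the flag sees no change in behaviour. Whether the real slapd connection functions (connection_closing, connection_close, connection_return) release the descriptor promptly is exactly the question raised in point 3 above and is not answered by this example.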