Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
... | ... |
@@ -22,7 +22,12 @@ |
22 | 22 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
23 | 23 |
*/ |
24 | 24 |
|
25 |
-#include <openssl/x509v3.h> |
|
25 |
+#ifndef OPENVPN_PLUGIN_H_ |
|
26 |
+#define OPENVPN_PLUGIN_H_ |
|
27 |
+ |
|
28 |
+#ifdef USE_OPENSSL |
|
29 |
+#include "ssl_verify_openssl.h" |
|
30 |
+#endif |
|
26 | 31 |
|
27 | 32 |
#define OPENVPN_PLUGIN_VERSION 3 |
28 | 33 |
|
... | ... |
@@ -272,7 +277,7 @@ struct openvpn_plugin_args_func_in |
272 | 272 |
openvpn_plugin_handle_t handle; |
273 | 273 |
void *per_client_context; |
274 | 274 |
int current_cert_depth; |
275 |
- X509 *current_cert; |
|
275 |
+ x509_cert_t *current_cert; |
|
276 | 276 |
}; |
277 | 277 |
|
278 | 278 |
|
... | ... |
@@ -700,3 +705,5 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op |
700 | 700 |
|
701 | 701 |
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1) |
702 | 702 |
(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]); |
703 |
+ |
|
704 |
+#endif /* OPENVPN_PLUGIN_H_ */ |
... | ... |
@@ -347,7 +347,7 @@ plugin_call_item (const struct plugin *p, |
347 | 347 |
struct openvpn_plugin_string_list **retlist, |
348 | 348 |
const char **envp, |
349 | 349 |
int certdepth, |
350 |
- X509 *current_cert) |
|
350 |
+ x509_cert_t *current_cert) |
|
351 | 351 |
{ |
352 | 352 |
int status = OPENVPN_PLUGIN_FUNC_SUCCESS; |
353 | 353 |
|
... | ... |
@@ -576,7 +576,7 @@ plugin_call (const struct plugin_list *pl, |
576 | 576 |
struct plugin_return *pr, |
577 | 577 |
struct env_set *es, |
578 | 578 |
int certdepth, |
579 |
- X509 *current_cert) |
|
579 |
+ x509_cert_t *current_cert) |
|
580 | 580 |
{ |
581 | 581 |
if (pr) |
582 | 582 |
plugin_return_init (pr); |
... | ... |
@@ -122,7 +122,7 @@ int plugin_call (const struct plugin_list *pl, |
122 | 122 |
struct plugin_return *pr, |
123 | 123 |
struct env_set *es, |
124 | 124 |
int current_cert_depth, |
125 |
- X509 *current_cert); |
|
125 |
+ x509_cert_t *current_cert); |
|
126 | 126 |
|
127 | 127 |
void plugin_list_close (struct plugin_list *pl); |
128 | 128 |
bool plugin_defined (const struct plugin_list *pl, const int type); |
... | ... |
@@ -176,7 +176,7 @@ plugin_call (const struct plugin_list *pl, |
176 | 176 |
struct plugin_return *pr, |
177 | 177 |
struct env_set *es, |
178 | 178 |
int current_cert_depth, |
179 |
- X509 *current_cert) |
|
179 |
+ x509_cert_t *current_cert) |
|
180 | 180 |
{ |
181 | 181 |
return 0; |
182 | 182 |
} |
... | ... |
@@ -431,29 +431,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
431 | 431 |
if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name)) |
432 | 432 |
goto err; |
433 | 433 |
|
434 |
- /* call --tls-verify plug-in(s) */ |
|
435 |
- if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY)) |
|
436 |
- { |
|
437 |
- int ret; |
|
438 |
- |
|
439 |
- argv_printf (&argv, "%d %s", |
|
440 |
- cert_depth, |
|
441 |
- subject); |
|
442 |
- |
|
443 |
- ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert); |
|
444 |
- |
|
445 |
- if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) |
|
446 |
- { |
|
447 |
- msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", |
|
448 |
- cert_depth, subject); |
|
449 |
- } |
|
450 |
- else |
|
451 |
- { |
|
452 |
- msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", |
|
453 |
- cert_depth, subject); |
|
454 |
- goto err; /* Reject connection */ |
|
455 |
- } |
|
456 |
- } |
|
434 |
+ /* call --tls-verify plug-in(s), if registered */ |
|
435 |
+ if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) |
|
436 |
+ goto err; |
|
457 | 437 |
|
458 | 438 |
/* run --tls-verify script */ |
459 | 439 |
if (opt->verify_command) |
... | ... |
@@ -450,6 +450,39 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, |
450 | 450 |
} |
451 | 451 |
} |
452 | 452 |
|
453 |
+/* |
|
454 |
+ * call --tls-verify plug-in(s) |
|
455 |
+ */ |
|
456 |
+int |
|
457 |
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
|
458 |
+ int cert_depth, x509_cert_t *cert, char *subject) |
|
459 |
+{ |
|
460 |
+ if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY)) |
|
461 |
+ { |
|
462 |
+ int ret; |
|
463 |
+ struct argv argv = argv_new (); |
|
464 |
+ |
|
465 |
+ argv_printf (&argv, "%d %s", cert_depth, subject); |
|
466 |
+ |
|
467 |
+ ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); |
|
468 |
+ |
|
469 |
+ argv_reset (&argv); |
|
470 |
+ |
|
471 |
+ if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) |
|
472 |
+ { |
|
473 |
+ msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", |
|
474 |
+ cert_depth, subject); |
|
475 |
+ } |
|
476 |
+ else |
|
477 |
+ { |
|
478 |
+ msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", |
|
479 |
+ cert_depth, subject); |
|
480 |
+ return 1; /* Reject connection */ |
|
481 |
+ } |
|
482 |
+ } |
|
483 |
+ return 0; |
|
484 |
+} |
|
485 |
+ |
|
453 | 486 |
|
454 | 487 |
/* *************************************************************************** |
455 | 488 |
* Functions for the management of deferred authentication when using |
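Review bot: `subject` is declared `char *` in the new `verify_cert_call_plugin` signature at new line 458 but is only read, by `argv_printf` and `msg`, so it should be `const char *subject`, matching `verify_cert_set_env` directly above it; the prototype added to the header in the last hunk has the same issue. The three-line header comment also leaves the return contract undocumented even though the caller rejects the connection on any non-zero value; I would expand it to say that the function returns 0 when no OPENVPN_PLUGIN_TLS_VERIFY plug-in is registered or `plugin_call` returned OPENVPN_PLUGIN_FUNC_SUCCESS, and 1 for any other status, in which case the caller must reject the connection. Treating every non-success status as a rejection is the same fail-closed behaviour as the inlined code this replaces, and is worth keeping explicit in the comment so a later change does not loosen it.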
... | ... |
@@ -249,6 +249,8 @@ void |
249 | 249 |
verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, |
250 | 250 |
const char *subject, const char *common_name, |
251 | 251 |
const struct x509_track *x509_track); |
252 |
+int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
|
253 |
+ int cert_depth, x509_cert_t *cert, char *subject); |
|
252 | 254 |
|
253 | 255 |
#endif /* SSL_VERIFY_H_ */ |
254 | 256 |
|