Browse code
Refactored tls-verify-plugin code
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong authored on 2011/06/30 21:15:40Showing 6 changed files
| ... | ... |
@@ -22,7 +22,12 @@ |
| 22 | 22 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 23 | 23 |
*/ |
| 24 | 24 |
|
| 25 |
-#include <openssl/x509v3.h> |
|
| 25 |
+#ifndef OPENVPN_PLUGIN_H_ |
|
| 26 |
+#define OPENVPN_PLUGIN_H_ |
|
| 27 |
+ |
|
| 28 |
+#ifdef USE_OPENSSL |
|
| 29 |
+#include "ssl_verify_openssl.h" |
|
| 30 |
+#endif |
|
| 26 | 31 |
|
| 27 | 32 |
#define OPENVPN_PLUGIN_VERSION 3 |
| 28 | 33 |
|
| ... | ... |
@@ -272,7 +277,7 @@ struct openvpn_plugin_args_func_in |
| 272 | 272 |
openvpn_plugin_handle_t handle; |
| 273 | 273 |
void *per_client_context; |
| 274 | 274 |
int current_cert_depth; |
| 275 |
- X509 *current_cert; |
|
| 275 |
+ x509_cert_t *current_cert; |
|
| 276 | 276 |
}; |
| 277 | 277 |
|
| 278 | 278 |
|
| ... | ... |
@@ -700,3 +705,5 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op |
| 700 | 700 |
|
| 701 | 701 |
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1) |
| 702 | 702 |
(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]); |
| 703 |
+ |
|
| 704 |
+#endif /* OPENVPN_PLUGIN_H_ */ |
| ... | ... |
@@ -347,7 +347,7 @@ plugin_call_item (const struct plugin *p, |
| 347 | 347 |
struct openvpn_plugin_string_list **retlist, |
| 348 | 348 |
const char **envp, |
| 349 | 349 |
int certdepth, |
| 350 |
- X509 *current_cert) |
|
| 350 |
+ x509_cert_t *current_cert) |
|
| 351 | 351 |
{
|
| 352 | 352 |
int status = OPENVPN_PLUGIN_FUNC_SUCCESS; |
| 353 | 353 |
|
| ... | ... |
@@ -576,7 +576,7 @@ plugin_call (const struct plugin_list *pl, |
| 576 | 576 |
struct plugin_return *pr, |
| 577 | 577 |
struct env_set *es, |
| 578 | 578 |
int certdepth, |
| 579 |
- X509 *current_cert) |
|
| 579 |
+ x509_cert_t *current_cert) |
|
| 580 | 580 |
{
|
| 581 | 581 |
if (pr) |
| 582 | 582 |
plugin_return_init (pr); |
| ... | ... |
@@ -122,7 +122,7 @@ int plugin_call (const struct plugin_list *pl, |
| 122 | 122 |
struct plugin_return *pr, |
| 123 | 123 |
struct env_set *es, |
| 124 | 124 |
int current_cert_depth, |
| 125 |
- X509 *current_cert); |
|
| 125 |
+ x509_cert_t *current_cert); |
|
| 126 | 126 |
|
| 127 | 127 |
void plugin_list_close (struct plugin_list *pl); |
| 128 | 128 |
bool plugin_defined (const struct plugin_list *pl, const int type); |
| ... | ... |
@@ -176,7 +176,7 @@ plugin_call (const struct plugin_list *pl, |
| 176 | 176 |
struct plugin_return *pr, |
| 177 | 177 |
struct env_set *es, |
| 178 | 178 |
int current_cert_depth, |
| 179 |
- X509 *current_cert) |
|
| 179 |
+ x509_cert_t *current_cert) |
|
| 180 | 180 |
{
|
| 181 | 181 |
return 0; |
| 182 | 182 |
} |
| ... | ... |
@@ -431,29 +431,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
| 431 | 431 |
if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name)) |
| 432 | 432 |
goto err; |
| 433 | 433 |
|
| 434 |
- /* call --tls-verify plug-in(s) */ |
|
| 435 |
- if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY)) |
|
| 436 |
- {
|
|
| 437 |
- int ret; |
|
| 438 |
- |
|
| 439 |
- argv_printf (&argv, "%d %s", |
|
| 440 |
- cert_depth, |
|
| 441 |
- subject); |
|
| 442 |
- |
|
| 443 |
- ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert); |
|
| 444 |
- |
|
| 445 |
- if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) |
|
| 446 |
- {
|
|
| 447 |
- msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", |
|
| 448 |
- cert_depth, subject); |
|
| 449 |
- } |
|
| 450 |
- else |
|
| 451 |
- {
|
|
| 452 |
- msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", |
|
| 453 |
- cert_depth, subject); |
|
| 454 |
- goto err; /* Reject connection */ |
|
| 455 |
- } |
|
| 456 |
- } |
|
| 434 |
+ /* call --tls-verify plug-in(s), if registered */ |
|
| 435 |
+ if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) |
|
| 436 |
+ goto err; |
|
| 457 | 437 |
|
| 458 | 438 |
/* run --tls-verify script */ |
| 459 | 439 |
if (opt->verify_command) |
| ... | ... |
@@ -450,6 +450,39 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, |
| 450 | 450 |
} |
| 451 | 451 |
} |
| 452 | 452 |
|
| 453 |
+/* |
|
| 454 |
+ * call --tls-verify plug-in(s) |
|
| 455 |
+ */ |
|
| 456 |
+int |
|
| 457 |
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
|
| 458 |
+ int cert_depth, x509_cert_t *cert, char *subject) |
|
| 459 |
+{
|
|
| 460 |
+ if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY)) |
|
| 461 |
+ {
|
|
| 462 |
+ int ret; |
|
| 463 |
+ struct argv argv = argv_new (); |
|
| 464 |
+ |
|
| 465 |
+ argv_printf (&argv, "%d %s", cert_depth, subject); |
|
| 466 |
+ |
|
| 467 |
+ ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); |
|
| 468 |
+ |
|
| 469 |
+ argv_reset (&argv); |
|
| 470 |
+ |
|
| 471 |
+ if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) |
|
| 472 |
+ {
|
|
| 473 |
+ msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", |
|
| 474 |
+ cert_depth, subject); |
|
| 475 |
+ } |
|
| 476 |
+ else |
|
| 477 |
+ {
|
|
| 478 |
+ msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", |
|
| 479 |
+ cert_depth, subject); |
|
| 480 |
+ return 1; /* Reject connection */ |
|
| 481 |
+ } |
|
| 482 |
+ } |
|
| 483 |
+ return 0; |
|
| 484 |
+} |
|
| 485 |
+ |
|
| 453 | 486 |
|
| 454 | 487 |
/* *************************************************************************** |
| 455 | 488 |
* Functions for the management of deferred authentication when using |
| ... | ... |
@@ -249,6 +249,8 @@ void |
| 249 | 249 |
verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, |
| 250 | 250 |
const char *subject, const char *common_name, |
| 251 | 251 |
const struct x509_track *x509_track); |
| 252 |
+int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
|
| 253 |
+ int cert_depth, x509_cert_t *cert, char *subject); |
|
| 252 | 254 |
|
| 253 | 255 |
#endif /* SSL_VERIFY_H_ */ |
| 254 | 256 |
|