Browse code
Refactored client_config_dir_exclusive function
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong authored on 2011/06/28 22:41:32Showing 3 changed files
| ... | ... |
@@ -3434,18 +3434,10 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
| 3434 | 3434 |
} |
| 3435 | 3435 |
} |
| 3436 | 3436 |
|
| 3437 |
- /* verify --client-config-dir based authentication */ |
|
| 3438 |
- if (ks->authenticated && session->opt->client_config_dir_exclusive) |
|
| 3437 |
+ /* Perform final authentication checks */ |
|
| 3438 |
+ if (ks->authenticated) |
|
| 3439 | 3439 |
{
|
| 3440 |
- const char *cn = session->common_name; |
|
| 3441 |
- const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc); |
|
| 3442 |
- if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path)) |
|
| 3443 |
- {
|
|
| 3444 |
- ks->authenticated = false; |
|
| 3445 |
- msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", |
|
| 3446 |
- session->common_name, |
|
| 3447 |
- path ? path : "UNDEF"); |
|
| 3448 |
- } |
|
| 3440 |
+ verify_final_auth_checks(multi, session); |
|
| 3449 | 3441 |
} |
| 3450 | 3442 |
|
| 3451 | 3443 |
#ifdef ENABLE_OCC |
| ... | ... |
@@ -36,3 +36,26 @@ |
| 36 | 36 |
#ifdef USE_OPENSSL |
| 37 | 37 |
#include "ssl_verify_openssl.h" |
| 38 | 38 |
#endif |
| 39 |
+ |
|
| 40 |
+void |
|
| 41 |
+verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) |
|
| 42 |
+{
|
|
| 43 |
+ /* verify --client-config-dir based authentication */ |
|
| 44 |
+ if (session->opt->client_config_dir_exclusive) |
|
| 45 |
+ {
|
|
| 46 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ |
|
| 47 |
+ struct gc_arena gc = gc_new (); |
|
| 48 |
+ |
|
| 49 |
+ const char *cn = session->common_name; |
|
| 50 |
+ const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc); |
|
| 51 |
+ if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path)) |
|
| 52 |
+ {
|
|
| 53 |
+ ks->authenticated = false; |
|
| 54 |
+ msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", |
|
| 55 |
+ session->common_name, |
|
| 56 |
+ path ? path : "UNDEF"); |
|
| 57 |
+ } |
|
| 58 |
+ |
|
| 59 |
+ gc_free (&gc); |
|
| 60 |
+ } |
|
| 61 |
+} |
| ... | ... |
@@ -40,5 +40,16 @@ |
| 40 | 40 |
#include "ssl_verify_openssl.h" |
| 41 | 41 |
#endif |
| 42 | 42 |
|
| 43 |
+/** |
|
| 44 |
+ * Perform final authentication checks, including locking of the cn, the allowed |
|
| 45 |
+ * certificate hashes, and whether a client config entry exists in the |
|
| 46 |
+ * client config directory. |
|
| 47 |
+ * |
|
| 48 |
+ * @param multi The TLS multi structure to verify locked structures. |
|
| 49 |
+ * @param session The current TLS session |
|
| 50 |
+ * |
|
| 51 |
+ */ |
|
| 52 |
+void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session); |
|
| 53 |
+ |
|
| 43 | 54 |
|
| 44 | 55 |
#endif /* SSL_VERIFY_H_ */ |