Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
@@ -3434,18 +3434,10 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
3434 | 3434 |
} |
3435 | 3435 |
} |
3436 | 3436 |
|
3437 |
- /* verify --client-config-dir based authentication */ |
|
3438 |
- if (ks->authenticated && session->opt->client_config_dir_exclusive) |
|
3437 |
+ /* Perform final authentication checks */ |
|
3438 |
+ if (ks->authenticated) |
|
3439 | 3439 |
{ |
3440 |
- const char *cn = session->common_name; |
|
3441 |
- const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc); |
|
3442 |
- if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path)) |
|
3443 |
- { |
|
3444 |
- ks->authenticated = false; |
|
3445 |
- msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", |
|
3446 |
- session->common_name, |
|
3447 |
- path ? path : "UNDEF"); |
|
3448 |
- } |
|
3440 |
+ verify_final_auth_checks(multi, session); |
|
3449 | 3441 |
} |
3450 | 3442 |
|
3451 | 3443 |
#ifdef ENABLE_OCC |
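Review bot: The new call at 3440 tests `ks->authenticated` on the caller's `ks` but `verify_final_auth_checks()` re-derives the key state as `&session->key[KS_PRIMARY]`, so the two are only the same object if `ks` in this function is the primary key state; the hunk does not show where `ks` is assigned, so that coupling is an assumption here. If it holds, a one-line comment above the call would make it explicit, e.g. `/* ks must be session->key[KS_PRIMARY]: the callee clears that key state's authenticated flag */`; if it does not, the callee should take the key state as a parameter instead of hard-coding KS_PRIMARY. key_method_2_read() begins and ends outside this hunk.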
@@ -36,3 +36,26 @@ |
36 | 36 |
#ifdef USE_OPENSSL |
37 | 37 |
#include "ssl_verify_openssl.h" |
38 | 38 |
#endif |
39 |
+ |
|
40 |
+void |
|
41 |
+verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) |
|
42 |
+{ |
|
43 |
+ /* verify --client-config-dir based authentication */ |
|
44 |
+ if (session->opt->client_config_dir_exclusive) |
|
45 |
+ { |
|
46 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ |
|
47 |
+ struct gc_arena gc = gc_new (); |
|
48 |
+ |
|
49 |
+ const char *cn = session->common_name; |
|
50 |
+ const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc); |
|
51 |
+ if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path)) |
|
52 |
+ { |
|
53 |
+ ks->authenticated = false; |
|
54 |
+ msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", |
|
55 |
+ session->common_name, |
|
56 |
+ path ? path : "UNDEF"); |
|
57 |
+ } |
|
58 |
+ |
|
59 |
+ gc_free (&gc); |
|
60 |
+ } |
|
61 |
+} |
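Review bot: The `multi` parameter of `verify_final_auth_checks()` is never read in the body (lines 41–61), so the function currently performs only the --client-config-dir check and will trigger -Wunused-parameter under -Wextra. If further checks that need `multi` are meant to land here later, a `(void) multi;` line with a comment such as `/* reserved for checks against the locked cn / cert hash in multi */` documents the intent and keeps the build quiet; otherwise the parameter should be dropped from both the definition and the prototype. It would also help to note at the top of the function that it only ever clears `ks->authenticated` and never sets it, so callers must have completed the positive verification first.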
@@ -40,5 +40,16 @@ |
40 | 40 |
#include "ssl_verify_openssl.h" |
41 | 41 |
#endif |
42 | 42 |
|
43 |
+/** |
|
44 |
+ * Perform final authentication checks, including locking of the cn, the allowed |
|
45 |
+ * certificate hashes, and whether a client config entry exists in the |
|
46 |
+ * client config directory. |
|
47 |
+ * |
|
48 |
+ * @param multi The TLS multi structure to verify locked structures. |
|
49 |
+ * @param session The current TLS session |
|
50 |
+ * |
|
51 |
+ */ |
|
52 |
+void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session); |
|
53 |
+ |
|
43 | 54 |
|
44 | 55 |
#endif /* SSL_VERIFY_H_ */ |
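Review bot: The Doxygen comment at 44–46 promises "locking of the cn" and "the allowed certificate hashes" checks, but the only check the accompanying implementation performs is the --client-config-dir existence test, and `@param multi` describes a use that does not occur. Documentation that overstates the checks a function performs is a security hazard: a reader may believe cn-lock and cert-hash enforcement happens here and not look for it elsewhere. Suggest describing only what is implemented, e.g. `Perform final authentication checks: verifies that a client config entry exists for the common name when --client-config-dir is configured (clears ks->authenticated on failure).`, and expanding the text in the commit that actually adds the other checks.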