summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Sommerseth <dazo@users.sourceforge.net>2013-06-07 17:33:12 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2013-06-07 17:33:12 +0200
commitef0c3ffb0c85def725b7ef56fd99339b670ee60a (patch)
tree007d43817b4b7a83a8996f599454fca69fec99b7
parent76843b2216ade6e815cb07ba10c2651476a3bfee (diff)
downloadeurephia-ef0c3ffb0c85def725b7ef56fd99339b670ee60a.tar.gz
eurephia-ef0c3ffb0c85def725b7ef56fd99339b670ee60a.tar.xz
eurephia-ef0c3ffb0c85def725b7ef56fd99339b670ee60a.zip
plugin: Reworked the certinfo integration and use the X.509 certificate from OpenVPN
The OpenVPN plug-in v3 API there is direct access to the X.509 certificate data. This patch starts the adoptation to make use of that, but also to preserve backwards compatibility. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat
-rw-r--r--plugin/eurephia-auth.c68
-rw-r--r--plugin/eurephia.c130
-rw-r--r--plugin/eurephia.h10
3 files changed, 103 insertions, 105 deletions
diff --git a/plugin/eurephia-auth.c b/plugin/eurephia-auth.c
index 47ee55e..a491a44 100644
--- a/plugin/eurephia-auth.c
+++ b/plugin/eurephia-auth.c
@@ -33,8 +33,10 @@
#include <string.h>
#include <unistd.h>
+#define ENABLE_SSL
#include "openvpn-plugin.h"
#define EUREPHIA_FWINTF
+#include <certinfo.h>
#include <eurephiafw_struct.h>
#include <eurephia_context.h>
#include <eurephiadb.h>
@@ -237,7 +239,18 @@ OPENVPN_EXPORT int openvpn_plugin_open_v3(const int apiversion,
#warning MEMWATCH enabled
#endif
// Check that we are API compatible
- if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ if( apiversion != OPENVPN_PLUGINv3_STRUCTVER ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN and eurephia's plug-in API is "
+ "not compatible.");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ // Check that OpenVPN uses OpenSSL
+ if( arguments->ssl_api != SSLAPI_OPENSSL ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN is not compiled against OpenSSL. "
+ "eurephia requires OpenSSL.");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
@@ -279,7 +292,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
{
eurephiaCTX *ctx = (eurephiaCTX *) handle;
int result = 0;
-
+ certinfo *ci = NULL;
if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -294,6 +307,16 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
}
#endif
+ if( type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ ci = parse_tlsid(GETENV_TLSID(ctx, envp, argv[1]),
+ GETENV_TLSDIGEST(ctx, envp, argv[1]));
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
switch( type ) {
case OPENVPN_PLUGIN_UP:
result = detect_tunnel_type(ctx, envp); // Figure out what kind of tunnel type we got.
@@ -305,29 +328,30 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
break;
case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates
- result = eurephia_tlsverify(ctx, envp, argv[1]);
+ result = eurephia_tlsverify(ctx, envp, argv[1], ci);
break;
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password
- result = eurephia_userauth(ctx, envp);
+ result = eurephia_userauth(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login
- result = eurephia_connect(ctx, envp);
+ result = eurephia_connect(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout
- result = eurephia_disconnect(ctx, envp);
+ result = eurephia_disconnect(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, argv[1], argv[2], envp);
+ result = eurephia_learn_address(ctx, argv[1], argv[2], envp, ci);
break;
default: // This should normally not be reached at all
eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", type);
break;
}
+ free_certinfo(ci);
return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
}
@@ -350,6 +374,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
{
eurephiaCTX *ctx = (eurephiaCTX *) args->handle;
int result = 0;
+ certinfo *ci = NULL;
if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -364,6 +389,21 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
}
#endif
+ if( args->type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ // or the X.509 certificate if we have that available
+ if( args->current_cert != NULL ) {
+ ci = parse_x509_cert(args->current_cert);
+ } else {
+ ci = parse_tlsid(GETENV_TLSID(ctx, args->envp, args->argv[1]),
+ GETENV_TLSDIGEST(ctx, args->envp, args->argv[1]));
+ }
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
switch( args->type ) {
case OPENVPN_PLUGIN_UP:
// Figure out what kind of tunnel type we got.
@@ -376,29 +416,33 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
break;
case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates
- result = eurephia_tlsverify(ctx, args->envp, args->argv[1]);
+ result = eurephia_tlsverify(ctx, args->envp, args->argv[1], ci);
break;
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password
- result = eurephia_userauth(ctx, args->envp);
+ result = eurephia_userauth(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login
- result = eurephia_connect(ctx, args->envp);
+ result = eurephia_connect(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout
- result = eurephia_disconnect(ctx, args->envp);
+ result = eurephia_disconnect(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, args->argv[1], args->argv[2], args->envp);
+ result = eurephia_learn_address(ctx, args->argv[1],
+ args->argv[2],
+ args->envp, ci);
break;
default: // This should normally not be reached at all
eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", args->type);
break;
}
+ free_certinfo(ci);
+
return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
}
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index 01f14fe..5777cd7 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -38,6 +38,7 @@
#include <unistd.h>
#include <assert.h>
#include <errno.h>
+#include <openssl/x509.h>
#define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */
#include <eurephiafw_struct.h>
@@ -291,13 +292,12 @@ int eurephiaShutdown(eurephiaCTX *ctx)
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str)
+int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str,
+ certinfo *ci)
{
int result = 0;
char *ipaddr;
- char *tls_digest, *tls_id;
unsigned int depth = atoi_nullsafe(depth_str);
- certinfo *ci = NULL;
DEBUG(ctx, 10, "** Function call: eurephia_tlsverify(...)");
@@ -317,22 +317,18 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str
}
// Check if certificate digest is blacklisted
- tls_digest = GETENV_TLSDIGEST(ctx, env, depth);
- if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) {
+ if( eDBblacklist_check(ctx, attempt_CERTIFICATE, ci->digest) == 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
- free_nullsafe(ctx, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
free_nullsafe(ctx, ipaddr);
return 0;
}
// Check if certificate is registered and allowed
- tls_id = GETENV_TLSID(ctx, env, depth);
- ci = parse_tlsid(tls_id);
- result = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, depth);
+ result = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, depth);
if( result < 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
}
if( result > 0 ) {
@@ -343,12 +339,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str
} else {
eurephia_log(ctx, LOG_WARNING, 0,
"Unknown certificate for: %s/%s/%s (depth %i, digest: %s)",
- ci->org, ci->common_name, ci->email, depth, tls_digest);
+ ci->org, ci->common_name, ci->email, depth, ci->digest);
}
- free_nullsafe(ctx, tls_id);
- free_nullsafe(ctx, tls_digest);
free_nullsafe(ctx, ipaddr);
- free_certinfo(ci);
DEBUG(ctx, 10, "** Function result: eurephia_tlsverify(...) == %i", result > 0);
return (result > 0);
@@ -363,17 +356,16 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_userauth(eurephiaCTX *ctx, const char **env)
+int eurephia_userauth(eurephiaCTX *ctx, const char **env, certinfo *ci)
{
eurephiaSESSION *authsess = NULL;
eDBauthMethodResult *authmeth = NULL;
eAuthPlugin *authplug = NULL;
eAuthResult *authres = NULL;
int result = 0, certid = 0;
- char *cname, *remport, *ipaddr = NULL;
- char *tls_digest = NULL, *tls_id = NULL, *username = NULL;
+ char *remport, *ipaddr = NULL;
+ char *username = NULL;
char *passwd = NULL, *pwdcache = NULL, *chkpwd = NULL;
- certinfo *ci = NULL;
DEBUG(ctx, 10, "** Function call: eurephia_userauth(...)");
@@ -395,12 +387,10 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
}
// Check if certificate digest is blacklisted
- tls_digest = GETENV_TLSDIGEST(ctx, env, 0);
- if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) {
+ if( eDBblacklist_check(ctx, attempt_CERTIFICATE, ci->digest) == 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
free_nullsafe(ctx, ipaddr);
- free_nullsafe(ctx, tls_digest);
return 0;
}
@@ -408,30 +398,23 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
username = GETENV_USERNAME(ctx, env);
if( eDBblacklist_check(ctx, attempt_USERNAME, username) == 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username);
free_nullsafe(ctx, username);
free_nullsafe(ctx, ipaddr);
- free_nullsafe(ctx, tls_digest);
return 0;
}
// Get certificate ID
- tls_id = GETENV_TLSID(ctx, env, 0);
- ci = parse_tlsid(tls_id);
- certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, 0);
+ certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, 0);
if( certid < 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username);
- free_nullsafe(ctx, tls_id);
free_nullsafe(ctx, username);
free_nullsafe(ctx, ipaddr);
- free_nullsafe(ctx, tls_digest);
- free_certinfo(ci);
return 0;
}
- free_certinfo(ci);
// Do username/password/certificate authentication
passwd = GETENV_PASSWORD(ctx, env);
@@ -441,10 +424,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
memset(passwd, 0, strlen_nullsafe(passwd));
munlock(passwd, strlen_nullsafe(passwd));
free_nullsafe(ctx, passwd);
- free_nullsafe(ctx, tls_id);
free_nullsafe(ctx, username);
free_nullsafe(ctx, ipaddr);
- free_nullsafe(ctx, tls_digest);
return 0;
}
@@ -453,11 +434,11 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
// Get an authentication session, which is not a real session ticket
// but it uses almost the same system
- cname = GETENV_CNAME(ctx, env);
remport = GETENV_UNTRUSTEDPORT(ctx, env);
// an authentication session do not use assigned VPN address
- authsess = eDBopen_session_seed(ctx, tls_digest, cname, username, NULL, NULL,
+ authsess = eDBopen_session_seed(ctx, ci->digest, ci->common_name, username,
+ NULL, NULL,
ipaddr, remport);
if( authsess == NULL ) {
// No session found
@@ -590,14 +571,14 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
/* If the authentication failed, register the failed attempt */
if( result < 0 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username);
}
if( result > 0 ) {
// If we have a valid result, reset all attempt counters.
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_RESET, ipaddr);
- eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
+ eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, ci->digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_RESET, username);
if( !eDBset_session_value(ctx, authsess, "pwdcache", chkpwd) ) {
@@ -612,12 +593,9 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
munlock(passwd, strlen_nullsafe(passwd));
eDBfree_session(ctx, authsess);
free_nullsafe(ctx, remport);
- free_nullsafe(ctx, cname);
free_nullsafe(ctx, passwd);
- free_nullsafe(ctx, tls_id);
free_nullsafe(ctx, username);
free_nullsafe(ctx, ipaddr);
- free_nullsafe(ctx, tls_digest);
free_nullsafe(ctx, chkpwd);
DEBUG(ctx, 10, "** Function result: eurephia_userauth(...) = %i", (result>0));
return (result > 0);
@@ -633,19 +611,14 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_connect(eurephiaCTX *ctx, const char **env) {
+int eurephia_connect(eurephiaCTX *ctx, const char **env, certinfo *ci) {
eurephiaSESSION *session = NULL;
- char *digest, *cname, *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport,
- *proto, *tlsid;
+ char *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport, *proto;
int certid = 0, uid = 0, accprofile = -1, ret = 0;
- certinfo *ci = NULL;
DEBUG(ctx, 10, "** Function call: eurephia_connect(...)");
// Fetch needed info
- digest = GETENV_TLSDIGEST(ctx, env, 0);
- tlsid = GETENV_TLSID(ctx, env, 0);
- cname = GETENV_CNAME(ctx, env);
uname = GETENV_USERNAME(ctx, env);
vpnipaddr = GETENV_POOLIPADDR(ctx, env);
vpnipmask = GETENV_POOLNETMASK(ctx, env);
@@ -654,7 +627,8 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) {
proto = GETENV_PROTO1(ctx, env);
// Get a session ticket
- session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask,
+ session = eDBopen_session_seed(ctx, ci->digest, ci->common_name,
+ uname, vpnipaddr, vpnipmask,
remipaddr, remport);
if( session == NULL ) {
free_nullsafe(ctx, proto);
@@ -663,32 +637,21 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) {
free_nullsafe(ctx, vpnipaddr);
free_nullsafe(ctx, vpnipmask);
free_nullsafe(ctx, uname);
- free_nullsafe(ctx, cname);
- free_nullsafe(ctx, tlsid);
- free_nullsafe(ctx, digest);
return 0;
}
- // Get certificate info
- ci = parse_tlsid(tlsid);
- if( ci == NULL ) {
- eurephia_log(ctx, LOG_FATAL, 1, "Could not parse the TLS ID string");
- eDBfree_session(ctx, session);
- return 0;
- }
- certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, digest, 0);
+ certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, 0);
if( certid < 1 ) {
eurephia_log(ctx, LOG_WARNING, 0, "Failed to lookup certificate: %s/%s/%s [%s]",
- ci->org, ci->common_name, ci->email, digest);
- free_certinfo(ci);
+ ci->org, ci->common_name, ci->email, ci->digest);
return 0;
}
uid = eDBget_uid(ctx, certid, uname);
- free_certinfo(ci);
// Register the session login
accprofile = eDBget_accessprofile(ctx, uid, certid);
- ret = eDBregister_login2(ctx, session, certid, accprofile, uid, proto, remipaddr, remport);
+ ret = eDBregister_login2(ctx, session, certid, accprofile, uid, proto,
+ remipaddr, remport);
eDBfree_session(ctx, session);
eurephia_log(ctx, LOG_INFO, 1, "User '%s' connected", uname);
@@ -698,9 +661,6 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) {
free_nullsafe(ctx, vpnipaddr);
free_nullsafe(ctx, vpnipmask);
free_nullsafe(ctx, uname);
- free_nullsafe(ctx, cname);
- free_nullsafe(ctx, tlsid);
- free_nullsafe(ctx, digest);
DEBUG(ctx, 10, "** Function result: eurephia_connect(...) = %i", ret);
return ret;
@@ -714,17 +674,15 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) {
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
+int eurephia_disconnect(eurephiaCTX *ctx, const char **env, certinfo *ci) {
eurephiaSESSION *session = NULL;
- char *digest, *cname, *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport;
+ char *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport;
char *bytes_sent, *bytes_rec, *duration;
int ret = 0;
DEBUG(ctx, 10, "** Function call: eurephia_disconnect(...)");
// Fetch needed info
- digest = GETENV_TLSDIGEST(ctx, env, 0);
- cname = GETENV_CNAME(ctx, env);
uname = GETENV_USERNAME(ctx, env);
vpnipaddr = GETENV_POOLIPADDR(ctx, env);
vpnipmask = GETENV_POOLNETMASK(ctx, env);
@@ -735,7 +693,8 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
duration = GETENV_TIMEDURATION(ctx, env);
// Get a session ticket
- session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask,
+ session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname,
+ vpnipaddr, vpnipmask,
remipaddr, remport);
if( session == NULL ) {
free_nullsafe(ctx, duration);
@@ -746,8 +705,6 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
free_nullsafe(ctx, vpnipaddr);
free_nullsafe(ctx, vpnipmask);
free_nullsafe(ctx, uname);
- free_nullsafe(ctx, cname);
- free_nullsafe(ctx, digest);
return 0;
}
@@ -762,10 +719,12 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
eurephia_log(ctx, LOG_INFO, 1, "User '%s' logged out", uname);
// Get the authentication session and destroy it
- session = eDBopen_session_seed(ctx, digest, cname, uname, NULL, NULL, remipaddr, remport);
+ session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname,
+ NULL, NULL, remipaddr, remport);
if( !eDBdestroy_session(ctx, session) ) {
- eurephia_log(ctx, LOG_WARNING, 0, "Could not destroy authentication session (%s/%s/%s)",
- uname, cname, digest);
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "Could not destroy authentication session (%s/%s/%s)",
+ uname, ci->common_name, ci->digest);
}
eDBfree_session(ctx, session);
free_nullsafe(ctx, duration);
@@ -776,8 +735,6 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
free_nullsafe(ctx, vpnipaddr);
free_nullsafe(ctx, vpnipmask);
free_nullsafe(ctx, uname);
- free_nullsafe(ctx, cname);
- free_nullsafe(ctx, digest);
DEBUG(ctx, 10, "** Function result: eurephia_disconnect(...) = %i", ret);
return ret;
@@ -796,10 +753,10 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr, const char **env) {
+int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr,
+ const char **env, certinfo *ci) {
eurephiaSESSION *session = NULL;
- char *digest = NULL, *cname = NULL, *uname = NULL,
- *vpnipaddr = NULL, *vpnipmask = NULL,
+ char *uname = NULL, *vpnipaddr = NULL, *vpnipmask = NULL,
*remipaddr = NULL, *remport = NULL;
char *fwprofile = NULL, *fwdest = NULL;
int ret = 0, fw_enabled = 0;
@@ -824,8 +781,6 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien
|| ((ctx->tuntype == tuntype_TUN) && (strncmp(mode, "update", 6) == 0)) ) {
// Fetch needed info
- digest = GETENV_TLSDIGEST(ctx, env, 0);
- cname = GETENV_CNAME(ctx, env);
uname = GETENV_USERNAME(ctx, env);
vpnipaddr = GETENV_POOLIPADDR(ctx, env);
vpnipmask = GETENV_POOLNETMASK(ctx, env);
@@ -833,7 +788,8 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien
remport = GETENV_TRUSTEDPORT(ctx, env);
// Get a session ticket
- session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask,
+ session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname,
+ vpnipaddr, vpnipmask,
remipaddr, remport);
if( session == NULL ) {
ret = 0;
@@ -915,8 +871,6 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien
free_nullsafe(ctx, vpnipaddr);
free_nullsafe(ctx, vpnipmask);
free_nullsafe(ctx, uname);
- free_nullsafe(ctx, cname);
- free_nullsafe(ctx, digest);
DEBUG(ctx, 10, "** Function result: eurephia_learn_address(ctx, '%s', '%.18s', ...) = %i",
mode, clientaddr, ret);
diff --git a/plugin/eurephia.h b/plugin/eurephia.h
index dc6918e..8c9d36a 100644
--- a/plugin/eurephia.h
+++ b/plugin/eurephia.h
@@ -40,11 +40,11 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp,
struct openvpn_plugin_callbacks const *ovpn_callbacks);
int eurephiaShutdown(eurephiaCTX *ctx);
-int eurephia_tlsverify(eurephiaCTX *ctx, const char **argv, const char *depth);
-int eurephia_userauth(eurephiaCTX *ctx, const char **env);
-int eurephia_connect(eurephiaCTX *ctx, const char **env);
-int eurephia_disconnect(eurephiaCTX *ctx, const char **env);
+int eurephia_tlsverify(eurephiaCTX *ctx, const char **argv, const char *depth, certinfo *ci);
+int eurephia_userauth(eurephiaCTX *ctx, const char **env, certinfo *ci);
+int eurephia_connect(eurephiaCTX *ctx, const char **env, certinfo *ci);
+int eurephia_disconnect(eurephiaCTX *ctx, const char **env, certinfo *ci);
int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macaddr,
- const char **env);
+ const char **env, certinfo *ci);
#endif /* !EUREPHIA_H_ */
generated by cgit (git 2.34.1) at 2024-04-18 15:13:17 +0000