Diffstat (limited to 'plugin/eurephia-auth.c')
-rw-r--r-- | plugin/eurephia-auth.c | 68 |
1 files changed, 56 insertions, 12 deletions
diff --git a/plugin/eurephia-auth.c b/plugin/eurephia-auth.c
index 47ee55e..a491a44 100644
--- a/plugin/eurephia-auth.c
+++ b/plugin/eurephia-auth.c
@@ -33,8 +33,10 @@
 #include <string.h>
 #include <unistd.h>
+#define ENABLE_SSL
 #include "openvpn-plugin.h"
 #define EUREPHIA_FWINTF
+#include <certinfo.h>
 #include <eurephiafw_struct.h>
 #include <eurephia_context.h>
 #include <eurephiadb.h>
@@ -237,7 +239,18 @@ OPENVPN_EXPORT int openvpn_plugin_open_v3(const int apiversion,
 #warning MEMWATCH enabled
 #endif
 // Check that we are API compatible
- if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ if( apiversion != OPENVPN_PLUGINv3_STRUCTVER ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN and eurephia's plug-in API is "
+ "not compatible.");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ // Check that OpenVPN uses OpenSSL
+ if( arguments->ssl_api != SSLAPI_OPENSSL ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN is not compiled against OpenSSL. "
+ "eurephia requires OpenSSL.");
 return OPENVPN_PLUGIN_FUNC_ERROR;
 }
@@ -279,7 +292,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
 {
 eurephiaCTX *ctx = (eurephiaCTX *) handle;
 int result = 0;
-
+ certinfo *ci = NULL;
 if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
 return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -294,6 +307,16 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
 }
 #endif
+ if( type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ ci = parse_tlsid(GETENV_TLSID(ctx, envp, argv[1]),
+ GETENV_TLSDIGEST(ctx, envp, argv[1]));
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
 switch( type ) {
 case OPENVPN_PLUGIN_UP:
 result = detect_tunnel_type(ctx, envp); // Figure out what kind of tunnel type we got.
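Review bot: `+#define ENABLE_SSL` placed ahead of `#include "openvpn-plugin.h"` in the first hunk changes which variant of the header's plug-in structs this file compiles against — presumably the one that exposes `current_cert`, which the func_v3 hunk later reads — yet nothing records that this layout has to agree with the OpenVPN binary that loads the plug-in. The open_v3 hunk covers part of that risk with the struct-version and `ssl_api != SSLAPI_OPENSSL` checks, so the dependency deserves a comment where the define lives, e.g. `// ENABLE_SSL must precede openvpn-plugin.h: it selects the SSL-aware v3 arg structs; openvpn_plugin_open_v3() rejects OpenVPN builds whose struct version or SSL API do not match.` In open_v3 the order of the two `if` blocks may also be load-bearing — if `ssl_api` is one of the fields that arrived with this struct version it is only safe to read after the version check has passed — so a short comment on the second `if` stating that it relies on the first would keep a later refactor from swapping them.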
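Review bot: `GETENV_TLSID(ctx, envp, argv[1])` in the new `type != OPENVPN_PLUGIN_UP` block evaluates `argv[1]` for every callback type except UP, whereas in the cases visible in this diff `argv[1]` was previously consumed only by TLS_VERIFY and LEARN_ADDRESS; for LEARN_ADDRESS `argv[1]` is the operation string still handed to `eurephia_learn_address`, and for the AUTH/CONNECT/DISCONNECT callbacks it is not evident from here that OpenVPN supplies a second argument at all. Unless the macros are known to tolerate a NULL or unrelated third argument, guard the lookup or derive that argument per callback type; the func_v3 hunk has the same pattern with `args->argv[1]`. The comment `// Exctract certificate information from either environment variables` is misspelled and, in this v1 hunk, names only one of its "either" alternatives — `// Extract certificate information from the environment variables` fits here, and the v3 hunk's two-line version needs the same spelling fix. The enclosing function continues outside this hunk.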
@@ -305,29 +328,30 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
 break;
 case OPENVPN_PLUGIN_TLS_VERIFY:
 // Validate certificates
- result = eurephia_tlsverify(ctx, envp, argv[1]);
+ result = eurephia_tlsverify(ctx, envp, argv[1], ci);
 break;
 case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
 // Validate user name and password
- result = eurephia_userauth(ctx, envp);
+ result = eurephia_userauth(ctx, envp, ci);
 break;
 case OPENVPN_PLUGIN_CLIENT_CONNECT:
 // Register login
- result = eurephia_connect(ctx, envp);
+ result = eurephia_connect(ctx, envp, ci);
 break;
 case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
 // Register logout
- result = eurephia_disconnect(ctx, envp);
+ result = eurephia_disconnect(ctx, envp, ci);
 break;
 case OPENVPN_PLUGIN_LEARN_ADDRESS:
 // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, argv[1], argv[2], envp);
+ result = eurephia_learn_address(ctx, argv[1], argv[2], envp, ci);
 break;
 default:
 // This should normally not be reached at all
 eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", type);
 break;
 }
+ free_certinfo(ci);
 return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
 }
@@ -350,6 +374,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
 {
 eurephiaCTX *ctx = (eurephiaCTX *) args->handle;
 int result = 0;
+ certinfo *ci = NULL;
 if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
 return OPENVPN_PLUGIN_FUNC_ERROR;
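Review bot: `free_certinfo(ci)` after the switch is reached with `ci == NULL` whenever `type` is OPENVPN_PLUGIN_UP, so the function relies on free_certinfo accepting NULL; that contract is not visible here and should be stated at the call, e.g. `free_certinfo(ci); // NULL for OPENVPN_PLUGIN_UP, free_certinfo() must tolerate that`. The case bodies between the previous hunk and this one (from the UP case to the first `break;` shown) are outside the hunk; any `return` inside them now leaks `ci`, so they need checking against this single release point. The func_v3 hunk at the end of the diff has the same shape and the same two concerns.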
@@ -364,6 +389,21 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
 }
 #endif
+ if( args->type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ // or the X.509 certificate if we have that available
+ if( args->current_cert != NULL ) {
+ ci = parse_x509_cert(args->current_cert);
+ } else {
+ ci = parse_tlsid(GETENV_TLSID(ctx, args->envp, args->argv[1]),
+ GETENV_TLSDIGEST(ctx, args->envp, args->argv[1]));
+ }
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
 switch( args->type ) {
 case OPENVPN_PLUGIN_UP:
 // Figure out what kind of tunnel type we got.
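Review bot: The `args->current_cert != NULL` branch makes the certificate object the preferred source and falls back to the environment only when it is absent, but nothing says whether `parse_x509_cert` and `parse_tlsid` are expected to yield equivalent `certinfo` contents, and the downstream auth/connect/disconnect code is now fed by whichever source happened to be available. A comment on the `if` pinning that expectation would help, e.g. `// Both sources must describe the same peer certificate; prefer the X.509 object, fall back to the env vars OpenVPN exports`. Note too that a failed extraction returns OPENVPN_PLUGIN_FUNC_ERROR for every non-UP type, including CLIENT_DISCONNECT — if that path is reachable, the logout is never registered and the session record stays open, which may be acceptable but is worth a sentence in the code. The enclosing function continues outside this hunk.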
@@ -376,29 +416,33 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
 break;
 case OPENVPN_PLUGIN_TLS_VERIFY:
 // Validate certificates
- result = eurephia_tlsverify(ctx, args->envp, args->argv[1]);
+ result = eurephia_tlsverify(ctx, args->envp, args->argv[1], ci);
 break;
 case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
 // Validate user name and password
- result = eurephia_userauth(ctx, args->envp);
+ result = eurephia_userauth(ctx, args->envp, ci);
 break;
 case OPENVPN_PLUGIN_CLIENT_CONNECT:
 // Register login
- result = eurephia_connect(ctx, args->envp);
+ result = eurephia_connect(ctx, args->envp, ci);
 break;
 case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
 // Register logout
- result = eurephia_disconnect(ctx, args->envp);
+ result = eurephia_disconnect(ctx, args->envp, ci);
 break;
 case OPENVPN_PLUGIN_LEARN_ADDRESS:
 // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, args->argv[1], args->argv[2], args->envp);
+ result = eurephia_learn_address(ctx, args->argv[1],
+ args->argv[2],
+ args->envp, ci);
 break;
 default:
 // This should normally not be reached at all
 eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", args->type);
 break;
 }
+ free_certinfo(ci);
+
 return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
 }
|