path: root/plugin/eurephia-auth.c
Diffstat (limited to 'plugin/eurephia-auth.c')
-rw-r--r--plugin/eurephia-auth.c68
1 files changed, 56 insertions, 12 deletions
diff --git a/plugin/eurephia-auth.c b/plugin/eurephia-auth.c
index 47ee55e..a491a44 100644
--- a/plugin/eurephia-auth.c
+++ b/plugin/eurephia-auth.c
@@ -33,8 +33,10 @@
#include <string.h>
#include <unistd.h>
+#define ENABLE_SSL
#include "openvpn-plugin.h"
#define EUREPHIA_FWINTF
+#include <certinfo.h>
#include <eurephiafw_struct.h>
#include <eurephia_context.h>
#include <eurephiadb.h>
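Review bot: `#define ENABLE_SSL` is added unconditionally right before `#include "openvpn-plugin.h"`; if the build also passes `-DENABLE_SSL` this redefines the macro (a warning, or an error under `-Werror`), and nothing here tells a reader that it is meant to switch on an SSL-dependent section of that header. Wrapping it as `#ifndef ENABLE_SSL` / `#define ENABLE_SSL` / `#endif` and commenting `// expose the OpenSSL-dependent parts of openvpn-plugin.h (e.g. current_cert)` would make the intent explicit. That the header keys on this macro is inferred from the name, not visible in the hunk.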
@@ -237,7 +239,18 @@ OPENVPN_EXPORT int openvpn_plugin_open_v3(const int apiversion,
#warning MEMWATCH enabled
#endif
// Check that we are API compatible
- if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ if( apiversion != OPENVPN_PLUGINv3_STRUCTVER ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN and eurephia's plug-in API is "
+ "not compatible.");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ // Check that OpenVPN uses OpenSSL
+ if( arguments->ssl_api != SSLAPI_OPENSSL ) {
+ arguments->callbacks->plugin_log(PLOG_ERR, "eurephia",
+ "OpenVPN is not compiled against OpenSSL. "
+ "eurephia requires OpenSSL.");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
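Review bot: The compatibility failure in the `apiversion != OPENVPN_PLUGINv3_STRUCTVER` branch is reported through `arguments->callbacks->plugin_log`, i.e. by dereferencing the very struct whose layout the check has just concluded differs from what this plug-in was built against; unless `callbacks` is guaranteed to sit at a stable offset across struct versions, that dereference may itself fault. Returning `OPENVPN_PLUGIN_FUNC_ERROR` without touching `arguments` in that branch, or reporting through a path that does not depend on the struct layout, would be safer. The parameter is named `apiversion` but is compared against a struct-version constant; if it is in fact OpenVPN's v3 struct-version argument, a comment such as `// first argument is the v3 struct version, not the plug-in API version` (or a rename) would avoid confusion. `openvpn_plugin_open_v3` starts and ends outside the hunk.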
@@ -279,7 +292,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
{
eurephiaCTX *ctx = (eurephiaCTX *) handle;
int result = 0;
-
+ certinfo *ci = NULL;
if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -294,6 +307,16 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
}
#endif
+ if( type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ ci = parse_tlsid(GETENV_TLSID(ctx, envp, argv[1]),
+ GETENV_TLSDIGEST(ctx, envp, argv[1]));
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
switch( type ) {
case OPENVPN_PLUGIN_UP:
result = detect_tunnel_type(ctx, envp); // Figure out what kind of tunnel type we got.
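Review bot: The comment `// Exctract certificate information from either environment variables` at the top of the new `if( type != OPENVPN_PLUGIN_UP )` block is misspelled and cut off mid-sentence; in this v1 path there is only one source, so `// Extract certificate information from the TLS-id/TLS-digest environment variables` reads correctly. The same `Exctract` typo is in the v3 hunk below (`-364,6 +389,21`). Note also that `argv[1]` is handed to `GETENV_TLSID`/`GETENV_TLSDIGEST` for every non-UP type, including whatever reaches the `default` case; the hunk does not show whether those macros tolerate a NULL `argv[1]`, so a guard such as `if( argv[1] == NULL ) { eurephia_log(ctx, LOG_FATAL, 0, "Missing argument"); return OPENVPN_PLUGIN_FUNC_ERROR; }` may be needed. `openvpn_plugin_func_v1` starts and ends outside the hunk.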
@@ -305,29 +328,30 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
break;
case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates
- result = eurephia_tlsverify(ctx, envp, argv[1]);
+ result = eurephia_tlsverify(ctx, envp, argv[1], ci);
break;
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password
- result = eurephia_userauth(ctx, envp);
+ result = eurephia_userauth(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login
- result = eurephia_connect(ctx, envp);
+ result = eurephia_connect(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout
- result = eurephia_disconnect(ctx, envp);
+ result = eurephia_disconnect(ctx, envp, ci);
break;
case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, argv[1], argv[2], envp);
+ result = eurephia_learn_address(ctx, argv[1], argv[2], envp, ci);
break;
default: // This should normally not be reached at all
eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", type);
break;
}
+ free_certinfo(ci);
return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
}
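Review bot: `free_certinfo(ci)` after the `switch` is reached with `ci == NULL` for `OPENVPN_PLUGIN_UP`, and the hunk gives no way to tell whether `free_certinfo` accepts NULL; if it does, a comment `// ci is NULL for OPENVPN_PLUGIN_UP; free_certinfo() must tolerate that` records the assumption, otherwise the call needs a guard. The ownership contract is also implicit: the five `eurephia_*` callees now receive `ci` but this function frees it unconditionally, so any callee that retains the pointer (in the context, a session record, or a log entry) would be left with a dangling reference — a line such as `// ci is owned here; callees may read it but must not retain it` next to the declaration of `ci` would pin that down. The same applies to the `free_certinfo(ci)` in the v3 hunk (`-376,29 +416,33`). The enclosing `openvpn_plugin_func_v1` starts outside the hunk.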
@@ -350,6 +374,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
{
eurephiaCTX *ctx = (eurephiaCTX *) args->handle;
int result = 0;
+ certinfo *ci = NULL;
if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) {
return OPENVPN_PLUGIN_FUNC_ERROR;
@@ -364,6 +389,21 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
}
#endif
+ if( args->type != OPENVPN_PLUGIN_UP ) {
+ // Exctract certificate information from either environment variables
+ // or the X.509 certificate if we have that available
+ if( args->current_cert != NULL ) {
+ ci = parse_x509_cert(args->current_cert);
+ } else {
+ ci = parse_tlsid(GETENV_TLSID(ctx, args->envp, args->argv[1]),
+ GETENV_TLSDIGEST(ctx, args->envp, args->argv[1]));
+ }
+ if( ci == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ }
+
switch( args->type ) {
case OPENVPN_PLUGIN_UP:
// Figure out what kind of tunnel type we got.
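Review bot: The `ci == NULL` branch logs the same `"Failed to extract certificate info"` for both sources, so from the OpenVPN log an operator cannot tell whether `parse_x509_cert(args->current_cert)` or the `parse_tlsid(...)` environment path failed; including the source, e.g. `eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info from %s", (args->current_cert != NULL ? "X.509 certificate" : "environment"));`, makes the fatal entry actionable during triage. There is also no fallback from a failed X.509 parse to the environment variables; if that is deliberate (environment values should not stand in for a certificate OpenVPN handed over), a one-line comment to that effect would help the next reader. `openvpn_plugin_func_v3` starts and ends outside the hunk.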
@@ -376,29 +416,33 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver,
break;
case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates
- result = eurephia_tlsverify(ctx, args->envp, args->argv[1]);
+ result = eurephia_tlsverify(ctx, args->envp, args->argv[1], ci);
break;
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password
- result = eurephia_userauth(ctx, args->envp);
+ result = eurephia_userauth(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login
- result = eurephia_connect(ctx, args->envp);
+ result = eurephia_connect(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout
- result = eurephia_disconnect(ctx, args->envp);
+ result = eurephia_disconnect(ctx, args->envp, ci);
break;
case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall
- result = eurephia_learn_address(ctx, args->argv[1], args->argv[2], args->envp);
+ result = eurephia_learn_address(ctx, args->argv[1],
+ args->argv[2],
+ args->envp, ci);
break;
default: // This should normally not be reached at all
eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", args->type);
break;
}
+ free_certinfo(ci);
+
return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR);
}