From ef0c3ffb0c85def725b7ef56fd99339b670ee60a Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Fri, 7 Jun 2013 17:33:12 +0200 Subject: plugin: Reworked the certinfo integration and use the X.509 certificate from OpenVPN The OpenVPN plug-in v3 API there is direct access to the X.509 certificate data. This patch starts the adoptation to make use of that, but also to preserve backwards compatibility. Signed-off-by: David Sommerseth --- plugin/eurephia-auth.c | 68 +++++++++++++++++++++----- plugin/eurephia.c | 130 ++++++++++++++++--------------------------------- plugin/eurephia.h | 10 ++-- 3 files changed, 103 insertions(+), 105 deletions(-) diff --git a/plugin/eurephia-auth.c b/plugin/eurephia-auth.c index 47ee55e..a491a44 100644 --- a/plugin/eurephia-auth.c +++ b/plugin/eurephia-auth.c @@ -33,8 +33,10 @@ #include #include +#define ENABLE_SSL #include "openvpn-plugin.h" #define EUREPHIA_FWINTF +#include #include #include #include @@ -237,7 +239,18 @@ OPENVPN_EXPORT int openvpn_plugin_open_v3(const int apiversion, #warning MEMWATCH enabled #endif // Check that we are API compatible - if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) { + if( apiversion != OPENVPN_PLUGINv3_STRUCTVER ) { + arguments->callbacks->plugin_log(PLOG_ERR, "eurephia", + "OpenVPN and eurephia's plug-in API is " + "not compatible."); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + // Check that OpenVPN uses OpenSSL + if( arguments->ssl_api != SSLAPI_OPENSSL ) { + arguments->callbacks->plugin_log(PLOG_ERR, "eurephia", + "OpenVPN is not compiled against OpenSSL. " + "eurephia requires OpenSSL."); return OPENVPN_PLUGIN_FUNC_ERROR; } @@ -279,7 +292,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, { eurephiaCTX *ctx = (eurephiaCTX *) handle; int result = 0; - + certinfo *ci = NULL; if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) { return OPENVPN_PLUGIN_FUNC_ERROR; @@ -294,6 +307,16 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, } #endif + if( type != OPENVPN_PLUGIN_UP ) { + // Exctract certificate information from either environment variables + ci = parse_tlsid(GETENV_TLSID(ctx, envp, argv[1]), + GETENV_TLSDIGEST(ctx, envp, argv[1])); + if( ci == NULL ) { + eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + } + switch( type ) { case OPENVPN_PLUGIN_UP: result = detect_tunnel_type(ctx, envp); // Figure out what kind of tunnel type we got. @@ -305,29 +328,30 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, break; case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates - result = eurephia_tlsverify(ctx, envp, argv[1]); + result = eurephia_tlsverify(ctx, envp, argv[1], ci); break; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password - result = eurephia_userauth(ctx, envp); + result = eurephia_userauth(ctx, envp, ci); break; case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login - result = eurephia_connect(ctx, envp); + result = eurephia_connect(ctx, envp, ci); break; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout - result = eurephia_disconnect(ctx, envp); + result = eurephia_disconnect(ctx, envp, ci); break; case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall - result = eurephia_learn_address(ctx, argv[1], argv[2], envp); + result = eurephia_learn_address(ctx, argv[1], argv[2], envp, ci); break; default: // This should normally not be reached at all eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", type); break; } + free_certinfo(ci); return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR); } @@ -350,6 +374,7 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver, { eurephiaCTX *ctx = (eurephiaCTX *) args->handle; int result = 0; + certinfo *ci = NULL; if( (ctx == NULL) || (ctx->dbc == NULL) || (ctx->dbc->dbhandle == NULL) ) { return OPENVPN_PLUGIN_FUNC_ERROR; @@ -364,6 +389,21 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver, } #endif + if( args->type != OPENVPN_PLUGIN_UP ) { + // Exctract certificate information from either environment variables + // or the X.509 certificate if we have that available + if( args->current_cert != NULL ) { + ci = parse_x509_cert(args->current_cert); + } else { + ci = parse_tlsid(GETENV_TLSID(ctx, args->envp, args->argv[1]), + GETENV_TLSDIGEST(ctx, args->envp, args->argv[1])); + } + if( ci == NULL ) { + eurephia_log(ctx, LOG_FATAL, 0, "Failed to extract certificate info"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + } + switch( args->type ) { case OPENVPN_PLUGIN_UP: // Figure out what kind of tunnel type we got. @@ -376,29 +416,33 @@ OPENVPN_EXPORT int openvpn_plugin_func_v3(const int apiver, break; case OPENVPN_PLUGIN_TLS_VERIFY: // Validate certificates - result = eurephia_tlsverify(ctx, args->envp, args->argv[1]); + result = eurephia_tlsverify(ctx, args->envp, args->argv[1], ci); break; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: // Validate user name and password - result = eurephia_userauth(ctx, args->envp); + result = eurephia_userauth(ctx, args->envp, ci); break; case OPENVPN_PLUGIN_CLIENT_CONNECT: // Register login - result = eurephia_connect(ctx, args->envp); + result = eurephia_connect(ctx, args->envp, ci); break; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: // Register logout - result = eurephia_disconnect(ctx, args->envp); + result = eurephia_disconnect(ctx, args->envp, ci); break; case OPENVPN_PLUGIN_LEARN_ADDRESS: // Log IP address, MAC address and update firewall - result = eurephia_learn_address(ctx, args->argv[1], args->argv[2], args->envp); + result = eurephia_learn_address(ctx, args->argv[1], + args->argv[2], + args->envp, ci); break; default: // This should normally not be reached at all eurephia_log(ctx, LOG_FATAL, 0, "Unknown OPENVPN_PLUGIN type: %i", args->type); break; } + free_certinfo(ci); + return (result == 1 ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR); } diff --git a/plugin/eurephia.c b/plugin/eurephia.c index 01f14fe..5777cd7 100644 --- a/plugin/eurephia.c +++ b/plugin/eurephia.c @@ -38,6 +38,7 @@ #include #include #include +#include #define EUREPHIA_FWINTF /**< Include the proper eurephiaFWINTF declaration in eurephiaCTX */ #include @@ -291,13 +292,12 @@ int eurephiaShutdown(eurephiaCTX *ctx) * * @return Returns 0 on failure and 1 on success. */ -int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str) +int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str, + certinfo *ci) { int result = 0; char *ipaddr; - char *tls_digest, *tls_id; unsigned int depth = atoi_nullsafe(depth_str); - certinfo *ci = NULL; DEBUG(ctx, 10, "** Function call: eurephia_tlsverify(...)"); @@ -317,22 +317,18 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str } // Check if certificate digest is blacklisted - tls_digest = GETENV_TLSDIGEST(ctx, env, depth); - if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) { + if( eDBblacklist_check(ctx, attempt_CERTIFICATE, ci->digest) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); - free_nullsafe(ctx, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); free_nullsafe(ctx, ipaddr); return 0; } // Check if certificate is registered and allowed - tls_id = GETENV_TLSID(ctx, env, depth); - ci = parse_tlsid(tls_id); - result = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, depth); + result = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, depth); if( result < 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); } if( result > 0 ) { @@ -343,12 +339,9 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str } else { eurephia_log(ctx, LOG_WARNING, 0, "Unknown certificate for: %s/%s/%s (depth %i, digest: %s)", - ci->org, ci->common_name, ci->email, depth, tls_digest); + ci->org, ci->common_name, ci->email, depth, ci->digest); } - free_nullsafe(ctx, tls_id); - free_nullsafe(ctx, tls_digest); free_nullsafe(ctx, ipaddr); - free_certinfo(ci); DEBUG(ctx, 10, "** Function result: eurephia_tlsverify(...) == %i", result > 0); return (result > 0); @@ -363,17 +356,16 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth_str * * @return Returns 0 on failure and 1 on success. */ -int eurephia_userauth(eurephiaCTX *ctx, const char **env) +int eurephia_userauth(eurephiaCTX *ctx, const char **env, certinfo *ci) { eurephiaSESSION *authsess = NULL; eDBauthMethodResult *authmeth = NULL; eAuthPlugin *authplug = NULL; eAuthResult *authres = NULL; int result = 0, certid = 0; - char *cname, *remport, *ipaddr = NULL; - char *tls_digest = NULL, *tls_id = NULL, *username = NULL; + char *remport, *ipaddr = NULL; + char *username = NULL; char *passwd = NULL, *pwdcache = NULL, *chkpwd = NULL; - certinfo *ci = NULL; DEBUG(ctx, 10, "** Function call: eurephia_userauth(...)"); @@ -395,12 +387,10 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) } // Check if certificate digest is blacklisted - tls_digest = GETENV_TLSDIGEST(ctx, env, 0); - if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) { + if( eDBblacklist_check(ctx, attempt_CERTIFICATE, ci->digest) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); free_nullsafe(ctx, ipaddr); - free_nullsafe(ctx, tls_digest); return 0; } @@ -408,30 +398,23 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) username = GETENV_USERNAME(ctx, env); if( eDBblacklist_check(ctx, attempt_USERNAME, username) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username); free_nullsafe(ctx, username); free_nullsafe(ctx, ipaddr); - free_nullsafe(ctx, tls_digest); return 0; } // Get certificate ID - tls_id = GETENV_TLSID(ctx, env, 0); - ci = parse_tlsid(tls_id); - certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, 0); + certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, 0); if( certid < 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username); - free_nullsafe(ctx, tls_id); free_nullsafe(ctx, username); free_nullsafe(ctx, ipaddr); - free_nullsafe(ctx, tls_digest); - free_certinfo(ci); return 0; } - free_certinfo(ci); // Do username/password/certificate authentication passwd = GETENV_PASSWORD(ctx, env); @@ -441,10 +424,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) memset(passwd, 0, strlen_nullsafe(passwd)); munlock(passwd, strlen_nullsafe(passwd)); free_nullsafe(ctx, passwd); - free_nullsafe(ctx, tls_id); free_nullsafe(ctx, username); free_nullsafe(ctx, ipaddr); - free_nullsafe(ctx, tls_digest); return 0; } @@ -453,11 +434,11 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) // Get an authentication session, which is not a real session ticket // but it uses almost the same system - cname = GETENV_CNAME(ctx, env); remport = GETENV_UNTRUSTEDPORT(ctx, env); // an authentication session do not use assigned VPN address - authsess = eDBopen_session_seed(ctx, tls_digest, cname, username, NULL, NULL, + authsess = eDBopen_session_seed(ctx, ci->digest, ci->common_name, username, + NULL, NULL, ipaddr, remport); if( authsess == NULL ) { // No session found @@ -590,14 +571,14 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) /* If the authentication failed, register the failed attempt */ if( result < 0 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, ci->digest); eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username); } if( result > 0 ) { // If we have a valid result, reset all attempt counters. eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_RESET, ipaddr); - eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest); + eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, ci->digest); eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_RESET, username); if( !eDBset_session_value(ctx, authsess, "pwdcache", chkpwd) ) { @@ -612,12 +593,9 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) munlock(passwd, strlen_nullsafe(passwd)); eDBfree_session(ctx, authsess); free_nullsafe(ctx, remport); - free_nullsafe(ctx, cname); free_nullsafe(ctx, passwd); - free_nullsafe(ctx, tls_id); free_nullsafe(ctx, username); free_nullsafe(ctx, ipaddr); - free_nullsafe(ctx, tls_digest); free_nullsafe(ctx, chkpwd); DEBUG(ctx, 10, "** Function result: eurephia_userauth(...) = %i", (result>0)); return (result > 0); @@ -633,19 +611,14 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) * * @return Returns 0 on failure and 1 on success. */ -int eurephia_connect(eurephiaCTX *ctx, const char **env) { +int eurephia_connect(eurephiaCTX *ctx, const char **env, certinfo *ci) { eurephiaSESSION *session = NULL; - char *digest, *cname, *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport, - *proto, *tlsid; + char *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport, *proto; int certid = 0, uid = 0, accprofile = -1, ret = 0; - certinfo *ci = NULL; DEBUG(ctx, 10, "** Function call: eurephia_connect(...)"); // Fetch needed info - digest = GETENV_TLSDIGEST(ctx, env, 0); - tlsid = GETENV_TLSID(ctx, env, 0); - cname = GETENV_CNAME(ctx, env); uname = GETENV_USERNAME(ctx, env); vpnipaddr = GETENV_POOLIPADDR(ctx, env); vpnipmask = GETENV_POOLNETMASK(ctx, env); @@ -654,7 +627,8 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) { proto = GETENV_PROTO1(ctx, env); // Get a session ticket - session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, + session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, + uname, vpnipaddr, vpnipmask, remipaddr, remport); if( session == NULL ) { free_nullsafe(ctx, proto); @@ -663,32 +637,21 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) { free_nullsafe(ctx, vpnipaddr); free_nullsafe(ctx, vpnipmask); free_nullsafe(ctx, uname); - free_nullsafe(ctx, cname); - free_nullsafe(ctx, tlsid); - free_nullsafe(ctx, digest); return 0; } - // Get certificate info - ci = parse_tlsid(tlsid); - if( ci == NULL ) { - eurephia_log(ctx, LOG_FATAL, 1, "Could not parse the TLS ID string"); - eDBfree_session(ctx, session); - return 0; - } - certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, digest, 0); + certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, ci->digest, 0); if( certid < 1 ) { eurephia_log(ctx, LOG_WARNING, 0, "Failed to lookup certificate: %s/%s/%s [%s]", - ci->org, ci->common_name, ci->email, digest); - free_certinfo(ci); + ci->org, ci->common_name, ci->email, ci->digest); return 0; } uid = eDBget_uid(ctx, certid, uname); - free_certinfo(ci); // Register the session login accprofile = eDBget_accessprofile(ctx, uid, certid); - ret = eDBregister_login2(ctx, session, certid, accprofile, uid, proto, remipaddr, remport); + ret = eDBregister_login2(ctx, session, certid, accprofile, uid, proto, + remipaddr, remport); eDBfree_session(ctx, session); eurephia_log(ctx, LOG_INFO, 1, "User '%s' connected", uname); @@ -698,9 +661,6 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) { free_nullsafe(ctx, vpnipaddr); free_nullsafe(ctx, vpnipmask); free_nullsafe(ctx, uname); - free_nullsafe(ctx, cname); - free_nullsafe(ctx, tlsid); - free_nullsafe(ctx, digest); DEBUG(ctx, 10, "** Function result: eurephia_connect(...) = %i", ret); return ret; @@ -714,17 +674,15 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) { * * @return Returns 0 on failure and 1 on success. */ -int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { +int eurephia_disconnect(eurephiaCTX *ctx, const char **env, certinfo *ci) { eurephiaSESSION *session = NULL; - char *digest, *cname, *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport; + char *uname, *vpnipaddr, *vpnipmask, *remipaddr, *remport; char *bytes_sent, *bytes_rec, *duration; int ret = 0; DEBUG(ctx, 10, "** Function call: eurephia_disconnect(...)"); // Fetch needed info - digest = GETENV_TLSDIGEST(ctx, env, 0); - cname = GETENV_CNAME(ctx, env); uname = GETENV_USERNAME(ctx, env); vpnipaddr = GETENV_POOLIPADDR(ctx, env); vpnipmask = GETENV_POOLNETMASK(ctx, env); @@ -735,7 +693,8 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { duration = GETENV_TIMEDURATION(ctx, env); // Get a session ticket - session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, + session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname, + vpnipaddr, vpnipmask, remipaddr, remport); if( session == NULL ) { free_nullsafe(ctx, duration); @@ -746,8 +705,6 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { free_nullsafe(ctx, vpnipaddr); free_nullsafe(ctx, vpnipmask); free_nullsafe(ctx, uname); - free_nullsafe(ctx, cname); - free_nullsafe(ctx, digest); return 0; } @@ -762,10 +719,12 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { eurephia_log(ctx, LOG_INFO, 1, "User '%s' logged out", uname); // Get the authentication session and destroy it - session = eDBopen_session_seed(ctx, digest, cname, uname, NULL, NULL, remipaddr, remport); + session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname, + NULL, NULL, remipaddr, remport); if( !eDBdestroy_session(ctx, session) ) { - eurephia_log(ctx, LOG_WARNING, 0, "Could not destroy authentication session (%s/%s/%s)", - uname, cname, digest); + eurephia_log(ctx, LOG_WARNING, 0, + "Could not destroy authentication session (%s/%s/%s)", + uname, ci->common_name, ci->digest); } eDBfree_session(ctx, session); free_nullsafe(ctx, duration); @@ -776,8 +735,6 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { free_nullsafe(ctx, vpnipaddr); free_nullsafe(ctx, vpnipmask); free_nullsafe(ctx, uname); - free_nullsafe(ctx, cname); - free_nullsafe(ctx, digest); DEBUG(ctx, 10, "** Function result: eurephia_disconnect(...) = %i", ret); return ret; @@ -796,10 +753,10 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { * * @return Returns 0 on failure and 1 on success. */ -int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr, const char **env) { +int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr, + const char **env, certinfo *ci) { eurephiaSESSION *session = NULL; - char *digest = NULL, *cname = NULL, *uname = NULL, - *vpnipaddr = NULL, *vpnipmask = NULL, + char *uname = NULL, *vpnipaddr = NULL, *vpnipmask = NULL, *remipaddr = NULL, *remport = NULL; char *fwprofile = NULL, *fwdest = NULL; int ret = 0, fw_enabled = 0; @@ -824,8 +781,6 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien || ((ctx->tuntype == tuntype_TUN) && (strncmp(mode, "update", 6) == 0)) ) { // Fetch needed info - digest = GETENV_TLSDIGEST(ctx, env, 0); - cname = GETENV_CNAME(ctx, env); uname = GETENV_USERNAME(ctx, env); vpnipaddr = GETENV_POOLIPADDR(ctx, env); vpnipmask = GETENV_POOLNETMASK(ctx, env); @@ -833,7 +788,8 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien remport = GETENV_TRUSTEDPORT(ctx, env); // Get a session ticket - session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, + session = eDBopen_session_seed(ctx, ci->digest, ci->common_name, uname, + vpnipaddr, vpnipmask, remipaddr, remport); if( session == NULL ) { ret = 0; @@ -915,8 +871,6 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clien free_nullsafe(ctx, vpnipaddr); free_nullsafe(ctx, vpnipmask); free_nullsafe(ctx, uname); - free_nullsafe(ctx, cname); - free_nullsafe(ctx, digest); DEBUG(ctx, 10, "** Function result: eurephia_learn_address(ctx, '%s', '%.18s', ...) = %i", mode, clientaddr, ret); diff --git a/plugin/eurephia.h b/plugin/eurephia.h index dc6918e..8c9d36a 100644 --- a/plugin/eurephia.h +++ b/plugin/eurephia.h @@ -40,11 +40,11 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp, struct openvpn_plugin_callbacks const *ovpn_callbacks); int eurephiaShutdown(eurephiaCTX *ctx); -int eurephia_tlsverify(eurephiaCTX *ctx, const char **argv, const char *depth); -int eurephia_userauth(eurephiaCTX *ctx, const char **env); -int eurephia_connect(eurephiaCTX *ctx, const char **env); -int eurephia_disconnect(eurephiaCTX *ctx, const char **env); +int eurephia_tlsverify(eurephiaCTX *ctx, const char **argv, const char *depth, certinfo *ci); +int eurephia_userauth(eurephiaCTX *ctx, const char **env, certinfo *ci); +int eurephia_connect(eurephiaCTX *ctx, const char **env, certinfo *ci); +int eurephia_disconnect(eurephiaCTX *ctx, const char **env, certinfo *ci); int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macaddr, - const char **env); + const char **env, certinfo *ci); #endif /* !EUREPHIA_H_ */ -- cgit