authorAdriaan de Jong <dejong@fox-it.com>2011-06-30 14:15:40 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 11:32:40 +0200
commit75c67073ed5d35b0efcd2a99492cf34339da08fb (patch)
treedeb4f2137dd918ae06a50bf1e89f94690526eb3a
parenta4c926bb5939d95d9e7c0dfd4b83e61a11f86c90 (diff)
Refactored tls-verify-plugin code
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--openvpn-plugin.h11
-rw-r--r--plugin.c4
-rw-r--r--plugin.h4
-rw-r--r--ssl.c26
-rw-r--r--ssl_verify.c33
-rw-r--r--ssl_verify.h2
6 files changed, 51 insertions, 29 deletions
diff --git a/openvpn-plugin.h b/openvpn-plugin.h
index 24aa36c..8bbafa2 100644
--- a/openvpn-plugin.h
+++ b/openvpn-plugin.h
@@ -22,7 +22,12 @@
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-#include <openssl/x509v3.h>
+#ifndef OPENVPN_PLUGIN_H_
+#define OPENVPN_PLUGIN_H_
+
+#ifdef USE_OPENSSL
+#include "ssl_verify_openssl.h"
+#endif
#define OPENVPN_PLUGIN_VERSION 3
@@ -272,7 +277,7 @@ struct openvpn_plugin_args_func_in
openvpn_plugin_handle_t handle;
void *per_client_context;
int current_cert_depth;
- X509 *current_cert;
+ x509_cert_t *current_cert;
};
@@ -700,3 +705,5 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1)
(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]);
+
+#endif /* OPENVPN_PLUGIN_H_ */
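Review bot: `x509_cert_t` in `struct openvpn_plugin_args_func_in` is now only defined when USE_OPENSSL is set, because the typedef comes from the conditionally included `ssl_verify_openssl.h`; since openvpn-plugin.h is the header third-party plugins build against, a plugin compiled without that define, or without the OpenVPN source tree on its include path, would presumably fail on an unknown type where the old unconditional `#include <openssl/x509v3.h>` compiled. If that is the intended contract it should be stated next to the include, e.g. `/* Plugins must be built with USE_OPENSSL and the OpenVPN sources on the include path to obtain x509_cert_t. */`; otherwise an `#else` branch providing a fallback definition would keep the struct usable for plugins that never touch current_cert. The struct and the surrounding declarations extend outside the hunks.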
diff --git a/plugin.c b/plugin.c
index 745ea51..6cbf6a0 100644
--- a/plugin.c
+++ b/plugin.c
@@ -347,7 +347,7 @@ plugin_call_item (const struct plugin *p,
struct openvpn_plugin_string_list **retlist,
const char **envp,
int certdepth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
int status = OPENVPN_PLUGIN_FUNC_SUCCESS;
@@ -576,7 +576,7 @@ plugin_call (const struct plugin_list *pl,
struct plugin_return *pr,
struct env_set *es,
int certdepth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
if (pr)
plugin_return_init (pr);
diff --git a/plugin.h b/plugin.h
index d6ff08d..5518147 100644
--- a/plugin.h
+++ b/plugin.h
@@ -122,7 +122,7 @@ int plugin_call (const struct plugin_list *pl,
struct plugin_return *pr,
struct env_set *es,
int current_cert_depth,
- X509 *current_cert);
+ x509_cert_t *current_cert);
void plugin_list_close (struct plugin_list *pl);
bool plugin_defined (const struct plugin_list *pl, const int type);
@@ -176,7 +176,7 @@ plugin_call (const struct plugin_list *pl,
struct plugin_return *pr,
struct env_set *es,
int current_cert_depth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
return 0;
}
diff --git a/ssl.c b/ssl.c
index 8d1fd73..06ce30e 100644
--- a/ssl.c
+++ b/ssl.c
@@ -431,29 +431,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
goto err;
- /* call --tls-verify plug-in(s) */
- if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
- {
- int ret;
-
- argv_printf (&argv, "%d %s",
- cert_depth,
- subject);
-
- ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert);
-
- if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
- {
- msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
- cert_depth, subject);
- }
- else
- {
- msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
- cert_depth, subject);
- goto err; /* Reject connection */
- }
- }
+ /* call --tls-verify plug-in(s), if registered */
+ if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+ goto err;
/* run --tls-verify script */
if (opt->verify_command)
diff --git a/ssl_verify.c b/ssl_verify.c
index 9eda092..84b758b 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -450,6 +450,39 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
}
}
+/*
+ * call --tls-verify plug-in(s)
+ */
+int
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+ int cert_depth, x509_cert_t *cert, char *subject)
+{
+ if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY))
+ {
+ int ret;
+ struct argv argv = argv_new ();
+
+ argv_printf (&argv, "%d %s", cert_depth, subject);
+
+ ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
+
+ argv_reset (&argv);
+
+ if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
+ cert_depth, subject);
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
+ cert_depth, subject);
+ return 1; /* Reject connection */
+ }
+ }
+ return 0;
+}
+
/* ***************************************************************************
* Functions for the management of deferred authentication when using
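Review bot: `subject` is only read in `verify_cert_call_plugin` (by `argv_printf` and `msg`), so the parameter should be `const char *subject` both in this definition and in the matching prototype in ssl_verify.h; the caller in ssl.c passes a `subject` whose declaration is outside the hunk, and a const parameter accepts it either way. The header comment also leaves the return convention undocumented; suggest `/* Call the --tls-verify plug-in(s), if any are registered. Returns 0 when no plug-in is registered or the plug-in(s) accepted the certificate, 1 when the connection must be rejected. */`. It is worth stating in that comment that any result other than OPENVPN_PLUGIN_FUNC_SUCCESS is treated as a rejection, which matches the code removed from ssl.c but is not obvious from the function name.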
diff --git a/ssl_verify.h b/ssl_verify.h
index acb27f5..91474e9 100644
--- a/ssl_verify.h
+++ b/ssl_verify.h
@@ -249,6 +249,8 @@ void
verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
const char *subject, const char *common_name,
const struct x509_track *x509_track);
+int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+ int cert_depth, x509_cert_t *cert, char *subject);
#endif /* SSL_VERIFY_H_ */