Incremented version to 2.1_rc7d.

Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED.  See comments in
openvpn-plugin.h for documentation.  Enabled by ENABLE_DEF_AUTH.

Added a simple packet filter functionality that can be driven by
a plugin.  See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.

See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.

"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication.  In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.

Added a test to configure.ac for LoadLibrary function on Windows.

Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.

setenv and setenv-safe directives may now omit a value argument
which defaults to "".


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 45 insertions, 3 deletions

diff --git a/ssl.h b/ssl.h
index a7876cb..2f8095f 100644
--- a/ssl.h
+++ b/ssl.h
@@ -370,11 +370,15 @@ struct key_state
    * If bad username/password, TLS connection will come up but 'authenticated' will be false.
    */
   bool authenticated;
+  time_t auth_deferred_expire;
 
+#ifdef ENABLE_DEF_AUTH
   /* If auth_deferred is true, authentication is being deferred */
-  char *auth_control_file;
   bool auth_deferred;
-  time_t auth_deferred_expire;
+  time_t acf_last_mod;
+  char *auth_control_file;
+  int auth_control_status;
+#endif
 };
 
 /*
@@ -498,6 +502,11 @@ struct tls_session
   int verify_maxlevel;
 
   char *common_name;
+
+#ifdef ENABLE_PF
+  uint32_t common_name_hashval;
+#endif
+
   bool verified;                /* true if peer certificate was verified against CA */
 
   /* not-yet-authenticated incoming client */
@@ -569,8 +578,10 @@ struct tls_multi
    */
   char *locked_cn;
 
+#ifdef ENABLE_DEF_AUTH
   /* Time of last call to tls_authentication_status */
   time_t tas_last;
+#endif
 
   /*
    * Our session objects.
@@ -657,7 +668,7 @@ bool tls_send_payload (struct tls_multi *multi,
 bool tls_rec_payload (struct tls_multi *multi,
 		      struct buffer *buf);
 
-const char *tls_common_name (struct tls_multi* multi, bool null);
+const char *tls_common_name (const struct tls_multi* multi, const bool null);
 void tls_set_common_name (struct tls_multi *multi, const char *common_name);
 void tls_lock_common_name (struct tls_multi *multi);
 
@@ -672,6 +683,17 @@ void tls_deauthenticate (struct tls_multi *multi);
  * inline functions
  */
 
+static inline bool
+tls_test_auth_deferred_interval (const struct tls_multi *multi)
+{
+  if (multi)
+    {
+      const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+      return now < ks->auth_deferred_expire;
+    }
+  return false;
+}
+
 static inline int
 tls_test_payload_len (const struct tls_multi *multi)
 {
@@ -691,6 +713,26 @@ tls_set_single_session (struct tls_multi *multi)
     multi->opt.single_session = true;
 }
 
+#ifdef ENABLE_PF
+
+static inline bool
+tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
+{
+  if (multi)
+    {
+      const struct tls_session *s = &multi->session[TM_ACTIVE];
+      if (s->common_name && s->common_name[0] != '\0')
+	{
+	  *cn = s->common_name;
+	  *cn_hash = s->common_name_hashval;
+	  return true;
+	}
+    }
+  return false;
+}
+
+#endif
+
 /*
  * protocol_dump() flags
  */