-rw-r--r-- | openvpn-plugin.h | 11 | ||||
-rw-r--r-- | plugin.c | 4 | ||||
-rw-r--r-- | plugin.h | 4 | ||||
-rw-r--r-- | ssl.c | 26 | ||||
-rw-r--r-- | ssl_verify.c | 33 | ||||
-rw-r--r-- | ssl_verify.h | 2 |
6 files changed, 51 insertions, 29 deletions
diff --git a/openvpn-plugin.h b/openvpn-plugin.h index 24aa36c..8bbafa2 100644 --- a/openvpn-plugin.h +++ b/openvpn-plugin.h @@ -22,7 +22,12 @@ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include <openssl/x509v3.h> +#ifndef OPENVPN_PLUGIN_H_ +#define OPENVPN_PLUGIN_H_ + +#ifdef USE_OPENSSL +#include "ssl_verify_openssl.h" +#endif #define OPENVPN_PLUGIN_VERSION 3 @@ -272,7 +277,7 @@ struct openvpn_plugin_args_func_in openvpn_plugin_handle_t handle; void *per_client_context; int current_cert_depth; - X509 *current_cert; + x509_cert_t *current_cert; }; @@ -700,3 +705,5 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1) (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]); + +#endif /* OPENVPN_PLUGIN_H_ */ @@ -347,7 +347,7 @@ plugin_call_item (const struct plugin *p, struct openvpn_plugin_string_list **retlist, const char **envp, int certdepth, - X509 *current_cert) + x509_cert_t *current_cert) { int status = OPENVPN_PLUGIN_FUNC_SUCCESS; @@ -576,7 +576,7 @@ plugin_call (const struct plugin_list *pl, struct plugin_return *pr, struct env_set *es, int certdepth, - X509 *current_cert) + x509_cert_t *current_cert) { if (pr) plugin_return_init (pr); @@ -122,7 +122,7 @@ int plugin_call (const struct plugin_list *pl, struct plugin_return *pr, struct env_set *es, int current_cert_depth, - X509 *current_cert); + x509_cert_t *current_cert); void plugin_list_close (struct plugin_list *pl); bool plugin_defined (const struct plugin_list *pl, const int type); @@ -176,7 +176,7 @@ plugin_call (const struct plugin_list *pl, struct plugin_return *pr, struct env_set *es, int current_cert_depth, - X509 *current_cert) + x509_cert_t *current_cert) { return 0; } 
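Review bot: In the openvpn-plugin.h hunk, `x509_cert_t` now appears in the public plugin API (`current_cert` in `struct openvpn_plugin_args_func_in`, whose definition starts outside the hunk) but is only declared when `USE_OPENSSL` is defined and the internal `ssl_verify_openssl.h` is on the include path, whereas the removed `#include <openssl/x509v3.h>` gave out-of-tree plugins `X509` unconditionally. A plugin compiled without OpenVPN's config.h, or on a build with another SSL backend, will therefore hit an undeclared type in this header. Consider an `#else` branch that either includes the corresponding backend header or declares an opaque fallback, and add a comment above the `#ifdef USE_OPENSSL` telling plugin authors which define and header they need, e.g. `/* x509_cert_t is the backend's certificate type; plugins must define USE_OPENSSL (or the backend in use) and have the matching ssl_verify_*.h on their include path. */`. Presumably `x509_cert_t` is a typedef for `X509` on OpenSSL builds so that existing plugins still compile under `OPENVPN_PLUGIN_VERSION 3`; if that is not the case the version should be bumped.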
@@ -431,29 +431,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name)) goto err; - /* call --tls-verify plug-in(s) */ - if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY)) - { - int ret; - - argv_printf (&argv, "%d %s", - cert_depth, - subject); - - ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert); - - if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) - { - msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", - cert_depth, subject); - } - else - { - msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", - cert_depth, subject); - goto err; /* Reject connection */ - } - } + /* call --tls-verify plug-in(s), if registered */ + if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) + goto err; /* run --tls-verify script */ if (opt->verify_command) diff --git a/ssl_verify.c b/ssl_verify.c index 9eda092..84b758b 100644 --- a/ssl_verify.c +++ b/ssl_verify.c 
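Review bot: The removed block in `verify_cert` was the consumer of the function-local `argv` (via `argv_printf (&argv, ...)`), and the replacement `verify_cert_call_plugin` builds its own; since `verify_cert` starts and ends outside this hunk, it is worth confirming that the remaining `--tls-verify` script path still uses `argv` and that its `argv_new`/`argv_reset` pairing is intact, otherwise the variable is now dead or its reset is unreachable. The fail-closed `goto err` on a non-zero return is preserved, which is the right behavior for a certificate-verification hook. A one-line comment on the new call would help readers, e.g. `/* non-zero means a registered plug-in rejected the certificate */`.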
@@ -450,6 +450,39 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, } } +/* + * call --tls-verify plug-in(s) + */ +int +verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, + int cert_depth, x509_cert_t *cert, char *subject) +{ + if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY)) + { + int ret; + struct argv argv = argv_new (); + + argv_printf (&argv, "%d %s", cert_depth, subject); + + ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert); + + argv_reset (&argv); + + if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) + { + msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s", + cert_depth, subject); + } + else + { + msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", + cert_depth, subject); + return 1; /* Reject connection */ + } + } + return 0; +} + /* *************************************************************************** * Functions for the management of deferred authentication when using diff --git a/ssl_verify.h b/ssl_verify.h index acb27f5..91474e9 100644 --- a/ssl_verify.h +++ b/ssl_verify.h @@ -249,6 +249,8 @@ void verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, const char *subject, const char *common_name, const struct x509_track *x509_track); +int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, + int cert_depth, x509_cert_t *cert, char *subject); #endif /* SSL_VERIFY_H_ */ |
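Review bot: `verify_cert_call_plugin` only reads `subject` (it is passed to `argv_printf` and `msg`), so both the definition and the ssl_verify.h prototype should take `const char *subject`; this is backward-compatible for the caller in ssl.c and keeps the function from advertising a write it never performs. The error path discards the plugin return code, which makes triage of a rejected handshake harder; logging it is a one-line change, `msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s (ret=%d)", cert_depth, subject, ret);`. The prototype added to ssl_verify.h also needs a doc comment stating the contract, since callers must treat any non-zero value as a rejection: `/* Run the registered --tls-verify plug-ins for cert at cert_depth; returns 0 if they all accept (or none are registered), non-zero if the connection must be rejected. */`. Note that any non-success code, including a deferred result, is treated as a rejection exactly as the old inline code did, so this is not a behavior change.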