From 24ce3b27fb2c9fd53bd521e1dd524ad64e338e68 Mon Sep 17 00:00:00 2001
From: james
Date: Tue, 28 Oct 2008 20:01:05 +0000
Subject: Added server-side --auth-user-pass-optional directive, to allow connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module).

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 options.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
(limited to 'options.c')

diff --git a/options.c b/options.c
index f7d8a93..05a6960 100644
--- a/options.c
+++ b/options.c
@@ -381,6 +381,8 @@ static const char usage_message[] =
  " run script cmd to verify. If method='via-env', pass\n"
  " user/pass via environment, if method='via-file', pass\n"
  " user/pass via temporary file.\n"
+ "--auth-user-pass-optional : Allow connections by clients that don't\n"
+ " specify a username/password.\n"
  "--client-to-client : Internally route client-to-client traffic.\n"
  "--duplicate-cn : Allow multiple clients with the same common name to\n"
  " concurrently connect.\n"
@@ -965,10 +967,9 @@ show_p2mp_parms (const struct options *o)
  SHOW_INT (cf_per);
  SHOW_INT (max_clients);
  SHOW_INT (max_routes_per_client);
- SHOW_BOOL (client_cert_not_required);
- SHOW_BOOL (username_as_common_name)
  SHOW_STR (auth_user_pass_verify_script);
  SHOW_BOOL (auth_user_pass_verify_script_via_file);
+ SHOW_INT (ssl_flags);
 #if PORT_SHARE
  SHOW_STR (port_share_host);
  SHOW_INT (port_share_port);
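Review bot: The new usage text for --auth-user-pass-optional omits the precondition that options_postprocess_verify_ce enforces in this same commit — the option is rejected unless --management-client-auth, an --auth-user-pass-verify script, or a plugin is configured — so a reader of --help cannot tell that password-less clients are still handed to an external authenticator rather than admitted outright. Suggest extending the second added string to `" specify a username/password (requires --auth-user-pass-verify,\n"` followed by `" --management-client-auth, or an auth plugin).\n"`. The usage_message initializer continues on both sides of the hunk.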
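Review bot: `SHOW_INT (ssl_flags);` replaces two named booleans with a raw bitmask, so the startup parameter dump no longer states which authentication relaxations (client-cert-not-required, username-as-common-name, auth-user-pass-optional) are in effect — exactly what someone auditing a server's configuration from its log wants to see at a glance. Decoding each bit in the style of the removed SHOW_BOOL lines keeps that readability; one line per flag such as `msg (D_SHOW_PARMS, "  client_cert_not_required = %s", (o->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) ? "ENABLED" : "DISABLED");`, with matching lines for the other two flags, can sit next to the integer line. The body of show_p2mp_parms continues outside the hunk.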
@@ -1702,10 +1703,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
  || PLUGIN_OPTION_LIST (options)
  || MAN_CLIENT_AUTH_ENABLED (options));
  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
- if (options->client_cert_not_required && !ccnr)
+ if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
  msg (M_USAGE, "--client-cert-not-required %s", postfix);
- if (options->username_as_common_name && !ccnr)
+ if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
  msg (M_USAGE, "--username-as-common-name %s", postfix);
+ if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
+ msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
  }
  }
  else
@@ -1735,10 +1738,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
  msg (M_USAGE, "--duplicate-cn requires --mode server");
  if (options->cf_max || options->cf_per)
  msg (M_USAGE, "--connect-freq requires --mode server");
- if (options->client_cert_not_required)
+ if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
  msg (M_USAGE, "--client-cert-not-required requires --mode server");
- if (options->username_as_common_name)
+ if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
  msg (M_USAGE, "--username-as-common-name requires --mode server");
+ if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
+ msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
  if (options->auth_user_pass_verify_script)
  msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
 #if PORT_SHARE
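Review bot: Nothing in the server-mode branch rejects or warns about --auth-user-pass-optional combined with --client-cert-not-required, although each is individually gated on `ccnr`; with both set, a client presenting neither a certificate nor a username/password passes every option-level check, and whether it is then admitted rests entirely on the external script, plugin or management client, which this hunk cannot see. A loud warning beside the three checks would make that posture visible in the log: `if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))` / `msg (M_WARN, "WARNING: --client-cert-not-required and --auth-user-pass-optional are both set; clients may connect with no credentials unless the external authenticator rejects them");`. Likewise --username-as-common-name together with --auth-user-pass-optional raises the question of what common name a password-less client is given, which is worth confirming in the code that consumes the flag. options_postprocess_verify_ce begins before this hunk and ends after the following one.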
@@ -4559,12 +4564,17 @@ add_option (struct options *options,
  else if (streq (p[0], "client-cert-not-required"))
  {
  VERIFY_PERMISSION (OPT_P_GENERAL);
- options->client_cert_not_required = true;
+ options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
  }
  else if (streq (p[0], "username-as-common-name"))
  {
  VERIFY_PERMISSION (OPT_P_GENERAL);
- options->username_as_common_name = true;
+ options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
+ }
+ else if (streq (p[0], "auth-user-pass-optional"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
  }
  else if (streq (p[0], "auth-user-pass-verify") && p[1])
  {
--
cgit