From 47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 Mon Sep 17 00:00:00 2001
From: james
Date: Wed, 4 Jun 2008 05:16:44 +0000
Subject: Incremented version to 2.1_rc7d. Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 ssl.h | 48 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 3 deletions(-)
(limited to 'ssl.h')
diff --git a/ssl.h b/ssl.h
index a7876cb..2f8095f 100644
--- a/ssl.h
+++ b/ssl.h
@@ -370,11 +370,15 @@ struct key_state
 * If bad username/password, TLS connection will come up but 'authenticated' will be false. */
 bool authenticated;
+ time_t auth_deferred_expire;
+#ifdef ENABLE_DEF_AUTH
 /* If auth_deferred is true, authentication is being deferred */
- char *auth_control_file;
 bool auth_deferred;
- time_t auth_deferred_expire;
+ time_t acf_last_mod;
+ char *auth_control_file;
+ int auth_control_status;
+#endif
 };
 /*
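Review bot: The new key_state members `acf_last_mod` and `auth_control_status` are added without a comment, and `auth_deferred_expire` moves above the `#ifdef ENABLE_DEF_AUTH` block with nothing saying why it is unconditional while `auth_deferred` is not. I would put `/* expiry of the deferred-auth window; kept outside ENABLE_DEF_AUTH because tls_test_auth_deferred_interval reads it unconditionally */` on `auth_deferred_expire`, and give the two new fields a line each naming what they track (presumably the last observed modification time of auth_control_file and the status last read from it, to be confirmed against the .c side) and which values `auth_control_status` may hold. `auth_control_file` is a `char *`, and nothing in the hunk says who owns the string or when it is freed; that belongs in the same comment. The struct key_state definition starts before the hunk.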
@@ -498,6 +502,11 @@ struct tls_session
 int verify_maxlevel;
 char *common_name;
+
+#ifdef ENABLE_PF
+ uint32_t common_name_hashval;
+#endif
+
 bool verified; /* true if peer certificate was verified against CA */
 /* not-yet-authenticated incoming client */
@@ -569,8 +578,10 @@ struct tls_multi
 */
 char *locked_cn;
+#ifdef ENABLE_DEF_AUTH
 /* Time of last call to tls_authentication_status */
 time_t tas_last;
+#endif
 /*
 * Our session objects.
@@ -657,7 +668,7 @@ bool tls_send_payload (struct tls_multi *multi,
 bool tls_rec_payload (struct tls_multi *multi, struct buffer *buf);
-const char *tls_common_name (struct tls_multi* multi, bool null);
+const char *tls_common_name (const struct tls_multi* multi, const bool null);
 void tls_set_common_name (struct tls_multi *multi, const char *common_name);
 void tls_lock_common_name (struct tls_multi *multi);
@@ -672,6 +683,17 @@ void tls_deauthenticate (struct tls_multi *multi);
 * inline functions
 */
+static inline bool
+tls_test_auth_deferred_interval (const struct tls_multi *multi)
+{
+ if (multi)
+ {
+ const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ return now < ks->auth_deferred_expire;
+ }
+ return false;
+}
+
 static inline int
 tls_test_payload_len (const struct tls_multi *multi)
 {
@@ -691,6 +713,26 @@ tls_set_single_session (struct tls_multi *multi)
 multi->opt.single_session = true;
 }
+#ifdef ENABLE_PF
+
+static inline bool
+tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
+{
+ if (multi)
+ {
+ const struct tls_session *s = &multi->session[TM_ACTIVE];
+ if (s->common_name && s->common_name[0] != '\0')
+ {
+ *cn = s->common_name;
+ *cn_hash = s->common_name_hashval;
+ return true;
+ }
+ }
+ return false;
+}
+
+#endif
+
 /*
 * protocol_dump() flags
 */
-- cgit
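Review bot: `common_name_hashval` in struct tls_session is introduced with no comment on which hash it holds or when it is computed, so a reader cannot tell whether it has to be refreshed every time `common_name` changes. I would add `/* hash of common_name for the packet filter; must be recomputed whenever common_name is (re)assigned */` beside the field, adjusted to whatever tls_set_common_name actually does, which is outside this hunk. If the value were only refreshed lazily, `tls_common_name_hash` further down this file would hand out a stale hash for a renegotiated session. The enclosing struct begins before the hunk.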
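Review bot: `const bool null` in the new prototype for `tls_common_name` qualifies a by-value parameter, which has no effect on callers and is conventionally left off the declaration in a header; `const char *tls_common_name (const struct tls_multi* multi, bool null);` says the same thing. The `const` on `multi` is the substantive part of the change and reads correctly.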
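Review bot: `tls_test_auth_deferred_interval` carries no comment, and its result never consults `auth_deferred`; it answers purely from `now < ks->auth_deferred_expire` on the active session's primary key state. I would add `/* True while the deferred-auth window of the active session's primary key state is still open (now < auth_deferred_expire); false for a NULL multi. Does not check auth_deferred itself; relies on the global 'now'. */` above the definition. Since the field is unconditional but nothing in this diff assigns it when ENABLE_DEF_AUTH is off, the function's value in that build depends on how key_state is initialised elsewhere, which the comment should state once confirmed.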
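Review bot: `tls_common_name_hash` leaves `*cn` and `*cn_hash` untouched on every false path and treats an empty common name the same as an unset one, and neither part of that contract is written down. I would add `/* On success returns true and sets cn/cn_hash from the active session's non-empty common name; otherwise returns false and leaves both outputs unmodified. */` above the definition. A 32-bit hash can collide between distinct names, so a packet-filter consumer should treat an equal `cn_hash` as a prefilter and still compare `cn` with strcmp before applying a per-client rule; if the filter code already does this, a one-line remark here spares the next reader the check.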