Added OPENVPN_PLUGIN_TLS_FINAL plugin callback.
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Wed, 28 Dec 2005 06:58:19 +0000 (06:58 +0000)
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Wed, 28 Dec 2005 06:58:19 +0000 (06:58 +0000)
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@862 e7ae566f-a301-0410-adde-c780ea21d3b5

openvpn-plugin.h
plugin.c
ssl.c

index 1f53eeaee105c667b25c69b11c066b19ea091726..b33316881f893aaf195b56e53c99236b0c6c5388 100644 (file)
@@ -38,7 +38,8 @@
 #define OPENVPN_PLUGIN_CLIENT_DISCONNECT     7
 #define OPENVPN_PLUGIN_LEARN_ADDRESS         8
 #define OPENVPN_PLUGIN_CLIENT_CONNECT_V2     9
-#define OPENVPN_PLUGIN_N                     10
+#define OPENVPN_PLUGIN_TLS_FINAL             10
+#define OPENVPN_PLUGIN_N                     11
 
 /*
  * Build a mask out of a set of plug-in types.
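Review bot: `OPENVPN_PLUGIN_TLS_FINAL` is added with no comment describing its contract, although this header is what plugin authors build against. A short comment above the define would cover it, e.g. `/* Called after TLS authentication has succeeded; a non-zero return vetoes the authentication decision. */`, which matches how ssl.c treats the return value in this commit. If the header documents the other callback types somewhere outside this hunk, the new type should be added there as well.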
index 190b2c069face9e5b56f98ee60176e875f546769..e841dc77ef1fa26dc0ea8ac62bcee30f1cc578c7 100644 (file)
--- a/plugin.c
+++ b/plugin.c
@@ -87,6 +87,8 @@ plugin_type_name (const int type)
       return "PLUGIN_CLIENT_DISCONNECT";
     case OPENVPN_PLUGIN_LEARN_ADDRESS:
       return "PLUGIN_LEARN_ADDRESS";
+    case OPENVPN_PLUGIN_TLS_FINAL:
+      return "PLUGIN_TLS_FINAL";
     default:
       return "PLUGIN_???";
     }
diff --git a/ssl.c b/ssl.c
index 7be2394f2857daeff5b564806f673792abb17781..5f8b5d11b4c6bf0b0ba8a4a3c1bcf510be30180b 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -3087,7 +3087,17 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
   buf_clear (buf);
 
   /*
-   * generate tunnel keys if client
+   * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
+   * veto opportunity over authentication decision.
+   */
+  if (ks->authenticated && plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
+    {
+      if (plugin_call (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es))
+       ks->authenticated = false;
+    }
+
+  /*
+   * Generate tunnel keys if client
    */
   if (!session->opt->server)
     {
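Review bot: A veto from the TLS_FINAL plugin is applied silently: the branch under `if (plugin_call (...))` only clears `ks->authenticated`, so the log gives an operator no way to tell a plugin veto from any other authentication failure. I would brace the body and record the decision, e.g. `msg (D_TLS_ERRORS, "TLS Auth Error: OPENVPN_PLUGIN_TLS_FINAL plugin denied authentication");` ahead of `ks->authenticated = false;`. Execution also falls through to the tunnel-key generation below even after a veto. key_method_2_read continues outside the hunk, so it should be verified that the rest of the function and its callers re-check `ks->authenticated` and fail closed.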