* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-#include <openssl/x509v3.h>
+#ifndef OPENVPN_PLUGIN_H_
+#define OPENVPN_PLUGIN_H_
+
+#ifdef USE_OPENSSL
+#include "ssl_verify_openssl.h"
+#endif
#define OPENVPN_PLUGIN_VERSION 3
openvpn_plugin_handle_t handle;
void *per_client_context;
int current_cert_depth;
- X509 *current_cert;
+ x509_cert_t *current_cert;
};
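Review bot: The `current_cert` member of this public plugin struct now uses `x509_cert_t`, but that name is only brought into openvpn-plugin.h under `#ifdef USE_OPENSSL` via the internal header ssl_verify_openssl.h (the hunk at the top of this file), so a third-party plug-in compiled from openvpn-plugin.h alone, or built for a configuration without that define, would no longer see a complete `struct openvpn_plugin_args_func_in`. Since plug-ins are built against this header without the rest of the tree, consider keeping the field an opaque pointer type that the header can declare by itself, and add a comment on the member stating which crypto backend the pointed-to object belongs to, e.g. `/* backend certificate object; only meaningful when the core was built with the matching crypto library */`. The struct definition starts before this hunk.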
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1)
(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]);
+
+#endif /* OPENVPN_PLUGIN_H_ */
struct openvpn_plugin_string_list **retlist,
const char **envp,
int certdepth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
int status = OPENVPN_PLUGIN_FUNC_SUCCESS;
struct plugin_return *pr,
struct env_set *es,
int certdepth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
if (pr)
plugin_return_init (pr);
struct plugin_return *pr,
struct env_set *es,
int current_cert_depth,
- X509 *current_cert);
+ x509_cert_t *current_cert);
void plugin_list_close (struct plugin_list *pl);
bool plugin_defined (const struct plugin_list *pl, const int type);
struct plugin_return *pr,
struct env_set *es,
int current_cert_depth,
- X509 *current_cert)
+ x509_cert_t *current_cert)
{
return 0;
}
if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
goto err;
- /* call --tls-verify plug-in(s) */
- if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
- {
- int ret;
-
- argv_printf (&argv, "%d %s",
- cert_depth,
- subject);
-
- ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert);
-
- if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
- {
- msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
- cert_depth, subject);
- }
- else
- {
- msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
- cert_depth, subject);
- goto err; /* Reject connection */
- }
- }
+ /* call --tls-verify plug-in(s), if registered */
+ if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+ goto err;
/* run --tls-verify script */
if (opt->verify_command)
}
}
+/*
+ * call --tls-verify plug-in(s)
+ */
+int
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+ int cert_depth, x509_cert_t *cert, char *subject)
+{
+ if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY))
+ {
+ int ret;
+ struct argv argv = argv_new ();
+
+ argv_printf (&argv, "%d %s", cert_depth, subject);
+
+ ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
+
+ argv_reset (&argv);
+
+ if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
+ cert_depth, subject);
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
+ cert_depth, subject);
+ return 1; /* Reject connection */
+ }
+ }
+ return 0;
+}
+
/* ***************************************************************************
* Functions for the management of deferred authentication when using
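Review bot: `subject` in verify_cert_call_plugin is declared `char *` although the function only reads it (the `argv_printf` format and the two `msg` calls), so it should be `const char *subject` in the definition and in the matching prototype added to ssl_verify.h, i.e. `int cert_depth, x509_cert_t *cert, const char *subject);`. The block comment above the definition also leaves the return contract unstated; I would extend it to say that it returns 0 when no --tls-verify plug-in is registered or `plugin_call` reported OPENVPN_PLUGIN_FUNC_SUCCESS, and 1 for any other status, so that the caller's `goto err` in verify_cert stays the fail-closed path. The argv lifetime looks right here: `argv_reset` runs before the status is inspected, so both the accept and the reject path release it.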
verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
const char *subject, const char *common_name,
const struct x509_track *x509_track);
+int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+ int cert_depth, x509_cert_t *cert, char *subject);
#endif /* SSL_VERIFY_H_ */