From: Adriaan de Jong
Date: Tue, 28 Jun 2011 13:41:32 +0000 (+0200)
Subject: Refactored client_config_dir_exclusive function
X-Git-Tag: v2.3-alpha1~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88aaf1aefd91b3704b3b00eeddff3befdefbc2b8;p=thirdparty%2Fopenvpn.git
Refactored client_config_dir_exclusive function
Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
diff --git a/ssl.c b/ssl.c
index 54d9f3055..fe1c277cb 100644
--- a/ssl.c
+++ b/ssl.c
@@ -3434,18 +3434,10 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 }
 }
- /* verify --client-config-dir based authentication */
- if (ks->authenticated && session->opt->client_config_dir_exclusive)
+ /* Perform final authentication checks */
+ if (ks->authenticated)
 {
- const char *cn = session->common_name;
- const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc);
- if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path))
- {
- ks->authenticated = false;
- msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
- session->common_name,
- path ? path : "UNDEF");
- }
+ verify_final_auth_checks(multi, session);
 }
 #ifdef ENABLE_OCC
diff --git a/ssl_verify.c b/ssl_verify.c
index df22b5920..4d1935914 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
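Review bot: The new call site hands verify_final_auth_checks only `multi` and `session`, yet the helper (added to ssl_verify.c in this same commit) reports its verdict solely by clearing `session->key[KS_PRIMARY].authenticated`; the surrounding `if (ks->authenticated)` guard therefore stays consistent only if the `ks` of key_method_2_read is `&session->key[KS_PRIMARY]`, and that declaration is outside this hunk so it cannot be confirmed here. Because this is the gate that decides whether a TLS client is accepted, I would make the coupling explicit at the call rather than leave it implicit: `/* May clear ks->authenticated; assumes ks == &session->key[KS_PRIMARY]. */`, or better, pass `ks` to the helper so it cannot act on a different key slot than the one being checked. The guard also means the helper is skipped for a session that is already unauthenticated, which preserves the removed condition. key_method_2_read starts and ends outside the hunk.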
@@ -36,3 +36,26 @@
 #ifdef USE_OPENSSL
 #include "ssl_verify_openssl.h"
 #endif
+
+void
+verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
+{
+ /* verify --client-config-dir based authentication */
+ if (session->opt->client_config_dir_exclusive)
+ {
+ struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+ struct gc_arena gc = gc_new ();
+
+ const char *cn = session->common_name;
+ const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc);
+ if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path))
+ {
+ ks->authenticated = false;
+ msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
+ session->common_name,
+ path ? path : "UNDEF");
+ }
+
+ gc_free (&gc);
+ }
+}
diff --git a/ssl_verify.h b/ssl_verify.h
index 19e0bdc77..1944a0f16 100644
--- a/ssl_verify.h
+++ b/ssl_verify.h
@@ -40,5 +40,16 @@
 #include "ssl_verify_openssl.h"
 #endif
+/**
+ * Perform final authentication checks, including locking of the cn, the allowed
+ * certificate hashes, and whether a client config entry exists in the
+ * client config directory.
+ *
+ * @param multi The TLS multi structure to verify locked structures.
+ * @param session The current TLS session
+ *
+ */
+void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
+
 #endif /* SSL_VERIFY_H_ */
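Review bot: In verify_final_auth_checks the `multi` parameter is accepted but never read, and `cn` is handed to gen_path one line before the `!cn` test examines it, so the function silently depends on gen_path tolerating a NULL filename — whether it does is not visible in this hunk. I would at least record that dependency, `/* gen_path must accept a NULL cn; the !cn test below rejects it */`, or validate the CN before building a path. The check itself is fail-closed — a missing CN, the reserved `CCD_DEFAULT` name, or an absent per-client file all clear `ks->authenticated` — which is the right direction for an authentication gate and deserves a sentence in the block comment so nobody later "fixes" one branch to fall through. The `CCD_DEFAULT` comparison is presumably there so that a certificate whose CN equals the shared fallback file name cannot satisfy the exclusive check via that file; that intent is worth a why-comment on the line, e.g. `/* a CN equal to the DEFAULT fallback name must not pass via ccd/DEFAULT */`.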
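Review bot: The Doxygen comment promises three checks — CN locking, the allowed certificate hashes, and the client-config-dir entry — but the definition this commit adds to ssl_verify.c implements only the client-config-dir check and never touches `multi`, so the header documents behaviour the function does not have. A reader trusting the header could conclude the hash and CN-lock checks are covered here and drop them from the caller, which is a dangerous mistake for an auth path. I would document what is implemented now, `Perform final authentication checks: currently only whether a per-client entry exists in --client-config-dir when client_config_dir_exclusive is set.`, and change the `@param multi` text to say it is currently unused and reserved for locked-structure checks; if the other checks are meant to move here in later commits, say so in one sentence rather than describing them as present.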