Refactored tls-verify-plugin code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2026-05-28 04:03:29 -04:00 · 2011-06-30 14:15:40 +02:00 · 2011-06-30 14:15:40 +02:00 · 75c67073ed
commit 75c67073ed
parent a4c926bb59
6 changed files with 51 additions and 29 deletions
--- a/openvpn-plugin.h
+++ b/openvpn-plugin.h
@ -22,7 +22,12 @@
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

-#include <openssl/x509v3.h>
+#ifndef OPENVPN_PLUGIN_H_
+#define OPENVPN_PLUGIN_H_
+
+#ifdef USE_OPENSSL
+#include "ssl_verify_openssl.h"
+#endif

 #define OPENVPN_PLUGIN_VERSION 3

@ -272,7 +277,7 @@ struct openvpn_plugin_args_func_in
  openvpn_plugin_handle_t handle;
  void *per_client_context;
  int current_cert_depth;
-  X509 *current_cert;
+  x509_cert_t *current_cert;
 };


@ -700,3 +705,5 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op

 OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1)
     (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]);
+
+#endif /* OPENVPN_PLUGIN_H_ */
--- a/plugin.c
+++ b/plugin.c
@ -347,7 +347,7 @@ plugin_call_item (const struct plugin *p,
 		  struct openvpn_plugin_string_list **retlist,
 		  const char **envp,
 		  int certdepth,
-		  X509 *current_cert)
+		  x509_cert_t *current_cert)
 {
  int status = OPENVPN_PLUGIN_FUNC_SUCCESS;

@ -576,7 +576,7 @@ plugin_call (const struct plugin_list *pl,
 	     struct plugin_return *pr,
 	     struct env_set *es,
             int certdepth,
-	     X509 *current_cert)
+	     x509_cert_t *current_cert)
 {
  if (pr)
    plugin_return_init (pr);
--- a/plugin.h
+++ b/plugin.h
@ -122,7 +122,7 @@ int plugin_call (const struct plugin_list *pl,
 		 struct plugin_return *pr,
 		 struct env_set *es,
 		 int current_cert_depth,
-		 X509 *current_cert);
+		 x509_cert_t *current_cert);

 void plugin_list_close (struct plugin_list *pl);
 bool plugin_defined (const struct plugin_list *pl, const int type);
@ -176,7 +176,7 @@ plugin_call (const struct plugin_list *pl,
 	     struct plugin_return *pr,
 	     struct env_set *es,
 	     int current_cert_depth,
-	     X509 *current_cert)
+	     x509_cert_t *current_cert)
 {
  return 0;
 }
--- a/ssl.c
+++ b/ssl.c
@ -431,29 +431,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
  if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
    goto err;

-  /* call --tls-verify plug-in(s) */
-  if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
-    {
-      int ret;
-
-      argv_printf (&argv, "%d %s",
-		   cert_depth,
-		   subject);
-
-      ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, opt->es, cert_depth, cert);
-
-      if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
-	{
-	  msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
-	       cert_depth, subject);
-	}
-      else
-	{
-	  msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
-	       cert_depth, subject);
-	  goto err;		/* Reject connection */
-	}
-    }
+  /* call --tls-verify plug-in(s), if registered */
+  if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+    goto err;

  /* run --tls-verify script */
  if (opt->verify_command)
--- a/ssl_verify.c
+++ b/ssl_verify.c
@ -450,6 +450,39 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
  }
 }

+/*
+ * call --tls-verify plug-in(s)
+ */
+int
+verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+    int cert_depth, x509_cert_t *cert, char *subject)
+{
+  if (plugin_defined (plugins, OPENVPN_PLUGIN_TLS_VERIFY))
+    {
+      int ret;
+      struct argv argv = argv_new ();
+
+      argv_printf (&argv, "%d %s", cert_depth, subject);
+
+      ret = plugin_call (plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
+
+      argv_reset (&argv);
+
+      if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
+	{
+	  msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
+	      cert_depth, subject);
+	}
+      else
+	{
+	  msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
+	      cert_depth, subject);
+	  return 1;		/* Reject connection */
+	}
+    }
+  return 0;
+}
+

 /* ***************************************************************************
 * Functions for the management of deferred authentication when using
--- a/ssl_verify.h
+++ b/ssl_verify.h
@ -249,6 +249,8 @@ void
 verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
    const char *subject, const char *common_name,
    const struct x509_track *x509_track);
+int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
+    int cert_depth, x509_cert_t *cert, char *subject);

 #endif /* SSL_VERIFY_H_ */