Added server-side --auth-user-pass-optional directive, to allow

connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2008-10-28 20:01:05 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2008-10-28 20:01:05 +0000
commit: 24ce3b27fb2c9fd53bd521e1dd524ad64e338e68 (patch)
tree: 7c15fb7c5ba8a9f0ab1a7c1834d356e677efd458 /ssl.c
parent: Change to pkitool/openssl.cnf so that calling scripts can (diff)
download: openvpn-24ce3b27fb2c9fd53bd521e1dd524ad64e338e68.tar.xz
1 files changed, 12 insertions, 9 deletions
diff --git a/ssl.c b/ssl.c
index c45674d..ebd03a6 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1555,7 +1555,7 @@ init_ssl (const struct options *options)
 
   /* Require peer certificate verification */
 #if P2MP_SERVER
-  if (options->client_cert_not_required)
+  if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
     {
       msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate");
     }
@@ -2958,7 +2958,7 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
   bool ret = false;
 
   /* Is username defined? */
-  if (strlen (up->username))
+  if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
     {
       /* Set environmental variables prior to calling script */
       setenv_str (session->opt->es, "script_type", "user-pass-verify");
@@ -3025,7 +3025,7 @@ verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up
   int retval = OPENVPN_PLUGIN_FUNC_ERROR;
 
   /* Is username defined? */
-  if (strlen (up->username))
+  if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
     {
       /* set username/password in private env space */
       setenv_str (session->opt->es, "username", raw_username);
@@ -3077,7 +3077,7 @@ verify_user_pass_management (struct tls_session *session, const struct user_pass
   int retval = KMDA_ERROR;
 
   /* Is username defined? */
-  if (strlen (up->username))
+  if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
     {
       /* set username/password in private env space */
       setenv_str (session->opt->es, "username", raw_username);
@@ -3336,9 +3336,12 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
       if (!read_string (buf, up->username, USER_PASS_LEN)
 	  || !read_string (buf, up->password, USER_PASS_LEN))
 	{
-	  msg (D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
 	  CLEAR (*up);
-	  goto error;
+	  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
+	    {
+	      msg (D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
+	      goto error;
+	    }
 	}
 
       /* preserve raw username before string_mod remapping, for plugins */
@@ -3361,7 +3364,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 	s2 = verify_user_pass_script (session, up);
 
       /* check sizing of username if it will become our common name */
-      if (session->opt->username_as_common_name && strlen (up->username) >= TLS_CN_LEN)
+      if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_CN_LEN)
 	{
 	  msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_CN_LEN);
 	  s1 = OPENVPN_PLUGIN_FUNC_ERROR;
@@ -3384,7 +3387,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 	    ks->auth_deferred = true;
 #endif
 	    
-	  if (session->opt->username_as_common_name)
+	  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
 	    set_common_name (session, up->username);
 	  msg (D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s",
 #ifdef ENABLE_DEF_AUTH
@@ -3393,7 +3396,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 	       "succeeded",
 #endif
 	       up->username,
-	       session->opt->username_as_common_name ? "[CN SET]" : "");
+	       (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : "");
 	}
       else
 	{
author	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2008-10-28 20:01:05 +0000
committer	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2008-10-28 20:01:05 +0000
commit	24ce3b27fb2c9fd53bd521e1dd524ad64e338e68 (patch)
tree	7c15fb7c5ba8a9f0ab1a7c1834d356e677efd458 /ssl.c
parent	Change to pkitool/openssl.cnf so that calling scripts can (diff)
download	openvpn-24ce3b27fb2c9fd53bd521e1dd524ad64e338e68.tar.xz