author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-06-04 05:16:44 +0000 |
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-06-04 05:16:44 +0000 |
commit | 47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 (patch) | |
tree | 0f47ea714dda8312ee85fe7530ee231c59b91221 /ssl.h | |
parent | Fixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1 (diff) | |
download | openvpn-47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196.tar.xz |
Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return
OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in
openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH.
Added a simple packet filter functionality that can be driven by
a plugin. See comments in openvpn-plugin.h for documentation.
Enabled by ENABLE_PF.
See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH
and ENABLE_PF.
"TLS Error: local/remote TLS keys are out of sync" is no longer a
fatal error for TCP-based sessions, since the error can arise
normally in the course of deferred authentication. In a related
change, allow packet-id sequence to begin at some number n > 0 for
TCP sessions, rather than strictly requiring sequence to begin
at 1.
Added a test to configure.ac for LoadLibrary function on Windows.
Modified "make dist" function to include all files from
install-win32 so that ./domake-win can be run from a
tarball-expanded directory.
setenv and setenv-safe directives may now omit a value argument
which defaults to "".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.h')
-rw-r--r-- | ssl.h | 48 |
1 files changed, 45 insertions, 3 deletions
@@ -370,11 +370,15 @@ struct key_state * If bad username/password, TLS connection will come up but 'authenticated' will be false. */ bool authenticated; + time_t auth_deferred_expire; +#ifdef ENABLE_DEF_AUTH /* If auth_deferred is true, authentication is being deferred */ - char *auth_control_file; bool auth_deferred; - time_t auth_deferred_expire; + time_t acf_last_mod; + char *auth_control_file; + int auth_control_status; +#endif }; /* @@ -498,6 +502,11 @@ struct tls_session int verify_maxlevel; char *common_name; + +#ifdef ENABLE_PF + uint32_t common_name_hashval; +#endif + bool verified; /* true if peer certificate was verified against CA */ /* not-yet-authenticated incoming client */ @@ -569,8 +578,10 @@ struct tls_multi */ char *locked_cn; +#ifdef ENABLE_DEF_AUTH /* Time of last call to tls_authentication_status */ time_t tas_last; +#endif /* * Our session objects. @@ -657,7 +668,7 @@ bool tls_send_payload (struct tls_multi *multi, bool tls_rec_payload (struct tls_multi *multi, struct buffer *buf); -const char *tls_common_name (struct tls_multi* multi, bool null); +const char *tls_common_name (const struct tls_multi* multi, const bool null); void tls_set_common_name (struct tls_multi *multi, const char *common_name); void tls_lock_common_name (struct tls_multi *multi); @@ -672,6 +683,17 @@ void tls_deauthenticate (struct tls_multi *multi); * inline functions */ +static inline bool +tls_test_auth_deferred_interval (const struct tls_multi *multi) +{ + if (multi) + { + const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; + return now < ks->auth_deferred_expire; + } + return false; +} + static inline int tls_test_payload_len (const struct tls_multi *multi) { 
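Review bot: The three fields added to struct key_state carry no comments, and auth_deferred_expire is moved out of the ENABLE_DEF_AUTH block with nothing saying why. The reason is visible later in this diff — tls_test_auth_deferred_interval() reads it with no #ifdef around it — but acf_last_mod and auth_control_status are only named. I would write `time_t auth_deferred_expire; /* end of the deferred-auth window; read by tls_test_auth_deferred_interval() even when ENABLE_DEF_AUTH is off */` and, for the other two, hedged comments such as `/* presumably last observed mtime of auth_control_file -- confirm against ssl.c */` and `/* presumably the last status read from auth_control_file -- confirm */`. Nothing in this hunk shows where auth_deferred_expire is zeroed for keys that never defer; the interval helper treats any future value as an open window, so that should be confirmed in the key_state initialisation code.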
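Review bot: The new prototype of tls_common_name declares `const bool null`; const on a by-value parameter is a detail of the definition and is conventionally left out of a header, and the `tls_multi*` spacing differs from the `struct tls_multi *multi` form used by every neighbouring prototype in the @@ -657 hunk. I would declare it as `const char *tls_common_name (const struct tls_multi *multi, bool null);` and keep the parameter const only in ssl.c if wanted. Making multi const is the useful part of the change and should stay.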
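Review bot: tls_test_auth_deferred_interval has no comment saying what a true result means, although per the commit message it is the check that decides whether a TLS key-sync error is fatal on a TCP session. It compares the global `now` only against the active session's primary key, so a deferral recorded on any other key slot is not seen, and nothing in the hunk shows the field being cleared once authentication completes — if it is not, the window stays open until the stored expiry passes. I would add above the function: `/* True while a deferred-auth decision for the active session's primary key is still pending (now < auth_deferred_expire); false when multi is NULL or no deferral was recorded. Relies on auth_deferred_expire being 0 for keys that never deferred. */`.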
@@ -691,6 +713,26 @@ tls_set_single_session (struct tls_multi *multi) multi->opt.single_session = true; } +#ifdef ENABLE_PF + +static inline bool +tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash) +{ + if (multi) + { + const struct tls_session *s = &multi->session[TM_ACTIVE]; + if (s->common_name && s->common_name[0] != '\0') + { + *cn = s->common_name; + *cn_hash = s->common_name_hashval; + return true; + } + } + return false; +} + +#endif + /* * protocol_dump() flags */ |
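Review bot: tls_common_name_hash returns false without touching *cn or *cn_hash when multi is NULL or the active session's common_name is NULL or empty, which callers must respect, and nothing ties the returned name to the session's `verified` flag (visible in the tls_session context of the @@ -498 hunk) or to key_state.authenticated. If the packet filter keys its rules on this CN, the caller should consult it only for an authenticated session, and that contract belongs in a comment here. I would add: `/* ENABLE_PF: yield the active session's common name and its precomputed hash. Returns false, leaving *cn and *cn_hash untouched, if there is no multi or the name is unset/empty. Does not check verified/authenticated -- the caller must. */`. common_name_hashval itself (added in the @@ -498 hunk) also lacks a note on where it is computed; presumably tls_set_common_name, but that is outside this diff.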