authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-06-04 05:16:44 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-06-04 05:16:44 +0000
commit47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 (patch)
tree0f47ea714dda8312ee85fe7530ee231c59b91221 /ssl.h
parentFixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1 (diff)
Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.h')
-rw-r--r--ssl.h48
1 files changed, 45 insertions, 3 deletions
diff --git a/ssl.h b/ssl.h
index a7876cb..2f8095f 100644
--- a/ssl.h
+++ b/ssl.h
@@ -370,11 +370,15 @@ struct key_state
* If bad username/password, TLS connection will come up but 'authenticated' will be false.
*/
bool authenticated;
+ time_t auth_deferred_expire;
+#ifdef ENABLE_DEF_AUTH
/* If auth_deferred is true, authentication is being deferred */
- char *auth_control_file;
bool auth_deferred;
- time_t auth_deferred_expire;
+ time_t acf_last_mod;
+ char *auth_control_file;
+ int auth_control_status;
+#endif
};
/*
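Review bot: `auth_control_status` is added as a bare `int` and `acf_last_mod` as a bare `time_t`, with nothing saying which status values mean accept, reject or still pending, even though these fields carry the outcome of a deferred authentication. A short comment on each would help, for example `/* mtime of auth_control_file when last read */` and `/* last status read from auth_control_file */`; the exact wording should be confirmed against the code that sets them, which is not in this hunk. `auth_deferred_expire` now sits outside `ENABLE_DEF_AUTH` and above the existing `auth_deferred` comment, so it needs its own line such as `/* deferred-auth deadline, compared against now */`. struct key_state starts outside the hunk.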
@@ -498,6 +502,11 @@ struct tls_session
int verify_maxlevel;
char *common_name;
+
+#ifdef ENABLE_PF
+ uint32_t common_name_hashval;
+#endif
+
bool verified; /* true if peer certificate was verified against CA */
/* not-yet-authenticated incoming client */
@@ -569,8 +578,10 @@ struct tls_multi
*/
char *locked_cn;
+#ifdef ENABLE_DEF_AUTH
/* Time of last call to tls_authentication_status */
time_t tas_last;
+#endif
/*
* Our session objects.
@@ -657,7 +668,7 @@ bool tls_send_payload (struct tls_multi *multi,
bool tls_rec_payload (struct tls_multi *multi,
struct buffer *buf);
-const char *tls_common_name (struct tls_multi* multi, bool null);
+const char *tls_common_name (const struct tls_multi* multi, const bool null);
void tls_set_common_name (struct tls_multi *multi, const char *common_name);
void tls_lock_common_name (struct tls_multi *multi);
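Review bot: The top-level `const` in `const bool null` has no effect on callers in a prototype and is usually left to the definition; `const char *tls_common_name (const struct tls_multi *multi, bool null);` declares the same interface. The parameter name `null` also does not say what it selects, so a one-line comment above the prototype stating what is returned when no common name is set would make the call sites easier to read.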
@@ -672,6 +683,17 @@ void tls_deauthenticate (struct tls_multi *multi);
* inline functions
*/
+static inline bool
+tls_test_auth_deferred_interval (const struct tls_multi *multi)
+{
+ if (multi)
+ {
+ const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ return now < ks->auth_deferred_expire;
+ }
+ return false;
+}
+
static inline int
tls_test_payload_len (const struct tls_multi *multi)
{
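Review bot: `tls_test_auth_deferred_interval` decides solely on `now < ks->auth_deferred_expire`, without looking at `auth_deferred` or the key state, so it reports an open deferral window for any primary key_state whose `auth_deferred_expire` still holds a future time. Whether that field is cleared when authentication completes or when the key_state is reinitialised is not visible in this hunk; if it is not, a finished or rejected authentication would still be treated as pending until the deadline passes. Either state the invariant above the function, e.g. `/* true while the primary key's deferred-auth deadline has not passed; relies on auth_deferred_expire being reset to 0 when the key_state is (re)initialised */`, or clear the field where the auth result is recorded. The trailing context lines belong to `tls_test_payload_len`, whose body continues outside the hunk.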
@@ -691,6 +713,26 @@ tls_set_single_session (struct tls_multi *multi)
multi->opt.single_session = true;
}
+#ifdef ENABLE_PF
+
+static inline bool
+tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
+{
+ if (multi)
+ {
+ const struct tls_session *s = &multi->session[TM_ACTIVE];
+ if (s->common_name && s->common_name[0] != '\0')
+ {
+ *cn = s->common_name;
+ *cn_hash = s->common_name_hashval;
+ return true;
+ }
+ }
+ return false;
+}
+
+#endif
+
/*
* protocol_dump() flags
*/
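Review bot: `tls_common_name_hash` hands back `s->common_name` for the TM_ACTIVE session without checking `verified` or the primary key's `authenticated` flag, so a packet-filter caller may receive a name for a peer whose (possibly deferred) authentication has not finished; whether callers guard this elsewhere is not visible here. The function also leaves `*cn` and `*cn_hash` unwritten when it returns false and returns a pointer into session-owned storage, and the 32-bit `common_name_hashval` can collide, so it is suitable as a lookup hint rather than as the identity itself. A header comment would cover this, e.g. `/* On true, *cn points into the session (do not free or keep past the session) and *cn_hash is a lookup hint only; outputs are unset on false. */`. The cached hash added to struct tls_session in the earlier hunk has to be recomputed wherever `common_name` changes.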