-rw-r--r--openvpn-plugin.h3
-rw-r--r--plugin.c2
-rw-r--r--ssl.c12
3 files changed, 15 insertions, 2 deletions
diff --git a/openvpn-plugin.h b/openvpn-plugin.h
index 1f53eea..b333168 100644
--- a/openvpn-plugin.h
+++ b/openvpn-plugin.h
@@ -38,7 +38,8 @@
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7
#define OPENVPN_PLUGIN_LEARN_ADDRESS 8
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9
-#define OPENVPN_PLUGIN_N 10
+#define OPENVPN_PLUGIN_TLS_FINAL 10
+#define OPENVPN_PLUGIN_N 11
/*
* Build a mask out of a set of plug-in types.
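Review bot: The new OPENVPN_PLUGIN_TLS_FINAL constant is added to the public plugin header without any comment telling plugin authors when the hook fires or what its return value means, even though it gates an authentication decision. The ssl.c hunk in this same commit shows it is invoked only after the key state is already authenticated and that any non-zero result from plugin_call clears ks->authenticated, so that contract can be stated here. I would put a short comment above the define, e.g. `/* Called after TLS authentication succeeds; a non-zero return rejects the peer. */`. Bumping OPENVPN_PLUGIN_N alongside it is correct, but since plugins may compile against this header, it is worth a one-line note that the numeric value of OPENVPN_PLUGIN_N changed with this release if that is inferred correctly.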
diff --git a/plugin.c b/plugin.c
index 190b2c0..e841dc7 100644
--- a/plugin.c
+++ b/plugin.c
@@ -87,6 +87,8 @@ plugin_type_name (const int type)
return "PLUGIN_CLIENT_DISCONNECT";
case OPENVPN_PLUGIN_LEARN_ADDRESS:
return "PLUGIN_LEARN_ADDRESS";
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ return "PLUGIN_TLS_FINAL";
default:
return "PLUGIN_???";
}
diff --git a/ssl.c b/ssl.c
index 7be2394..5f8b5d1 100644
--- a/ssl.c
+++ b/ssl.c
@@ -3087,7 +3087,17 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
buf_clear (buf);
/*
- * generate tunnel keys if client
+ * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
+ * veto opportunity over authentication decision.
+ */
+ if (ks->authenticated && plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
+ {
+ if (plugin_call (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es))
+ ks->authenticated = false;
+ }
+
+ /*
+ * Generate tunnel keys if client
*/
if (!session->opt->server)
{
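Review bot: When the plugin vetoes at the `ks->authenticated = false;` line, nothing is logged, so an operator cannot distinguish a plugin-rejected peer from an ordinary TLS authentication failure when reading the log. I would add a message before clearing the flag, e.g. `msg (D_TLS_ERRORS, "TLS Auth Error: TLS_FINAL plugin call vetoed authentication");`. The condition `if (plugin_call (...))` treats every non-zero status as a veto, which is the right fail-closed default, but writing it as `!= OPENVPN_PLUGIN_FUNC_SUCCESS` makes that intent explicit and, if plugin_call can return a deferred status, makes it obvious that deferral is also being treated as rejection. Note that key_method_2_read starts and continues outside this hunk, so I am assuming `ks` is the key state whose authentication this function just established.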