5
5
* packet encryption, packet authentication, and
6
6
* packet compression.
8
* Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
10
* Additions for eurephia plugin done by:
11
11
* David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2008-2009
1242
1242
#ifdef MANAGEMENT_DEF_AUTH
1244
* For deferred auth, this is where the management interface calls (on server)
1245
* to indicate auth failure/success.
1244
1248
tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
1648
1652
#ifdef ENABLE_MANAGEMENT
1649
1653
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1650
management_auth_failure (management, UP_TYPE_PRIVATE_KEY);
1654
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
1652
1656
msg (M_WARN|M_SSL, "Cannot load private key file %s", options->priv_key_file);
3081
flush_payload_buffer (struct tls_multi *multi, struct key_state *ks)
3084
while ((b = buffer_list_peek (ks->paybuf)))
3086
key_state_write_plaintext_const (multi, ks, b->data, b->len);
3087
buffer_list_pop (ks->paybuf);
3074
3092
* Macros for key_state_soft_reset & tls_process
3135
write_empty_string (struct buffer *buf)
3137
if (!buf_write_u16 (buf, 0))
3117
3143
read_string (struct buffer *buf, char *str, const unsigned int capacity)
3119
3145
const int len = buf_read_u16 (buf);
3155
read_string_alloc (struct buffer *buf)
3157
const int len = buf_read_u16 (buf);
3162
str = (char *) malloc(len);
3163
check_malloc_return(str);
3164
if (!buf_read (buf, str, len))
3174
read_string_discard (struct buffer *buf)
3176
char *data = read_string_alloc(buf);
3129
3182
* Authenticate a client using username/password.
3130
3183
* Runs on server.
3392
push_peer_info(struct buffer *buf, struct tls_session *session)
3394
struct gc_arena gc = gc_new ();
3397
#ifdef ENABLE_PUSH_PEER_INFO
3398
if (session->opt->push_peer_info) /* write peer info */
3400
struct env_set *es = session->opt->es;
3402
struct buffer out = alloc_buf_gc (512*3, &gc);
3405
buf_printf (&out, "IV_VER=%s\n", PACKAGE_VERSION);
3408
#if defined(TARGET_LINUX)
3409
buf_printf (&out, "IV_PLAT=linux\n");
3410
#elif defined(TARGET_SOLARIS)
3411
buf_printf (&out, "IV_PLAT=solaris\n");
3412
#elif defined(TARGET_OPENBSD)
3413
buf_printf (&out, "IV_PLAT=openbsd\n");
3414
#elif defined(TARGET_DARWIN)
3415
buf_printf (&out, "IV_PLAT=mac\n");
3416
#elif defined(TARGET_NETBSD)
3417
buf_printf (&out, "IV_PLAT=netbsd\n");
3418
#elif defined(TARGET_FREEBSD)
3419
buf_printf (&out, "IV_PLAT=freebsd\n");
3420
#elif defined(WIN32)
3421
buf_printf (&out, "IV_PLAT=win\n");
3426
bool get_default_gateway_mac_addr (unsigned char *macaddr);
3428
get_default_gateway_mac_addr (macaddr);
3429
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (macaddr, 6, 0, 1, ":", &gc));
3432
/* push env vars that begin with UV_ */
3433
for (e=es->list; e != NULL; e=e->next)
3437
if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
3438
buf_printf (&out, "%s\n", e->string);
3442
if (!write_string(buf, BSTR(&out), -1))
3448
if (!write_empty_string (buf)) /* no peer info */
3339
3459
key_method_2_write (struct buffer *buf, struct tls_session *session)
3341
3461
ASSERT (session->opt->key_method == 2);
3370
3490
purge_user_pass (&auth_user_pass, false);
3494
if (!write_empty_string (buf)) /* no username */
3496
if (!write_empty_string (buf)) /* no password */
3500
if (!push_peer_info (buf, session))
3374
3504
* generate tunnel keys if server
3515
3645
int s1 = OPENVPN_PLUGIN_FUNC_SUCCESS;
3516
3646
bool s2 = true;
3517
3647
char *raw_username;
3648
bool username_status, password_status;
3519
3650
/* get username/password from plaintext buffer */
3520
3651
ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc);
3521
if (!read_string (buf, up->username, USER_PASS_LEN)
3522
|| !read_string (buf, up->password, USER_PASS_LEN))
3652
username_status = read_string (buf, up->username, USER_PASS_LEN);
3653
password_status = read_string (buf, up->password, USER_PASS_LEN);
3654
if (!username_status || !password_status)
3525
3657
if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
3541
3673
/* call plugin(s) and/or script */
3542
3674
#ifdef MANAGEMENT_DEF_AUTH
3675
/* get peer info from control channel */
3676
free (multi->peer_info);
3677
multi->peer_info = read_string_alloc (buf);
3543
3679
if (man_def_auth == KMDA_DEF)
3544
3680
man_def_auth = verify_user_pass_management (session, up, raw_username);
3864
4003
/* Set outgoing address for data channel packets */
3865
4004
link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
4006
/* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
4007
flush_payload_buffer (multi, ks);
3867
4009
#ifdef MEASURE_TLS_HANDSHAKE_STATS
3868
4010
show_tls_performance_stats();
4963
5105
if (key_state_write_plaintext_const (multi, ks, data, size) == 1)
5111
ks->paybuf = buffer_list_new (0);
5112
buffer_list_push_data (ks->paybuf, data, (size_t)size);
4967
5116
ERR_clear_error ();
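Review bot: The result of `get_default_gateway_mac_addr (macaddr)` is discarded even though the function-scope prototype on the line just above declares it `bool`, so when the lookup fails the six bytes that `format_hex_ex` renders into `IV_HWADDR` come from whatever `macaddr` holds at that point (its declaration sits on a hidden line, so whether it is zeroed cannot be confirmed from the hunk) and are sent to the peer as part of the peer-info string. Guard the push on success, e.g. `if (get_default_gateway_mac_addr (macaddr))` around the `buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (macaddr, 6, 0, 1, ":", &gc));` line, so a failed lookup omits the field rather than emitting uninitialised stack contents. The prototype declared inside the function body also belongs in the header of the unit that defines it, where `-Wmissing-prototypes`/`-Wunused-result` style checks can see it. push_peer_info is cut on both sides by the hunk; the read_string_alloc and key_method_2_read hunks on this page are likewise partial, so their length checks between `buf_read_u16` and `malloc(len)` could not be reviewed here.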