OpenVPN
keyingmaterialexporter.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * This file implements a Sample (HTTP) SSO OpenVPN plugin module
26  *
27  * See the README file for build instructions.
28  */
29 
30 #include <stdio.h>
31 #include <string.h>
32 #include <stdlib.h>
33 
34 #include "openvpn-plugin.h"
35 
36 #ifndef MAXPATH
37 #define MAXPATH 1024
38 #endif
39 
40 #define ovpn_err(fmt, ...) \
41  plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__)
42 #define ovpn_dbg(fmt, ...) \
43  plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__)
44 #define ovpn_note(fmt, ...) \
45  plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__)
46 
47 enum endpoint { CLIENT = 1, SERVER = 2 };
48 
49 struct plugin {
51  enum endpoint type;
52  int mask;
53 };
54 
55 struct session {
56  char user[48];
57  char key [48];
58 };
59 
60 /*
61  * Given an environmental variable name, search
62  * the envp array for its value, returning it
63  * if found or NULL otherwise.
64  */
65 
66 static const char *
67 get_env(const char *name, const char *envp[])
68 {
69  if (envp)
70  {
71  int i;
72  const int namelen = strlen(name);
73  for (i = 0; envp[i]; ++i)
74  {
75  if (!strncmp(envp[i], name, namelen))
76  {
77  const char *cp = envp[i] + namelen;
78  if (*cp == '=')
79  {
80  return cp + 1;
81  }
82  }
83  }
84  }
85  return NULL;
86 }
87 
89 openvpn_plugin_open_v3(const int version,
90  struct openvpn_plugin_args_open_in const *args,
92 {
93  struct plugin *plugin = calloc(1, sizeof(*plugin));
94 
95  plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER;
96  plugin->log = args->callbacks->plugin_log;
97 
100 
101  ovpn_note("vpn endpoint type=%s",plugin->type == CLIENT ? "client" : "server");
102 
103  rv->type_mask = plugin->mask;
104  rv->handle = (void *)plugin;
105 
107 }
108 
109 static void
110 session_user_set(struct session *sess, X509 *x509)
111 {
112  int fn_nid;
113  ASN1_OBJECT *fn;
114  ASN1_STRING *val;
115  X509_NAME *x509_name;
116  X509_NAME_ENTRY *ent;
117  const char *objbuf;
118 
119  x509_name = X509_get_subject_name(x509);
120  int i, n = X509_NAME_entry_count(x509_name);
121  for (i = 0; i < n; ++i)
122  {
123  if (!(ent = X509_NAME_get_entry(x509_name, i)))
124  {
125  continue;
126  }
127  if (!(fn = X509_NAME_ENTRY_get_object(ent)))
128  {
129  continue;
130  }
131  if (!(val = X509_NAME_ENTRY_get_data(ent)))
132  {
133  continue;
134  }
135  if ((fn_nid = OBJ_obj2nid(fn)) == NID_undef)
136  {
137  continue;
138  }
139  if (!(objbuf = OBJ_nid2sn(fn_nid)))
140  {
141  continue;
142  }
143  unsigned char *buf = NULL;
144  if (ASN1_STRING_to_UTF8(&buf, val) < 0)
145  {
146  continue;
147  }
148 
149  if (!strncasecmp(objbuf, "CN", 2))
150  {
151  snprintf(sess->user, sizeof(sess->user) - 1, (char *)buf);
152  }
153 
154  OPENSSL_free(buf);
155  }
156 }
157 
158 static int
160 {
161  struct plugin *plugin = (struct plugin *)args->handle;
162  struct session *sess = (struct session *)args->per_client_context;
163 
164  /* we store cert subject for the server end point only */
165  if (plugin->type != SERVER)
166  {
168  }
169 
170  if (!args->current_cert)
171  {
172  ovpn_err("this example plugin requires client certificate");
174  }
175 
176  session_user_set(sess, args->current_cert);
177 
179 }
180 
181 static void
182 file_store(char *file, char *content)
183 {
184  FILE *f;
185  if (!(f = fopen(file, "w+")))
186  {
187  return;
188  }
189 
190  fprintf(f, "%s", content);
191  fclose(f);
192 }
193 
194 static void
196 {
197  struct plugin *plugin = (struct plugin *)args->handle;
198  struct session *sess = (struct session *)args->per_client_context;
199 
200  char file[MAXPATH];
201  snprintf(file, sizeof(file) - 1, "/tmp/openvpn_sso_%s", sess->key);
202  ovpn_note("app session file: %s", file);
203  file_store(file, sess->user);
204 }
205 
206 static void
208 {
209  struct plugin *plugin = (struct plugin *)args->handle;
210  struct session *sess = (struct session *)args->per_client_context;
211 
212  char *file = "/tmp/openvpn_sso_user";
213  ovpn_note("app session file: %s", file);
214  file_store(file, sess->key);
215 }
216 
217 static int
220 {
221  struct plugin *plugin = (struct plugin *)args->handle;
222  struct session *sess = (struct session *)args->per_client_context;
223 
224  const char *key;
225  if (!(key = get_env("exported_keying_material", args->envp)))
226  {
228  }
229 
230  snprintf(sess->key, sizeof(sess->key) - 1, "%s", key);
231  ovpn_note("app session key: %s", sess->key);
232 
233  switch (plugin->type)
234  {
235  case SERVER:
236  server_store(args);
237  break;
238 
239  case CLIENT:
240  client_store(args);
242  }
243 
244  ovpn_note("app session user: %s", sess->user);
246 }
247 
248 OPENVPN_EXPORT int
249 openvpn_plugin_func_v3(const int version,
250  struct openvpn_plugin_args_func_in const *args,
252 {
253  switch (args->type)
254  {
256  return tls_verify(args);
257 
259  return tls_final(args, rv);
260  }
262 }
263 
264 OPENVPN_EXPORT void *
266 {
267  struct plugin *plugin = (struct plugin *)handle;
268  struct session *sess = calloc(1, sizeof(*sess));
269 
270  ovpn_note("app session created");
271 
272  return (void *)sess;
273 }
274 
275 OPENVPN_EXPORT void
277 {
278  struct plugin *plugin = (struct plugin *)handle;
279  struct session *sess = (struct session *)ctx;
280 
281  ovpn_note("app session key: %s", sess->key);
282  ovpn_note("app session destroyed");
283 
284  free(sess);
285 }
286 
287 OPENVPN_EXPORT void
289 {
290  struct plugin *plugin = (struct plugin *)handle;
291  free(plugin);
292 }
Arguments used to transport variables to the plug-in.
#define ovpn_note(fmt,...)
OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx)
openvpn_x509_cert_t * current_cert
OPENVPN_EXPORT int openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *rv)
openvpn_plugin_handle_t * handle
static int tls_final(struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv)
static void session_user_set(struct session *sess, X509 *x509)
#define OPENVPN_EXPORT
#define OPENVPN_PLUGIN_FUNC_SUCCESS
#define snprintf
Definition: config-msvc.h:97
static void server_store(struct openvpn_plugin_args_func_in const *args)
#define ovpn_err(fmt,...)
static const char * get_env(const char *name, const char *envp[])
OPENVPN_EXPORT int openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *args, struct openvpn_plugin_args_func_return *rv)
#define OPENVPN_PLUGIN_TLS_VERIFY
#define OPENVPN_PLUGIN_FUNC_ERROR
string f
Definition: http-client.py:6
Arguments used to transport variables to and from the plug-in.
OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
#define OPENVPN_PLUGIN_TLS_FINAL
openvpn_plugin_handle_t handle
OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
static void client_store(struct openvpn_plugin_args_func_in const *args)
void(* plugin_log_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format,...) _ovpn_chk_fmt(3
static void file_store(char *file, char *content)
void * openvpn_plugin_handle_t
plugin_log_t log
Arguments used to transport variables to and from the plug-in.
#define strncasecmp
Definition: config-msvc.h:93
struct openvpn_plugin_callbacks * callbacks
#define free
Definition: cmocka.c:1850
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
enum endpoint type
Arguments used to transport variables from the plug-in back to the OpenVPN process.
#define OPENVPN_PLUGIN_MASK(x)
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
#define MAXPATH