1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * This file implements a Sample (HTTP) SSO OpenVPN plugin module
26  *
27  * See the README file for build instructions.
28  */
29 
30 #include <stdio.h>
31 #include <string.h>
32 #include <stdlib.h>
33 
34 #include "openvpn-plugin.h"
35 
#ifndef MAXPATH
/* Size of the on-stack path buffer built in server_store(). */
#define MAXPATH 1024
#endif

/*
 * Logging shortcuts.  Each expands to a call through a `plugin` variable that
 * has to be in scope at the point of use (every function below that logs
 * first unpacks `struct plugin *plugin` from the OpenVPN handle).  `fmt` ends
 * up as the printf-style format of the plugin_log callback, so only pass
 * string literals for it and route any peer-supplied text through "%s".
 */
#define ovpn_err(fmt, ...) \
    plugin->log(PLOG_ERR, "SSO", fmt, ## __VA_ARGS__)
#define ovpn_dbg(fmt, ...) \
    plugin->log(PLOG_DEBUG, "SSO", fmt, ## __VA_ARGS__)
#define ovpn_note(fmt, ...) \
    plugin->log(PLOG_NOTE, "SSO", fmt, ## __VA_ARGS__)
46 
/* Which end of the tunnel this plugin instance runs in; decided once in
 * openvpn_plugin_open_v3() from the presence of the remote_1 env var. */
enum endpoint { CLIENT = 1, SERVER = 2 };

/* Per-plugin-instance context, returned to OpenVPN as the opaque handle. */
struct plugin {
    /* NOTE(review): the listing omits line 50 here; the log callback member
     * assigned as `plugin->log` in openvpn_plugin_open_v3() belongs in this
     * struct. */
    enum endpoint type;   /* CLIENT or SERVER */
    int mask;             /* handed back as rv->type_mask: the hooks this plugin wants */
};

/* Per-client state, allocated in openvpn_plugin_client_constructor_v1() and
 * passed to the hooks as args->per_client_context. */
struct session {
    char user[48];   /* certificate subject CN, filled by session_user_set(); truncated to fit */
    char key [48];   /* exported_keying_material from tls_final(), truncated to fit.  This is
                      * secret material: it is logged and written under /tmp by this demo. */
};
59 
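/*
 * Look up the value of environment variable `name` in the NULL-terminated
 * `envp` array of "NAME=value" strings that OpenVPN hands to the plugin.
 *
 * Returns a pointer into the matching envp entry (just past the '='), or NULL
 * when `name` is NULL, `envp` is NULL, or no entry matches.  The returned
 * pointer is not owned by the caller and stays valid only as long as envp is.
 */
static const char *
get_env(const char *name, const char *envp[])
{
    if (name == NULL || envp == NULL)
    {
        return NULL;
    }

    /* size_t rather than int: strlen() returns size_t and strncmp() takes one,
     * so this avoids a narrowing conversion on very long names. */
    const size_t namelen = strlen(name);

    for (size_t i = 0; envp[i] != NULL; ++i)
    {
        /* Prefix match first, then insist on '=' right after the name so that
         * "foo" does not match "foobar=1". */
        if (strncmp(envp[i], name, namelen) == 0 && envp[i][namelen] == '=')
        {
            return envp[i] + namelen + 1;
        }
    }
    return NULL;
}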
87 
/*
 * Plugin initialisation entry point: allocate the per-plugin context, work
 * out which end of the tunnel we are on, and hand the context plus the hook
 * mask back to OpenVPN through `rv`.
 *
 * NOTE(review): this listing omits several lines of the function: the
 * return-type line (88), the `rv` parameter line (91), the return after the
 * allocation failure (98), the lines that set plugin->mask (104-105) and the
 * final return (112).  Check the source before relying on this block.
 */
openvpn_plugin_open_v3(const int version,
                       struct openvpn_plugin_args_open_in const *args,
{
    struct plugin *plugin = calloc(1, sizeof(*plugin));

    if (plugin == NULL)
    {
        /* plugin->log is not set up yet, so this goes straight to stdout. */
        printf("PLUGIN: allocating memory for context failed\n");
        /* line 98 (not shown): presumably an error return, confirm */
    }

    /* Endpoint detection by the presence of remote_1 in the environment;
     * assumed to be exported only on the client side, confirm against the
     * OpenVPN environment documentation. */
    plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER;
    plugin->log = args->callbacks->plugin_log;

    /* lines 104-105 (not shown): plugin->mask is presumably set here; it is
     * read below. */

    ovpn_note("vpn endpoint type=%s",plugin->type == CLIENT ? "client" : "server");

    rv->type_mask = plugin->mask;
    rv->handle = (void *)plugin;

    /* line 112 (not shown): return value */
}
114 
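/*
 * Copy the certificate subject's CN into sess->user.
 *
 * Walks every entry of the subject name of `x509`; for the entry whose short
 * name starts with "CN" the UTF-8 value is copied (truncated to fit) into
 * sess->user.  Entries that cannot be decoded are skipped, and sess->user is
 * left untouched when no CN is present.
 *
 * The CN is peer-supplied data from a client certificate, so it must only
 * ever be handled as a plain string, never as a format string.
 */
static void
session_user_set(struct session *sess, X509 *x509)
{
    X509_NAME *x509_name = X509_get_subject_name(x509);
    int n = X509_NAME_entry_count(x509_name);

    for (int i = 0; i < n; ++i)
    {
        X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
        if (!ent)
        {
            continue;
        }

        ASN1_OBJECT *fn = X509_NAME_ENTRY_get_object(ent);
        ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
        if (!fn || !val)
        {
            continue;
        }

        int fn_nid = OBJ_obj2nid(fn);
        if (fn_nid == NID_undef)
        {
            continue;
        }

        const char *objbuf = OBJ_nid2sn(fn_nid);
        if (!objbuf)
        {
            continue;
        }

        /* buf is only allocated on success, so the early continue leaks nothing. */
        unsigned char *buf = NULL;
        if (ASN1_STRING_to_UTF8(&buf, val) < 0)
        {
            continue;
        }

        if (!strncasecmp(objbuf, "CN", 2))
        {
            /* Was `snprintf(sess->user, sizeof(sess->user) - 1, (char *)buf)`:
             * the CN itself served as the format string, so a certificate
             * whose CN contains '%' conversions triggered undefined behaviour
             * (a classic format-string bug).  Copy it as data instead.
             * snprintf() NUL-terminates, so the full buffer size is correct;
             * a CN with an embedded NUL is cut at that NUL. */
            snprintf(sess->user, sizeof(sess->user), "%s", (char *)buf);
        }

        OPENSSL_free(buf);
    }
}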
163 
/*
 * TLS-verify hook: on the server side, capture the client certificate's CN
 * into the per-client session (sess->user).
 *
 * NOTE(review): this listing drops the signature line (165) and the return
 * statements at 173, 179 and 184; verify the return values against the
 * source before relying on this block.
 */
static int
{
    struct plugin *plugin = (struct plugin *)args->handle;
    struct session *sess = (struct session *)args->per_client_context;

    /* we store cert subject for the server end point only */
    if (plugin->type != SERVER)
    {
        /* line 173 (not shown): presumably an early return for the client side */
    }

    if (!args->current_cert)
    {
        ovpn_err("this example plugin requires client certificate");
        /* line 179 (not shown): presumably an error return; a NULL cert must
         * not reach session_user_set(), which hands it to
         * X509_get_subject_name(). */
    }

    /* The CN comes from the peer's certificate, so session_user_set() has to
     * treat it as untrusted input. */
    session_user_set(sess, args->current_cert);

    /* line 184 (not shown): return value */
}
186 
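/*
 * Overwrite `file` with `content` (no trailing newline).
 *
 * Failures are silent: a failed fopen() returns without writing, and short
 * writes or a failing fclose() are not reported, since the callers in this
 * demo have no error path.  Callers pass fixed, predictable paths under /tmp
 * and the file is created with the process's default umask, so whatever is
 * written here should be treated as readable by other local users.
 */
static void
file_store(const char *file, const char *content)
{
    /* "w" instead of "w+": the file is only written, and "w" still truncates. */
    FILE *f = fopen(file, "w");
    if (f == NULL)
    {
        return;
    }

    /* fputs() writes the same bytes as fprintf("%s") without the format machinery. */
    (void)fputs(content, f);
    (void)fclose(f);
}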
199 
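/*
 * Server side of tls_final(): write the client's user name (the certificate
 * CN captured in tls_verify()) to a file named after the session key, so the
 * key can later be mapped back to a user.
 *
 * The path is a fixed prefix under /tmp plus sess->key.  Because sess->key is
 * bounded by sizeof(sess->key) the path always fits in MAXPATH, but the
 * snprintf() result is still checked so a truncated path is never written to.
 */
static void
server_store(struct openvpn_plugin_args_func_in const *args)
{
    struct plugin *plugin = (struct plugin *)args->handle;
    struct session *sess = (struct session *)args->per_client_context;

    char file[MAXPATH];
    /* Pass the full buffer size: snprintf() always NUL-terminates, so the
     * previous "- 1" only wasted a byte. */
    int len = snprintf(file, sizeof(file), "/tmp/openvpn_sso_%s", sess->key);
    if (len < 0 || (size_t)len >= sizeof(file))
    {
        ovpn_err("app session file name too long");
        return;
    }

    ovpn_note("app session file: %s", file);
    file_store(file, sess->user);
}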
211 
/*
 * Client side of tls_final(): write the session key to a fixed file under
 * /tmp.
 *
 * The path is constant and the file holds the exported keying material in
 * the clear, created with the process's default umask.
 */
static void
client_store(struct openvpn_plugin_args_func_in const *args)
{
    struct plugin *plugin = (struct plugin *)args->handle;
    struct session *sess = (struct session *)args->per_client_context;
    char sso_file[] = "/tmp/openvpn_sso_user";

    ovpn_note("app session file: %s", sso_file);
    file_store(sso_file, sess->key);
}
222 
/*
 * TLS-final hook: copy the exported keying material for this session into
 * sess->key and then persist it (client) or the user name keyed by it
 * (server) via client_store()/server_store().
 *
 * NOTE(review): this listing omits the signature line (225), the return in
 * the "no keying material" branch (233), line 247 after client_store() and
 * the final return (251).
 */
static int
{
    struct plugin *plugin = (struct plugin *)args->handle;
    struct session *sess = (struct session *)args->per_client_context;

    /* exported_keying_material is looked up in the hook's environment;
     * without it there is nothing to store. */
    const char *key;
    if (!(key = get_env("exported_keying_material", args->envp)))
    {
        /* line 233 (not shown): presumably an error return, confirm */
    }

    /* snprintf() NUL-terminates, so the "- 1" just drops one usable byte;
     * longer material is silently truncated. */
    snprintf(sess->key, sizeof(sess->key) - 1, "%s", key);
    /* The key is secret material: logging it at NOTE level exposes it to
     * anyone who can read the OpenVPN log. */
    ovpn_note("app session key: %s", sess->key);

    switch (plugin->type)
    {
        case SERVER:
            server_store(args);
            break;

        case CLIENT:
            client_store(args);
            /* line 247 (not shown) */
    }

    ovpn_note("app session user: %s", sess->user);
    /* line 251 (not shown): return value */
}
253 
/*
 * Per-hook dispatch entry point: routes the TLS-verify and TLS-final hooks
 * to tls_verify() and tls_final().
 *
 * NOTE(review): this listing omits the `rv` parameter line (257), the two
 * `case` labels (261 and 264) in front of the calls below, and the fallback
 * return after the switch (267).  `rv` is used below although its
 * declaration is not visible here.
 */
OPENVPN_EXPORT int
openvpn_plugin_func_v3(const int version,
                       struct openvpn_plugin_args_func_in const *args,
{
    switch (args->type)
    {
        /* line 261 (not shown): case label for the TLS-verify hook */
        return tls_verify(args);

        /* line 264 (not shown): case label for the TLS-final hook */
        return tls_final(args, rv);
    }
    /* line 267 (not shown): return for hook types not handled above */
}
269 
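/*
 * Allocate the per-client session context that OpenVPN later passes back to
 * this plugin as args->per_client_context.
 *
 * Returns the zeroed session, or NULL when allocation fails (logged as an
 * error).
 */
OPENVPN_EXPORT void *
openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
{
    struct plugin *plugin = (struct plugin *)handle;
    struct session *sess = calloc(1, sizeof(*sess));

    /* Previously unchecked: a NULL context is dereferenced later by
     * tls_final() (sess->key) and by the client destructor. */
    if (sess == NULL)
    {
        ovpn_err("allocating memory for client session failed");
        return NULL;
    }

    ovpn_note("app session created");
    return sess;
}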
280 
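/*
 * Release the per-client session created by
 * openvpn_plugin_client_constructor_v1().
 *
 * Changes from the original: the session key is no longer echoed to the log
 * on teardown (it is the exported keying material, i.e. a secret), the key
 * bytes are wiped before the memory is released, and a NULL ctx is tolerated
 * instead of being dereferenced.
 */
OPENVPN_EXPORT void
openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *ctx)
{
    struct plugin *plugin = (struct plugin *)handle;
    struct session *sess = (struct session *)ctx;

    if (sess != NULL)
    {
        /* Clear through a volatile pointer so the store before free() is not
         * dropped as dead by the optimiser. */
        volatile unsigned char *p = (volatile unsigned char *)sess->key;
        for (size_t i = 0; i < sizeof(sess->key); ++i)
        {
            p[i] = 0;
        }
    }

    ovpn_note("app session destroyed");
    free(sess);
}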
292 
/*
 * Tear down the plugin context allocated in openvpn_plugin_open_v3().
 */
OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
    struct plugin *ctx = (struct plugin *)handle;

    free(ctx);
}