From 27594eeae6f40a402bc3110f06d57975168e74e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 4 Jun 2015 19:20:15 +0200 Subject: ics-openvpn as a submodule! beautiful ics-openvpn is now officially on GitHub, and they track openssl and openvpn as submodules, so it's easier to update everything. Just a git submodule update --recursive. I've also set up soft links to native modules from ics-openvpn in app, so that we don't copy files in Gradle (which was causing problems with the submodules .git* files, not being copied). That makes the repo cleaner. --- app/openvpn/sample/sample-scripts/verify-cn | 64 ----------------------------- 1 file changed, 64 deletions(-) delete mode 100755 app/openvpn/sample/sample-scripts/verify-cn (limited to 'app/openvpn/sample/sample-scripts/verify-cn') diff --git a/app/openvpn/sample/sample-scripts/verify-cn b/app/openvpn/sample/sample-scripts/verify-cn deleted file mode 100755 index 6e747ef1..00000000 --- a/app/openvpn/sample/sample-scripts/verify-cn +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/perl - -# verify-cn -- a sample OpenVPN tls-verify script -# -# Return 0 if cn matches the common name component of -# subject, 1 otherwise. -# -# For example in OpenVPN, you could use the directive: -# -# tls-verify "./verify-cn /etc/openvpn/allowed_clients" -# -# This would cause the connection to be dropped unless -# the client common name is listed on a line in the -# allowed_clients file. - -die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3); - -# Parse out arguments: -# cnfile -- The file containing the list of common names, one per -# line, which the client is required to have, -# taken from the argument to the tls-verify directive -# in the OpenVPN config file. -# The file can have blank lines and comment lines that begin -# with the # character. -# depth -- The current certificate chain depth. In a typical -# bi-level chain, the root certificate will be at level -# 1 and the client certificate will be at level 0. -# This script will be called separately for each level. -# x509 -- the X509 subject string as extracted by OpenVPN from -# the client's provided certificate. -($cnfile, $depth, $x509) = @ARGV; - -if ($depth == 0) { - # If depth is zero, we know that this is the final - # certificate in the chain (i.e. the client certificate), - # and the one we are interested in examining. - # If so, parse out the common name substring in - # the X509 subject string. - - if ($x509 =~ / CN=([^,]+)/) { - $cn = $1; - # Accept the connection if the X509 common name - # string matches the passed cn argument. - open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates! - while (defined($line = )) { - if ($line !~ /^[[:space:]]*(#|$)/o) { - chop($line); - if ($line eq $cn) { - exit 0; - } - } - } - close(FH); - } - - # Authentication failed -- Either we could not parse - # the X509 subject string, or the common name in the - # subject string didn't match the passed cn argument. - exit 1; -} - -# If depth is nonzero, tell OpenVPN to continue processing -# the certificate chain. -exit 0; -- cgit v1.2.3