ssl_verify.h File Reference
#include "syshead.h"
#include "misc.h"
#include "ssl_common.h"
#include "ssl_verify_openssl.h"
#include "ssl_verify_backend.h"

Data Structures

struct  cert_hash
 Structure containing the hash for a single certificate. More...
 
struct  cert_hash_set
 Structure containing the hashes for a full certificate chain. More...
 
struct  x509_track
 

Macros

#define MAX_CERT_DEPTH   16
 Maximum certificate depth we will allow. More...
 
#define VERIFY_X509_NONE   0
 
#define VERIFY_X509_SUBJECT_DN   1
 
#define VERIFY_X509_SUBJECT_RDN   2
 
#define VERIFY_X509_SUBJECT_RDN_PREFIX   3
 
#define TLS_AUTHENTICATION_SUCCEEDED   0
 
#define TLS_AUTHENTICATION_FAILED   1
 
#define TLS_AUTHENTICATION_DEFERRED   2
 
#define TLS_AUTHENTICATION_UNDEFINED   3
 
#define DECRYPT_KEY_ENABLED(multi, ks)   ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
 Check whether the ks key_state is ready to receive data channel packets. More...
 
#define XT_FULL_CHAIN   (1<<0)
 
#define NS_CERT_CHECK_NONE   (0)
 Do not perform Netscape certificate type verification. More...
 
#define NS_CERT_CHECK_SERVER   (1<<0)
 Require the peer certificate's Netscape certificate type to be "server". More...
 
#define NS_CERT_CHECK_CLIENT   (1<<1)
 Require the peer certificate's Netscape certificate type to be "client". More...
 
#define OPENVPN_KU_REQUIRED   (0xFFFF)
 Require keyUsage to be present in cert (0xFFFF is an invalid KU value) More...
 

Functions

int tls_authentication_status (struct tls_multi *multi, const int latency)
 
void key_state_rm_auth_control_file (struct key_state *ks)
 Remove the given key state's auth control file, if it exists. More...
 
void cert_hash_free (struct cert_hash_set *chs)
 Frees the given set of certificate hashes. More...
 
void tls_lock_cert_hash_set (struct tls_multi *multi)
 Locks the certificate hash set used in the given tunnel. More...
 
void tls_lock_common_name (struct tls_multi *multi)
 Locks the common name field for the given tunnel. More...
 
const char * tls_common_name (const struct tls_multi *multi, const bool null)
 Returns the common name field for the given tunnel. More...
 
const char * tls_username (const struct tls_multi *multi, const bool null)
 Returns the username field for the given tunnel. More...
 
bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
 Compares two certificate hash sets; returns true if all hashes are equal. More...
 
void verify_user_pass (struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
 Verify the given username and password, using either an external script, a plugin, or the management interface. More...
 
void verify_final_auth_checks (struct tls_multi *multi, struct tls_session *session)
 Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory. More...
 
static const char * tls_client_reason (struct tls_multi *multi)
 
void tls_x509_clear_env (struct env_set *es)
 Remove any X509_ env variables from env_set es. More...
 

Macro Definition Documentation

◆ MAX_CERT_DEPTH

#define MAX_CERT_DEPTH   16

Maximum certificate depth we will allow.

Definition at line 53 of file ssl_verify.h.

Referenced by cert_hash_compare(), cert_hash_copy(), cert_hash_free(), cert_hash_remember(), and verify_cert().

◆ NS_CERT_CHECK_CLIENT

#define NS_CERT_CHECK_CLIENT   (1<<1)

Require the peer certificate's Netscape certificate type to be "client".

Definition at line 218 of file ssl_verify.h.

Referenced by add_option(), print_nsCertType(), and x509_verify_ns_cert_type().

◆ NS_CERT_CHECK_NONE

#define NS_CERT_CHECK_NONE   (0)

Do not perform Netscape certificate type verification.

Definition at line 214 of file ssl_verify.h.

Referenced by verify_peer_cert(), and x509_verify_ns_cert_type().

◆ NS_CERT_CHECK_SERVER

#define NS_CERT_CHECK_SERVER   (1<<0)

Require the peer certificate's Netscape certificate type to be "server".

Definition at line 216 of file ssl_verify.h.

Referenced by add_option(), do_option_warnings(), print_nsCertType(), and x509_verify_ns_cert_type().

◆ OPENVPN_KU_REQUIRED

#define OPENVPN_KU_REQUIRED   (0xFFFF)

Require keyUsage to be present in cert (0xFFFF is an invalid KU value)

Definition at line 221 of file ssl_verify.h.

Referenced by add_option(), and x509_verify_cert_ku().

◆ TLS_AUTHENTICATION_DEFERRED

#define TLS_AUTHENTICATION_DEFERRED   2

Definition at line 72 of file ssl_verify.h.

Referenced by tls_authentication_status().

◆ TLS_AUTHENTICATION_FAILED

#define TLS_AUTHENTICATION_FAILED   1

◆ TLS_AUTHENTICATION_SUCCEEDED

#define TLS_AUTHENTICATION_SUCCEEDED   0

◆ TLS_AUTHENTICATION_UNDEFINED

#define TLS_AUTHENTICATION_UNDEFINED   3

Definition at line 73 of file ssl_verify.h.

Referenced by tls_authentication_status().

◆ VERIFY_X509_NONE

#define VERIFY_X509_NONE   0

Definition at line 65 of file ssl_verify.h.

Referenced by add_option(), do_option_warnings(), and verify_peer_cert().

◆ VERIFY_X509_SUBJECT_DN

#define VERIFY_X509_SUBJECT_DN   1

Definition at line 66 of file ssl_verify.h.

Referenced by add_option(), and verify_peer_cert().

◆ VERIFY_X509_SUBJECT_RDN

#define VERIFY_X509_SUBJECT_RDN   2

Definition at line 67 of file ssl_verify.h.

Referenced by add_option(), and verify_peer_cert().

◆ VERIFY_X509_SUBJECT_RDN_PREFIX

#define VERIFY_X509_SUBJECT_RDN_PREFIX   3

Definition at line 68 of file ssl_verify.h.

Referenced by add_option(), and verify_peer_cert().

◆ XT_FULL_CHAIN

#define XT_FULL_CHAIN   (1<<0)

Definition at line 205 of file ssl_verify.h.

Referenced by x509_setenv_track(), and x509_track_add().

Function Documentation

◆ cert_hash_compare()

bool cert_hash_compare ( const struct cert_hash_set *chs1,
const struct cert_hash_set *chs2 
)

Compares two certificate hash sets; returns true if all hashes are equal.

Parameters
chs1	The first certificate hash set
chs2	The second certificate hash set

Definition at line 284 of file ssl_verify.c.

References cert_hash_set::ch, MAX_CERT_DEPTH, and cert_hash::sha256_hash.

Referenced by multi_process_float(), and verify_final_auth_checks().

◆ cert_hash_free()

void cert_hash_free ( struct cert_hash_set *chs)

Frees the given set of certificate hashes.

Parameters
chs	The certificate hash set to free.

Definition at line 270 of file ssl_verify.c.

References cert_hash_set::ch, and MAX_CERT_DEPTH.

Referenced by tls_multi_free(), and tls_session_free().

◆ key_state_rm_auth_control_file()

void key_state_rm_auth_control_file ( struct key_state *ks)

Remove the given key state's auth control file, if it exists.

Parameters
ks	The key state to remove the file for

Referenced by key_state_free(), verify_cert(), and verify_user_pass_plugin().

◆ tls_authentication_status()

int tls_authentication_status ( struct tls_multi *multi,
const int  latency 
)

◆ tls_client_reason()

static const char* tls_client_reason ( struct tls_multi *multi)
inline static

Definition at line 234 of file ssl_verify.h.

References tls_x509_clear_env().

Referenced by process_incoming_push_request().

◆ tls_common_name()

const char* tls_common_name ( const struct tls_multi *multi,
const bool  null 
)

Returns the common name field for the given tunnel.

Parameters
multi	The tunnel to return the common name for
null	Whether NULL may be returned. If not, "UNDEF" is returned instead.

Definition at line 163 of file ssl_verify.c.

References tls_session::common_name, tls_multi::session, and TM_ACTIVE.

Referenced by format_common_name(), learn_address_script(), management_callback_kill_by_cn(), multi_client_connect_setenv(), multi_connection_established(), multi_delete_dup(), multi_instance_string(), multi_print_status(), multi_process_float(), multi_select_virtual_addr(), and send_control_channel_string().

◆ tls_lock_cert_hash_set()

void tls_lock_cert_hash_set ( struct tls_multi *multi)

Locks the certificate hash set used in the given tunnel.

Parameters
multi	The tunnel to lock

Definition at line 342 of file ssl_verify.c.

References cert_hash_copy(), tls_session::cert_hash_set, tls_multi::locked_cert_hash_set, tls_multi::session, and TM_ACTIVE.

Referenced by multi_connection_established().

◆ tls_lock_common_name()

void tls_lock_common_name ( struct tls_multi *multi)

Locks the common name field for the given tunnel.

Parameters
multi	The tunnel to lock

Definition at line 188 of file ssl_verify.c.

References tls_session::common_name, tls_multi::locked_cn, tls_multi::session, string_alloc(), and TM_ACTIVE.

Referenced by multi_connection_established().

◆ tls_username()

const char* tls_username ( const struct tls_multi *multi,
const bool  null 
)

Returns the username field for the given tunnel.

Parameters
multi	The tunnel to return the username for
null	Whether NULL may be returned. If not, "UNDEF" is returned instead.

Definition at line 227 of file ssl_verify.c.

References tls_multi::locked_username.

Referenced by multi_print_status().

◆ tls_x509_clear_env()

void tls_x509_clear_env ( struct env_set *es)

Remove any X509_ env variables from env_set es.

Definition at line 1520 of file ssl_verify.c.

References env_set_del(), env_set::list, env_item::next, and env_item::string.

Referenced by tls_client_reason(), and tls_process().

◆ verify_final_auth_checks()

void verify_final_auth_checks ( struct tls_multi *multi,
struct tls_session *session 
)

Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory.

Parameters
multi	The TLS multi structure whose locked structures are verified.
session	The current TLS session

Definition at line 1459 of file ssl_verify.c.

References key_state::authenticated, CCD_DEFAULT, cert_hash_compare(), tls_session::cert_hash_set, tls_options::client_config_dir_exclusive, tls_session::common_name, D_TLS_ERRORS, gc_free(), gc_new(), gen_path(), tls_session::key, KS_PRIMARY, tls_multi::locked_cert_hash_set, tls_multi::locked_cn, msg, tls_session::opt, set_common_name(), test_file(), tls_deauthenticate(), and wipe_auth_token().

Referenced by key_method_2_read().

◆ verify_user_pass()

void verify_user_pass ( struct user_pass *up,
struct tls_multi *multi,
struct tls_session *session 
)

Verify the given username and password, using either an external script, a plugin, or the management interface.

If authentication succeeds, the appropriate state is filled into the session's primary key state's authenticated field. Authentication may also be deferred, in which case the key state's auth_deferred field is filled in.

Parameters
up	The username and password to verify.
multi	The TLS multi structure to verify usernames against.
session	The current TLS session

Definition at line 1270 of file ssl_verify.c.

References ALLOC_ARRAY_CLEAR_GC, ASSERT, tls_multi::auth_token, tls_options::auth_token_generate, tls_options::auth_token_lifetime, tls_multi::auth_token_sent, AUTH_TOKEN_SIZE, tls_multi::auth_token_tstamp, tls_options::auth_user_pass_verify_script, key_state::authenticated, CC_CRLF, CC_PRINT, COMMON_NAME_CHAR_CLASS, compat_flag(), COMPAT_FLAG_QUERY, COMPAT_NAMES, D_HANDSHAKE, D_SHOW_KEYS, D_TLS_ERRORS, dmsg, gc_free(), gc_new(), tls_session::key, KS_PRIMARY, M_FATAL, memcmp_constant_time(), msg, now, openvpn_base64_encode(), tls_session::opt, user_pass::password, plugin_defined(), tls_options::plugins, rand_bytes(), set_common_name(), tls_options::ssl_flags, SSLF_USERNAME_AS_COMMON_NAME, string_mod(), string_mod_remap_name(), tls_deauthenticate(), tls_lock_username(), TLS_USERNAME_LEN, USER_PASS_LEN, user_pass::username, verify_user_pass_plugin(), verify_user_pass_script(), and wipe_auth_token().

Referenced by key_method_2_read().