1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_VERIFY_H_
30 #define SSL_VERIFY_H_
31 
32 #ifdef ENABLE_CRYPTO
33 
34 #include "syshead.h"
35 #include "misc.h"
36 #include "ssl_common.h"
37 
38 /* Include OpenSSL-specific code */
39 #ifdef ENABLE_CRYPTO_OPENSSL
40 #include "ssl_verify_openssl.h"
41 #endif
42 #ifdef ENABLE_CRYPTO_MBEDTLS
43 #include "ssl_verify_mbedtls.h"
44 #endif
45 
46 #include "ssl_verify_backend.h"
47 
48 /*
49  * Keep track of certificate hashes at various depths
50  */
51 
/** Maximum certificate depth we will allow (number of slots in struct cert_hash_set). */
#define MAX_CERT_DEPTH 16
54 
/**
 * Structure containing the hash for a single certificate.
 *
 * The digest is stored raw (binary), not hex-encoded: the buffer is
 * sized for exactly one 256-bit SHA-256 value.
 */
struct cert_hash {
    unsigned char sha256_hash[256 / 8];   /**< raw SHA-256 digest, 32 bytes */
};
59 
/**
 * Structure containing the hashes for a full certificate chain.
 *
 * One slot per chain depth, at most MAX_CERT_DEPTH of them.  The slots are
 * pointers, so a depth that carries no certificate is presumably left NULL
 * (confirm against cert_hash_free() and cert_hash_compare() in
 * ssl_verify.c, which own and compare these sets).
 */
struct cert_hash_set {
    struct cert_hash *ch[MAX_CERT_DEPTH];   /**< hash of the certificate at each depth */
};
64 
/*
 * Modes for checking the X.509 subject of the peer certificate.
 *
 * NOTE(review): the per-mode descriptions below are inferred from the
 * names only; confirm against the consumer of these values in ssl_verify.c.
 */
#define VERIFY_X509_NONE 0                /* no subject check */
#define VERIFY_X509_SUBJECT_DN 1          /* presumably: match the whole subject DN */
#define VERIFY_X509_SUBJECT_RDN 2         /* presumably: match a single RDN exactly */
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3  /* presumably: match a single RDN by prefix */

/*
 * Session authentication states, as returned by tls_authentication_status().
 *
 * NOTE(review): when gating traffic or access on this value, treat only
 * TLS_AUTHENTICATION_SUCCEEDED as authenticated; DEFERRED and UNDEFINED are
 * "not decided yet", not "not failed".
 */
#define TLS_AUTHENTICATION_SUCCEEDED 0   /* authentication completed successfully */
#define TLS_AUTHENTICATION_FAILED 1      /* authentication was rejected */
#define TLS_AUTHENTICATION_DEFERRED 2    /* decision still pending */
#define TLS_AUTHENTICATION_UNDEFINED 3   /* no decision available */
74 
/**
 * Return the current session authentication state of the given tunnel.
 *
 * @param multi    the tunnel whose authentication state is queried
 * @param latency  NOTE(review): semantics not visible from this header;
 *                 presumably a re-check interval for pending (deferred)
 *                 decisions -- confirm in ssl_verify.c before relying on it.
 *
 * @return one of TLS_AUTHENTICATION_SUCCEEDED, TLS_AUTHENTICATION_FAILED,
 *         TLS_AUTHENTICATION_DEFERRED or TLS_AUTHENTICATION_UNDEFINED.
 *         Only TLS_AUTHENTICATION_SUCCEEDED means the peer is authenticated.
 *
 * TODO: document the exact meaning of @p latency.
 */
int tls_authentication_status(struct tls_multi *multi, const int latency);
82 
/**
 * Evaluate to true once key state @p ks has progressed far enough that
 * (per the macro's name) the data-channel decryption key may be used.
 *
 * The threshold is S_GOT_KEY on the client and one state earlier on the
 * server: the subtraction relies on (multi)->opt.server being exactly 0 or 1.
 * NOTE(review): if opt.server ever stops being a strict 0/1 boolean this
 * macro silently shifts the threshold -- keep it a bool, or rewrite the
 * expression as an explicit conditional.
 */
#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
92 
99 
/**
 * Frees the given set of certificate hashes.
 *
 * @param chs  the set to free.  NOTE(review): whether NULL is tolerated is
 *             not visible here; check ssl_verify.c before passing NULL.
 */
void cert_hash_free(struct cert_hash_set *chs);

/**
 * Locks the certificate hash set used in the given tunnel.
 *
 * What "locking" enforces is not visible from this header; see
 * verify_final_auth_checks(), which performs these locks as part of the
 * final authentication checks.
 *
 * @param multi  the tunnel whose current certificate hash set is locked.
 */
void tls_lock_cert_hash_set(struct tls_multi *multi);

/**
 * Locks the common name field for the given tunnel.
 *
 * See tls_lock_cert_hash_set() for the locking caveat.
 *
 * @param multi  the tunnel whose common name is locked.
 */
void tls_lock_common_name(struct tls_multi *multi);

/**
 * Returns the common name field for the given tunnel.
 *
 * @param multi  the tunnel to query
 * @param null   presumably selects what is returned when no common name is
 *               available (NULL versus a placeholder) -- confirm in
 *               ssl_verify.c.
 * @return the common name, or the "no common name" value selected by @p null.
 */
const char *tls_common_name(const struct tls_multi *multi, const bool null);

/**
 * Returns the username field for the given tunnel.
 *
 * @param multi  the tunnel to query
 * @param null   same role as for tls_common_name() -- confirm in ssl_verify.c.
 * @return the username, or the "no username" value selected by @p null.
 */
const char *tls_username(const struct tls_multi *multi, const bool null);

/**
 * Compares certificate hashes, returns true if hashes are equal.
 *
 * NOTE(review): a false result here is a security decision (a peer whose
 * chain no longer matches the locked set); callers must treat it as an
 * authentication failure, never as "unknown".
 *
 * @param chs1  first set of chain hashes
 * @param chs2  second set of chain hashes
 * @return true iff both sets hold equal hashes.
 */
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
144 
145 #ifdef ENABLE_PF
146 
/**
 * Look up the common name of the tunnel's active session together with its
 * precomputed hash.
 *
 * @param multi    the tunnel to query; NULL is tolerated
 * @param cn       out: receives the active session's common name
 * @param cn_hash  out: receives the session's common_name_hashval
 *
 * @return true (and both outputs filled) when the active session carries a
 *         non-empty common name; false with both outputs left untouched
 *         otherwise.
 *
 * NOTE(review): the value is read from session[TM_ACTIVE] as-is; whether
 * that session has already passed verify_final_auth_checks() is the
 * caller's responsibility.
 */
static inline bool
tls_common_name_hash(const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
{
    const struct tls_session *active;

    if (!multi)
    {
        return false;
    }

    active = &multi->session[TM_ACTIVE];
    if (!active->common_name || active->common_name[0] == '\0')
    {
        return false;
    }

    *cn = active->common_name;
    *cn_hash = active->common_name_hashval;
    return true;
}
171 
172 #endif
173 
/**
 * Verify the given username and password, using either an external script,
 * a plugin, or the management interface.
 *
 * @param up       the credentials to verify
 * @param multi    the tunnel the credentials belong to
 * @param session  the session being authenticated
 *
 * NOTE(review): the function returns void, so the outcome is reported
 * through tunnel/session state rather than a return value; see
 * ssl_verify.c and tls_authentication_status() for how to read it.
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
                      struct tls_session *session);

/**
 * Perform final authentication checks, including locking of the cn and the
 * allowed certificate hashes (presumably via tls_lock_common_name() and
 * tls_lock_cert_hash_set()).
 *
 * @param multi    the tunnel being authenticated
 * @param session  the session that just completed its handshake
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
200 
/**
 * One element of a singly linked list of X.509 fields to track
 * (presumably exported as X509_* environment variables, cf.
 * tls_x509_clear_env()).
 */
struct x509_track
{
    const struct x509_track *next;   /**< next list element */
    const char *name;                /**< name of the tracked field */
#define XT_FULL_CHAIN (1<<0)         /**< flag: presumably track the field across the whole chain, not only the peer certificate */
    unsigned int flags;              /**< bitmask of XT_* flags */
    int nid;                         /**< numeric identifier of the field (backend-specific; confirm per TLS backend) */
};
209 
/*
 * Certificate checking for verify_nsCertType
 *
 * Bitmask values; NS_CERT_CHECK_NONE disables the check.  NOTE(review): the
 * SERVER/CLIENT descriptions are inferred from the names; confirm against
 * the nsCertType check in the TLS backend.
 */
/** Do not check the nsCertType extension. */
#define NS_CERT_CHECK_NONE (0)

/** Presumably: require the peer certificate to be typed as a server certificate. */
#define NS_CERT_CHECK_SERVER (1<<0)

/** Presumably: require the peer certificate to be typed as a client certificate. */
#define NS_CERT_CHECK_CLIENT (1<<1)

/**
 * Sentinel value used by the key-usage (KU) checks.
 * NOTE(review): its exact meaning is not visible from this header (0xFFFF
 * is distinct from any single KU bit); see the key-usage verification code
 * in ssl_verify.c / the backend before relying on it.
 */
#define OPENVPN_KU_REQUIRED (0xFFFF)
222 
/*
 * Deferred authentication driven by the management interface.
 *
 * TODO: document.  NOTE(review): the parameter descriptions below are
 * inferred from the names; confirm against ssl_verify.c.
 */
#ifdef MANAGEMENT_DEF_AUTH
/**
 * Deliver the management interface's verdict for a deferred authentication.
 *
 * @param multi          the tunnel being authenticated
 * @param mda_key_id     presumably identifies the key state the verdict is for
 * @param auth           true to accept the client, false to reject it
 * @param client_reason  presumably a reason string recorded on the tunnel
 *                       (see tls_client_reason()); may be NULL
 * @return true on success; exact failure conditions are not visible here.
 */
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);

/**
 * Record @p client_reason on the tunnel so that tls_client_reason() can
 * return it later.
 *
 * @param multi          the tunnel
 * @param client_reason  the reason string to store; ownership/copy semantics
 *                       are not visible here -- see ssl_verify.c.
 */
void man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason);

#endif
232 
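/**
 * Return the client-reason string recorded on the tunnel by deferred
 * authentication (see man_def_auth_set_client_reason()).
 *
 * The pointer handed back is the tunnel's own field, not a copy, so the
 * caller must not free it.  A NULL tunnel is tolerated and yields NULL,
 * matching how tls_common_name_hash() treats a NULL tunnel; previously the
 * ENABLE_DEF_AUTH build dereferenced @p multi unconditionally.
 *
 * @param multi  the tunnel to query; may be NULL
 * @return the recorded reason, or NULL when none is available or deferred
 *         authentication is compiled out.
 */
static inline const char *
tls_client_reason(struct tls_multi *multi)
{
#ifdef ENABLE_DEF_AUTH
    if (!multi)
    {
        return NULL;
    }
    return multi->client_reason;
#else
    /* silence unused-parameter warnings in builds without deferred auth */
    (void)multi;
    return NULL;
#endif
}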
242 
/**
 * Remove any X509_ env variables from env_set es.
 *
 * Presumably used before exporting a fresh set of X509_* variables so that
 * values from an earlier certificate (e.g. a previous renegotiation) are not
 * left visible to scripts and plugins -- confirm against the callers in
 * ssl_verify.c.
 *
 * @param es  the environment set to scrub.
 */
void tls_x509_clear_env(struct env_set *es);
245 
246 #endif /* ENABLE_CRYPTO */
247 
248 #endif /* SSL_VERIFY_H_ */