ssl_verify.c File Reference
#include "syshead.h"
#include "base64.h"
#include "manage.h"
#include "otime.h"
#include "run_command.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"
#include "ssl_verify_openssl.h"
#include "auth_token.h"
#include "push.h"


Macros

#define TLS_USERNAME_LEN   64
 Maximum length of common name. More...
 
#define ACF_UNDEFINED   0
 
#define ACF_SUCCEEDED   1
 
#define ACF_DISABLED   2
 
#define ACF_FAILED   3
 
#define KMDA_ERROR   0
 
#define KMDA_SUCCESS   1
 
#define KMDA_UNDEF   2
 
#define KMDA_DEF   3
 

Functions

static void string_mod_remap_name (char *str)
 
static void setenv_untrusted (struct tls_session *session)
 
static void tls_deauthenticate (struct tls_multi *multi)
 
static void set_common_name (struct tls_session *session, const char *common_name)
 
const char * tls_common_name (const struct tls_multi *multi, const bool null)
 Returns the common name field for the given tunnel. More...
 
void tls_lock_common_name (struct tls_multi *multi)
 Locks the common name field for the given tunnel. More...
 
static bool tls_lock_username (struct tls_multi *multi, const char *username)
 
const char * tls_username (const struct tls_multi *multi, const bool null)
 Returns the username field for the given tunnel. More...
 
void cert_hash_remember (struct tls_session *session, const int error_depth, const struct buffer *cert_hash)
 
void cert_hash_free (struct cert_hash_set *chs)
 Frees the given set of certificate hashes. More...
 
bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
 Compares certificates hashes, returns true if hashes are equal. More...
 
static struct cert_hash_set * cert_hash_copy (const struct cert_hash_set *chs)
 
void tls_lock_cert_hash_set (struct tls_multi *multi)
 Locks the certificate hash set used in the given tunnel. More...
 
static const char * print_nsCertType (int type)
 
static result_t verify_peer_cert (const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject, const char *common_name)
 
static void verify_cert_set_env (struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, const char *subject, const char *common_name, const struct x509_track *x509_track)
 
static result_t verify_cert_call_plugin (const struct plugin_list *plugins, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject)
 
static const char * verify_cert_export_cert (openvpn_x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
 
static result_t verify_cert_call_command (const char *verify_command, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject, const char *verify_export_cert)
 
static result_t verify_check_crl_dir (const char *crl_dir, openvpn_x509_cert_t *cert, const char *subject, int cert_depth)
 
result_t verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
 
void auth_set_client_reason (struct tls_multi *multi, const char *client_reason)
 Sets the reason why authentication of a client failed. More...
 
static unsigned int man_def_auth_test (const struct key_state *ks)
 
void key_state_rm_auth_control_file (struct key_state *ks)
 Remove the given key state's auth control file, if it exists. More...
 
static bool key_state_gen_auth_control_file (struct key_state *ks, const struct tls_options *opt)
 
static unsigned int key_state_test_auth_control_file (struct key_state *ks)
 
int tls_authentication_status (struct tls_multi *multi, const int latency)
 
bool tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
 
static bool verify_user_pass_script (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 
static int verify_user_pass_plugin (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 
static int verify_user_pass_management (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 
static bool set_verify_user_pass_env (struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
 
void verify_user_pass (struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
 Verify the given username and password, using either an external script, a plugin, or the management interface. More...
 
void verify_final_auth_checks (struct tls_multi *multi, struct tls_session *session)
 Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory. More...
 
void tls_x509_clear_env (struct env_set *es)
 Remove any X509_ env variables from env_set es. More...
 

Macro Definition Documentation

◆ ACF_DISABLED

#define ACF_DISABLED   2

◆ ACF_FAILED

#define ACF_FAILED   3

◆ ACF_SUCCEEDED

#define ACF_SUCCEEDED   1

◆ ACF_UNDEFINED

#define ACF_UNDEFINED   0

Definition at line 834 of file ssl_verify.c.

Referenced by key_state_test_auth_control_file(), and tls_authentication_status().

◆ KMDA_DEF

#define KMDA_DEF   3

Definition at line 1180 of file ssl_verify.c.

Referenced by verify_user_pass().

◆ KMDA_ERROR

#define KMDA_ERROR   0

Definition at line 1177 of file ssl_verify.c.

Referenced by verify_user_pass(), and verify_user_pass_management().

◆ KMDA_SUCCESS

#define KMDA_SUCCESS   1

Definition at line 1178 of file ssl_verify.c.

Referenced by verify_user_pass_management().

◆ KMDA_UNDEF

#define KMDA_UNDEF   2

Definition at line 1179 of file ssl_verify.c.

Referenced by verify_user_pass().

◆ TLS_USERNAME_LEN

#define TLS_USERNAME_LEN   64

Maximum length of common name.

Definition at line 51 of file ssl_verify.c.

Referenced by verify_cert(), and verify_user_pass().

Function Documentation

◆ auth_set_client_reason()

void auth_set_client_reason ( struct tls_multi multi,
const char *  client_reason 
)

Sets the reason why authentication of a client failed.

This will be sent to the client when the AUTH_FAILED message is sent. An example would be "SESSION: Token expired".

Parameters
multi — The multi tls struct
client_reason — The string to send to the client as part of AUTH_FAILED

Definition at line 840 of file ssl_verify.c.

Referenced by multi_client_set_protocol_options(), tls_authenticate_key(), tls_multi_free(), and verify_auth_token().

◆ cert_hash_compare()

bool cert_hash_compare ( const struct cert_hash_set chs1,
const struct cert_hash_set chs2 
)

Compares certificate hashes; returns true if the hashes are equal.

Parameters
chs1 — cert 1 hash set
chs2 — cert 2 hash set

Definition at line 248 of file ssl_verify.c.

References cert_hash_set::ch, MAX_CERT_DEPTH, and cert_hash::sha256_hash.

Referenced by multi_process_float(), and verify_final_auth_checks().

◆ cert_hash_copy()

static struct cert_hash_set* cert_hash_copy ( const struct cert_hash_set chs)
static

◆ cert_hash_free()

void cert_hash_free ( struct cert_hash_set chs)

Frees the given set of certificate hashes.

Parameters
chs — The certificate hash set to free.

Definition at line 234 of file ssl_verify.c.

References cert_hash_set::ch, free, and MAX_CERT_DEPTH.

Referenced by tls_multi_free(), and tls_session_free().

◆ cert_hash_remember()

void cert_hash_remember ( struct tls_session session,
const int  error_depth,
const struct buffer cert_hash 
)

◆ key_state_gen_auth_control_file()

static bool key_state_gen_auth_control_file ( struct key_state ks,
const struct tls_options opt 
)
static

◆ key_state_rm_auth_control_file()

void key_state_rm_auth_control_file ( struct key_state ks)

Remove the given key state's auth control file, if it exists.

Parameters
ks — The key state to remove the file for

Definition at line 873 of file ssl_verify.c.

References key_state::auth_control_file, free, and platform_unlink().

Referenced by key_state_free(), key_state_gen_auth_control_file(), and verify_user_pass_plugin().

◆ key_state_test_auth_control_file()

static unsigned int key_state_test_auth_control_file ( struct key_state ks)
static

◆ man_def_auth_test()

static unsigned int man_def_auth_test ( const struct key_state ks)
inlinestatic

◆ print_nsCertType()

static const char* print_nsCertType ( int  type)
static

Definition at line 319 of file ssl_verify.c.

References NS_CERT_CHECK_CLIENT, and NS_CERT_CHECK_SERVER.

Referenced by verify_peer_cert().

◆ set_common_name()

static void set_common_name ( struct tls_session session,
const char *  common_name 
)
static

◆ set_verify_user_pass_env()

static bool set_verify_user_pass_env ( struct user_pass up,
struct tls_multi multi,
struct tls_session session 
)
static

◆ setenv_untrusted()

static void setenv_untrusted ( struct tls_session session)
static

◆ string_mod_remap_name()

static void string_mod_remap_name ( char *  str)
static

Definition at line 54 of file ssl_verify.c.

References CC_CRLF, CC_PRINT, and string_mod().

Referenced by verify_cert(), and verify_user_pass().

◆ tls_authenticate_key()

bool tls_authenticate_key ( struct tls_multi multi,
const unsigned int  mda_key_id,
const bool  auth,
const char *  client_reason 
)

◆ tls_authentication_status()

int tls_authentication_status ( struct tls_multi multi,
const int  latency 
)

◆ tls_common_name()

const char* tls_common_name ( const struct tls_multi multi,
const bool  null 
)

Returns the common name field for the given tunnel.

Parameters
multi — The tunnel to return the common name for
null — Whether null may be returned. If not, "UNDEF" will be returned.

Definition at line 127 of file ssl_verify.c.

References tls_session::common_name, tls_multi::session, and TM_ACTIVE.

Referenced by format_common_name(), learn_address_script(), management_callback_kill_by_cn(), multi_client_connect_setenv(), multi_client_connect_source_ccd(), multi_delete_dup(), multi_instance_string(), multi_print_status(), multi_process_float(), multi_select_virtual_addr(), and send_control_channel_string_dowork().

◆ tls_deauthenticate()

static void tls_deauthenticate ( struct tls_multi multi)
static

◆ tls_lock_cert_hash_set()

void tls_lock_cert_hash_set ( struct tls_multi multi)

Locks the certificate hash set used in the given tunnel.

Parameters
multi — The tunnel to lock

Definition at line 306 of file ssl_verify.c.

References cert_hash_copy(), tls_session::cert_hash_set, tls_multi::locked_cert_hash_set, tls_multi::session, and TM_ACTIVE.

Referenced by multi_client_connect_early_setup().

◆ tls_lock_common_name()

void tls_lock_common_name ( struct tls_multi multi)

Locks the common name field for the given tunnel.

Parameters
multi — The tunnel to lock

Definition at line 152 of file ssl_verify.c.

References tls_session::common_name, tls_multi::locked_cn, tls_multi::session, string_alloc(), and TM_ACTIVE.

Referenced by multi_client_connect_early_setup().

◆ tls_lock_username()

static bool tls_lock_username ( struct tls_multi multi,
const char *  username 
)
static

◆ tls_username()

const char* tls_username ( const struct tls_multi multi,
const bool  null 
)

Returns the username field for the given tunnel.

Parameters
multi — The tunnel to return the username for
null — Whether null may be returned. If not, "UNDEF" will be returned.

Definition at line 191 of file ssl_verify.c.

References tls_multi::locked_username.

Referenced by multi_print_status().

◆ tls_x509_clear_env()

void tls_x509_clear_env ( struct env_set es)

Remove any X509_ env variables from env_set es.

Definition at line 1484 of file ssl_verify.c.

References env_set_del(), env_set::list, env_item::next, and env_item::string.

Referenced by tls_client_reason(), and tls_process().

◆ verify_cert()

result_t verify_cert ( struct tls_session session,
openvpn_x509_cert_t cert,
int  cert_depth 
)

◆ verify_cert_call_command()

static result_t verify_cert_call_command ( const char *  verify_command,
struct env_set es,
int  cert_depth,
openvpn_x509_cert_t cert,
char *  subject,
const char *  verify_export_cert 
)
static

◆ verify_cert_call_plugin()

static result_t verify_cert_call_plugin ( const struct plugin_list plugins,
struct env_set es,
int  cert_depth,
openvpn_x509_cert_t cert,
char *  subject 
)
static

◆ verify_cert_export_cert()

static const char* verify_cert_export_cert ( openvpn_x509_cert_t peercert,
const char *  tmp_dir,
struct gc_arena gc 
)
static

◆ verify_cert_set_env()

static void verify_cert_set_env ( struct env_set es,
openvpn_x509_cert_t peer_cert,
int  cert_depth,
const char *  subject,
const char *  common_name,
const struct x509_track x509_track 
)
static

◆ verify_check_crl_dir()

static result_t verify_check_crl_dir ( const char *  crl_dir,
openvpn_x509_cert_t cert,
const char *  subject,
int  cert_depth 
)
static

◆ verify_final_auth_checks()

void verify_final_auth_checks ( struct tls_multi multi,
struct tls_session session 
)

Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory.

Parameters
multi — The TLS multi structure to verify locked structures.
session — The current TLS session

Definition at line 1422 of file ssl_verify.c.

References key_state::authenticated, CCD_DEFAULT, cert_hash_compare(), tls_session::cert_hash_set, tls_options::client_config_dir_exclusive, tls_session::common_name, D_TLS_ERRORS, gc_free(), gc_new(), tls_session::key, KS_AUTH_FALSE, KS_PRIMARY, tls_multi::locked_cert_hash_set, tls_multi::locked_cn, msg, tls_session::opt, platform_gen_path(), platform_test_file(), set_common_name(), tls_deauthenticate(), and wipe_auth_token().

Referenced by key_method_2_read().

◆ verify_peer_cert()

static result_t verify_peer_cert ( const struct tls_options opt,
openvpn_x509_cert_t peer_cert,
const char *  subject,
const char *  common_name 
)
static

◆ verify_user_pass()

void verify_user_pass ( struct user_pass up,
struct tls_multi multi,
struct tls_session session 
)

Verify the given username and password, using either an external script, a plugin, or the management interface.

If authentication succeeds, the appropriate state is filled into the session's primary key state's authenticated field. Authentication may also be deferred, in which case the key state's auth_deferred field is filled in.

Parameters
up — The username and password to verify.
multi — The TLS multi structure to verify usernames against.
session — The current TLS session

Definition at line 1242 of file ssl_verify.c.

References tls_multi::auth_token, tls_options::auth_token_call_auth, AUTH_TOKEN_EXPIRED, tls_options::auth_token_generate, AUTH_TOKEN_HMAC_OK, tls_multi::auth_token_initial, tls_multi::auth_token_state_flags, tls_options::auth_user_pass_verify_script, key_state::authenticated, CC_CRLF, CC_PRINT, D_HANDSHAKE, D_TLS_ERRORS, ENABLE_MANAGEMENT, generate_auth_token(), is_auth_token(), tls_session::key, KMDA_DEF, KMDA_ERROR, KMDA_UNDEF, KS_AUTH_DEFERRED, KS_AUTH_FALSE, KS_AUTH_TRUE, KS_PRIMARY, M_WARN, management_enable_def_auth(), msg, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, tls_session::opt, user_pass::password, plugin_defined(), tls_options::plugins, send_push_reply_auth_token(), set_common_name(), set_verify_user_pass_env(), tls_options::ssl_flags, SSLF_USERNAME_AS_COMMON_NAME, string_mod(), string_mod_remap_name(), tls_lock_username(), TLS_USERNAME_LEN, user_pass::username, verify_auth_token(), verify_user_pass_management(), verify_user_pass_plugin(), verify_user_pass_script(), and wipe_auth_token().

Referenced by key_method_2_read().

◆ verify_user_pass_management()

static int verify_user_pass_management ( struct tls_session session,
struct tls_multi multi,
const struct user_pass up 
)
static

◆ verify_user_pass_plugin()

static int verify_user_pass_plugin ( struct tls_session session,
struct tls_multi multi,
const struct user_pass up 
)
static

◆ verify_user_pass_script()

static bool verify_user_pass_script ( struct tls_session session,
struct tls_multi multi,
const struct user_pass up 
)
static