1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_VERIFY_H_
30 #define SSL_VERIFY_H_
31 
32 #include "syshead.h"
33 #include "misc.h"
34 #include "ssl_common.h"
35 
36 /* Include OpenSSL-specific code */
37 #ifdef ENABLE_CRYPTO_OPENSSL
38 #include "ssl_verify_openssl.h"
39 #endif
40 #ifdef ENABLE_CRYPTO_MBEDTLS
41 #include "ssl_verify_mbedtls.h"
42 #endif
43 
44 #include "ssl_verify_backend.h"
45 
46 /*
47  * Keep track of certificate hashes at various depths
48  */
49 
/**
 * Maximum certificate depth we will allow.
 *
 * Chains deeper than this are not accepted, and this value also sizes the
 * per-depth array in struct cert_hash_set, so any depth used to index that
 * array must be range-checked against MAX_CERT_DEPTH first.
 */
#define MAX_CERT_DEPTH 16
52 
/**
 * Structure containing the hash for a single certificate.
 *
 * Holds one SHA-256 digest (256 bits = 32 bytes). The field name fixes the
 * algorithm, so the buffer size is derived from it rather than hard-coded;
 * change both together if the digest is ever replaced.
 */
struct cert_hash {
    unsigned char sha256_hash[256/8]; /**< SHA-256 digest of one certificate. */
};
57 
/**
 * Structure containing the hashes for a full certificate chain.
 *
 * ch[i] is the hash for chain depth i (presumably with depth 0 being the
 * peer's own certificate, and NULL where no certificate was seen at that
 * depth -- confirm against ssl_verify.c). The array has exactly
 * MAX_CERT_DEPTH slots and no other bound, so callers must validate the
 * depth before indexing it.
 */
struct cert_hash_set {
    struct cert_hash *ch[MAX_CERT_DEPTH]; /**< One hash per chain depth. */
};
62 
/*
 * Modes for matching the peer certificate's subject against a configured
 * name. The names suggest the following semantics; the exact matching
 * rules live in the verify code, not in this header:
 */
#define VERIFY_X509_NONE 0               /* no subject-name check */
#define VERIFY_X509_SUBJECT_DN 1         /* compare the whole subject DN */
#define VERIFY_X509_SUBJECT_RDN 2        /* compare a single RDN (e.g. the CN) */
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3 /* compare an RDN by prefix only */
67 
/*
 * Session authentication states, as returned by tls_authentication_status().
 * Treat only TLS_AUTHENTICATION_SUCCEEDED as "authenticated"; every other
 * value (failed, still pending, or not yet determined) must be handled as
 * not authenticated. Note that "success" is 0 here, unlike a boolean.
 */
#define TLS_AUTHENTICATION_SUCCEEDED 0
#define TLS_AUTHENTICATION_FAILED 1
#define TLS_AUTHENTICATION_DEFERRED 2
#define TLS_AUTHENTICATION_UNDEFINED 3
72 
/**
 * Return the current session authentication state of the tunnel.
 *
 * @param multi    The tunnel whose authentication state is queried.
 * @param latency  NOTE(review): meaning not visible in this header;
 *                 presumably a time bound used while deferred authentication
 *                 is still pending -- confirm against ssl_verify.c.
 *
 * @return One of TLS_AUTHENTICATION_SUCCEEDED, TLS_AUTHENTICATION_FAILED,
 *         TLS_AUTHENTICATION_DEFERRED or TLS_AUTHENTICATION_UNDEFINED.
 *         Callers must grant access only on TLS_AUTHENTICATION_SUCCEEDED.
 */
int tls_authentication_status(struct tls_multi *multi, const int latency);
80 
/*
 * True once key state @p ks has progressed far enough that received data
 * packets may be decrypted with it.
 *
 * The threshold depends on the role: (multi)->opt.server is used as an
 * integer (presumably a bool, 0 on a client and 1 on a server), so a server
 * passes the check one state earlier (S_GOT_KEY - 1) than a client
 * (S_GOT_KEY). NOTE(review): the reason for the asymmetric threshold is not
 * visible here -- confirm against the key-state machine before changing it.
 * Each macro argument is evaluated exactly once.
 */
#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
90 
97 
/**
 * Frees the given set of certificate hashes.
 *
 * @param chs  The set to release. NOTE(review): whether the per-depth
 *             entries and the set itself are both freed is defined in
 *             ssl_verify.c, not visible here -- confirm before reusing
 *             any of the entry pointers afterwards.
 */
void cert_hash_free(struct cert_hash_set *chs);

/**
 * Locks the certificate hash set used in the given tunnel.
 *
 * Once locked, later chains presented by the peer are presumably required
 * to hash to the same values (see cert_hash_compare() and
 * verify_final_auth_checks()) -- rationale inferred from the names.
 *
 * @param multi  The tunnel whose current hash set is locked.
 */
void tls_lock_cert_hash_set(struct tls_multi *multi);

/**
 * Locks the common name field for the given tunnel.
 *
 * @param multi  The tunnel whose common name is locked.
 */
void tls_lock_common_name(struct tls_multi *multi);

/**
 * Returns the common name field for the given tunnel.
 *
 * @param multi  The tunnel to query.
 * @param null   NOTE(review): semantics not visible here; presumably selects
 *               whether an unset name yields NULL or a placeholder string --
 *               confirm against ssl_verify.c before relying on either.
 *
 * @return The common name; a const pointer, so presumably borrowed from
 *         @p multi rather than a copy -- do not free it.
 */
const char *tls_common_name(const struct tls_multi *multi, const bool null);

/**
 * Returns the username field for the given tunnel.
 *
 * @param multi  The tunnel to query.
 * @param null   As for tls_common_name().
 *
 * @return The username as a const pointer (presumably borrowed from
 *         @p multi -- do not free it).
 */
const char *tls_username(const struct tls_multi *multi, const bool null);

/**
 * Compares certificates hashes, returns true if hashes are equal.
 *
 * Used to detect a peer presenting a different chain than the one it was
 * locked to (see tls_lock_cert_hash_set()). Certificate hashes are not
 * secrets, so a constant-time comparison is not required here. How NULL
 * entries or differing depths are treated is defined in ssl_verify.c.
 *
 * @param chs1  First hash set.
 * @param chs2  Second hash set.
 *
 * @return true if the hashes are equal, false otherwise.
 */
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
142 
143 #ifdef ENABLE_PF
144 
/**
 * Look up the common name and its cached hash for the active session of
 * a tunnel, for use by the packet filter.
 *
 * An empty common name is treated the same as no common name at all.
 * On success @p cn points into the session's own storage (it is not a
 * copy), so it must not be used after the session is torn down or
 * replaced.
 *
 * @param multi    The tunnel to query; may be NULL.
 * @param cn       Out: the active session's common name. Untouched on failure.
 * @param cn_hash  Out: the session's precomputed hash of that name.
 *                 Untouched on failure.
 *
 * @return true if a non-empty common name was found and both outputs were
 *         written, false otherwise.
 */
static inline bool
tls_common_name_hash(const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
{
    if (!multi)
    {
        return false;
    }

    const struct tls_session *active = &multi->session[TM_ACTIVE];
    const char *name = active->common_name;

    /* NULL or "" both count as "no common name" */
    if (!name || *name == '\0')
    {
        return false;
    }

    *cn = name;
    *cn_hash = active->common_name_hashval;
    return true;
}
169 
170 #endif
171 
/**
 * Verify the given username and password, using either an external script,
 * a plugin, or the management interface.
 *
 * The credentials come from the peer and are untrusted; they are handed to
 * out-of-process verifiers (script, plugin or management interface), so any
 * escaping or length limits applied to them live in ssl_verify.c, not here.
 * The function returns void, so the verdict is presumably recorded in the
 * session's authentication state and read back through
 * tls_authentication_status() -- confirm against ssl_verify.c.
 *
 * @param up       The username/password pair to verify.
 * @param multi    The tunnel the session belongs to.
 * @param session  The session being authenticated.
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
                      struct tls_session *session);

/**
 * Perform final authentication checks, including locking of the cn, the
 * allowed certificate hashes, ... (the rest of the original description is
 * not visible in this rendering; see ssl_verify.c).
 *
 * @param multi    The tunnel.
 * @param session  The session that has just completed authentication.
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
198 
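/**
 * One entry in a singly linked list of X.509 attributes to track for the
 * peer certificate chain (presumably for export as X509_* environment
 * variables; see tls_x509_clear_env() -- confirm against ssl_verify.c).
 *
 * The `struct x509_track` tag line was missing from this rendering of the
 * header and is restored here: the `next` member is declared as a pointer
 * to `struct x509_track`, so the tag is unambiguous.
 */
struct x509_track
{
    const struct x509_track *next;  /**< Next entry, NULL at the end of the list. */
    const char *name;               /**< Attribute name (presumably as configured -- confirm). */
#define XT_FULL_CHAIN (1<<0)        /**< flags bit: track at every chain depth, not only the leaf (inferred from the name). */
    unsigned int flags;             /**< Bitwise OR of XT_* flags. */
    int nid;                        /**< Backend numeric identifier of the attribute (e.g. an OpenSSL NID). */
};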
207 
208 /*
209  * Certificate checking for verify_nsCertType
210  */
/* Do not check the nsCertType extension at all. */
#define NS_CERT_CHECK_NONE (0)

/* Require the peer certificate's nsCertType to mark it as a server. */
#define NS_CERT_CHECK_SERVER (1<<0)

/* Require the peer certificate's nsCertType to mark it as a client. */
#define NS_CERT_CHECK_CLIENT (1<<1)

/*
 * Sentinel for the keyUsage check: all 16 bits set. NOTE(review): its exact
 * meaning is not visible here -- presumably "the keyUsage extension must be
 * present, any value accepted" -- confirm against the verify code before
 * relying on it. nsCertType is a legacy, non-standard extension; prefer
 * keyUsage/extendedKeyUsage-based checks where the deployment allows
 * (general guidance, not derived from this file).
 */
#define OPENVPN_KU_REQUIRED (0xFFFF)
220 
/*
 * Deferred authentication driven by the management interface; only built
 * when MANAGEMENT_DEF_AUTH is defined.
 */
#ifdef MANAGEMENT_DEF_AUTH
/**
 * Deliver the management interface's verdict for a pending (deferred)
 * client authentication.
 *
 * @param multi          The tunnel being authenticated.
 * @param mda_key_id     Identifies the key state the verdict applies to
 *                       (presumably the id previously handed to the
 *                       management interface -- confirm).
 * @param auth           true to accept the client, false to reject it.
 * @param client_reason  Reason string, presumably sent back to the client on
 *                       rejection; since it can reach the peer, keep it free
 *                       of internal detail.
 *
 * @return NOTE(review): meaning not visible here -- presumably whether a
 *         matching pending key state was found -- confirm in ssl_verify.c.
 */
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);

/**
 * Set the client reason string on the tunnel (read back by
 * tls_client_reason()).
 *
 * @param multi          The tunnel.
 * @param client_reason  Reason string to store. NOTE(review): whether it is
 *                       copied or merely referenced is not visible here --
 *                       confirm before passing a short-lived buffer.
 */
void man_def_auth_set_client_reason(struct tls_multi *multi, const char *client_reason);

#endif
230 
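/**
 * Return the client reason string recorded for the tunnel, if any.
 *
 * Only meaningful when deferred authentication is compiled in
 * (ENABLE_DEF_AUTH); otherwise the field does not exist and NULL is
 * returned without touching @p multi.
 *
 * The signature line was missing from this rendering of the header and is
 * restored from the file's symbol index
 * (`static const char *tls_client_reason(struct tls_multi *multi)`).
 *
 * @param multi  The tunnel to query (unused when ENABLE_DEF_AUTH is not set).
 *
 * @return The stored pointer itself, not a copy -- do not free it and do
 *         not use it after the tunnel is torn down -- or NULL.
 */
static inline const char *
tls_client_reason(struct tls_multi *multi)
{
#ifdef ENABLE_DEF_AUTH
    return multi->client_reason;
#else
    (void)multi; /* silence unused-parameter warnings in this configuration */
    return NULL;
#endif
}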
240 
/**
 * Remove any X509_ env variables from env_set es.
 *
 * Presumably called before a new certificate's attributes are exported, so
 * that scripts and plugins never see stale X509_* values left over from a
 * previous peer or chain depth (rationale inferred -- confirm in ssl_verify.c).
 *
 * @param es  The environment set to scrub.
 */
void tls_x509_clear_env(struct env_set *es);
243 
244 #endif /* SSL_VERIFY_H_ */