ssl_verify.h
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_VERIFY_H_
30 #define SSL_VERIFY_H_
31 
32 #include "syshead.h"
33 #include "misc.h"
34 #include "ssl_common.h"
35 
36 /* Include OpenSSL-specific code */
37 #ifdef ENABLE_CRYPTO_OPENSSL
38 #include "ssl_verify_openssl.h"
39 #endif
40 #ifdef ENABLE_CRYPTO_MBEDTLS
41 #include "ssl_verify_mbedtls.h"
42 #endif
43 
44 #include "ssl_verify_backend.h"
45 
46 /*
47  * Keep track of certificate hashes at various depths
48  */
49 
51 #define MAX_CERT_DEPTH 16
52 
/**
 * Structure containing the hash for a single certificate.
 *
 * Holds one fixed-size digest; the array is sized for a 256-bit (32-byte)
 * SHA-256 value, which is what the field name indicates is stored here.
 */
struct cert_hash {
    unsigned char sha256_hash[256/8];    /**< SHA-256 digest of one certificate (32 bytes). */
};
57 
/**
 * Structure containing the hashes for a full certificate chain.
 *
 * One slot per chain depth, up to MAX_CERT_DEPTH. Slots for depths that are
 * not present in the chain are presumably left NULL — NOTE(review): confirm
 * against the allocation/compare code in ssl_verify.c before relying on it.
 */
struct cert_hash_set {
    struct cert_hash *ch[MAX_CERT_DEPTH];    /**< Per-depth certificate hashes, indexed by chain depth. */
};
62 
63 #define VERIFY_X509_NONE 0
64 #define VERIFY_X509_SUBJECT_DN 1
65 #define VERIFY_X509_SUBJECT_RDN 2
66 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3
67 
69 {
74 };
75 
95 enum tls_auth_status
96 tls_authentication_status(struct tls_multi *multi, const int latency);
97 
113 #define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
114 
121 
127 void cert_hash_free(struct cert_hash_set *chs);
128 
134 void tls_lock_cert_hash_set(struct tls_multi *multi);
135 
141 void tls_lock_common_name(struct tls_multi *multi);
142 
149 const char *tls_common_name(const struct tls_multi *multi, const bool null);
150 
157 const char *tls_username(const struct tls_multi *multi, const bool null);
158 
165 bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
166 
167 #ifdef ENABLE_PF
168 
/**
 * Fetch the common name of the active TLS session together with its
 * stored hash value.
 *
 * Only available when packet filtering (ENABLE_PF) is compiled in.
 *
 * @param multi    Tunnel state to read from; NULL is tolerated.
 * @param cn       Output: receives the session's common_name string.
 * @param cn_hash  Output: receives the session's common_name_hashval.
 *
 * @return true when the active session carries a non-empty common name
 *         (both outputs written); false otherwise, in which case neither
 *         output is modified.
 */
static inline bool
tls_common_name_hash(const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
{
    /* Guard clause: no tunnel state means nothing to report. */
    if (!multi)
    {
        return false;
    }

    const struct tls_session *active = &multi->session[TM_ACTIVE];
    const char *name = active->common_name;

    /* An unset or empty common name is treated the same as absent. */
    if (!name || *name == '\0')
    {
        return false;
    }

    *cn = name;
    *cn_hash = active->common_name_hashval;
    return true;
}
193 
194 #endif
195 
209 void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
210  struct tls_session *session);
211 
221 void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
222 
224 {
225  const struct x509_track *next;
226  const char *name;
227 #define XT_FULL_CHAIN (1<<0)
228  unsigned int flags;
229  int nid;
230 };
231 
232 /*
233  * Certificate checking for verify_nsCertType
234  */
236 #define NS_CERT_CHECK_NONE (0)
237 
238 #define NS_CERT_CHECK_SERVER (1<<0)
239 
240 #define NS_CERT_CHECK_CLIENT (1<<1)
241 
243 #define OPENVPN_KU_REQUIRED (0xFFFF)
244 
245 /*
246  * TODO: document
247  */
248 #ifdef ENABLE_MANAGEMENT
249 bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
250 
251 #endif
252 
260 void auth_set_client_reason(struct tls_multi *multi, const char *client_reason);
261 
262 static inline const char *
264 {
265  return multi->client_reason;
266 }
267 
269 void tls_x509_clear_env(struct env_set *es);
270 
271 #endif /* SSL_VERIFY_H_ */
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:475
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:263
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:512
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:234
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:152
Structure containing the hash for a single certificate.
Definition: ssl_verify.h:54
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
Structure containing the hashes for a full certificate chain.
Definition: ssl_verify.h:59
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:127
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1475
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1028
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1413
void key_state_rm_auth_control_file(struct key_state *ks)
Remove the given key state's auth control file, if it exists.
Definition: ssl_verify.c:873
unsigned int flags
Definition: ssl_verify.h:228
#define MAX_CERT_DEPTH
Maximum certificate depth we will allow.
Definition: ssl_verify.h:51
unsigned __int32 uint32_t
Definition: config-msvc.h:157
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:840
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin, or the management interface.
Definition: ssl_verify.c:1233
const struct x509_track * next
Definition: ssl_verify.h:225
char * client_reason
Definition: ssl_common.h:554
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:306
const char * name
Definition: ssl_verify.h:226
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:191
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:417
Definition: misc.h:56
char * common_name
Definition: ssl_common.h:442
tls_auth_status
Definition: ssl_verify.h:68
enum tls_auth_status tls_authentication_status(struct tls_multi *multi, const int latency)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:930
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificate hashes; returns true if the hashes are equal.
Definition: ssl_verify.c:248
unsigned char sha256_hash[256/8]
Definition: ssl_verify.h:55