OpenVPN
ssl_verify_backend.h File Reference


Enumerations

enum  result_t { SUCCESS = 0, FAILURE = 1 }
 Result of a verification function: SUCCESS (0) when the check passed, FAILURE (1) otherwise. More...
 

Functions

result_t verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
 
void cert_hash_remember (struct tls_session *session, const int cert_depth, const struct buffer *cert_hash)
 
char * x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
struct buffer x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA-1 fingerprint. SHA-1 is no longer collision resistant, so prefer x509_get_sha256_fingerprint() for fingerprint-based identity checks. More...
 
struct buffer x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA-256 fingerprint. More...
 
result_t backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
 
char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
char * backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
 
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
 
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
 
result_t x509_verify_ns_cert_type (openvpn_x509_cert_t *cert, const int usage)
 
result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len)
 
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char *const expected_oid)
 
result_t x509_write_pem (FILE *peercert_file, openvpn_x509_cert_t *peercert)
 
bool tls_verify_crl_missing (const struct tls_options *opt)
 Return true iff a CRL is configured but is not currently loaded, in which case revocation status cannot be checked. More...
 

Enumeration Type Documentation

◆ result_t

enum result_t

Result of a verification function: SUCCESS (0) when the check passed, FAILURE (1) otherwise.

Enumerator
SUCCESS 
FAILURE 

Definition at line 35 of file ssl_verify_backend.h.

Function Documentation

◆ backend_x509_get_serial()

char* backend_x509_get_serial ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 283 of file ssl_verify_openssl.c.

References string_alloc().

Referenced by verify_cert_set_env(), and verify_check_crl_dir().

◆ backend_x509_get_serial_hex()

char* backend_x509_get_serial_hex ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 302 of file ssl_verify_openssl.c.

References format_hex_ex().

Referenced by verify_cert_set_env().

◆ backend_x509_get_username()

result_t backend_x509_get_username ( char *  common_name,
int  cn_len,
char *  x509_username_field,
openvpn_x509_cert_t peer_cert 
)

Definition at line 260 of file ssl_verify_openssl.c.

References extract_x509_field_ssl(), FAILURE, and SUCCESS.

Referenced by verify_cert().

◆ cert_hash_remember()

void cert_hash_remember ( struct tls_session session,
const int  cert_depth,
const struct buffer cert_hash 
)

◆ tls_verify_crl_missing()

bool tls_verify_crl_missing ( const struct tls_options opt)

Return true iff a CRL is configured but is not loaded.

This can happen when, for example, the CRL file fails to parse, is missing, or cannot be read because of its permissions. These conditions are checked at startup, but the CRL may be replaced and reloaded while the process is running, so the check is repeated during certificate verification (this function is called from verify_cert()). When it returns true, revocation status cannot be determined, and verification must not proceed on the assumption that the peer certificate is unrevoked.

Definition at line 767 of file ssl_verify_openssl.c.

References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, STACK_OF(), and X509_OBJECT_get_type().

Referenced by verify_cert().

◆ verify_cert()

result_t verify_cert ( struct tls_session session,
openvpn_x509_cert_t cert,
int  cert_depth 
)

◆ x509_get_sha1_fingerprint()

struct buffer x509_get_sha1_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA-1 fingerprint.

SHA-1 is no longer collision resistant; prefer x509_get_sha256_fingerprint() when the fingerprint is used to establish peer identity.

Parameters
cert — Certificate to retrieve the fingerprint from.
gc — Garbage collection arena used for the allocation.
Returns
a struct buffer, allocated from gc, containing the certificate fingerprint

Definition at line 310 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_sha256_fingerprint()

struct buffer x509_get_sha256_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA-256 fingerprint.

Parameters
cert — Certificate to retrieve the fingerprint from.
gc — Garbage collection arena used for the allocation.
Returns
a struct buffer, allocated from gc, containing the certificate fingerprint

Definition at line 320 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_subject()

char* x509_get_subject ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 330 of file ssl_verify_openssl.c.

References gc_malloc().

Referenced by verify_callback(), and verify_cert().

◆ x509_setenv()

void x509_setenv ( struct env_set es,
int  cert_depth,
openvpn_x509_cert_t cert 
)

◆ x509_setenv_track()

void x509_setenv_track ( const struct x509_track xt,
struct env_set es,
const int  depth,
openvpn_x509_cert_t x509 
)

◆ x509_track_add()

void x509_track_add ( const struct x509_track **  ll_head,
const char *  name,
int  msglevel,
struct gc_arena gc 
)

◆ x509_verify_cert_eku()

result_t x509_verify_cert_eku ( openvpn_x509_cert_t x509,
const char *const  expected_oid 
)

Definition at line 706 of file ssl_verify_openssl.c.

References D_HANDSHAKE, FAILURE, msg, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_cert_ku()

result_t x509_verify_cert_ku ( openvpn_x509_cert_t x509,
const unsigned *const  expected_ku,
int  expected_len 
)

Definition at line 645 of file ssl_verify_openssl.c.

References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_ns_cert_type()

result_t x509_verify_ns_cert_type ( openvpn_x509_cert_t cert,
const int  usage 
)

◆ x509_write_pem()

result_t x509_write_pem ( FILE *  peercert_file,
openvpn_x509_cert_t peercert 
)

Definition at line 756 of file ssl_verify_openssl.c.

References FAILURE, M_NONFATAL, msg, and SUCCESS.

Referenced by verify_cert_export_cert().