#include "syshead.h"#include "ssl_verify_openssl.h"#include "error.h"#include "ssl_openssl.h"#include "ssl_verify.h"#include "ssl_verify_backend.h"#include "openssl_compat.h"#include <openssl/bn.h>#include <openssl/err.h>#include <openssl/x509v3.h>
Go to the source code of this file.
Functions | |
| int | verify_callback (int preverify_ok, X509_STORE_CTX *ctx) |
| Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel. More... | |
| static result_t | extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) |
| result_t | backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert) |
| char * | backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| char * | backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| result_t | backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename) |
| struct buffer | x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA1 fingerprint. More... | |
| struct buffer | x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA256 fingerprint. More... | |
| char * | x509_get_subject (X509 *cert, struct gc_arena *gc) |
| void | x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) |
| static void | do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) |
| void | x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) |
| void | x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) |
| result_t | x509_verify_ns_cert_type (openvpn_x509_cert_t *peer_cert, const int usage) |
| result_t | x509_verify_cert_ku (X509 *x509, const unsigned *const expected_ku, int expected_len) |
| result_t | x509_verify_cert_eku (X509 *x509, const char *const expected_oid) |
| bool | tls_verify_crl_missing (const struct tls_options *opt) |
| Return true iff a CRL is configured, but is not loaded. More... | |
Function Documentation
◆ backend_x509_get_serial()
| char* backend_x509_get_serial | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 297 of file ssl_verify_openssl.c.
References string_alloc().
Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().
◆ backend_x509_get_serial_hex()
| char* backend_x509_get_serial_hex | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 316 of file ssl_verify_openssl.c.
References format_hex_ex().
Referenced by verify_cert_set_env().
◆ backend_x509_get_username()
| result_t backend_x509_get_username | ( | char * | common_name, |
| int | cn_len, | ||
| char * | x509_username_field, | ||
| X509 * | peer_cert | ||
| ) |
Definition at line 259 of file ssl_verify_openssl.c.
References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc_free(), gc_new(), openvpn_snprintf(), and SUCCESS.
Referenced by verify_cert().
◆ backend_x509_write_pem()
| result_t backend_x509_write_pem | ( | openvpn_x509_cert_t * | cert, |
| const char * | filename | ||
| ) |
Definition at line 324 of file ssl_verify_openssl.c.
References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.
Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().
◆ do_setenv_x509()
|
static |
Definition at line 447 of file ssl_verify_openssl.c.
References CC_ANY, CC_CRLF, check_malloc_return(), D_X509_ATTR, es, msg, x509_track::name, openvpn_snprintf(), setenv_str(), and string_mod().
Referenced by x509_setenv_track().
◆ extract_x509_field_ssl()
|
static |
Definition at line 201 of file ssl_verify_openssl.c.
References ASSERT, D_TLS_ERRORS, FAILURE, msg, strncpynt(), and SUCCESS.
Referenced by backend_x509_get_username().
◆ tls_verify_crl_missing()
| bool tls_verify_crl_missing | ( | const struct tls_options * | opt | ) |
Return true iff a CRL is configured, but is not loaded.
This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)
Definition at line 789 of file ssl_verify_openssl.c.
References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, STACK_OF(), and X509_OBJECT_get_type().
Referenced by verify_cert().
◆ x509_get_sha1_fingerprint()
| struct buffer x509_get_sha1_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA1 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 347 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().
Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_sha256_fingerprint()
| struct buffer x509_get_sha256_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA256 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 357 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().
Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_subject()
| char* x509_get_subject | ( | X509 * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 367 of file ssl_verify_openssl.c.
References gc_malloc().
Referenced by verify_callback().
◆ x509_setenv()
| void x509_setenv | ( | struct env_set * | es, |
| int | cert_depth, | ||
| openvpn_x509_cert_t * | peer_cert | ||
| ) |
Definition at line 552 of file ssl_verify_openssl.c.
References CC_CRLF, CC_PRINT, check_malloc_return(), es, openvpn_snprintf(), setenv_str_incr(), and string_mod().
Referenced by verify_cert_set_env().
◆ x509_setenv_track()
| void x509_setenv_track | ( | const struct x509_track * | xt, |
| struct env_set * | es, | ||
| const int | depth, | ||
| X509 * | x509 | ||
| ) |
Definition at line 463 of file ssl_verify_openssl.c.
References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc_free(), gc_new(), x509_track::name, x509_track::next, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.
Referenced by verify_cert_set_env().
◆ x509_track_add()
| void x509_track_add | ( | const struct x509_track ** | ll_head, |
| const char * | name, | ||
| int | msglevel, | ||
| struct gc_arena * | gc | ||
| ) |
Definition at line 423 of file ssl_verify_openssl.c.
References ALLOC_OBJ_CLEAR_GC, x509_track::flags, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.
Referenced by add_option().
◆ x509_verify_cert_eku()
| result_t x509_verify_cert_eku | ( | X509 * | x509, |
| const char *const | expected_oid | ||
| ) |
Definition at line 739 of file ssl_verify_openssl.c.
References D_HANDSHAKE, FAILURE, msg, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_cert_ku()
| result_t x509_verify_cert_ku | ( | X509 * | x509, |
| const unsigned *const | expected_ku, | ||
| int | expected_len | ||
| ) |
Definition at line 678 of file ssl_verify_openssl.c.
References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_ns_cert_type()
| result_t x509_verify_ns_cert_type | ( | openvpn_x509_cert_t * | peer_cert, |
| const int | usage | ||
| ) |
Definition at line 611 of file ssl_verify_openssl.c.
References FAILURE, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().
Referenced by verify_peer_cert().
