ssl_verify_openssl.c File Reference
#include "syshead.h"
#include "ssl_verify_openssl.h"
#include "error.h"
#include "ssl_openssl.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"
#include "openssl_compat.h"
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>


Functions

int verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel. More...
 
static result_t extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size)
 
result_t backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert)
 
char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
char * backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
struct buffer x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA1 fingerprint. More...
 
struct buffer x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA256 fingerprint. More...
 
char * x509_get_subject (X509 *cert, struct gc_arena *gc)
 
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
 
static void do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth)
 
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509)
 
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
 
result_t x509_verify_ns_cert_type (openvpn_x509_cert_t *peer_cert, const int usage)
 
result_t x509_verify_cert_ku (X509 *x509, const unsigned *const expected_ku, int expected_len)
 
result_t x509_verify_cert_eku (X509 *x509, const char *const expected_oid)
 
result_t x509_write_pem (FILE *peercert_file, X509 *peercert)
 
bool tls_verify_crl_missing (const struct tls_options *opt)
 Return true iff a CRL is configured, but is not loaded. More...
 

Function Documentation

◆ backend_x509_get_serial()

char* backend_x509_get_serial ( openvpn_x509_cert_t *  cert,
struct gc_arena *  gc 
)

Definition at line 283 of file ssl_verify_openssl.c.

References string_alloc().

Referenced by verify_cert_set_env(), and verify_check_crl_dir().

◆ backend_x509_get_serial_hex()

char* backend_x509_get_serial_hex ( openvpn_x509_cert_t *  cert,
struct gc_arena *  gc 
)

Definition at line 302 of file ssl_verify_openssl.c.

References format_hex_ex().

Referenced by verify_cert_set_env().

◆ backend_x509_get_username()

result_t backend_x509_get_username ( char *  common_name,
int  cn_len,
char *  x509_username_field,
X509 *  peer_cert 
)

Definition at line 260 of file ssl_verify_openssl.c.

References extract_x509_field_ssl(), FAILURE, and SUCCESS.

Referenced by verify_cert().

◆ do_setenv_x509()

static void do_setenv_x509 ( struct env_set *  es,
const char *  name,
char *  value,
int  depth 
)
static

◆ extract_x509_field_ssl()

static result_t extract_x509_field_ssl ( X509_NAME *  x509,
const char *  field_name,
char *  out,
int  size 
)
static

Definition at line 202 of file ssl_verify_openssl.c.

References ASSERT, D_TLS_ERRORS, FAILURE, msg, strncpynt(), and SUCCESS.

Referenced by backend_x509_get_username().

◆ tls_verify_crl_missing()

bool tls_verify_crl_missing ( const struct tls_options *  opt)

Return true iff a CRL is configured, but is not loaded.

This can be caused by, for example, a CRL parsing error, a missing CRL file, or CRL file permission errors. (These conditions are checked at startup, but the CRL may be updated and reloaded during runtime.)

Definition at line 767 of file ssl_verify_openssl.c.

References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, STACK_OF(), and X509_OBJECT_get_type().

Referenced by verify_cert().

◆ x509_get_sha1_fingerprint()

struct buffer x509_get_sha1_fingerprint ( openvpn_x509_cert_t *  cert,
struct gc_arena *  gc 
)

Retrieve the certificate's SHA1 fingerprint.

Parameters
cert	Certificate to retrieve the fingerprint from.
gc	Garbage collection arena to use when allocating the string.
Returns
a string containing the certificate fingerprint

Definition at line 310 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_sha256_fingerprint()

struct buffer x509_get_sha256_fingerprint ( openvpn_x509_cert_t *  cert,
struct gc_arena *  gc 
)

Retrieve the certificate's SHA256 fingerprint.

Parameters
cert	Certificate to retrieve the fingerprint from.
gc	Garbage collection arena to use when allocating the string.
Returns
a string containing the certificate fingerprint

Definition at line 320 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_subject()

char* x509_get_subject ( X509 *  cert,
struct gc_arena *  gc 
)

Definition at line 330 of file ssl_verify_openssl.c.

References gc_malloc().

Referenced by verify_callback(), and verify_cert().

◆ x509_setenv()

void x509_setenv ( struct env_set *  es,
int  cert_depth,
openvpn_x509_cert_t *  peer_cert 
)

◆ x509_setenv_track()

void x509_setenv_track ( const struct x509_track *  xt,
struct env_set *  es,
const int  depth,
X509 *  x509 
)

◆ x509_track_add()

void x509_track_add ( const struct x509_track **  ll_head,
const char *  name,
int  msglevel,
struct gc_arena *  gc 
)

◆ x509_verify_cert_eku()

result_t x509_verify_cert_eku ( X509 *  x509,
const char *const  expected_oid 
)

Definition at line 706 of file ssl_verify_openssl.c.

References D_HANDSHAKE, FAILURE, msg, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_cert_ku()

result_t x509_verify_cert_ku ( X509 *  x509,
const unsigned *const  expected_ku,
int  expected_len 
)

Definition at line 645 of file ssl_verify_openssl.c.

References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_ns_cert_type()

result_t x509_verify_ns_cert_type ( openvpn_x509_cert_t *  peer_cert,
const int  usage 
)

◆ x509_write_pem()

result_t x509_write_pem ( FILE *  peercert_file,
X509 *  peercert 
)

Definition at line 756 of file ssl_verify_openssl.c.

References FAILURE, M_NONFATAL, msg, and SUCCESS.

Referenced by verify_cert_export_cert().