#include "syshead.h"#include <string.h>#include "base64.h"#include "manage.h"#include "otime.h"#include "run_command.h"#include "ssl_verify.h"#include "ssl_verify_backend.h"#include "ssl_verify_openssl.h"#include "auth_token.h"#include "push.h"#include "ssl_util.h"
Go to the source code of this file.
Macros | |
| #define | TLS_USERNAME_LEN 64 |
| Maximum length of common name. More... | |
| #define | KMDA_ERROR 0 |
| #define | KMDA_SUCCESS 1 |
| #define | KMDA_UNDEF 2 |
| #define | KMDA_DEF 3 |
Functions | |
| static void | string_mod_remap_name (char *str) |
| static void | setenv_untrusted (struct tls_session *session) |
| static void | tls_deauthenticate (struct tls_multi *multi) |
| static void | set_common_name (struct tls_session *session, const char *common_name) |
| const char * | tls_common_name (const struct tls_multi *multi, const bool null) |
| Returns the common name field for the given tunnel. More... | |
| void | tls_lock_common_name (struct tls_multi *multi) |
| Locks the common name field for the given tunnel. More... | |
| static bool | tls_lock_username (struct tls_multi *multi, const char *username) |
| const char * | tls_username (const struct tls_multi *multi, const bool null) |
| Returns the username field for the given tunnel. More... | |
| void | cert_hash_remember (struct tls_session *session, const int error_depth, const struct buffer *cert_hash) |
| void | cert_hash_free (struct cert_hash_set *chs) |
| Frees the given set of certificate hashes. More... | |
| bool | cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2) |
| Compares certificates hashes, returns true if hashes are equal. More... | |
| static struct cert_hash_set * | cert_hash_copy (const struct cert_hash_set *chs) |
| void | tls_lock_cert_hash_set (struct tls_multi *multi) |
| Locks the certificate hash set used in the given tunnel. More... | |
| static const char * | print_nsCertType (int type) |
| static result_t | verify_peer_cert (const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject, const char *common_name) |
| static void | verify_cert_set_env (struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, const char *subject, const char *common_name, const struct x509_track *x509_track) |
| static bool | verify_cert_cert_export_env (struct env_set *es, openvpn_x509_cert_t *peer_cert, const char *pem_export_fname) |
Exports the certificate in peer_cert into the environment and adds the filname. More... | |
| static void | verify_cert_cert_delete_env (struct env_set *es, const char *pem_export_fname) |
| static result_t | verify_cert_call_plugin (const struct plugin_list *plugins, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject) |
| static result_t | verify_cert_call_command (const char *verify_command, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject) |
| static result_t | verify_check_crl_dir (const char *crl_dir, openvpn_x509_cert_t *cert, const char *subject, int cert_depth) |
| result_t | verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) |
| void | auth_set_client_reason (struct tls_multi *multi, const char *client_reason) |
| Sets the reason why authentication of a client failed. More... | |
| static enum auth_deferred_result | man_def_auth_test (const struct key_state *ks) |
| static void | key_state_rm_auth_pending_file (struct auth_deferred_status *ads) |
| Removes auth_pending file from the file system and key_state structure. More... | |
| static bool | check_auth_pending_method (const char *peer_info, const char *method) |
| Check peer_info if the client supports the requested pending auth method. More... | |
| static bool | key_state_check_auth_pending_file (struct auth_deferred_status *ads, struct tls_multi *multi, struct tls_session *session) |
| Checks if the deferred state should also send auth pending request to the client. More... | |
| void | key_state_rm_auth_control_files (struct auth_deferred_status *ads) |
| Removes auth_pending and auth_control files from file system and key_state structure. More... | |
| static bool | key_state_gen_auth_control_files (struct auth_deferred_status *ads, const struct tls_options *opt) |
| Generates and creates the control files used for deferred authentification in the temporary directory. More... | |
| static char * | key_state_check_auth_failed_message_file (const struct auth_deferred_status *ads, struct tls_multi *multi, struct gc_arena *gc) |
| Checks if the auth failed reason file has any content and if yes it will be returned as string allocated in gc to the caller. More... | |
| static enum auth_deferred_result | key_state_test_auth_control_file (struct auth_deferred_status *ads, bool cached) |
| Checks the auth control status from a file. More... | |
| static void | update_key_auth_status (bool cached, struct key_state *ks) |
| This method takes a key_state and if updates the state of the key if it is deferred. More... | |
| static bool | tls_authentication_status_use_cache (struct tls_multi *multi) |
| uses cache_intervals times to determine if we should update the cache. More... | |
| enum tls_auth_status | tls_authentication_status (struct tls_multi *multi) |
| Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTICATION_SUCCEEDED only if the session is fully authenticated, i.e. More... | |
| bool | tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) |
| static void | check_for_client_reason (struct tls_multi *multi, struct auth_deferred_status *status) |
| Check if the script/plugin left a message in the auth failed message file and relay it to the user. More... | |
| static int | verify_user_pass_script (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) |
| void | verify_crresponse_plugin (struct tls_multi *multi, const char *cr_response) |
| Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE. More... | |
| void | verify_crresponse_script (struct tls_multi *multi, const char *cr_response) |
| Runs the –client-crresponse script if one is defined. More... | |
| static int | verify_user_pass_plugin (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) |
| static int | verify_user_pass_management (struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) |
| static bool | set_verify_user_pass_env (struct user_pass *up, struct tls_multi *multi, struct tls_session *session) |
| void | verify_user_pass (struct user_pass *up, struct tls_multi *multi, struct tls_session *session) |
| Main username/password verification entry point. More... | |
| void | verify_final_auth_checks (struct tls_multi *multi, struct tls_session *session) |
| Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory. More... | |
| void | tls_x509_clear_env (struct env_set *es) |
| Remove any X509_ env variables from env_set es. More... | |
Variables | |
| static time_t | cache_intervals [] = {0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8} |
| The minimum times to have passed to update the cache. More... | |
Macro Definition Documentation
◆ KMDA_DEF
| #define KMDA_DEF 3 |
Definition at line 1530 of file ssl_verify.c.
◆ KMDA_ERROR
| #define KMDA_ERROR 0 |
Definition at line 1527 of file ssl_verify.c.
◆ KMDA_SUCCESS
| #define KMDA_SUCCESS 1 |
Definition at line 1528 of file ssl_verify.c.
◆ KMDA_UNDEF
| #define KMDA_UNDEF 2 |
Definition at line 1529 of file ssl_verify.c.
◆ TLS_USERNAME_LEN
| #define TLS_USERNAME_LEN 64 |
Maximum length of common name.
Definition at line 51 of file ssl_verify.c.
Function Documentation
◆ auth_set_client_reason()
| void auth_set_client_reason | ( | struct tls_multi * | multi, |
| const char * | client_reason | ||
| ) |
Sets the reason why authentication of a client failed.
This be will send to the client when the AUTH_FAILED message is sent An example would be "SESSION: Token expired"
- Parameters
-
multi The multi tls struct client_reason The string to send to the client as part of AUTH_FAILED
Definition at line 817 of file ssl_verify.c.
Referenced by check_for_client_reason(), key_state_check_auth_pending_file(), multi_client_set_protocol_options(), tls_authenticate_key(), tls_authentication_status(), tls_multi_free(), and verify_auth_token().
◆ cert_hash_compare()
| bool cert_hash_compare | ( | const struct cert_hash_set * | chs1, |
| const struct cert_hash_set * | chs2 | ||
| ) |
Compares certificates hashes, returns true if hashes are equal.
- Parameters
-
chs1 cert 1 hash set chs2 cert 2 hash set
Definition at line 234 of file ssl_verify.c.
References cert_hash_set::ch, MAX_CERT_DEPTH, and cert_hash::sha256_hash.
Referenced by multi_process_float(), and verify_final_auth_checks().
◆ cert_hash_copy()
|
static |
Definition at line 271 of file ssl_verify.c.
References ALLOC_OBJ, ALLOC_OBJ_CLEAR, cert_hash_set::ch, MAX_CERT_DEPTH, and cert_hash::sha256_hash.
Referenced by tls_lock_cert_hash_set().
◆ cert_hash_free()
| void cert_hash_free | ( | struct cert_hash_set * | chs | ) |
Frees the given set of certificate hashes.
- Parameters
-
chs The certificate hash set to free.
Definition at line 220 of file ssl_verify.c.
References cert_hash_set::ch, and MAX_CERT_DEPTH.
Referenced by tls_multi_free(), and tls_session_free().
◆ cert_hash_remember()
| void cert_hash_remember | ( | struct tls_session * | session, |
| const int | error_depth, | ||
| const struct buffer * | cert_hash | ||
| ) |
Definition at line 199 of file ssl_verify.c.
Referenced by verify_callback().
◆ check_auth_pending_method()
|
static |
Check peer_info if the client supports the requested pending auth method.
Definition at line 863 of file ssl_verify.c.
References extract_var_peer_info(), gc_free(), and gc_new().
Referenced by key_state_check_auth_pending_file().
◆ check_for_client_reason()
|
static |
Check if the script/plugin left a message in the auth failed message file and relay it to the user.
Definition at line 1287 of file ssl_verify.c.
References auth_set_client_reason(), gc_free(), gc_new(), key_state_check_auth_failed_message_file(), msg, and status.
Referenced by verify_user_pass_plugin(), and verify_user_pass_script().
◆ key_state_check_auth_failed_message_file()
|
static |
Checks if the auth failed reason file has any content and if yes it will be returned as string allocated in gc to the caller.
Definition at line 1021 of file ssl_verify.c.
References auth_deferred_status::auth_failed_reason_file, BLEN, BSTR, and buffer_read_from_file().
Referenced by check_for_client_reason(), and tls_authentication_status().
◆ key_state_check_auth_pending_file()
|
static |
Checks if the deferred state should also send auth pending request to the client.
Also removes the auth_pending control file
- Returns
- true if file was either processed sucessfully or did not exist at all
- false The file had an invlaid format or another error occured
Definition at line 900 of file ssl_verify.c.
References auth_deferred_status::auth_pending_file, auth_set_client_reason(), BSTR, buffer_entry::buf, buf_chomp(), buffer_list_file(), buffer_list_free(), check_auth_pending_method(), buffer_list::head, key_state_rm_auth_pending_file(), M_INFO, M_WARN, msg, buffer_entry::next, openvpn_snprintf(), tls_multi::peer_info, and send_auth_pending_messages().
Referenced by verify_user_pass_plugin(), and verify_user_pass_script().
◆ key_state_gen_auth_control_files()
|
static |
Generates and creates the control files used for deferred authentification in the temporary directory.
- Returns
- true if file creation was successful
Definition at line 991 of file ssl_verify.c.
References auth_deferred_status::auth_control_file, auth_deferred_status::auth_failed_reason_file, auth_deferred_status::auth_pending_file, tls_options::es, gc_free(), gc_new(), key_state_rm_auth_control_files(), platform_create_temp_file(), setenv_str(), string_alloc(), and tls_options::tmp_dir.
Referenced by verify_user_pass_plugin(), and verify_user_pass_script().
◆ key_state_rm_auth_control_files()
| void key_state_rm_auth_control_files | ( | struct auth_deferred_status * | ads | ) |
Removes auth_pending and auth_control files from file system and key_state structure.
Remove the given key state's auth deferred status auth control file, if it exists.
Definition at line 967 of file ssl_verify.c.
References auth_deferred_status::auth_control_file, auth_deferred_status::auth_failed_reason_file, key_state_rm_auth_pending_file(), and platform_unlink().
Referenced by key_state_free(), key_state_gen_auth_control_files(), verify_user_pass_plugin(), and verify_user_pass_script().
◆ key_state_rm_auth_pending_file()
|
static |
Removes auth_pending file from the file system and key_state structure.
Definition at line 849 of file ssl_verify.c.
References auth_deferred_status::auth_pending_file, and platform_unlink().
Referenced by key_state_check_auth_pending_file(), and key_state_rm_auth_control_files().
◆ key_state_test_auth_control_file()
|
static |
Checks the auth control status from a file.
The function will try to read and update the cached status if the status is still pending and the parameter cached is false. The function returns the most recent known status.
- Parameters
-
ads deferred status control structure cached Return only cached status
- Returns
- ACF_* as per enum
Definition at line 1051 of file ssl_verify.c.
References ACF_DISABLED, ACF_FAILED, ACF_PENDING, ACF_SUCCEEDED, auth_deferred_status::auth_control_file, and auth_deferred_status::auth_control_status.
Referenced by update_key_auth_status().
◆ man_def_auth_test()
|
inlinestatic |
Definition at line 831 of file ssl_verify.c.
References ACF_DISABLED, management_enable_def_auth(), and key_state::mda_status.
Referenced by update_key_auth_status().
◆ print_nsCertType()
|
static |
Definition at line 305 of file ssl_verify.c.
References NS_CERT_CHECK_CLIENT, and NS_CERT_CHECK_SERVER.
Referenced by verify_peer_cert().
◆ set_common_name()
|
static |
Definition at line 91 of file ssl_verify.c.
References setenv_str(), and string_alloc().
Referenced by verify_cert(), verify_final_auth_checks(), and verify_user_pass().
◆ set_verify_user_pass_env()
|
static |
Definition at line 1557 of file ssl_verify.c.
References add_session_token_env(), D_TLS_ERRORS, msg, setenv_str(), setenv_untrusted(), SSLF_AUTH_USER_PASS_OPTIONAL, and user_pass::username.
Referenced by verify_user_pass().
◆ setenv_untrusted()
|
static |
Definition at line 63 of file ssl_verify.c.
References SA_IP_PORT, and setenv_link_socket_actual().
Referenced by set_verify_user_pass_env(), and verify_cert().
◆ string_mod_remap_name()
|
static |
Definition at line 54 of file ssl_verify.c.
References CC_CRLF, CC_PRINT, and string_mod().
Referenced by verify_cert(), and verify_user_pass().
◆ tls_authenticate_key()
| bool tls_authenticate_key | ( | struct tls_multi * | multi, |
| const unsigned int | mda_key_id, | ||
| const bool | auth, | ||
| const char * | client_reason | ||
| ) |
Definition at line 1251 of file ssl_verify.c.
References ACF_FAILED, ACF_SUCCEEDED, auth_set_client_reason(), get_key_scan(), KEY_SCAN_SIZE, key_state::mda_key_id, and key_state::mda_status.
Referenced by management_client_auth().
◆ tls_authentication_status()
| enum tls_auth_status tls_authentication_status | ( | struct tls_multi * | multi | ) |
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTICATION_SUCCEEDED only if the session is fully authenticated, i.e.
VPN traffic is allowed over it.
Checks the status of all active keys and checks if the deferred authentication has succeeded.
As a side effect this function will also transition ks->authenticated from KS_AUTH_DEFERRED to KS_AUTH_FALSE/KS_AUTH_TRUE if the deferred authentication has succeeded after last call.
- Parameters
-
multi the tls_multi struct to operate on
- Returns
- Current authentication status of the tls_multi
Definition at line 1154 of file ssl_verify.c.
References auth_set_client_reason(), key_state::authenticated, D_TLS_ERRORS, dmsg, gc_free(), gc_new(), get_key_scan(), get_primary_key(), KEY_SCAN_SIZE, key_state_check_auth_failed_message_file(), KS_AUTH_DEFERRED, KS_AUTH_FALSE, KS_AUTH_TRUE, now, key_state::plugin_auth, key_state::script_auth, tls_multi::tas_cache_last_update, tls_multi::tas_cache_num_updates, TLS_AUTHENTICATED, TLS_AUTHENTICATION_DEFERRED, TLS_AUTHENTICATION_FAILED, tls_authentication_status_use_cache(), TLS_AUTHENTICATION_SUCCEEDED, and update_key_auth_status().
Referenced by process_incoming_push_request(), and tls_multi_process().
◆ tls_authentication_status_use_cache()
|
static |
uses cache_intervals times to determine if we should update the cache.
Definition at line 1146 of file ssl_verify.c.
References cache_intervals, min_uint(), now, SIZE, tls_multi::tas_cache_last_update, and tls_multi::tas_cache_num_updates.
Referenced by tls_authentication_status().
◆ tls_common_name()
| const char* tls_common_name | ( | const struct tls_multi * | multi, |
| const bool | null | ||
| ) |
Returns the common name field for the given tunnel.
- Parameters
-
multi The tunnel to return the common name for null Whether null may be returned. If not, "UNDEF" will be returned.
Definition at line 113 of file ssl_verify.c.
References tls_session::common_name, tls_multi::session, and TM_ACTIVE.
Referenced by format_common_name(), learn_address_script(), management_callback_kill_by_cn(), multi_client_connect_setenv(), multi_client_connect_source_ccd(), multi_delete_dup(), multi_instance_string(), multi_print_status(), multi_process_float(), and multi_select_virtual_addr().
◆ tls_deauthenticate()
|
static |
Definition at line 72 of file ssl_verify.c.
References key_state::authenticated, tls_session::key, KS_AUTH_FALSE, KS_SIZE, tls_multi::session, TM_SIZE, and wipe_auth_token().
Referenced by tls_lock_username(), verify_crresponse_script(), and verify_final_auth_checks().
◆ tls_lock_cert_hash_set()
| void tls_lock_cert_hash_set | ( | struct tls_multi * | multi | ) |
Locks the certificate hash set used in the given tunnel.
- Parameters
-
multi The tunnel to lock
Definition at line 292 of file ssl_verify.c.
References cert_hash_copy(), tls_session::cert_hash_set, tls_multi::locked_cert_hash_set, tls_multi::session, and TM_ACTIVE.
Referenced by multi_client_connect_early_setup().
◆ tls_lock_common_name()
| void tls_lock_common_name | ( | struct tls_multi * | multi | ) |
Locks the common name field for the given tunnel.
- Parameters
-
multi The tunnel to lock
Definition at line 138 of file ssl_verify.c.
References tls_session::common_name, tls_multi::locked_cn, tls_multi::session, string_alloc(), and TM_ACTIVE.
Referenced by multi_client_connect_early_setup().
◆ tls_lock_username()
|
static |
Definition at line 151 of file ssl_verify.c.
References D_TLS_ERRORS, tls_multi::locked_username, msg, np(), string_alloc(), and tls_deauthenticate().
Referenced by verify_user_pass().
◆ tls_username()
| const char* tls_username | ( | const struct tls_multi * | multi, |
| const bool | null | ||
| ) |
Returns the username field for the given tunnel.
- Parameters
-
multi The tunnel to return the username for null Whether null may be returned. If not, "UNDEF" will be returned.
Definition at line 177 of file ssl_verify.c.
References tls_multi::locked_username.
Referenced by multi_print_status().
◆ tls_x509_clear_env()
| void tls_x509_clear_env | ( | struct env_set * | es | ) |
Remove any X509_ env variables from env_set es.
Definition at line 1836 of file ssl_verify.c.
References env_set_del(), es, env_set::list, env_item::next, and env_item::string.
Referenced by tls_process_state().
◆ update_key_auth_status()
|
static |
This method takes a key_state and if updates the state of the key if it is deferred.
- Parameters
-
cached If auth control files should be tried to be opened or th cached results should be used ks The key_state to update
Definition at line 1087 of file ssl_verify.c.
References ACF_DISABLED, ACF_FAILED, ACF_PENDING, ASSERT, key_state::auth_deferred_expire, key_state::authenticated, key_state_test_auth_control_file(), KS_AUTH_FALSE, KS_AUTH_TRUE, man_def_auth_test(), now, key_state::plugin_auth, and key_state::script_auth.
Referenced by tls_authentication_status().
◆ verify_cert()
| result_t verify_cert | ( | struct tls_session * | session, |
| openvpn_x509_cert_t * | cert, | ||
| int | cert_depth | ||
| ) |
Definition at line 598 of file ssl_verify.c.
Referenced by verify_callback().
◆ verify_cert_call_command()
|
static |
Definition at line 522 of file ssl_verify.c.
References argv_free(), argv_msg_prefix(), argv_new(), argv_parse_cmd(), argv_printf_cat(), D_HANDSHAKE, D_TLS_DEBUG, es, FAILURE, argv::gc, gc_free(), gc_new(), msg, openvpn_run_script(), setenv_str(), and SUCCESS.
Referenced by verify_cert().
◆ verify_cert_call_plugin()
|
static |
Definition at line 489 of file ssl_verify.c.
References argv_free(), argv_new(), argv_printf(), D_HANDSHAKE, es, FAILURE, msg, OPENVPN_PLUGIN_FUNC_SUCCESS, OPENVPN_PLUGIN_TLS_VERIFY, plugin_call_ssl(), plugin_defined(), and SUCCESS.
Referenced by verify_cert().
◆ verify_cert_cert_delete_env()
|
static |
Definition at line 476 of file ssl_verify.c.
References env_set_del(), and es.
Referenced by verify_cert().
◆ verify_cert_cert_export_env()
|
static |
Exports the certificate in peer_cert into the environment and adds the filname.
Definition at line 466 of file ssl_verify.c.
References backend_x509_write_pem(), es, setenv_str(), and SUCCESS.
Referenced by verify_cert().
◆ verify_cert_set_env()
|
static |
Definition at line 405 of file ssl_verify.c.
References backend_x509_get_serial(), backend_x509_get_serial_hex(), BLEN, BPTR, es, format_hex_ex(), gc_free(), gc_new(), openvpn_snprintf(), setenv_str(), x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), x509_setenv(), and x509_setenv_track().
Referenced by verify_cert().
◆ verify_check_crl_dir()
|
static |
Definition at line 556 of file ssl_verify.c.
References backend_x509_get_serial(), cleanup(), D_HANDSHAKE, FAILURE, gc_free(), gc_new(), msg, openvpn_snprintf(), PATH_SEPARATOR, platform_open(), and SUCCESS.
Referenced by verify_cert().
◆ verify_crresponse_plugin()
| void verify_crresponse_plugin | ( | struct tls_multi * | multi, |
| const char * | cr_response | ||
| ) |
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
As with the management interface calling the plugin is stateless in the sense that it does not directly participate in the authentication but rather should set the files for the deferred auth like the management commands.
Definition at line 1407 of file ssl_verify.c.
References plugin_call(), tls_multi::session, setenv_del(), setenv_str(), and TM_ACTIVE.
Referenced by receive_cr_response().
◆ verify_crresponse_script()
| void verify_crresponse_script | ( | struct tls_multi * | multi, |
| const char * | cr_response | ||
| ) |
Runs the –client-crresponse script if one is defined.
As with the management interface the script is stateless in the sense that it does not directly participate in the authentication but rather should set the files for the deferred auth like the management commands.
Definition at line 1420 of file ssl_verify.c.
References argv_free(), argv_new(), argv_parse_cmd(), argv_printf_cat(), D_TLS_ERRORS, gc_free(), gc_new(), msg, openvpn_run_script(), platform_create_temp_file(), tls_multi::session, setenv_str(), status_close(), status_open(), STATUS_OUTPUT_WRITE, status_printf(), tls_deauthenticate(), and TM_ACTIVE.
Referenced by receive_cr_response().
◆ verify_final_auth_checks()
| void verify_final_auth_checks | ( | struct tls_multi * | multi, |
| struct tls_session * | session | ||
| ) |
Perform final authentication checks, including locking of the cn, the allowed certificate hashes, and whether a client config entry exists in the client config directory.
- Parameters
-
multi The TLS multi structure to verify locked structures. session The current TLS session
Definition at line 1774 of file ssl_verify.c.
References key_state::authenticated, CCD_DEFAULT, cert_hash_compare(), D_TLS_ERRORS, gc_free(), gc_new(), session::key, KS_AUTH_FALSE, KS_PRIMARY, tls_multi::locked_cert_hash_set, tls_multi::locked_cn, msg, platform_gen_path(), platform_test_file(), set_common_name(), tls_deauthenticate(), and wipe_auth_token().
Referenced by key_method_2_read().
◆ verify_peer_cert()
|
static |
Definition at line 329 of file ssl_verify.c.
References D_HANDSHAKE, FAILURE, MAX_PARMS, msg, NS_CERT_CHECK_NONE, tls_options::ns_cert_type, print_nsCertType(), tls_options::remote_cert_eku, tls_options::remote_cert_ku, SUCCESS, tls_options::verify_x509_name, VERIFY_X509_NONE, VERIFY_X509_SUBJECT_DN, VERIFY_X509_SUBJECT_RDN, VERIFY_X509_SUBJECT_RDN_PREFIX, tls_options::verify_x509_type, x509_verify_cert_eku(), x509_verify_cert_ku(), and x509_verify_ns_cert_type().
Referenced by verify_cert().
◆ verify_user_pass()
| void verify_user_pass | ( | struct user_pass * | up, |
| struct tls_multi * | multi, | ||
| struct tls_session * | session | ||
| ) |
Main username/password verification entry point.
Verify the given username and password, using either an external script, a plugin, or the management interface.
Will set session->ks[KS_PRIMARY].authenticated according to result of the username/password verification
Definition at line 1592 of file ssl_verify.c.
References ACF_DISABLED, tls_multi::auth_token, AUTH_TOKEN_EXPIRED, AUTH_TOKEN_HMAC_OK, tls_multi::auth_token_initial, key_state::auth_token_state_flags, key_state::authenticated, CC_CRLF, CC_PRINT, D_HANDSHAKE, D_TLS_ERRORS, ENABLE_MANAGEMENT, generate_auth_token(), is_auth_token(), session::key, KMDA_DEF, KMDA_ERROR, KMDA_UNDEF, KS_AUTH_DEFERRED, KS_AUTH_FALSE, KS_AUTH_TRUE, KS_PRIMARY, M_WARN, management_enable_def_auth(), key_state::mda_status, msg, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, user_pass::password, plugin_defined(), set_common_name(), set_verify_user_pass_env(), SSLF_USERNAME_AS_COMMON_NAME, string_mod(), string_mod_remap_name(), tls_lock_username(), TLS_USERNAME_LEN, user_pass::username, verify_auth_token(), verify_user_pass_management(), verify_user_pass_plugin(), verify_user_pass_script(), and wipe_auth_token().
Referenced by key_method_2_read().
◆ verify_user_pass_management()
|
static |
Definition at line 1533 of file ssl_verify.c.
References session::key, KMDA_ERROR, KMDA_SUCCESS, KS_PRIMARY, management_notify_client_needing_auth(), key_state::mda_key_id, user_pass::password, setenv_del(), and setenv_str().
Referenced by verify_user_pass().
◆ verify_user_pass_plugin()
|
static |
Definition at line 1476 of file ssl_verify.c.
References check_for_client_reason(), D_TLS_ERRORS, session::key, key_state_check_auth_pending_file(), key_state_gen_auth_control_files(), key_state_rm_auth_control_files(), KS_PRIMARY, msg, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, user_pass::password, key_state::plugin_auth, plugin_call(), setenv_del(), and setenv_str().
Referenced by verify_user_pass().
◆ verify_user_pass_script()
|
static |
Definition at line 1302 of file ssl_verify.c.
References argv_free(), argv_new(), argv_parse_cmd(), argv_printf_cat(), check_for_client_reason(), D_TLS_ERRORS, gc_free(), gc_new(), session::key, key_state_check_auth_pending_file(), key_state_gen_auth_control_files(), key_state_rm_auth_control_files(), KS_PRIMARY, msg, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, openvpn_run_script(), user_pass::password, platform_create_temp_file(), platform_unlink(), S_EXITCODE, key_state::script_auth, setenv_del(), setenv_str(), status_close(), status_open(), STATUS_OUTPUT_WRITE, status_printf(), and user_pass::username.
Referenced by verify_user_pass().
Variable Documentation
◆ cache_intervals
|
static |
The minimum times to have passed to update the cache.
Older versions of OpenVPN had code path that did not do any caching, so we start with no caching (0) here as well to have the same super quick initial reaction.
Definition at line 1139 of file ssl_verify.c.
Referenced by tls_authentication_status_use_cache().
