OpenVPN
ssl_verify.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #include "syshead.h"
34 #include <string.h>
35 
36 #include "base64.h"
37 #include "manage.h"
38 #include "otime.h"
39 #include "run_command.h"
40 #include "ssl_verify.h"
41 #include "ssl_verify_backend.h"
42 
43 #ifdef ENABLE_CRYPTO_OPENSSL
44 #include "ssl_verify_openssl.h"
45 #endif
46 #include "auth_token.h"
47 #include "push.h"
48 #include "ssl_util.h"
49 
51 #define TLS_USERNAME_LEN 64
52 
53 static void
54 string_mod_remap_name(char *str)
55 {
56  string_mod(str, CC_PRINT, CC_CRLF, '_');
57 }
58 
59 /*
60  * Export the untrusted IP address and port to the environment
61  */
62 static void
63 setenv_untrusted(struct tls_session *session)
64 {
65  setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
66 }
67 
68 /*
69  * Remove authenticated state from all sessions in the given tunnel
70  */
71 static void
72 tls_deauthenticate(struct tls_multi *multi)
73 {
74  if (multi)
75  {
76  wipe_auth_token(multi);
77  for (int i = 0; i < TM_SIZE; ++i)
78  {
79  for (int j = 0; j < KS_SIZE; ++j)
80  {
81  multi->session[i].key[j].authenticated = KS_AUTH_FALSE;
82  }
83  }
84  }
85 }
86 
87 /*
88  * Set the given session's common_name
89  */
90 static void
91 set_common_name(struct tls_session *session, const char *common_name)
92 {
93  if (session->common_name)
94  {
95  free(session->common_name);
96  session->common_name = NULL;
97  }
98  if (common_name)
99  {
100  /* FIXME: Last alloc will never be freed */
101  session->common_name = string_alloc(common_name, NULL);
102  }
103  /* update common name in env */
104  setenv_str(session->opt->es, "common_name", common_name);
105 }
106 
107 /*
108  * Retrieve the common name for the given tunnel's active session. If the
109  * common name is NULL or empty, return NULL if null is true, or "UNDEF" if
110  * null is false.
111  */
112 const char *
113 tls_common_name(const struct tls_multi *multi, const bool null)
114 {
115  const char *ret = NULL;
116  if (multi)
117  {
118  ret = multi->session[TM_ACTIVE].common_name;
119  }
120  if (ret && strlen(ret))
121  {
122  return ret;
123  }
124  else if (null)
125  {
126  return NULL;
127  }
128  else
129  {
130  return "UNDEF";
131  }
132 }
133 
134 /*
135  * Lock the common name for the given tunnel.
136  */
137 void
138 tls_lock_common_name(struct tls_multi *multi)
139 {
140  const char *cn = multi->session[TM_ACTIVE].common_name;
141  if (cn && !multi->locked_cn)
142  {
143  multi->locked_cn = string_alloc(cn, NULL);
144  }
145 }
146 
147 /*
148  * Lock the username for the given tunnel
149  */
150 static bool
151 tls_lock_username(struct tls_multi *multi, const char *username)
152 {
153  if (multi->locked_username)
154  {
155  if (!username || strcmp(username, multi->locked_username))
156  {
157  msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
158  multi->locked_username,
159  np(username));
160 
161  /* disable the tunnel */
162  tls_deauthenticate(multi);
163  return false;
164  }
165  }
166  else
167  {
168  if (username)
169  {
170  multi->locked_username = string_alloc(username, NULL);
171  }
172  }
173  return true;
174 }
175 
176 const char *
177 tls_username(const struct tls_multi *multi, const bool null)
178 {
179  const char *ret = NULL;
180  if (multi)
181  {
182  ret = multi->locked_username;
183  }
184  if (ret && strlen(ret))
185  {
186  return ret;
187  }
188  else if (null)
189  {
190  return NULL;
191  }
192  else
193  {
194  return "UNDEF";
195  }
196 }
197 
198 void
199 cert_hash_remember(struct tls_session *session, const int error_depth,
200  const struct buffer *cert_hash)
201 {
202  if (error_depth >= 0 && error_depth < MAX_CERT_DEPTH)
203  {
204  if (!session->cert_hash_set)
205  {
206  ALLOC_OBJ_CLEAR(session->cert_hash_set, struct cert_hash_set);
207  }
208  if (!session->cert_hash_set->ch[error_depth])
209  {
210  ALLOC_OBJ(session->cert_hash_set->ch[error_depth], struct cert_hash);
211  }
212 
213  struct cert_hash *ch = session->cert_hash_set->ch[error_depth];
214  ASSERT(sizeof(ch->sha256_hash) == BLEN(cert_hash));
215  memcpy(ch->sha256_hash, BPTR(cert_hash), sizeof(ch->sha256_hash));
216  }
217 }
218 
219 void
220 cert_hash_free(struct cert_hash_set *chs)
221 {
222  if (chs)
223  {
224  int i;
225  for (i = 0; i < MAX_CERT_DEPTH; ++i)
226  {
227  free(chs->ch[i]);
228  }
229  free(chs);
230  }
231 }
232 
233 bool
234 cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
235 {
236  if (chs1 && chs2)
237  {
238  int i;
239  for (i = 0; i < MAX_CERT_DEPTH; ++i)
240  {
241  const struct cert_hash *ch1 = chs1->ch[i];
242  const struct cert_hash *ch2 = chs2->ch[i];
243 
244  if (!ch1 && !ch2)
245  {
246  continue;
247  }
248  else if (ch1 && ch2 && !memcmp(ch1->sha256_hash, ch2->sha256_hash,
249  sizeof(ch1->sha256_hash)))
250  {
251  continue;
252  }
253  else
254  {
255  return false;
256  }
257  }
258  return true;
259  }
260  else if (!chs1 && !chs2)
261  {
262  return true;
263  }
264  else
265  {
266  return false;
267  }
268 }
269 
270 static struct cert_hash_set *
271 cert_hash_copy(const struct cert_hash_set *chs)
272 {
273  struct cert_hash_set *dest = NULL;
274  if (chs)
275  {
276  int i;
277  ALLOC_OBJ_CLEAR(dest, struct cert_hash_set);
278  for (i = 0; i < MAX_CERT_DEPTH; ++i)
279  {
280  const struct cert_hash *ch = chs->ch[i];
281  if (ch)
282  {
283  ALLOC_OBJ(dest->ch[i], struct cert_hash);
284  memcpy(dest->ch[i]->sha256_hash, ch->sha256_hash,
285  sizeof(dest->ch[i]->sha256_hash));
286  }
287  }
288  }
289  return dest;
290 }
291 void
292 tls_lock_cert_hash_set(struct tls_multi *multi)
293 {
294  const struct cert_hash_set *chs = multi->session[TM_ACTIVE].cert_hash_set;
295  if (chs && !multi->locked_cert_hash_set)
296  {
297  multi->locked_cert_hash_set = cert_hash_copy(chs);
298  }
299 }
300 
301 /*
302  * Returns the string associated with the given certificate type.
303  */
304 static const char *
305 print_nsCertType(int type)
306 {
307  switch (type)
308  {
309  case NS_CERT_CHECK_SERVER:
310  return "SERVER";
311 
312  case NS_CERT_CHECK_CLIENT:
313  return "CLIENT";
314 
315  default:
316  return "?";
317  }
318 }
319 
320 /*
321  * Verify the peer's certificate fields.
322  *
323  * @param opt the tls options to verify against
324  * @param peer_cert the peer's certificate
325  * @param subject the peer's extracted subject name
326  * @param subject the peer's extracted common name
327  */
328 static result_t
329 verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
330  const char *subject, const char *common_name)
331 {
332  /* verify certificate nsCertType */
333  if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
334  {
335  if (SUCCESS == x509_verify_ns_cert_type(peer_cert, opt->ns_cert_type))
336  {
337  msg(D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
338  print_nsCertType(opt->ns_cert_type));
339  }
340  else
341  {
342  msg(D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
343  subject, print_nsCertType(opt->ns_cert_type));
344  return FAILURE; /* Reject connection */
345  }
346  }
347 
348  /* verify certificate ku */
349  if (opt->remote_cert_ku[0] != 0)
350  {
351  if (SUCCESS == x509_verify_cert_ku(peer_cert, opt->remote_cert_ku, MAX_PARMS))
352  {
353  msg(D_HANDSHAKE, "VERIFY KU OK");
354  }
355  else
356  {
357  msg(D_HANDSHAKE, "VERIFY KU ERROR");
358  return FAILURE; /* Reject connection */
359  }
360  }
361 
362  /* verify certificate eku */
363  if (opt->remote_cert_eku != NULL)
364  {
365  if (SUCCESS == x509_verify_cert_eku(peer_cert, opt->remote_cert_eku))
366  {
367  msg(D_HANDSHAKE, "VERIFY EKU OK");
368  }
369  else
370  {
371  msg(D_HANDSHAKE, "VERIFY EKU ERROR");
372  return FAILURE; /* Reject connection */
373  }
374  }
375 
376  /* verify X509 name or username against --verify-x509-[user]name */
377  if (opt->verify_x509_type != VERIFY_X509_NONE)
378  {
379  if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
380  && strcmp(opt->verify_x509_name, subject) == 0)
381  || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
382  && strcmp(opt->verify_x509_name, common_name) == 0)
383  || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
384  && strncmp(opt->verify_x509_name, common_name,
385  strlen(opt->verify_x509_name)) == 0) )
386  {
387  msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
388  }
389  else
390  {
391  msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
392  subject, opt->verify_x509_name);
393  return FAILURE; /* Reject connection */
394  }
395  }
396 
397  return SUCCESS;
398 }
399 
400 /*
401  * Export the subject, common_name, and raw certificate fields to the
402  * environment for later verification by scripts and plugins.
403  */
404 static void
405 verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth,
406  const char *subject, const char *common_name,
407  const struct x509_track *x509_track)
408 {
409  char envname[64];
410  char *serial = NULL;
411  struct gc_arena gc = gc_new();
412 
413  /* Save X509 fields in environment */
414  if (x509_track)
415  {
416  x509_setenv_track(x509_track, es, cert_depth, peer_cert);
417  }
418  else
419  {
420  x509_setenv(es, cert_depth, peer_cert);
421  }
422 
423  /* export subject name string as environmental variable */
424  snprintf(envname, sizeof(envname), "tls_id_%d", cert_depth);
425  setenv_str(es, envname, subject);
426 
427 #if 0
428  /* export common name string as environmental variable */
429  snprintf(envname, sizeof(envname), "tls_common_name_%d", cert_depth);
430  setenv_str(es, envname, common_name);
431 #endif
432 
433  /* export X509 cert fingerprints */
434  {
435  struct buffer sha1 = x509_get_sha1_fingerprint(peer_cert, &gc);
436  struct buffer sha256 = x509_get_sha256_fingerprint(peer_cert, &gc);
437 
438  snprintf(envname, sizeof(envname), "tls_digest_%d", cert_depth);
439  setenv_str(es, envname,
440  format_hex_ex(BPTR(&sha1), BLEN(&sha1), 0, 1, ":", &gc));
441 
442  snprintf(envname, sizeof(envname), "tls_digest_sha256_%d",
443  cert_depth);
444  setenv_str(es, envname,
445  format_hex_ex(BPTR(&sha256), BLEN(&sha256), 0, 1, ":", &gc));
446  }
447 
448  /* export serial number as environmental variable */
449  serial = backend_x509_get_serial(peer_cert, &gc);
450  snprintf(envname, sizeof(envname), "tls_serial_%d", cert_depth);
451  setenv_str(es, envname, serial);
452 
453  /* export serial number in hex as environmental variable */
454  serial = backend_x509_get_serial_hex(peer_cert, &gc);
455  snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth);
456  setenv_str(es, envname, serial);
457 
458  gc_free(&gc);
459 }
460 
465 static bool
466 verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert,
467  const char *pem_export_fname)
468 {
469  /* export the path to the current certificate in pem file format */
470  setenv_str(es, "peer_cert", pem_export_fname);
471 
472  return backend_x509_write_pem(peer_cert, pem_export_fname) == SUCCESS;
473 }
474 
475 static void
476 verify_cert_cert_delete_env(struct env_set *es, const char *pem_export_fname)
477 {
478  env_set_del(es, "peer_cert");
479  if (pem_export_fname)
480  {
481  unlink(pem_export_fname);
482  }
483 }
484 
485 /*
486  * call --tls-verify plug-in(s)
487  */
488 static result_t
489 verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
490  int cert_depth, openvpn_x509_cert_t *cert, char *subject)
491 {
492  if (plugin_defined(plugins, OPENVPN_PLUGIN_TLS_VERIFY))
493  {
494  int ret;
495  struct argv argv = argv_new();
496 
497  argv_printf(&argv, "%d %s", cert_depth, subject);
498 
499  ret = plugin_call_ssl(plugins, OPENVPN_PLUGIN_TLS_VERIFY, &argv, NULL, es, cert_depth, cert);
500 
501  argv_free(&argv);
502 
503  if (ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
504  {
505  msg(D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
506  cert_depth, subject);
507  }
508  else
509  {
510  msg(D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
511  cert_depth, subject);
512  return FAILURE; /* Reject connection */
513  }
514  }
515  return SUCCESS;
516 }
517 
518 /*
519  * run --tls-verify script
520  */
521 static result_t
522 verify_cert_call_command(const char *verify_command, struct env_set *es,
523  int cert_depth, openvpn_x509_cert_t *cert, char *subject)
524 {
525  int ret;
526  struct gc_arena gc = gc_new();
527  struct argv argv = argv_new();
528 
529  setenv_str(es, "script_type", "tls-verify");
530 
531  argv_parse_cmd(&argv, verify_command);
532  argv_printf_cat(&argv, "%d %s", cert_depth, subject);
533 
534  argv_msg_prefix(D_TLS_DEBUG, &argv, "TLS: executing verify command");
535  ret = openvpn_run_script(&argv, es, 0, "--tls-verify script");
536 
537  gc_free(&gc);
538  argv_free(&argv);
539 
540  if (ret)
541  {
542  msg(D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
543  cert_depth, subject);
544  return SUCCESS;
545  }
546 
547  msg(D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
548  cert_depth, subject);
549  return FAILURE; /* Reject connection */
550 }
551 
552 /*
553  * check peer cert against CRL directory
554  */
555 static result_t
556 verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert,
557  const char *subject, int cert_depth)
558 {
559  result_t ret = FAILURE;
560  char fn[256];
561  int fd = -1;
562  struct gc_arena gc = gc_new();
563 
564  char *serial = backend_x509_get_serial(cert, &gc);
565  if (!serial)
566  {
567  msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available",
568  cert_depth, subject);
569  goto cleanup;
570  }
571 
572  if (!snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, PATH_SEPARATOR, serial))
573  {
574  msg(D_HANDSHAKE, "VERIFY CRL: filename overflow");
575  goto cleanup;
576  }
577  fd = platform_open(fn, O_RDONLY, 0);
578  if (fd >= 0)
579  {
580  msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked",
581  cert_depth, subject, serial);
582  goto cleanup;
583  }
584 
585  ret = SUCCESS;
586 
587 cleanup:
588 
589  if (fd != -1)
590  {
591  close(fd);
592  }
593  gc_free(&gc);
594  return ret;
595 }
596 
597 result_t
598 verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
599 {
600  /* need to define these variables here so goto cleanup will always have
601  * them defined */
602  result_t ret = FAILURE;
603  struct gc_arena gc = gc_new();
604  const char *pem_export_fname = NULL;
605 
606  const struct tls_options *opt = session->opt;
607  ASSERT(opt);
608 
609  session->verified = false;
610 
611  /* get the X509 name */
612  char *subject = x509_get_subject(cert, &gc);
613  if (!subject)
614  {
615  msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
616  "subject string from certificate", cert_depth);
617  goto cleanup;
618  }
619 
620  /* enforce character class restrictions in X509 name */
621  string_mod_remap_name(subject);
622  string_replace_leading(subject, '-', '_');
623 
624  /* extract the username (default is CN) */
625  struct buffer buf = alloc_buf_gc(256, &gc);
626  for (int i = 0; opt->x509_username_field[i] != NULL; i++)
627  {
628  char username[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */
629 
630  if (SUCCESS != backend_x509_get_username(username, sizeof(username),
631  opt->x509_username_field[i], cert))
632  {
633  if (!cert_depth)
634  {
635  msg(D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
636  "subject string ('%s') -- note that the field length is "
637  "limited to %d characters",
638  opt->x509_username_field[i],
639  subject,
640  TLS_USERNAME_LEN);
641  goto cleanup;
642  }
643  break;
644  }
645  if (!buf_printf(&buf, i ? "_%s" : "%s", username))
646  {
647  if (!cert_depth)
648  {
649  msg(D_TLS_ERRORS, "VERIFY ERROR: could not append %s from X509 "
650  "certificate -- note that the username length is "
651  "limited to %d characters",
652  opt->x509_username_field[i],
653  buf.capacity - 1);
654  goto cleanup;
655  }
656  break;
657  }
658  }
659 
660  char *common_name = BSTR(&buf);
661  if (!common_name)
662  {
663  msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
664  "username string from certificate", cert_depth);
665  goto cleanup;
666  }
667 
668  /* enforce character class restrictions in common name */
669  string_mod_remap_name(common_name);
670 
671  /* warn if cert chain is too deep */
672  if (cert_depth >= MAX_CERT_DEPTH)
673  {
674  msg(D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", cert_depth, MAX_CERT_DEPTH);
675  goto cleanup; /* Reject connection */
676  }
677 
678  if (cert_depth == opt->verify_hash_depth && opt->verify_hash)
679  {
680  struct buffer cert_fp = {0};
681 
682  switch (opt->verify_hash_algo)
683  {
684  case MD_SHA1:
685  cert_fp = x509_get_sha1_fingerprint(cert, &gc);
686  break;
687 
688  case MD_SHA256:
689  cert_fp = x509_get_sha256_fingerprint(cert, &gc);
690  break;
691 
692  default:
693  /* This should normally not happen at all; the algorithm used
694  * is parsed by add_option() [options.c] and set to a predefined
695  * value in an enumerated type. So if this unlikely scenario
696  * happens, consider this a failure
697  */
698  msg(M_WARN, "Unexpected invalid algorithm used with "
699  "--verify-hash (%i)", opt->verify_hash_algo);
700  ret = FAILURE;
701  goto cleanup;
702  }
703 
704  struct verify_hash_list *current_hash = opt->verify_hash;
705 
706  while (current_hash)
707  {
708  if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash,
709  BLEN(&cert_fp)) == 0)
710  {
711  break;
712  }
713  current_hash = current_hash->next;
714  }
715 
716  if (!current_hash)
717  {
718  const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
719  0, 1, ":", &gc);
720  msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
721  "certificate hash verification failed. (got certificate "
722  "fingerprint: %s)", hex_fp);
723  goto cleanup;
724  }
725  }
726 
727  /* save common name in session object */
728  if (cert_depth == 0)
729  {
730  set_common_name(session, common_name);
731  }
732 
733  session->verify_maxlevel = max_int(session->verify_maxlevel, cert_depth);
734 
735  if (opt->export_peer_cert_dir)
736  {
737  pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir,
738  "pef", &gc);
739 
740  if (!pem_export_fname
741  || !verify_cert_cert_export_env(opt->es, cert, pem_export_fname))
742  {
743  msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for "
744  "--tls-export-cert in %s", opt->export_peer_cert_dir);
745  goto cleanup;
746  }
747  }
748  /* export certificate values to the environment */
749  verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name,
750  opt->x509_track);
751 
752  /* export current untrusted IP */
753  setenv_untrusted(session);
754 
755  /* If this is the peer's own certificate, verify it */
756  if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
757  {
758  goto cleanup;
759  }
760 
761  /* call --tls-verify plug-in(s), if registered */
762  if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
763  {
764  goto cleanup;
765  }
766 
767  /* run --tls-verify script */
768  if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
769  opt->es, cert_depth, cert, subject))
770  {
771  goto cleanup;
772  }
773 
774  /* check peer cert against CRL */
775  if (opt->crl_file)
776  {
777  if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
778  {
779  if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert, subject, cert_depth))
780  {
781  goto cleanup;
782  }
783  }
784  else
785  {
786  if (tls_verify_crl_missing(opt))
787  {
788  msg(D_TLS_ERRORS, "VERIFY ERROR: CRL not loaded");
789  goto cleanup;
790  }
791  }
792  }
793 
794  msg(D_HANDSHAKE, "VERIFY OK: depth=%d, %s", cert_depth, subject);
795  session->verified = true;
796  ret = SUCCESS;
797 
798 cleanup:
799  verify_cert_cert_delete_env(opt->es, pem_export_fname);
800  if (ret != SUCCESS)
801  {
802  tls_clear_error(); /* always? */
803  session->verified = false; /* double sure? */
804  }
805 
806  gc_free(&gc);
807 
808  return ret;
809 }
810 
811 /* ***************************************************************************
812 * Functions for the management of deferred authentication when using
813 * user/password authentication.
814 *************************************************************************** */
815 
816 void
817 auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
818 {
819  free(multi->client_reason);
820  multi->client_reason = NULL;
821 
822  if (client_reason && strlen(client_reason))
823  {
824  multi->client_reason = string_alloc(client_reason, NULL);
825  }
826 }
827 
828 #ifdef ENABLE_MANAGEMENT
829 
830 static inline enum auth_deferred_result
831 man_def_auth_test(const struct key_state *ks)
832 {
833  if (management_enable_def_auth(management))
834  {
835  return ks->mda_status;
836  }
837  else
838  {
839  return ACF_DISABLED;
840  }
841 }
842 #endif /* ifdef ENABLE_MANAGEMENT */
843 
848 static void
849 key_state_rm_auth_pending_file(struct auth_deferred_status *ads)
850 {
851  if (ads && ads->auth_pending_file)
852  {
853  platform_unlink(ads->auth_pending_file);
854  free(ads->auth_pending_file);
855  ads->auth_pending_file = NULL;
856  }
857 }
858 
862 static bool
863 check_auth_pending_method(const char *peer_info, const char *method)
864 {
865  struct gc_arena gc = gc_new();
866 
867  char *iv_sso = extract_var_peer_info(peer_info, "IV_SSO=", &gc);
868  if (!iv_sso)
869  {
870  gc_free(&gc);
871  return false;
872  }
873 
874  const char *client_method = strtok(iv_sso, ",");
875  bool supported = false;
876 
877  while (client_method)
878  {
879  if (0 == strcmp(client_method, method))
880  {
881  supported = true;
882  break;
883  }
884  client_method = strtok(NULL, ",");
885  }
886 
887  gc_free(&gc);
888  return supported;
889 }
890 
899 static bool
900 key_state_check_auth_pending_file(struct auth_deferred_status *ads,
901  struct tls_multi *multi,
902  struct tls_session *session)
903 {
904  bool ret = true;
905  if (ads->auth_pending_file)
906  {
907  struct buffer_list *lines = buffer_list_file(ads->auth_pending_file,
908  1024);
909  if (lines && lines->head)
910  {
911  /* Must have at least three lines. further lines are ignored for
912  * forward compatibility */
913  if (!lines->head || !lines->head->next || !lines->head->next->next)
914  {
915  msg(M_WARN, "auth pending control file is not at least "
916  "three lines long.");
917  buffer_list_free(lines);
918  return false;
919  }
920  struct buffer *timeout_buf = &lines->head->buf;
921  struct buffer *iv_buf = &lines->head->next->buf;
922  struct buffer *extra_buf = &lines->head->next->next->buf;
923 
924  /* Remove newline chars at the end of the lines */
925  buf_chomp(timeout_buf);
926  buf_chomp(iv_buf);
927  buf_chomp(extra_buf);
928 
929  long timeout = strtol(BSTR(timeout_buf), NULL, 10);
930  if (timeout == 0)
931  {
932  msg(M_WARN, "could not parse auth pending file timeout");
933  buffer_list_free(lines);
934  return false;
935  }
936 
937  const char *pending_method = BSTR(iv_buf);
938  if (!check_auth_pending_method(multi->peer_info, pending_method))
939  {
940  char buf[128];
941  snprintf(buf, sizeof(buf),
942  "Authentication failed, required pending auth "
943  "method '%s' not supported", pending_method);
944  auth_set_client_reason(multi, buf);
945  msg(M_INFO, "Client does not supported auth pending method "
946  "'%s'", pending_method);
947  ret = false;
948  }
949  else
950  {
951  send_auth_pending_messages(multi, session, BSTR(extra_buf), timeout);
952  }
953  }
954 
955  buffer_list_free(lines);
956  }
957  key_state_rm_auth_pending_file(ads);
958  return ret;
959 }
960 
961 
966 void
967 key_state_rm_auth_control_files(struct auth_deferred_status *ads)
968 {
969  if (ads->auth_control_file)
970  {
971  platform_unlink(ads->auth_control_file);
972  free(ads->auth_control_file);
973  ads->auth_control_file = NULL;
974  }
975  if (ads->auth_failed_reason_file)
976  {
977  platform_unlink(ads->auth_failed_reason_file);
978  free(ads->auth_failed_reason_file);
979  ads->auth_failed_reason_file = NULL;
980  }
981  key_state_rm_auth_pending_file(ads);
982 }
983 
990 static bool
991 key_state_gen_auth_control_files(struct auth_deferred_status *ads,
992  const struct tls_options *opt)
993 {
994  struct gc_arena gc = gc_new();
995 
996  key_state_rm_auth_control_files(ads);
997  const char *acf = platform_create_temp_file(opt->tmp_dir, "acf", &gc);
998  const char *apf = platform_create_temp_file(opt->tmp_dir, "apf", &gc);
999  const char *afr = platform_create_temp_file(opt->tmp_dir, "afr", &gc);
1000 
1001  if (acf && apf)
1002  {
1003  ads->auth_control_file = string_alloc(acf, NULL);
1004  ads->auth_pending_file = string_alloc(apf, NULL);
1005  ads->auth_failed_reason_file = string_alloc(afr, NULL);
1006 
1007  setenv_str(opt->es, "auth_control_file", ads->auth_control_file);
1008  setenv_str(opt->es, "auth_pending_file", ads->auth_pending_file);
1009  setenv_str(opt->es, "auth_failed_reason_file", ads->auth_failed_reason_file);
1010  }
1011 
1012  gc_free(&gc);
1013  return (acf && apf);
1014 }
1015 
1020 static char *
1021 key_state_check_auth_failed_message_file(const struct auth_deferred_status *ads,
1022  struct tls_multi *multi,
1023  struct gc_arena *gc)
1024 {
1025  char *ret = NULL;
1026  if (ads->auth_failed_reason_file)
1027  {
1028  struct buffer reason = buffer_read_from_file(ads->auth_failed_reason_file, gc);
1029 
1030  if (BLEN(&reason))
1031  {
1032  ret = BSTR(&reason);
1033  }
1034 
1035  }
1036  return ret;
1037 }
1038 
1039 
1050 static enum auth_deferred_result
1051 key_state_test_auth_control_file(struct auth_deferred_status *ads, bool cached)
1052 {
1053  if (ads->auth_control_file)
1054  {
1055  unsigned int ret = ads->auth_control_status;
1056  if (ret == ACF_PENDING && !cached)
1057  {
1058  FILE *fp = fopen(ads->auth_control_file, "r");
1059  if (fp)
1060  {
1061  const int c = fgetc(fp);
1062  if (c == '1')
1063  {
1064  ret = ACF_SUCCEEDED;
1065  }
1066  else if (c == '0')
1067  {
1068  ret = ACF_FAILED;
1069  }
1070  fclose(fp);
1071  ads->auth_control_status = ret;
1072  }
1073  }
1074  return ret;
1075  }
1076  return ACF_DISABLED;
1077 }
1078 
1086 static void
1087 update_key_auth_status(bool cached, struct key_state *ks)
1088 {
1089  if (ks->authenticated == KS_AUTH_FALSE)
1090  {
1091  return;
1092  }
1093  else
1094  {
1095  enum auth_deferred_result auth_plugin = ACF_DISABLED;
1096  enum auth_deferred_result auth_script = ACF_DISABLED;
1097  enum auth_deferred_result auth_man = ACF_DISABLED;
1098  auth_plugin = key_state_test_auth_control_file(&ks->plugin_auth, cached);
1099  auth_script = key_state_test_auth_control_file(&ks->script_auth, cached);
1100 #ifdef ENABLE_MANAGEMENT
1101  auth_man = man_def_auth_test(ks);
1102 #endif
1103  ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4);
1104 
1105  if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED
1106  || auth_man == ACF_FAILED)
1107  {
1108  ks->authenticated = KS_AUTH_FALSE;
1109  return;
1110  }
1111  else if (auth_plugin == ACF_PENDING || auth_script == ACF_PENDING
1112  || auth_man == ACF_PENDING)
1113  {
1114  if (now >= ks->auth_deferred_expire)
1115  {
1116  /* Window to authenticate the key has expired, mark
1117  * the key as unauthenticated */
1118  ks->authenticated = KS_AUTH_FALSE;
1119  }
1120  }
1121  else
1122  {
1123  /* all auth states (auth_plugin, auth_script, auth_man)
1124  * are either ACF_DISABLED or ACF_SUCCEDED now, which
1125  * translates to "not checked" or "auth succeeded"
1126  */
1127  ks->authenticated = KS_AUTH_TRUE;
1128  }
1129  }
1130 }
1131 
1132 
1139 static time_t cache_intervals[] = {0, 0, 0, 0, 0, 1, 1, 2, 2, 4, 8};
1140 
1145 static bool
1146 tls_authentication_status_use_cache(struct tls_multi *multi)
1147 {
1148  unsigned int idx = min_uint(multi->tas_cache_num_updates, SIZE(cache_intervals) - 1);
1149  time_t latency = cache_intervals[idx];
1150  return multi->tas_cache_last_update + latency >= now;
1151 }
1152 
1153 enum tls_auth_status
1154 tls_authentication_status(struct tls_multi *multi)
1155 {
1156  bool deferred = false;
1157 
1158  /* at least one valid key has successfully completed authentication */
1159  bool success = false;
1160 
1161  /* at least one key is enabled for decryption */
1162  int active = 0;
1163 
1164  /* at least one key already failed authentication */
1165  bool failed_auth = false;
1166 
1167  bool cached = tls_authentication_status_use_cache(multi);
1168 
1169  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
1170  {
1171  struct key_state *ks = get_key_scan(multi, i);
1172  if (TLS_AUTHENTICATED(multi, ks))
1173  {
1174  active++;
1175  update_key_auth_status(cached, ks);
1176 
1177  if (ks->authenticated == KS_AUTH_FALSE)
1178  {
1179  failed_auth = true;
1180  }
1181  else if (ks->authenticated == KS_AUTH_DEFERRED)
1182  {
1183  deferred = true;
1184  }
1185  else if (ks->authenticated == KS_AUTH_TRUE)
1186  {
1187  success = true;
1188  }
1189  }
1190  }
1191 
1192  /* we did not rely on a cached result, remember the cache update time */
1193  if (!cached)
1194  {
1195  multi->tas_cache_last_update = now;
1196  multi->tas_cache_num_updates++;
1197  }
1198 
1199 #if 0
1200  dmsg(D_TLS_ERRORS, "TAS: a=%d s=%d d=%d f=%d", active, success, deferred, failed_auth);
1201 #endif
1202  if (failed_auth)
1203  {
1204  struct gc_arena gc = gc_new();
1205  const struct key_state *ks = get_primary_key(multi);
1206  const char *plugin_message = key_state_check_auth_failed_message_file(&ks->plugin_auth, multi, &gc);
1207  const char *script_message = key_state_check_auth_failed_message_file(&ks->script_auth, multi, &gc);
1208 
1209  if (plugin_message)
1210  {
1211  auth_set_client_reason(multi, plugin_message);
1212  }
1213  if (script_message)
1214  {
1215  auth_set_client_reason(multi, script_message);
1216  }
1217 
1218  /* We have at least one session that failed authentication. There
1219  * might be still another session with valid keys.
1220  * Although our protocol allows keeping the VPN session alive
1221  * with the other session (and we actually did that in earlier
1222  * version, this behaviour is really strange from a user (admin)
1223  * experience */
1224  gc_free(&gc);
1225  return TLS_AUTHENTICATION_FAILED;
1226  }
1227  else if (success)
1228  {
1229  return TLS_AUTHENTICATION_SUCCEEDED;
1230  }
1231  else if (active == 0 || deferred)
1232  {
1233  /* We have a deferred authentication and no currently active key
1234  * (first auth, no renegotiation) */
1235  return TLS_AUTHENTICATION_DEFERRED;
1236  }
1237  else
1238  {
1239  /* at least one key is active but none is fully authenticated (!success)
1240  * and all active are either failed authed or expired deferred auth */
1241  return TLS_AUTHENTICATION_FAILED;
1242  }
1243 }
1244 
1245 #ifdef ENABLE_MANAGEMENT
1246 /*
1247  * For deferred auth, this is where the management interface calls (on server)
1248  * to indicate auth failure/success.
1249  */
1250 bool
1251 tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
1252 {
1253  bool ret = false;
1254  if (multi)
1255  {
1256  int i;
1257  auth_set_client_reason(multi, client_reason);
1258  for (i = 0; i < KEY_SCAN_SIZE; ++i)
1259  {
1260  struct key_state *ks = get_key_scan(multi, i);
1261  if (ks->mda_key_id == mda_key_id)
1262  {
1263  ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
1264  ret = true;
1265  }
1266  }
1267  }
1268  return ret;
1269 }
1270 #endif /* ifdef ENABLE_MANAGEMENT */
1271 
1272 
1273 /* ****************************************************************************
1274  * Functions to verify username and password
1275  *
1276  * Authenticate a client using username/password.
1277  * Runs on server.
1278  *
1279  * If you want to add new authentication methods,
1280  * this is the place to start.
1281  *************************************************************************** */
1282 
1286 static void
1287 check_for_client_reason(struct tls_multi *multi,
1288  struct auth_deferred_status *status)
1289 {
1290  struct gc_arena gc = gc_new();
1291  const char *msg = key_state_check_auth_failed_message_file(status, multi, &gc);
1292  if (msg)
1293  {
1294  auth_set_client_reason(multi, msg);
1295  }
1296  gc_free(&gc);
1297 }
1298 /*
1299  * Verify the user name and password using a script
1300  */
1301 static int
1302 verify_user_pass_script(struct tls_session *session, struct tls_multi *multi,
1303  const struct user_pass *up)
1304 {
1305  struct gc_arena gc = gc_new();
1306  struct argv argv = argv_new();
1307  const char *tmp_file = "";
1308  int retval = OPENVPN_PLUGIN_FUNC_ERROR;
1309  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1310 
1311  /* Set environmental variables prior to calling script */
1312  setenv_str(session->opt->es, "script_type", "user-pass-verify");
1313 
1314  /* format command line */
1315  argv_parse_cmd(&argv, session->opt->auth_user_pass_verify_script);
1316 
1317  if (session->opt->auth_user_pass_verify_script_via_file)
1318  {
1319  struct status_output *so;
1320 
1321  tmp_file = platform_create_temp_file(session->opt->tmp_dir, "up",
1322  &gc);
1323  if (tmp_file)
1324  {
1325  so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
1326  status_printf(so, "%s", up->username);
1327  status_printf(so, "%s", up->password);
1328  if (!status_close(so))
1329  {
1330  msg(D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s",
1331  tmp_file);
1332  goto done;
1333  }
1334  /* pass temp file name to script */
1335  argv_printf_cat(&argv, "%s", tmp_file);
1336  }
1337  }
1338  else
1339  {
1340  setenv_str(session->opt->es, "username", up->username);
1341  setenv_str(session->opt->es, "password", up->password);
1342  }
1343 
1344  /* pre-create files for deferred auth control */
1345  if (!key_state_gen_auth_control_files(&ks->script_auth, session->opt))
1346  {
1347  msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
1348  "could not create deferred auth control file", __func__);
1349  retval = OPENVPN_PLUGIN_FUNC_ERROR;
1350  goto error;
1351  }
1352 
1353  /* call command */
1354  int script_ret = openvpn_run_script(&argv, session->opt->es, S_EXITCODE,
1355  "--auth-user-pass-verify");
1356  switch (script_ret)
1357  {
1358  case 0:
1359  retval = OPENVPN_PLUGIN_FUNC_SUCCESS;
1360  break;
1361 
1362  case 2:
1363  retval = OPENVPN_PLUGIN_FUNC_DEFERRED;
1364  break;
1365 
1366  default:
1367  check_for_client_reason(multi, &ks->script_auth);
1368  retval = OPENVPN_PLUGIN_FUNC_ERROR;
1369  break;
1370  }
1371  if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED)
1372  {
1373  /* Check if we the plugin has written the pending auth control
1374  * file and send the pending auth to the client */
1375  if (!key_state_check_auth_pending_file(&ks->script_auth,
1376  multi, session))
1377  {
1378  retval = OPENVPN_PLUGIN_FUNC_ERROR;
1379  key_state_rm_auth_control_files(&ks->script_auth);
1380  }
1381 
1382  }
1383  else
1384  {
1385  /* purge auth control filename (and file itself) for non-deferred returns */
1386  key_state_rm_auth_control_files(&ks->script_auth);
1387  }
1388  if (!session->opt->auth_user_pass_verify_script_via_file)
1389  {
1390  setenv_del(session->opt->es, "password");
1391  }
1392 
1393 done:
1394  if (tmp_file && strlen(tmp_file) > 0)
1395  {
1396  platform_unlink(tmp_file);
1397  }
1398 
1399 error:
1400  argv_free(&argv);
1401  gc_free(&gc);
1402  return retval;
1403 }
1404 
1405 #ifdef ENABLE_PLUGIN
1406 void
1407 verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
1408 {
1409  struct tls_session *session = &multi->session[TM_ACTIVE];
1410  setenv_str(session->opt->es, "crresponse", cr_response);
1411 
1412  plugin_call(session->opt->plugins, OPENVPN_PLUGIN_CLIENT_CRRESPONSE, NULL,
1413  NULL, session->opt->es);
1414 
1415  setenv_del(session->opt->es, "crresponse");
1416 }
1417 #endif
1418 
1419 void
1420 verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
1421 {
1422 
1423  struct tls_session *session = &multi->session[TM_ACTIVE];
1424 
1425  if (!session->opt->client_crresponse_script)
1426  {
1427  return;
1428  }
1429  struct argv argv = argv_new();
1430  struct gc_arena gc = gc_new();
1431 
1432  setenv_str(session->opt->es, "script_type", "client-crresponse");
1433 
1434  /* Since cr response might be sensitive, like a stupid way to query
1435  * a password via 2FA, we pass it via file instead environment */
1436  const char *tmp_file = platform_create_temp_file(session->opt->tmp_dir, "cr", &gc);
1437  static const char *openerrmsg = "TLS CR Response Error: could not write "
1438  "crtext challenge response to file: %s";
1439 
1440  if (tmp_file)
1441  {
1442  struct status_output *so = status_open(tmp_file, 0, -1, NULL,
1443  STATUS_OUTPUT_WRITE);
1444  status_printf(so, "%s", cr_response);
1445  if (!status_close(so))
1446  {
1447  msg(D_TLS_ERRORS, openerrmsg, tmp_file);
1448  tls_deauthenticate(multi);
1449  goto done;
1450  }
1451  }
1452  else
1453  {
1454  msg(D_TLS_ERRORS, openerrmsg, "creating file failed");
1455  tls_deauthenticate(multi);
1456  goto done;
1457  }
1458 
1459  argv_parse_cmd(&argv, session->opt->client_crresponse_script);
1460  argv_printf_cat(&argv, "%s", tmp_file);
1461 
1462 
1463  if (!openvpn_run_script(&argv, session->opt->es, 0, "--client-crresponse"))
1464  {
1465  tls_deauthenticate(multi);
1466  }
1467 done:
1468  argv_free(&argv);
1469  gc_free(&gc);
1470 }
1471 
1472 /*
1473  * Verify the username and password using a plugin
1474  */
1475 static int
1476 verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
1477  const struct user_pass *up)
1478 {
1479  int retval = OPENVPN_PLUGIN_FUNC_ERROR;
1480  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1481 
1482  /* set password in private env space */
1483  setenv_str(session->opt->es, "password", up->password);
1484 
1485  /* generate filename for deferred auth control file */
1486  if (!key_state_gen_auth_control_files(&ks->plugin_auth, session->opt))
1487  {
1488  msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
1489  "could not create deferred auth control file", __func__);
1490  return retval;
1491  }
1492 
1493  /* call command */
1494  retval = plugin_call(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
1495 
1496  if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED)
1497  {
1498  /* Check if the plugin has written the pending auth control
1499  * file and send the pending auth to the client */
1500  if (!key_state_check_auth_pending_file(&ks->plugin_auth, multi, session))
1501  {
1502  retval = OPENVPN_PLUGIN_FUNC_ERROR;
1503  }
1504  }
1505 
1506  if (retval == OPENVPN_PLUGIN_FUNC_ERROR)
1507  {
1508  check_for_client_reason(multi, &ks->plugin_auth);
1509  }
1510 
1511  if (retval != OPENVPN_PLUGIN_FUNC_DEFERRED)
1512  {
1513  /* purge auth control filename (and file itself) for non-deferred returns */
1514  key_state_rm_auth_control_files(&ks->plugin_auth);
1515  }
1516 
1517  setenv_del(session->opt->es, "password");
1518 
1519  return retval;
1520 }
1521 
1522 
1523 #ifdef ENABLE_MANAGEMENT
1524 /*
1525  * management deferred internal ssl_verify.c status codes
1526  */
1527 #define KMDA_ERROR 0
1528 #define KMDA_SUCCESS 1
1529 #define KMDA_UNDEF 2
1530 #define KMDA_DEF 3
1531 
1532 static int
1533 verify_user_pass_management(struct tls_session *session,
1534  struct tls_multi *multi,
1535  const struct user_pass *up)
1536 {
1537  int retval = KMDA_ERROR;
1538  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1539 
1540  /* set username/password in private env space */
1541  setenv_str(session->opt->es, "password", up->password);
1542 
1543  if (management)
1544  {
1545  management_notify_client_needing_auth(management, ks->mda_key_id, session->opt->mda_context, session->opt->es);
1546  }
1547 
1548  setenv_del(session->opt->es, "password");
1549 
1550  retval = KMDA_SUCCESS;
1551 
1552  return retval;
1553 }
1554 #endif /* ifdef ENABLE_MANAGEMENT */
1555 
1556 static bool
1557 set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi,
1558  struct tls_session *session)
1559 {
1560  /* Is username defined? */
1561  if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username))
1562  {
1563  setenv_str(session->opt->es, "username", up->username);
1564 
1565  /* setenv incoming cert common name for script */
1566  setenv_str(session->opt->es, "common_name", session->common_name);
1567 
1568  /* setenv client real IP address */
1569  setenv_untrusted(session);
1570 
1571  /*
1572  * if we are using auth-gen-token, send also the session id of auth gen token to
1573  * allow the management to figure out if it is a new session or a continued one
1574  */
1575  add_session_token_env(session, multi, up);
1576  return true;
1577  }
1578  else
1579  {
1580  msg(D_TLS_ERRORS, "TLS Auth Error: peer provided a blank username");
1581  return false;
1582  }
1583 }
1584 
1591 void
1592 verify_user_pass(struct user_pass *up, struct tls_multi *multi,
1593  struct tls_session *session)
1594 {
1595  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1596 
1597 #ifdef ENABLE_MANAGEMENT
1598  int man_def_auth = KMDA_UNDEF;
1599 
1600  if (management_enable_def_auth(management))
1601  {
1602  man_def_auth = KMDA_DEF;
1603  }
1604 #endif
1605 
1606  /* enforce character class restrictions in username/password */
1607  string_mod_remap_name(up->username);
1608  string_mod(up->password, CC_PRINT, CC_CRLF, '_');
1609 
1610  /*
1611  * If auth token succeeds we skip the auth
1612  * methods unless otherwise specified
1613  */
1614  bool skip_auth = false;
1615 
1616  /*
1617  * If server is configured with --auth-gen-token and the client sends
1618  * something that looks like an authentication token, this
1619  * round will be done internally using the token instead of
1620  * calling any external authentication modules.
1621  */
1622  if (session->opt->auth_token_generate && is_auth_token(up->password))
1623  {
1624  ks->auth_token_state_flags = verify_auth_token(up, multi, session);
1625 
1626  /* If this is the first time we see an auth-token in this multi session,
1627  * save it as initial auth token. This ensures using the
1628  * same session ID and initial timestamp in new tokens */
1629  if (!multi->auth_token_initial)
1630  {
1631  multi->auth_token_initial = strdup(up->password);
1632  }
1633 
1634  if (session->opt->auth_token_call_auth)
1635  {
1636  /*
1637  * we do not care about the result here because it is
1638  * the responsibility of the external authentication to
1639  * decide what to do with the result
1640  */
1641  }
1642  else if (ks->auth_token_state_flags == AUTH_TOKEN_HMAC_OK)
1643  {
1644  /*
1645  * We do not want the EXPIRED or EMPTY USER flags here so check
1646  * for equality with AUTH_TOKEN_HMAC_OK
1647  */
1648  msg(M_WARN, "TLS: Username/auth-token authentication "
1649  "succeeded for username '%s'",
1650  up->username);
1651  skip_auth = true;
1652  }
1653  else
1654  {
1655  wipe_auth_token(multi);
1656  ks->authenticated = KS_AUTH_FALSE;
1657  msg(M_WARN, "TLS: Username/auth-token authentication "
1658  "failed for username '%s'", up->username);
1659  return;
1660  }
1661  }
1662 
1663  int plugin_status = OPENVPN_PLUGIN_FUNC_SUCCESS;
1664  int script_status = OPENVPN_PLUGIN_FUNC_SUCCESS;
1665  /* Set the environment variables used by all auth variants */
1666  if (!set_verify_user_pass_env(up, multi, session))
1667  {
1668  skip_auth = true;
1669  plugin_status = OPENVPN_PLUGIN_FUNC_ERROR;
1670  }
1671 
1672  /* call plugin(s) and/or script */
1673  if (!skip_auth)
1674  {
1675 #ifdef ENABLE_MANAGEMENT
1676  if (man_def_auth == KMDA_DEF)
1677  {
1678  man_def_auth = verify_user_pass_management(session, multi, up);
1679  }
1680 #endif
1681  if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
1682  {
1683  plugin_status = verify_user_pass_plugin(session, multi, up);
1684  }
1685 
1686  if (session->opt->auth_user_pass_verify_script)
1687  {
1688  script_status = verify_user_pass_script(session, multi, up);
1689  }
1690  }
1691 
1692  /* check sizing of username if it will become our common name */
1693  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
1694  && strlen(up->username)>TLS_USERNAME_LEN)
1695  {
1696  msg(D_TLS_ERRORS,
1697  "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters",
1698  TLS_USERNAME_LEN);
1699  plugin_status = OPENVPN_PLUGIN_FUNC_ERROR;
1700  script_status = OPENVPN_PLUGIN_FUNC_ERROR;
1701  }
1702  /* auth succeeded? */
1703  bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS
1704  || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
1705 
1706  bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS
1707  || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
1708 
1709  if (script_ok && plugin_ok && tls_lock_username(multi, up->username)
1710 #ifdef ENABLE_MANAGEMENT
1711  && man_def_auth != KMDA_ERROR
1712 #endif
1713  )
1714  {
1715  ks->authenticated = KS_AUTH_TRUE;
1716  if (plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED
1717  || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED)
1718  {
1719  ks->authenticated = KS_AUTH_DEFERRED;
1720  }
1721 #ifdef ENABLE_MANAGEMENT
1722  if (man_def_auth != KMDA_UNDEF)
1723  {
1724  if (skip_auth)
1725  {
1726  ks->mda_status = ACF_DISABLED;
1727  }
1728  else
1729  {
1730  ks->authenticated = KS_AUTH_DEFERRED;
1731  }
1732  }
1733 #endif
1734  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
1735  {
1736  set_common_name(session, up->username);
1737  }
1738 
1739  if ((session->opt->auth_token_generate))
1740  {
1741  /*
1742  * If we accepted a (not expired) token, i.e.
1743  * initial auth via token on new connection, we need
1744  * to store the auth-token in multi->auth_token, so
1745  * the initial timestamp and session id can be extracted from it
1746  */
1747  if (!multi->auth_token
1748  && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK)
1749  && !(ks->auth_token_state_flags & AUTH_TOKEN_EXPIRED))
1750  {
1751  multi->auth_token = strdup(up->password);
1752  }
1753 
1754  /*
1755  * Server is configured with --auth-gen-token. Generate or renew
1756  * the token.
1757  */
1758  generate_auth_token(up, multi);
1759  }
1760 
1761  msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s",
1762  (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded",
1763  up->username,
1764  (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : "");
1765  }
1766  else
1767  {
1768  ks->authenticated = KS_AUTH_FALSE;
1769  msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer");
1770  }
1771 }
1772 
1773 void
1774 verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
1775 {
1776  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1777 
1778  /* While it shouldn't really happen, don't allow the common name to be NULL */
1779  if (!session->common_name)
1780  {
1781  set_common_name(session, "");
1782  }
1783 
1784  /* Don't allow the CN to change once it's been locked */
1785  if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cn)
1786  {
1787  const char *cn = session->common_name;
1788  if (cn && strcmp(cn, multi->locked_cn))
1789  {
1790  msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
1791  multi->locked_cn,
1792  cn);
1793 
1794  /* change the common name back to its original value and disable the tunnel */
1795  set_common_name(session, multi->locked_cn);
1796  tls_deauthenticate(multi);
1797  }
1798  }
1799 
1800  /* Don't allow the cert hashes to change once they have been locked */
1801  if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cert_hash_set)
1802  {
1803  const struct cert_hash_set *chs = session->cert_hash_set;
1804  if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set))
1805  {
1806  msg(D_TLS_ERRORS, "TLS Auth Error: TLS object CN=%s client-provided SSL certs unexpectedly changed during mid-session reauth",
1807  session->common_name);
1808 
1809  /* disable the tunnel */
1810  tls_deauthenticate(multi);
1811  }
1812  }
1813 
1814  /* verify --client-config-dir based authentication */
1815  if (ks->authenticated > KS_AUTH_FALSE && session->opt->client_config_dir_exclusive)
1816  {
1817  struct gc_arena gc = gc_new();
1818 
1819  const char *cn = session->common_name;
1820  const char *path = platform_gen_path(session->opt->client_config_dir_exclusive,
1821  cn, &gc);
1822  if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path))
1823  {
1824  ks->authenticated = KS_AUTH_FALSE;
1825  wipe_auth_token(multi);
1826  msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
1827  session->common_name,
1828  path ? path : "UNDEF");
1829  }
1830 
1831  gc_free(&gc);
1832  }
1833 }
1834 
1835 void
1836 tls_x509_clear_env(struct env_set *es)
1837 {
1838  struct env_item *item = es->list;
1839  while (item)
1840  {
1841  struct env_item *next = item->next;
1842  if (item->string
1843  && 0 == strncmp("X509_", item->string, strlen("X509_")))
1844  {
1845  env_set_del(es, item->string);
1846  }
1847  item = next;
1848  }
1849 }
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
auth_deferred_status::auth_failed_reason_file
char * auth_failed_reason_file
Definition: ssl_common.h:161
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition: buffer.c:1376
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:554
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:165
tls_multi::auth_token
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:644
x509_verify_cert_eku
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid)
Definition: ssl_verify_openssl.c:739
MAX_CERT_DEPTH
#define MAX_CERT_DEPTH
Maximum certificate depth we will allow.
Definition: ssl_verify.h:51
min_uint
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition: integer.h:63
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1154
M_INFO
#define M_INFO
Definition: errlevel.h:55
plugin_call_ssl
int plugin_call_ssl(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es, int certdepth, openvpn_x509_cert_t *current_cert)
Definition: plugin.c:797
env_item::next
struct env_item * next
Definition: env_set.h:39
key_state::auth_token_state_flags
unsigned int auth_token_state_flags
The state of the auth-token sent from the client.
Definition: ssl_common.h:202
tls_session::cert_hash_set
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:502
tls_options::verify_x509_name
const char * verify_x509_name
Definition: ssl_common.h:341
verify_crresponse_script
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Definition: ssl_verify.c:1420
verify_cert_call_plugin
static result_t verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject)
Definition: ssl_verify.c:489
auth_deferred_status::auth_control_status
unsigned int auth_control_status
Definition: ssl_common.h:162
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
run_command.h
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition: ssl_verify.h:66
auth_token.h
ssl_verify_backend.h
verify_auth_token
unsigned int verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verifies the auth token to be in the format that generate_auth_token create and checks if the token i...
Definition: auth_token.c:297
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition: ssl_verify.h:64
auth_deferred_status::auth_pending_file
char * auth_pending_file
Definition: ssl_common.h:160
env_item::string
char * string
Definition: env_set.h:38
x509_get_sha256_fingerprint
struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA256 fingerprint.
Definition: ssl_verify_openssl.c:357
SA_IP_PORT
#define SA_IP_PORT
Definition: socket.h:398
auth_deferred_status
Definition: ssl_common.h:157
argv
Definition: argv.h:35
key_state_check_auth_pending_file
static bool key_state_check_auth_pending_file(struct auth_deferred_status *ads, struct tls_multi *multi, struct tls_session *session)
Checks if the deferred state should also send auth pending request to the client.
Definition: ssl_verify.c:900
is_auth_token
static bool is_auth_token(const char *password)
Return if the password string has the format of a password.
Definition: auth_token.h:127
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:533
TLS_AUTHENTICATED
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition: ssl_verify.h:109
manage.h
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:448
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition: ssl_verify.h:65
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:625
es
struct env_set * es
Definition: test_pkcs11.c:133
cert_hash_set::ch
struct cert_hash * ch[MAX_CERT_DEPTH]
Array of certificate hashes.
Definition: ssl_verify.h:60
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:675
verify_cert
result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
Definition: ssl_verify.c:598
KMDA_UNDEF
#define KMDA_UNDEF
Definition: ssl_verify.c:1529
verify_hash_list::next
struct verify_hash_list * next
Definition: options.h:232
BSTR
#define BSTR(buf)
Definition: buffer.h:129
add_session_token_env
void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Put the session id, and auth token status into the environment if auth-token is enabled.
Definition: auth_token.c:38
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:71
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition: ssl_common.h:409
tls_multi::tas_cache_num_updates
unsigned int tas_cache_num_updates
The number of times we updated the cache.
Definition: ssl_common.h:632
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
cert_hash::sha256_hash
unsigned char sha256_hash[256/8]
Definition: ssl_verify.h:55
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:464
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
CC_CRLF
#define CC_CRLF
carriage return or newline
Definition: buffer.h:925
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
Definition: openvpn-plugin.h:122
backend_x509_get_username
result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
Definition: ssl_verify_openssl.c:259
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition: ssl_common.h:346
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition: ssl_verify.c:1774
tls_options::verify_hash_depth
int verify_hash_depth
Definition: ssl_common.h:348
x509_setenv_track
void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
Definition: ssl_verify_openssl.c:463
ssl_verify_openssl.h
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:722
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:147
dmsg
#define dmsg(flags,...)
Definition: error.h:148
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config.h:53
result_t
result_t
Result of verification function.
Definition: ssl_verify_backend.h:35
key_state_test_auth_control_file
static enum auth_deferred_result key_state_test_auth_control_file(struct auth_deferred_status *ads, bool cached)
Checks the auth control status from a file.
Definition: ssl_verify.c:1051
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:501
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:410
argv_msg_prefix
void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix)
Similar to argv_msg() but prefixes the messages being written with a given string.
Definition: argv.c:260
verify_hash_list
Definition: options.h:227
backend_x509_get_serial
char * backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:297
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
PATH_SEPARATOR
#define PATH_SEPARATOR
Definition: syshead.h:416
tls_verify_crl_missing
bool tls_verify_crl_missing(const struct tls_options *opt)
Return true iff a CRL is configured, but is not loaded.
Definition: ssl_verify_openssl.c:789
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:379
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:590
check_auth_pending_method
static bool check_auth_pending_method(const char *peer_info, const char *method)
Check peer_info if the client supports the requested pending auth method.
Definition: ssl_verify.c:863
key_state_rm_auth_pending_file
static void key_state_rm_auth_pending_file(struct auth_deferred_status *ads)
Removes auth_pending file from the file system and key_state structure.
Definition: ssl_verify.c:849
backend_x509_write_pem
result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
Definition: ssl_verify_openssl.c:324
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:250
verify_peer_cert
static result_t verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, const char *subject, const char *common_name)
Definition: ssl_verify.c:329
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:198
key_state_gen_auth_control_files
static bool key_state_gen_auth_control_files(struct auth_deferred_status *ads, const struct tls_options *opt)
Generates and creates the control files used for deferred authentification in the temporary directory...
Definition: ssl_verify.c:991
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition: ssl_common.h:549
np
static const char * np(const char *str)
Definition: multi-auth.c:146
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
tls_auth_status
tls_auth_status
Definition: ssl_verify.h:68
MD_SHA256
@ MD_SHA256
Definition: crypto_backend.h:53
buffer_list_file
struct buffer_list * buffer_list_file(const char *fn, int max_line_len)
Definition: buffer.c:1353
ssl_util.h
verify_cert_call_command
static result_t verify_cert_call_command(const char *verify_command, struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert, char *subject)
Definition: ssl_verify.c:522
KMDA_DEF
#define KMDA_DEF
Definition: ssl_verify.c:1530
env_set::list
struct env_item * list
Definition: env_set.h:44
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:529
x509_verify_cert_ku
result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len)
Definition: ssl_verify_openssl.c:678
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:667
ssl_verify.h
ASSERT
#define ASSERT(x)
Definition: error.h:195
string_replace_leading
void string_replace_leading(char *str, const char match, const char replace)
Definition: buffer.c:1127
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:673
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:177
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1121
buf_chomp
void buf_chomp(struct buffer *buf)
Definition: buffer.c:572
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1836
key_state::mda_status
enum auth_deferred_result mda_status
Definition: ssl_common.h:255
OPENVPN_PLUGIN_FUNC_ERROR
#define OPENVPN_PLUGIN_FUNC_ERROR
Definition: openvpn-plugin.h:149
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:699
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition: ssl_common.h:347
tls_options
Definition: ssl_common.h:296
tls_options::x509_track
const struct x509_track * x509_track
Definition: ssl_common.h:424
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:138
BLEN
#define BLEN(buf)
Definition: buffer.h:127
tls_options::export_peer_cert_dir
const char * export_peer_cert_dir
Definition: ssl_common.h:380
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1060
CC_PRINT
#define CC_PRINT
printable (>= 32, != 127)
Definition: buffer.h:896
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:509
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:412
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:438
string_mod
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Modifies a string in place by replacing certain classes of characters of it with a specified characte...
Definition: buffer.c:1059
tls_options::ssl_flags
unsigned int ssl_flags
Definition: ssl_common.h:418
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1122
push.h
management_notify_client_needing_auth
void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2927
M_WARN
#define M_WARN
Definition: error.h:91
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
tls_authentication_status_use_cache
static bool tls_authentication_status_use_cache(struct tls_multi *multi)
uses cache_intervals times to determine if we should update the cache.
Definition: ssl_verify.c:1146
check_for_client_reason
static void check_for_client_reason(struct tls_multi *multi, struct auth_deferred_status *status)
Check if the script/plugin left a message in the auth failed message file and relay it to the user.
Definition: ssl_verify.c:1287
verify_crresponse_plugin
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
Definition: ssl_verify.c:1407
tls_deauthenticate
static void tls_deauthenticate(struct tls_multi *multi)
Definition: ssl_verify.c:72
tls_multi::locked_cn
char * locked_cn
Definition: ssl_common.h:623
x509_get_sha1_fingerprint
struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA1 fingerprint.
Definition: ssl_verify_openssl.c:347
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:222
verify_user_pass_script
static int verify_user_pass_script(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Definition: ssl_verify.c:1302
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:71
cert_hash_remember
void cert_hash_remember(struct tls_session *session, const int error_depth, const struct buffer *cert_hash)
Definition: ssl_verify.c:199
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
tls_options::verify_command
const char * verify_command
Definition: ssl_common.h:339
base64.h
set_verify_user_pass_env
static bool set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Definition: ssl_verify.c:1557
status_output
Definition: status.h:48
tls_session::common_name
char * common_name
Definition: ssl_common.h:500
verify_cert_cert_export_env
static bool verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, const char *pem_export_fname)
Exports the certificate in peer_cert into the environment and adds the filname.
Definition: ssl_verify.c:466
TLS_USERNAME_LEN
#define TLS_USERNAME_LEN
Maximum length of common name.
Definition: ssl_verify.c:51
OPENVPN_PLUGIN_TLS_VERIFY
#define OPENVPN_PLUGIN_TLS_VERIFY
Definition: openvpn-plugin.h:121
key_state_check_auth_failed_message_file
static char * key_state_check_auth_failed_message_file(const struct auth_deferred_status *ads, struct tls_multi *multi, struct gc_arena *gc)
Checks if the auth failed reason file has any content and if yes it will be returned as string alloca...
Definition: ssl_verify.c:1021
string_mod_remap_name
static void string_mod_remap_name(char *str)
Definition: ssl_verify.c:54
tls_lock_username
static bool tls_lock_username(struct tls_multi *multi, const char *username)
Definition: ssl_verify.c:151
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition: ssl_common.h:150
management_enable_def_auth
static bool management_enable_def_auth(const struct management *man)
Definition: manage.h:461
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:643
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
ACF_SUCCEEDED
@ ACF_SUCCEEDED
deferred auth has suceeded
Definition: ssl_common.h:169
argv::gc
struct gc_arena gc
Definition: argv.h:36
x509_setenv
void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
Definition: ssl_verify_openssl.c:552
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:234
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:292
SUCCESS
@ SUCCESS
Definition: ssl_verify_backend.h:35
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:340
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1251
verify_cert_set_env
static void verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert_depth, const char *subject, const char *common_name, const struct x509_track *x509_track)
Definition: ssl_verify.c:405
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:354
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition: options.h:231
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:159
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:501
tls_options::ns_cert_type
int ns_cert_type
Definition: ssl_common.h:344
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition: auth_token.c:161
key_state::mda_key_id
unsigned int mda_key_id
Definition: ssl_common.h:254
verify_user_pass_plugin
static int verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Definition: ssl_verify.c:1476
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
setenv_untrusted
static void setenv_untrusted(struct tls_session *session)
Definition: ssl_verify.c:63
tls_options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: ssl_common.h:350
cert_hash_set
Structure containing the hashes for a full certificate chain.
Definition: ssl_verify.h:59
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition: ssl_verify.c:967
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
KMDA_ERROR
#define KMDA_ERROR
Definition: ssl_verify.c:1527
env_set
Definition: env_set.h:42
openvpn_x509_cert_t
X509 openvpn_x509_cert_t
Definition: openvpn-plugin.h:40
env_set_del
bool env_set_del(struct env_set *es, const char *str)
Definition: env_set.c:183
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:259
plugin_list
Definition: plugin.h:94
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:440
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto_openssl.c:1345
tls_multi::client_reason
char * client_reason
Definition: ssl_common.h:637
AUTH_TOKEN_HMAC_OK
#define AUTH_TOKEN_HMAC_OK
Auth-token sent from client has valid hmac.
Definition: ssl_common.h:652
S_EXITCODE
#define S_EXITCODE
Instead of returning 1/0 for success/fail, return exit code when between 0 and 255 and -1 otherwise.
Definition: run_command.h:49
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:607
man_def_auth_test
static enum auth_deferred_result man_def_auth_test(const struct key_state *ks)
Definition: ssl_verify.c:831
ACF_PENDING
@ ACF_PENDING
deferred auth still pending
Definition: ssl_common.h:168
cert_hash_copy
static struct cert_hash_set * cert_hash_copy(const struct cert_hash_set *chs)
Definition: ssl_verify.c:271
auth_deferred_result
auth_deferred_result
Definition: ssl_common.h:167
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:260
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:342
max_int
static int max_int(int x, int y)
Definition: integer.h:76
AUTH_TOKEN_EXPIRED
#define AUTH_TOKEN_EXPIRED
Auth-token sent from client has expired.
Definition: ssl_common.h:654
otime.h
x509_verify_ns_cert_type
result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage)
Definition: ssl_verify_openssl.c:611
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:220
status
static SERVICE_STATUS status
Definition: interactive.c:53
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:817
management
Definition: manage.h:335
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
ACF_FAILED
@ ACF_FAILED
deferred auth has failed
Definition: ssl_common.h:171
cert_hash
Structure containing the hash for a single certificate.
Definition: ssl_verify.h:54
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:148
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1065
verify_user_pass_management
static int verify_user_pass_management(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Definition: ssl_verify.c:1533
verify_check_crl_dir
static result_t verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert, const char *subject, int cert_depth)
Definition: ssl_verify.c:556
now
time_t now
Definition: otime.c:34
wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition: auth_token.c:403
x509_get_subject
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:367
verify_cert_cert_delete_env
static void verify_cert_cert_delete_env(struct env_set *es, const char *pem_export_fname)
Definition: ssl_verify.c:476
env_item
Definition: env_set.h:37
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition: ssl_common.h:251
tls_multi::tas_cache_last_update
time_t tas_cache_last_update
Time of last when we updated the cached state of tls_authentication_status deferred files.
Definition: ssl_common.h:629
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
cache_intervals
static time_t cache_intervals[]
The minimum times to have passed to update the cache.
Definition: ssl_verify.c:1139
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1185
MD_SHA1
@ MD_SHA1
Definition: crypto_backend.h:52
update_key_auth_status
static void update_key_auth_status(bool cached, struct key_state *ks)
This method takes a key_state and if updates the state of the key if it is deferred.
Definition: ssl_verify.c:1087
print_nsCertType
static const char * print_nsCertType(int type)
Definition: ssl_verify.c:305
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:345
user_pass::password
char password[USER_PASS_LEN]
Definition: misc.h:72
session
Definition: keyingmaterialexporter.c:56
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:932
platform_open
int platform_open(const char *path, int flags, int mode)
Definition: platform.c:527
set_common_name
static void set_common_name(struct tls_session *session, const char *common_name)
Definition: ssl_verify.c:91
setenv_link_socket_actual
void setenv_link_socket_actual(struct env_set *es, const char *name_prefix, const struct link_socket_actual *act, const unsigned int flags)
Definition: socket.c:3060
tls_multi::locked_username
char * locked_username
Definition: ssl_common.h:624
tls_multi::auth_token_initial
char * auth_token_initial
The first auth-token we sent to a client.
Definition: ssl_common.h:648
extract_var_peer_info
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition: ssl_util.c:32
user_pass
Definition: misc.h:56
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:451
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:328
backend_x509_get_serial_hex
char * backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:316
ACF_DISABLED
@ ACF_DISABLED
deferred auth is not used
Definition: ssl_common.h:170
buffer_list
Definition: buffer.h:1125
msg
#define msg(flags,...)
Definition: error.h:144
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition: ssl_verify.c:1592
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
tls_options::es
struct env_set * es
Definition: ssl_common.h:397
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
x509_track
Definition: ssl_verify.h:214
buffer_list::head
struct buffer_entry * head
Definition: buffer.h:1127
TLS_AUTHENTICATION_DEFERRED
@ TLS_AUTHENTICATION_DEFERRED
Definition: ssl_verify.h:72
KMDA_SUCCESS
#define KMDA_SUCCESS
Definition: ssl_verify.c:1528
tls_options::plugins
const struct plugin_list * plugins
Definition: ssl_common.h:399
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:229
NS_CERT_CHECK_NONE
#define NS_CERT_CHECK_NONE
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:227
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:231
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:113
FAILURE
@ FAILURE
Definition: ssl_verify_backend.h:35
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:280
Generated by   doxygen 1.8.17