Go to the source code of this file.
Enumerations | |
| enum | result_t { SUCCESS = 0, FAILURE = 1 } |
| Result of verification function. More... | |
Functions | |
| result_t | verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) |
| void | cert_hash_remember (struct tls_session *session, const int cert_depth, const struct buffer *cert_hash) |
| char * | x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| struct buffer | x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA1 fingerprint. More... | |
| struct buffer | x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA256 fingerprint. More... | |
| result_t | backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert) |
| char * | backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| char * | backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| result_t | backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename) |
| void | x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
| void | x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) |
| void | x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509) |
| result_t | x509_verify_ns_cert_type (openvpn_x509_cert_t *cert, const int usage) |
| result_t | x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len) |
| result_t | x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char *const expected_oid) |
| bool | tls_verify_crl_missing (const struct tls_options *opt) |
| Return true iff a CRL is configured, but is not loaded. More... | |
Detailed Description
Control Channel Verification Module library-specific backend interface
Definition in file ssl_verify_backend.h.
Enumeration Type Documentation
◆ result_t
| enum result_t |
Result of verification function.
| Enumerator | |
|---|---|
| SUCCESS | |
| FAILURE | |
Definition at line 36 of file ssl_verify_backend.h.
Function Documentation
◆ backend_x509_get_serial()
| char* backend_x509_get_serial | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 298 of file ssl_verify_openssl.c.
References gc, and string_alloc().
Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().
◆ backend_x509_get_serial_hex()
| char* backend_x509_get_serial_hex | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 317 of file ssl_verify_openssl.c.
References format_hex_ex(), and gc.
Referenced by verify_cert_set_env().
◆ backend_x509_get_username()
| result_t backend_x509_get_username | ( | char * | common_name, |
| int | cn_len, | ||
| char * | x509_username_field, | ||
| openvpn_x509_cert_t * | peer_cert | ||
| ) |
Definition at line 260 of file ssl_verify_openssl.c.
References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc, gc_free(), gc_new(), and SUCCESS.
Referenced by verify_cert().
◆ backend_x509_write_pem()
| result_t backend_x509_write_pem | ( | openvpn_x509_cert_t * | cert, |
| const char * | filename | ||
| ) |
Definition at line 325 of file ssl_verify_openssl.c.
References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.
Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().
◆ cert_hash_remember()
| void cert_hash_remember | ( | struct tls_session * | session, |
| const int | cert_depth, | ||
| const struct buffer * | cert_hash | ||
| ) |
Definition at line 194 of file ssl_verify.c.
References ALLOC_OBJ, ALLOC_OBJ_CLEAR, ASSERT, BLEN, BPTR, MAX_CERT_DEPTH, and cert_hash::sha256_hash.
Referenced by verify_callback().
◆ tls_verify_crl_missing()
| bool tls_verify_crl_missing | ( | const struct tls_options * | opt | ) |
Return true iff a CRL is configured, but is not loaded.
This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)
Definition at line 790 of file ssl_verify_openssl.c.
References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.
Referenced by verify_cert().
◆ verify_cert()
| result_t verify_cert | ( | struct tls_session * | session, |
| openvpn_x509_cert_t * | cert, | ||
| int | cert_depth | ||
| ) |
Definition at line 587 of file ssl_verify.c.
References alloc_buf_gc(), ASSERT, backend_x509_get_username(), BLEN, BPTR, BSTR, buf_printf(), buffer::capacity, cleanup(), tls_options::crl_file, D_HANDSHAKE, D_TLS_ERRORS, tls_options::es, tls_options::export_peer_cert_dir, FAILURE, format_hex_ex(), gc, gc_free(), gc_new(), verify_hash_list::hash, M_WARN, MAX_CERT_DEPTH, max_int(), MD_SHA1, MD_SHA256, memcmp_constant_time(), msg, verify_hash_list::next, platform_create_temp_file(), tls_options::plugins, set_common_name(), setenv_untrusted(), tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, string_mod_remap_name(), string_replace_leading(), SUCCESS, tls_clear_error(), TLS_USERNAME_LEN, tls_verify_crl_missing(), verify_cert_call_command(), verify_cert_call_plugin(), verify_cert_cert_delete_env(), verify_cert_cert_export_env(), verify_cert_set_env(), verify_check_crl_dir(), tls_options::verify_command, tls_options::verify_hash, tls_options::verify_hash_algo, tls_options::verify_hash_depth, verify_peer_cert(), x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), x509_get_subject(), tls_options::x509_track, and tls_options::x509_username_field.
Referenced by verify_callback().
◆ x509_get_sha1_fingerprint()
| struct buffer x509_get_sha1_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA1 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 348 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), and gc.
Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_sha256_fingerprint()
| struct buffer x509_get_sha256_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA256 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 358 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), and gc.
Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_subject()
| char* x509_get_subject | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 368 of file ssl_verify_openssl.c.
References gc, and gc_malloc().
Referenced by verify_callback(), and verify_cert().
◆ x509_setenv()
| void x509_setenv | ( | struct env_set * | es, |
| int | cert_depth, | ||
| openvpn_x509_cert_t * | cert | ||
| ) |
Definition at line 553 of file ssl_verify_openssl.c.
References CC_CRLF, CC_PRINT, check_malloc_return(), es, setenv_str_incr(), and string_mod().
Referenced by verify_cert_set_env().
◆ x509_setenv_track()
| void x509_setenv_track | ( | const struct x509_track * | xt, |
| struct env_set * | es, | ||
| const int | depth, | ||
| openvpn_x509_cert_t * | x509 | ||
| ) |
Definition at line 464 of file ssl_verify_openssl.c.
References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc, gc_free(), gc_new(), x509_track::name, x509_track::next, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.
Referenced by verify_cert_set_env().
◆ x509_track_add()
| void x509_track_add | ( | const struct x509_track ** | ll_head, |
| const char * | name, | ||
| int | msglevel, | ||
| struct gc_arena * | gc | ||
| ) |
Definition at line 424 of file ssl_verify_openssl.c.
References ALLOC_OBJ_CLEAR_GC, x509_track::flags, gc, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.
Referenced by add_option().
◆ x509_verify_cert_eku()
| result_t x509_verify_cert_eku | ( | openvpn_x509_cert_t * | x509, |
| const char *const | expected_oid | ||
| ) |
Definition at line 740 of file ssl_verify_openssl.c.
References D_HANDSHAKE, FAILURE, msg, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_cert_ku()
| result_t x509_verify_cert_ku | ( | openvpn_x509_cert_t * | x509, |
| const unsigned *const | expected_ku, | ||
| int | expected_len | ||
| ) |
Definition at line 679 of file ssl_verify_openssl.c.
References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_ns_cert_type()
| result_t x509_verify_ns_cert_type | ( | openvpn_x509_cert_t * | cert, |
| const int | usage | ||
| ) |
Definition at line 612 of file ssl_verify_openssl.c.
References FAILURE, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().
Referenced by verify_peer_cert().
