OpenVPN
Enumerations | Functions
ssl_verify_backend.h File Reference
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Enumerations

enum  result_t { SUCCESS = 0, FAILURE = 1 }
 Result of verification function. More...
 

Functions

result_t verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
 
void cert_hash_remember (struct tls_session *session, const int cert_depth, const struct buffer *cert_hash)
 
char * x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
struct buffer x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA1 fingerprint. More...
 
struct buffer x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA256 fingerprint. More...
 
result_t backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
 
char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
char * backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
result_t backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename)
 
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
 
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
 
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
 
result_t x509_verify_ns_cert_type (openvpn_x509_cert_t *cert, const int usage)
 
result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len)
 
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char *const expected_oid)
 
bool tls_verify_crl_missing (const struct tls_options *opt)
 Return true iff a CRL is configured, but is not loaded. More...
 

Enumeration Type Documentation

◆ result_t

enum result_t

Result of verification function.

Enumerator
SUCCESS 
FAILURE 

Definition at line 35 of file ssl_verify_backend.h.

Function Documentation

◆ backend_x509_get_serial()

char* backend_x509_get_serial ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 297 of file ssl_verify_openssl.c.

References string_alloc().

Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().

◆ backend_x509_get_serial_hex()

char* backend_x509_get_serial_hex ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 316 of file ssl_verify_openssl.c.

References format_hex_ex().

Referenced by verify_cert_set_env().

◆ backend_x509_get_username()

result_t backend_x509_get_username ( char *  common_name,
int  cn_len,
char *  x509_username_field,
openvpn_x509_cert_t peer_cert 
)

Definition at line 259 of file ssl_verify_openssl.c.

References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc_free(), gc_new(), and SUCCESS.

Referenced by verify_cert().

◆ backend_x509_write_pem()

result_t backend_x509_write_pem ( openvpn_x509_cert_t cert,
const char *  filename 
)

◆ cert_hash_remember()

void cert_hash_remember ( struct tls_session session,
const int  cert_depth,
const struct buffer cert_hash 
)

Definition at line 199 of file ssl_verify.c.

References ALLOC_OBJ, ALLOC_OBJ_CLEAR, ASSERT, BLEN, BPTR, MAX_CERT_DEPTH, and cert_hash::sha256_hash.

Referenced by verify_callback().

◆ tls_verify_crl_missing()

bool tls_verify_crl_missing ( const struct tls_options opt)

Return true iff a CRL is configured, but is not loaded.

This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)

Definition at line 789 of file ssl_verify_openssl.c.

References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.

Referenced by verify_cert().

◆ verify_cert()

result_t verify_cert ( struct tls_session session,
openvpn_x509_cert_t cert,
int  cert_depth 
)

◆ x509_get_sha1_fingerprint()

struct buffer x509_get_sha1_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA1 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Definition at line 347 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_sha256_fingerprint()

struct buffer x509_get_sha256_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA256 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Definition at line 357 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().

Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_subject()

char* x509_get_subject ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 367 of file ssl_verify_openssl.c.

References gc_malloc().

Referenced by verify_callback(), and verify_cert().

◆ x509_setenv()

void x509_setenv ( struct env_set es,
int  cert_depth,
openvpn_x509_cert_t cert 
)

Definition at line 552 of file ssl_verify_openssl.c.

References CC_CRLF, CC_PRINT, check_malloc_return(), es, setenv_str_incr(), and string_mod().

Referenced by verify_cert_set_env().

◆ x509_setenv_track()

void x509_setenv_track ( const struct x509_track xt,
struct env_set es,
const int  depth,
openvpn_x509_cert_t x509 
)

◆ x509_track_add()

void x509_track_add ( const struct x509_track **  ll_head,
const char *  name,
int  msglevel,
struct gc_arena gc 
)

◆ x509_verify_cert_eku()

result_t x509_verify_cert_eku ( openvpn_x509_cert_t x509,
const char *const  expected_oid 
)

Definition at line 739 of file ssl_verify_openssl.c.

References D_HANDSHAKE, FAILURE, msg, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_cert_ku()

result_t x509_verify_cert_ku ( openvpn_x509_cert_t x509,
const unsigned *const  expected_ku,
int  expected_len 
)

Definition at line 678 of file ssl_verify_openssl.c.

References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_ns_cert_type()

result_t x509_verify_ns_cert_type ( openvpn_x509_cert_t cert,
const int  usage 
)