Go to the source code of this file.
Enumerations | |
| enum | result_t { SUCCESS = 0, FAILURE = 1 } |
| Result of verification function. More... | |
Functions | |
| result_t | verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) |
| void | cert_hash_remember (struct tls_session *session, const int cert_depth, const struct buffer *cert_hash) |
| char * | x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| struct buffer | x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA1 fingerprint. More... | |
| struct buffer | x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| Retrieve the certificate's SHA256 fingerprint. More... | |
| result_t | backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert) |
| char * | backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| char * | backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| result_t | backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename) |
| void | x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
| void | x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) |
| void | x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509) |
| result_t | x509_verify_ns_cert_type (openvpn_x509_cert_t *cert, const int usage) |
| result_t | x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len) |
| result_t | x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char *const expected_oid) |
| bool | tls_verify_crl_missing (const struct tls_options *opt) |
| Return true iff a CRL is configured, but is not loaded. More... | |
Enumeration Type Documentation
◆ result_t
| enum result_t |
Result of verification function.
| Enumerator | |
|---|---|
| SUCCESS | |
| FAILURE | |
Definition at line 35 of file ssl_verify_backend.h.
Function Documentation
◆ backend_x509_get_serial()
| char* backend_x509_get_serial | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 297 of file ssl_verify_openssl.c.
References string_alloc().
Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().
◆ backend_x509_get_serial_hex()
| char* backend_x509_get_serial_hex | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 316 of file ssl_verify_openssl.c.
References format_hex_ex().
Referenced by verify_cert_set_env().
◆ backend_x509_get_username()
| result_t backend_x509_get_username | ( | char * | common_name, |
| int | cn_len, | ||
| char * | x509_username_field, | ||
| openvpn_x509_cert_t * | peer_cert | ||
| ) |
Definition at line 259 of file ssl_verify_openssl.c.
References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc_free(), gc_new(), openvpn_snprintf(), and SUCCESS.
Referenced by verify_cert().
◆ backend_x509_write_pem()
| result_t backend_x509_write_pem | ( | openvpn_x509_cert_t * | cert, |
| const char * | filename | ||
| ) |
Definition at line 324 of file ssl_verify_openssl.c.
References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.
Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().
◆ cert_hash_remember()
| void cert_hash_remember | ( | struct tls_session * | session, |
| const int | cert_depth, | ||
| const struct buffer * | cert_hash | ||
| ) |
Definition at line 199 of file ssl_verify.c.
References ALLOC_OBJ, ALLOC_OBJ_CLEAR, ASSERT, BLEN, BPTR, MAX_CERT_DEPTH, and cert_hash::sha256_hash.
Referenced by verify_callback().
◆ tls_verify_crl_missing()
| bool tls_verify_crl_missing | ( | const struct tls_options * | opt | ) |
Return true iff a CRL is configured, but is not loaded.
This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)
Definition at line 789 of file ssl_verify_openssl.c.
References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, STACK_OF(), and X509_OBJECT_get_type().
Referenced by verify_cert().
◆ verify_cert()
| result_t verify_cert | ( | struct tls_session * | session, |
| openvpn_x509_cert_t * | cert, | ||
| int | cert_depth | ||
| ) |
Definition at line 598 of file ssl_verify.c.
References alloc_buf_gc(), ASSERT, backend_x509_get_username(), BLEN, BPTR, BSTR, buf_printf(), buffer::capacity, cleanup(), tls_options::crl_file, D_HANDSHAKE, D_TLS_ERRORS, tls_options::es, tls_options::export_peer_cert_dir, FAILURE, format_hex_ex(), gc_free(), gc_new(), verify_hash_list::hash, M_WARN, MAX_CERT_DEPTH, max_int(), MD_SHA1, MD_SHA256, memcmp_constant_time(), msg, verify_hash_list::next, platform_create_temp_file(), tls_options::plugins, set_common_name(), setenv_untrusted(), tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, string_mod_remap_name(), string_replace_leading(), SUCCESS, tls_clear_error(), TLS_USERNAME_LEN, tls_verify_crl_missing(), verify_cert_call_command(), verify_cert_call_plugin(), verify_cert_cert_delete_env(), verify_cert_cert_export_env(), verify_cert_set_env(), verify_check_crl_dir(), tls_options::verify_command, tls_options::verify_hash, tls_options::verify_hash_algo, tls_options::verify_hash_depth, verify_peer_cert(), x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), x509_get_subject(), tls_options::x509_track, and tls_options::x509_username_field.
Referenced by verify_callback().
◆ x509_get_sha1_fingerprint()
| struct buffer x509_get_sha1_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA1 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 347 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().
Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_sha256_fingerprint()
| struct buffer x509_get_sha256_fingerprint | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Retrieve the certificate's SHA256 fingerprint.
- Parameters
-
cert Certificate to retrieve the fingerprint from. gc Garbage collection arena to use when allocating string.
- Returns
- a string containing the certificate fingerprint
Definition at line 357 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, and buf_inc_len().
Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().
◆ x509_get_subject()
| char* x509_get_subject | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 367 of file ssl_verify_openssl.c.
References gc_malloc().
Referenced by verify_callback(), and verify_cert().
◆ x509_setenv()
| void x509_setenv | ( | struct env_set * | es, |
| int | cert_depth, | ||
| openvpn_x509_cert_t * | cert | ||
| ) |
Definition at line 552 of file ssl_verify_openssl.c.
References CC_CRLF, CC_PRINT, check_malloc_return(), es, openvpn_snprintf(), setenv_str_incr(), and string_mod().
Referenced by verify_cert_set_env().
◆ x509_setenv_track()
| void x509_setenv_track | ( | const struct x509_track * | xt, |
| struct env_set * | es, | ||
| const int | depth, | ||
| openvpn_x509_cert_t * | x509 | ||
| ) |
Definition at line 463 of file ssl_verify_openssl.c.
References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc_free(), gc_new(), x509_track::name, x509_track::next, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.
Referenced by verify_cert_set_env().
◆ x509_track_add()
| void x509_track_add | ( | const struct x509_track ** | ll_head, |
| const char * | name, | ||
| int | msglevel, | ||
| struct gc_arena * | gc | ||
| ) |
Definition at line 423 of file ssl_verify_openssl.c.
References ALLOC_OBJ_CLEAR_GC, x509_track::flags, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.
Referenced by add_option().
◆ x509_verify_cert_eku()
| result_t x509_verify_cert_eku | ( | openvpn_x509_cert_t * | x509, |
| const char *const | expected_oid | ||
| ) |
Definition at line 739 of file ssl_verify_openssl.c.
References D_HANDSHAKE, FAILURE, msg, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_cert_ku()
| result_t x509_verify_cert_ku | ( | openvpn_x509_cert_t * | x509, |
| const unsigned *const | expected_ku, | ||
| int | expected_len | ||
| ) |
Definition at line 678 of file ssl_verify_openssl.c.
References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, msg, OPENVPN_KU_REQUIRED, and SUCCESS.
Referenced by verify_peer_cert().
◆ x509_verify_ns_cert_type()
| result_t x509_verify_ns_cert_type | ( | openvpn_x509_cert_t * | cert, |
| const int | usage | ||
| ) |
Definition at line 611 of file ssl_verify_openssl.c.
References FAILURE, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().
Referenced by verify_peer_cert().
