OpenVPN
ssl_verify_backend.h
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2026 Sentyron B.V. <openvpn@sentyron.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
29#ifndef SSL_VERIFY_BACKEND_H_
30#define SSL_VERIFY_BACKEND_H_
31
35typedef enum
36{
37 SUCCESS = 0,
38 FAILURE = 1
39} result_t;
40
41/*
42 * Backend support functions.
43 *
44 * The following functions are needed by the backend, but defined in the main
45 * file.
46 */
47
48/*
49 * Verify certificate for the given session. Performs OpenVPN-specific
50 * verification.
51 *
52 * This function must be called for every certificate in the certificate
53 * chain during the certificate verification stage of the handshake.
54 *
55 * @param session TLS Session associated with this tunnel
56 * @param cert Certificate to process
57 * @param cert_depth Depth of the current certificate
58 *
59 * @return \c SUCCESS if verification was successful, \c FAILURE on failure.
60 */
61result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth);
62
63/*
64 * Remember the given certificate hash, allowing the certificate chain to be
65 * locked between sessions.
66 *
67 * Must be called for every certificate in the verification chain, whether it
68 * is valid or not.
69 *
70 * @param session TLS Session associated with this tunnel
71 * @param cert_depth Depth of the current certificate
72 * @param cert_hash Hash of the current certificate
73 */
74void cert_hash_remember(struct tls_session *session, const int cert_depth,
75 const struct buffer *cert_hash);
76
77/*
78 * Library-specific functions.
79 *
80 * The following functions must be implemented on a library-specific basis.
81 */
82
83/*
84 * Retrieve certificate's subject name.
85 *
86 * @param cert Certificate to retrieve the subject from.
87 * @param gc Garbage collection arena to use when allocating string.
88 *
89 * @return a string containing the subject
90 */
91char *x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc);
92
101struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
102
111struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc);
112
113/*
114 * Retrieve the certificate's username from the specified field.
115 *
116 * If the field is prepended with ext: is enabled,
117 * it will be loaded from an X.509 extension
118 *
119 * @param cn Buffer to return the common name in.
120 * @param cn_len Length of the cn buffer.
121 * @param x509_username_field Name of the field to load from
122 * @param cert Certificate to retrieve the common name from.
123 *
124 * @return \c FAILURE, \c or SUCCESS
125 */
126result_t backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_field,
127 openvpn_x509_cert_t *peer_cert);
128
133bool x509_username_field_ext_supported(const char *extname);
134
135/*
136 * Return the certificate's serial number in decimal string representation.
137 *
138 * The serial number is returned as a string, since it might be a bignum.
139 *
140 * @param cert Certificate to retrieve the serial number from.
141 * @param gc Garbage collection arena to use when allocating string.
142 *
143 * @return String representation of the certificate's serial number
144 * in decimal notation, or NULL on error.
145 */
146char *backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc);
147
148/*
149 * Return the certificate's serial number in hex string representation.
150 *
151 * The serial number is returned as a string, since it might be a bignum.
152 *
153 * @param cert Certificate to retrieve the serial number from.
154 * @param gc Garbage collection arena to use when allocating string.
155 *
156 * @return String representation of the certificate's serial number
157 * in hex notation, or NULL on error.
158 */
159char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc);
160
161/*
162 * Write the certificate to the file in PEM format.
163 *
164 *
165 * @param cert Certificate to serialise.
166 *
167 * @return \c FAILURE, \c or SUCCESS
168 */
169result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename);
170
171/*
172 * Save X509 fields to environment, using the naming convention:
173 *
174 * X509_{cert_depth}_{name}={value}
175 *
176 * @param es Environment set to save variables in
177 * @param cert_depth Depth of the certificate
178 * @param cert Certificate to set the environment for
179 */
180void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert);
181
182/*
183 * Start tracking the given attribute.
184 *
185 * The tracked attributes are stored in ll_head.
186 *
187 * @param ll_head The x509_track to store tracked attributes in
188 * @param name Name of the attribute to track
189 * @param msglevel Message level for errors
190 * @param gc Garbage collection arena for temp data
191 *
192 */
193void x509_track_add(const struct x509_track **ll_head, const char *name,
194 msglvl_t msglevel, struct gc_arena *gc);
195
196/*
197 * Save X509 fields to environment, using the naming convention:
198 *
199 * X509_{cert_depth}_{name}={value}
200 *
201 * This function differs from setenv_x509 below in the following ways:
202 *
203 * (1) Only explicitly named attributes in xt are saved, per usage
204 * of --x509-track program options.
205 * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
206 * flag is set in xt->flags (corresponds with prepending a '+'
207 * to the name when specified by --x509-track program option).
208 * (3) This function supports both X509 subject name fields as
209 * well as X509 V3 extensions.
210 *
211 * @param xt
212 * @param es Environment set to save variables in
213 * @param cert_depth Depth of the certificate
214 * @param cert Certificate to set the environment for
215 */
216void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth,
217 openvpn_x509_cert_t *x509);
218
219/*
220 * Check X.509 Netscape certificate type field, if available.
221 *
222 * @param cert Certificate to check.
223 * @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
224 * or \c NS_CERT_CHECK_NONE.
225 *
226 * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
227 * the expected bit set. \c FAILURE if the certificate does
228 * not have NS cert type verification or the wrong bit set.
229 */
230result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
231
232/*
233 * Verify X.509 key usage extension field.
234 *
235 * @param cert Certificate to check.
236 * @param expected_ku Array of valid key usage values
237 * @param expected_len Length of the key usage array
238 *
239 * @return \c SUCCESS if one of the key usage values matches, \c FAILURE
240 * if key usage is not enabled, or the values do not match.
241 */
242result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku,
243 size_t expected_len);
244
245/*
246 * Verify X.509 extended key usage extension field.
247 *
248 * @param cert Certificate to check.
249 * @param expected_oid String representation of the expected Object ID. May be
250 * either the string representation of the numeric OID
251 * (e.g. \c "1.2.3.4", or the descriptive string matching
252 * the OID.
253 *
254 * @return \c SUCCESS if one of the expected OID matches one of the
255 * extended key usage fields, \c FAILURE if extended key
256 * usage is not enabled, or the values do not match.
257 */
258result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid);
259
266bool tls_verify_crl_missing(const struct tls_options *opt);
267
268#endif /* SSL_VERIFY_BACKEND_H_ */
openvpn_x509_cert_t
X509 openvpn_x509_cert_t
Definition openvpn-plugin.h:40
msglvl_t
unsigned int msglvl_t
Definition error.h:77
usage
void usage(void)
Definition options.c:4834
x509_get_sha256_fingerprint
struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA256 fingerprint.
Definition ssl_verify_openssl.c:354
x509_username_field_ext_supported
bool x509_username_field_ext_supported(const char *extname)
Return true iff the supplied extension field is supported by the –x509-username-field option.
Definition ssl_verify_openssl.c:115
cert_hash_remember
void cert_hash_remember(struct tls_session *session, const int cert_depth, const struct buffer *cert_hash)
Definition ssl_verify.c:194
x509_setenv_track
void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
Definition ssl_verify_openssl.c:461
x509_setenv
void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
Definition ssl_verify_openssl.c:549
tls_verify_crl_missing
bool tls_verify_crl_missing(const struct tls_options *opt)
Return true iff a CRL is configured, but is not loaded.
Definition ssl_verify_openssl.c:782
backend_x509_write_pem
result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
Definition ssl_verify_openssl.c:322
x509_verify_ns_cert_type
result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage)
Definition ssl_verify_openssl.c:607
backend_x509_get_serial_hex
char * backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition ssl_verify_openssl.c:314
verify_cert
result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
Definition ssl_verify.c:577
x509_get_sha1_fingerprint
struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA1 fingerprint.
Definition ssl_verify_openssl.c:344
x509_verify_cert_ku
result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku, size_t expected_len)
x509_get_subject
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition ssl_verify_openssl.c:364
backend_x509_get_serial
char * backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition ssl_verify_openssl.c:295
backend_x509_get_username
result_t backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
Definition ssl_verify_openssl.c:251
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:420
result_t
result_t
Result of verification function.
Definition ssl_verify_backend.h:36
FAILURE
@ FAILURE
Definition ssl_verify_backend.h:38
SUCCESS
@ SUCCESS
Definition ssl_verify_backend.h:37
x509_verify_cert_eku
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid)
Definition ssl_verify_openssl.c:733
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
cert_hash
Structure containing the hash for a single certificate.
Definition ssl_verify.h:58
env_set
Definition env_set.h:43
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
tls_options
Definition ssl_common.h:307
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:489
x509_track
Definition ssl_verify.h:238
es
struct env_set * es
Definition test_pkcs11.c:138
gc
struct gc_arena gc
Definition test_ssl.c:131
Generated by doxygen 1.9.8