OpenVPN
ssl_verify_mbedtls.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #include "syshead.h"
34 
35 #if defined(ENABLE_CRYPTO_MBEDTLS)
36 
37 #include "crypto_mbedtls.h"
38 #include "mbedtls_compat.h"
39 #include "ssl_verify.h"
40 #include <mbedtls/asn1.h>
41 #include <mbedtls/error.h>
42 #include <mbedtls/bignum.h>
43 #include <mbedtls/oid.h>
44 #include <mbedtls/sha1.h>
45 
46 #define MAX_SUBJECT_LENGTH 256
47 
48 int
49 verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
50  uint32_t *flags)
51 {
52  struct tls_session *session = (struct tls_session *) session_obj;
53  struct gc_arena gc = gc_new();
54 
55  ASSERT(cert);
56  ASSERT(session);
57 
58  session->verified = false;
59 
60  /* Remember certificate hash */
61  struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc);
62  cert_hash_remember(session, cert_depth, &cert_fingerprint);
63 
64  if (session->opt->verify_hash_no_ca)
65  {
66  /*
67  * If we decide to verify the peer certificate based on the fingerprint
68  * we ignore wrong dates and the certificate not being trusted.
69  * Any other problem with the certificate (wrong key, bad cert,...)
70  * will still trigger an error.
71  * Clearing these flags relies on verify_cert will later rejecting a
72  * certificate that has no matching fingerprint.
73  */
74  uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
75  | MBEDTLS_X509_BADCERT_EXPIRED
76  | MBEDTLS_X509_BADCERT_FUTURE;
77  *flags = *flags & ~flags_ignore;
78  }
79 
80  /* did peer present cert which was signed by our root cert? */
81  if (*flags != 0)
82  {
83  int ret = 0;
84  char errstr[512] = { 0 };
85  char *subject = x509_get_subject(cert, &gc);
86  char *serial = backend_x509_get_serial(cert, &gc);
87 
88  ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags);
89  if (ret <= 0 && !snprintf(errstr, sizeof(errstr),
90  "Could not retrieve error string, flags=%" PRIx32, *flags))
91  {
92  errstr[0] = '\0';
93  }
94  else
95  {
96  chomp(errstr);
97  }
98 
99  if (subject)
100  {
101  msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s",
102  cert_depth, subject, serial ? serial : "<not available>", errstr);
103  }
104  else
105  {
106  msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 "
107  "subject string from certificate): %s", cert_depth, errstr);
108  }
109 
110  /* Leave flags set to non-zero to indicate that the cert is not ok */
111  }
112  else if (SUCCESS != verify_cert(session, cert, cert_depth))
113  {
114  *flags |= MBEDTLS_X509_BADCERT_OTHER;
115  }
116 
117  gc_free(&gc);
118 
119  /*
120  * PolarSSL/mbed TLS-1.2.0+ expects 0 on anything except fatal errors.
121  */
122  return 0;
123 }
124 
125 #ifdef ENABLE_X509ALTUSERNAME
126 #warning "X509 alt user name not yet supported for mbed TLS"
127 #endif
128 
129 result_t
130 backend_x509_get_username(char *cn, int cn_len,
131  char *x509_username_field, mbedtls_x509_crt *cert)
132 {
133  mbedtls_x509_name *name;
134 
135  ASSERT( cn != NULL );
136 
137  name = &cert->subject;
138 
139  /* Find common name */
140  while (name != NULL)
141  {
142  if (0 == memcmp(name->oid.p, MBEDTLS_OID_AT_CN,
143  MBEDTLS_OID_SIZE(MBEDTLS_OID_AT_CN)))
144  {
145  break;
146  }
147 
148  name = name->next;
149  }
150 
151  /* Not found, return an error if this is the peer's certificate */
152  if (name == NULL)
153  {
154  return FAILURE;
155  }
156 
157  /* Found, extract CN */
158  if (cn_len > name->val.len)
159  {
160  memcpy( cn, name->val.p, name->val.len );
161  cn[name->val.len] = '\0';
162  }
163  else
164  {
165  memcpy( cn, name->val.p, cn_len);
166  cn[cn_len-1] = '\0';
167  }
168 
169  return SUCCESS;
170 }
171 
172 char *
173 backend_x509_get_serial(mbedtls_x509_crt *cert, struct gc_arena *gc)
174 {
175  char *buf = NULL;
176  size_t buflen = 0;
177  mbedtls_mpi serial_mpi = { 0 };
178 
179  /* Transform asn1 integer serial into mbed TLS MPI */
180  mbedtls_mpi_init(&serial_mpi);
181  if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p,
182  cert->serial.len)))
183  {
184  msg(M_WARN, "Failed to retrieve serial from certificate.");
185  goto end;
186  }
187 
188  /* Determine decimal representation length, allocate buffer */
189  mbedtls_mpi_write_string(&serial_mpi, 10, NULL, 0, &buflen);
190  buf = gc_malloc(buflen, true, gc);
191 
192  /* Write MPI serial as decimal string into buffer */
193  if (!mbed_ok(mbedtls_mpi_write_string(&serial_mpi, 10, buf, buflen, &buflen)))
194  {
195  msg(M_WARN, "Failed to write serial to string.");
196  buf = NULL;
197  goto end;
198  }
199 
200 end:
201  mbedtls_mpi_free(&serial_mpi);
202  return buf;
203 }
204 
205 char *
206 backend_x509_get_serial_hex(mbedtls_x509_crt *cert, struct gc_arena *gc)
207 {
208  char *buf = NULL;
209  size_t len = cert->serial.len * 3 + 1;
210 
211  buf = gc_malloc(len, true, gc);
212 
213  if (mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0)
214  {
215  buf = NULL;
216  }
217 
218  return buf;
219 }
220 
221 result_t
222 backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
223 {
224  /* mbed TLS does not make it easy to write a certificate in PEM format.
225  * The only way is to directly access the DER encoded raw certificate
226  * and PEM encode it ourselves */
227 
228  struct gc_arena gc = gc_new();
229  /* just do a very loose upper bound for the base64 based PEM encoding
230  * using 3 times the space for the base64 and 100 bytes for the
231  * headers and footer */
232  struct buffer pem = alloc_buf_gc(cert->raw.len * 3 + 100, &gc);
233 
234  struct buffer der = {};
235  buf_set_read(&der, cert->raw.p, cert->raw.len);
236 
237  if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc))
238  {
239  goto err;
240  }
241 
242  if (!buffer_write_file(filename, &pem))
243  {
244  goto err;
245  }
246 
247  gc_free(&gc);
248  return SUCCESS;
249 err:
250  msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s",
251  filename);
252  gc_free(&gc);
253  return FAILURE;
254 }
255 
256 static struct buffer
257 x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
258  struct gc_arena *gc)
259 {
260  const size_t md_size = mbedtls_md_get_size(md_info);
261  struct buffer fingerprint = alloc_buf_gc(md_size, gc);
262  mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint));
263  ASSERT(buf_inc_len(&fingerprint, md_size));
264  return fingerprint;
265 }
266 
267 struct buffer
268 x509_get_sha1_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
269 {
270  return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
271  cert, gc);
272 }
273 
274 struct buffer
275 x509_get_sha256_fingerprint(mbedtls_x509_crt *cert, struct gc_arena *gc)
276 {
277  return x509_get_fingerprint(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
278  cert, gc);
279 }
280 
281 char *
282 x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc)
283 {
284  char tmp_subject[MAX_SUBJECT_LENGTH] = {0};
285  char *subject = NULL;
286 
287  int ret = 0;
288 
289  ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject );
290  if (ret > 0)
291  {
292  /* Allocate the required space for the subject */
293  subject = string_alloc(tmp_subject, gc);
294  }
295 
296  return subject;
297 }
298 
299 static void
300 do_setenv_x509(struct env_set *es, const char *name, char *value, int depth)
301 {
302  char *name_expand;
303  size_t name_expand_size;
304 
305  string_mod(value, CC_ANY, CC_CRLF, '?');
306  msg(D_X509_ATTR, "X509 ATTRIBUTE name='%s' value='%s' depth=%d", name, value, depth);
307  name_expand_size = 64 + strlen(name);
308  name_expand = (char *) malloc(name_expand_size);
309  check_malloc_return(name_expand);
310  snprintf(name_expand, name_expand_size, "X509_%d_%s", depth, name);
311  setenv_str(es, name_expand, value);
312  free(name_expand);
313 }
314 
315 static char *
316 asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
317 {
318  size_t i;
319  char *val;
320 
321  if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
322  || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
323  || orig->tag == MBEDTLS_ASN1_IA5_STRING))
324  {
325  /* Only support C-string compatible types */
326  return string_alloc("ERROR: unsupported ASN.1 string type", gc);
327  }
328 
329  for (i = 0; i < orig->len; ++i)
330  {
331  if (orig->p[i] == '\0')
332  {
333  return string_alloc("ERROR: embedded null value", gc);
334  }
335  }
336  val = gc_malloc(orig->len+1, false, gc);
337  memcpy(val, orig->p, orig->len);
338  val[orig->len] = '\0';
339  return val;
340 }
341 
342 static void
343 do_setenv_name(struct env_set *es, const struct x509_track *xt,
344  const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc)
345 {
346  const mbedtls_x509_name *xn;
347  for (xn = &cert->subject; xn != NULL; xn = xn->next)
348  {
349  const char *xn_short_name = NULL;
350  if (0 == mbedtls_oid_get_attr_short_name(&xn->oid, &xn_short_name)
351  && 0 == strcmp(xt->name, xn_short_name))
352  {
353  char *val_str = asn1_buf_to_c_string(&xn->val, gc);
354  do_setenv_x509(es, xt->name, val_str, depth);
355  }
356  }
357 }
358 
359 void
360 x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
361 {
362  struct x509_track *xt;
363  ALLOC_OBJ_CLEAR_GC(xt, struct x509_track, gc);
364  if (*name == '+')
365  {
366  xt->flags |= XT_FULL_CHAIN;
367  ++name;
368  }
369  xt->name = name;
370  xt->next = *ll_head;
371  *ll_head = xt;
372 }
373 
374 void
375 x509_setenv_track(const struct x509_track *xt, struct env_set *es,
376  const int depth, mbedtls_x509_crt *cert)
377 {
378  struct gc_arena gc = gc_new();
379  while (xt)
380  {
381  if (depth == 0 || (xt->flags & XT_FULL_CHAIN))
382  {
383  if (0 == strcmp(xt->name, "SHA1") || 0 == strcmp(xt->name, "SHA256"))
384  {
385  /* Fingerprint is not part of X509 structure */
386  struct buffer cert_hash;
387  char *fingerprint;
388 
389  if (0 == strcmp(xt->name, "SHA1"))
390  {
391  cert_hash = x509_get_sha1_fingerprint(cert, &gc);
392  }
393  else
394  {
395  cert_hash = x509_get_sha256_fingerprint(cert, &gc);
396  }
397 
398  fingerprint = format_hex_ex(BPTR(&cert_hash),
399  BLEN(&cert_hash), 0, 1 | FHE_CAPS, ":", &gc);
400  do_setenv_x509(es, xt->name, fingerprint, depth);
401  }
402  else
403  {
404  do_setenv_name(es, xt, cert, depth, &gc);
405  }
406  }
407  xt = xt->next;
408  }
409  gc_free(&gc);
410 }
411 
412 /*
413  * Save X509 fields to environment, using the naming convention:
414  *
415  * X509_{cert_depth}_{name}={value}
416  */
417 void
418 x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert)
419 {
420  int i;
421  unsigned char c;
422  const mbedtls_x509_name *name;
423  char s[128] = { 0 };
424 
425  name = &cert->subject;
426 
427  while (name != NULL)
428  {
429  char name_expand[64+8];
430  const char *shortname;
431 
432  if (0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) )
433  {
434  snprintf(name_expand, sizeof(name_expand), "X509_%d_%s",
435  cert_depth, shortname);
436  }
437  else
438  {
439  snprintf(name_expand, sizeof(name_expand), "X509_%d_\?\?",
440  cert_depth);
441  }
442 
443  for (i = 0; i < name->val.len; i++)
444  {
445  if (i >= (int) sizeof( s ) - 1)
446  {
447  break;
448  }
449 
450  c = name->val.p[i];
451  if (c < 32 || c == 127 || ( c > 128 && c < 160 ) )
452  {
453  s[i] = '?';
454  }
455  else
456  {
457  s[i] = c;
458  }
459  }
460  s[i] = '\0';
461 
462  /* Check both strings, set environment variable */
463  string_mod(name_expand, CC_PRINT, CC_CRLF, '_');
464  string_mod((char *)s, CC_PRINT, CC_CRLF, '_');
465  setenv_str_incr(es, name_expand, (char *)s);
466 
467  name = name->next;
468  }
469 }
470 
471 /* Dummy function because Netscape certificate types are not supported in OpenVPN with mbedtls.
472  * Returns SUCCESS if usage is NS_CERT_CHECK_NONE, FAILURE otherwise. */
473 result_t
474 x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage)
475 {
476  if (usage == NS_CERT_CHECK_NONE)
477  {
478  return SUCCESS;
479  }
480 
481  return FAILURE;
482 }
483 
484 result_t
485 x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku,
486  int expected_len)
487 {
488  msg(D_HANDSHAKE, "Validating certificate key usage");
489 
490  if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_KEY_USAGE))
491  {
492  msg(D_TLS_ERRORS,
493  "ERROR: Certificate does not have key usage extension");
494  return FAILURE;
495  }
496 
497  if (expected_ku[0] == OPENVPN_KU_REQUIRED)
498  {
499  /* Extension required, value checked by TLS library */
500  return SUCCESS;
501  }
502 
503  result_t fFound = FAILURE;
504  for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++)
505  {
506  if (expected_ku[i] != 0
507  && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i]))
508  {
509  fFound = SUCCESS;
510  }
511  }
512 
513  if (fFound != SUCCESS)
514  {
515  msg(D_TLS_ERRORS, "ERROR: Certificate has invalid key usage, expected one of:");
516  for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
517  {
518  msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
519  }
520  }
521 
522  return fFound;
523 }
524 
525 result_t
526 x509_verify_cert_eku(mbedtls_x509_crt *cert, const char *const expected_oid)
527 {
528  result_t fFound = FAILURE;
529 
530  if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE))
531  {
532  msg(D_HANDSHAKE, "Certificate does not have extended key usage extension");
533  }
534  else
535  {
536  mbedtls_x509_sequence *oid_seq = &(cert->ext_key_usage);
537 
538  msg(D_HANDSHAKE, "Validating certificate extended key usage");
539  while (oid_seq != NULL)
540  {
541  mbedtls_x509_buf *oid = &oid_seq->buf;
542  char oid_num_str[1024];
543  const char *oid_str;
544 
545  if (0 == mbedtls_oid_get_extended_key_usage( oid, &oid_str ))
546  {
547  msg(D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
548  oid_str, expected_oid);
549  if (!strcmp(expected_oid, oid_str))
550  {
551  fFound = SUCCESS;
552  break;
553  }
554  }
555 
556  if (0 < mbedtls_oid_get_numeric_string( oid_num_str,
557  sizeof(oid_num_str), oid))
558  {
559  msg(D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
560  oid_num_str, expected_oid);
561  if (!strcmp(expected_oid, oid_num_str))
562  {
563  fFound = SUCCESS;
564  break;
565  }
566  }
567  oid_seq = oid_seq->next;
568  }
569  }
570 
571  return fFound;
572 }
573 
574 bool
575 tls_verify_crl_missing(const struct tls_options *opt)
576 {
577  if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
578  && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0))
579  {
580  return true;
581  }
582  return false;
583 }
584 
585 #endif /* #if defined(ENABLE_CRYPTO_MBEDTLS) */
buffer_write_file
bool buffer_write_file(const char *filename, const struct buffer *buf)
Write buffer contents to file.
Definition: buffer.c:318
x509_verify_cert_eku
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid)
Definition: ssl_verify_openssl.c:739
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
x509_get_sha256_fingerprint
struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA256 fingerprint.
Definition: ssl_verify_openssl.c:357
es
struct env_set * es
Definition: test_pkcs11.c:133
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
verify_cert
result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
Definition: ssl_verify.c:598
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
CC_CRLF
#define CC_CRLF
carriage return or newline
Definition: buffer.h:925
backend_x509_get_username
result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
Definition: ssl_verify_openssl.c:259
x509_setenv_track
void x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
Definition: ssl_verify_openssl.c:463
result_t
result_t
Result of verification function.
Definition: ssl_verify_backend.h:35
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:501
backend_x509_get_serial
char * backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:297
tls_verify_crl_missing
bool tls_verify_crl_missing(const struct tls_options *opt)
Return true iff a CRL is configured, but is not loaded.
Definition: ssl_verify_openssl.c:789
mbed_ok
#define mbed_ok(errval)
Check errval and log on error.
Definition: crypto_mbedtls.h:148
backend_x509_write_pem
result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
Definition: ssl_verify_openssl.c:324
crypto_mbedtls.h
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:299
x509_verify_cert_ku
result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len)
Definition: ssl_verify_openssl.c:678
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:667
ssl_verify.h
ASSERT
#define ASSERT(x)
Definition: error.h:195
buf_inc_len
static bool buf_inc_len(struct buffer *buf, int inc)
Definition: buffer.h:595
tls_options
Definition: ssl_common.h:296
BLEN
#define BLEN(buf)
Definition: buffer.h:127
CC_PRINT
#define CC_PRINT
printable (>= 32, != 127)
Definition: buffer.h:896
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:412
string_mod
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Modifies a string in place by replacing certain classes of characters of it with a specified characte...
Definition: buffer.c:1059
tls_options::ssl_flags
unsigned int ssl_flags
Definition: ssl_common.h:418
M_WARN
#define M_WARN
Definition: error.h:91
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1102
FHE_CAPS
#define FHE_CAPS
Definition: buffer.h:503
x509_get_sha1_fingerprint
struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Retrieve the certificate's SHA1 fingerprint.
Definition: ssl_verify_openssl.c:347
cert_hash_remember
void cert_hash_remember(struct tls_session *session, const int error_depth, const struct buffer *cert_hash)
Definition: ssl_verify.c:199
x509_track::name
const char * name
Definition: ssl_verify.h:217
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
setenv_str_incr
void setenv_str_incr(struct env_set *es, const char *name, const char *value)
Store the supplied name value pair in the env_set.
Definition: env_set.c:305
x509_setenv
void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
Definition: ssl_verify_openssl.c:552
SUCCESS
@ SUCCESS
Definition: ssl_verify_backend.h:35
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
mbedtls_compat.h
x509_track::next
const struct x509_track * next
Definition: ssl_verify.h:216
CC_ANY
#define CC_ANY
any character
Definition: buffer.h:888
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
XT_FULL_CHAIN
#define XT_FULL_CHAIN
Definition: ssl_verify.h:218
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition: crypto_openssl.c:502
env_set
Definition: env_set.h:42
openvpn_x509_cert_t
X509 openvpn_x509_cert_t
Definition: openvpn-plugin.h:40
tls_root_ctx::crl
mbedtls_x509_crl * crl
Certificate Revocation List.
Definition: ssl_mbedtls.h:115
usage
static void usage(void)
Definition: options.c:4817
chomp
void chomp(char *str)
Definition: buffer.c:632
x509_track::flags
unsigned int flags
Definition: ssl_verify.h:219
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:342
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:354
verify_callback
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
x509_verify_ns_cert_type
result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage)
Definition: ssl_verify_openssl.c:611
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
cert_hash
Structure containing the hash for a single certificate.
Definition: ssl_verify.h:54
do_setenv_x509
static void do_setenv_x509(struct env_set *es, const char *name, char *value, int depth)
Definition: ssl_verify_openssl.c:447
x509_get_subject
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:367
config.h
check_malloc_return
static void check_malloc_return(void *p)
Definition: buffer.h:1108
session
Definition: keyingmaterialexporter.c:56
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition: ssl_verify.h:234
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:423
mbedtls_x509_crt_has_ext_type
static int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx, int ext_type)
Definition: mbedtls_compat.h:228
backend_x509_get_serial_hex
char * backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:316
D_X509_ATTR
#define D_X509_ATTR
Definition: errlevel.h:103
msg
#define msg(flags,...)
Definition: error.h:144
x509_track
Definition: ssl_verify.h:214
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
NS_CERT_CHECK_NONE
#define NS_CERT_CHECK_NONE
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:227
FAILURE
@ FAILURE
Definition: ssl_verify_backend.h:35
Generated by   doxygen 1.8.17