OpenVPN
Functions
ssl_verify_openssl.c File Reference

Control Channel Verification Module OpenSSL implementation. More...

#include "syshead.h"
#include "ssl_verify_openssl.h"
#include "error.h"
#include "ssl_openssl.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"
#include "openssl_compat.h"
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
Include dependency graph for ssl_verify_openssl.c:

Go to the source code of this file.

Functions

int verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
 
bool x509_username_field_ext_supported (const char *fieldname)
 Return true iff the supplied extension field is supported by the –x509-username-field option.
 
static bool extract_x509_extension (X509 *cert, char *fieldname, char *out, size_t size)
 
static result_t extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, size_t size)
 
result_t backend_x509_get_username (char *common_name, size_t cn_len, char *x509_username_field, X509 *peer_cert)
 
char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
char * backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
result_t backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename)
 
struct buffer x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA1 fingerprint.
 
struct buffer x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA256 fingerprint.
 
char * x509_get_subject (X509 *cert, struct gc_arena *gc)
 
void x509_track_add (const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
 
static void do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth)
 
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509)
 
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
 
result_t x509_verify_ns_cert_type (openvpn_x509_cert_t *peer_cert, const int usage)
 
result_t x509_verify_cert_ku (X509 *x509, const unsigned int *const expected_ku, size_t expected_len)
 
result_t x509_verify_cert_eku (X509 *x509, const char *const expected_oid)
 
bool tls_verify_crl_missing (const struct tls_options *opt)
 Return true iff a CRL is configured, but is not loaded.
 

Detailed Description

Control Channel Verification Module OpenSSL implementation.

Definition in file ssl_verify_openssl.c.

Function Documentation

◆ backend_x509_get_serial()

char * backend_x509_get_serial ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 295 of file ssl_verify_openssl.c.

References gc, and string_alloc().

Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().

◆ backend_x509_get_serial_hex()

char * backend_x509_get_serial_hex ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 314 of file ssl_verify_openssl.c.

References format_hex_ex(), and gc.

Referenced by verify_cert_set_env().

◆ backend_x509_get_username()

result_t backend_x509_get_username ( char *  common_name,
size_t  cn_len,
char *  x509_username_field,
X509 *  peer_cert 
)

Definition at line 251 of file ssl_verify_openssl.c.

References D_TLS_ERRORS, extract_x509_extension(), extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc, gc_free(), gc_new(), buffer::len, msg, and SUCCESS.

Referenced by verify_cert().

◆ backend_x509_write_pem()

result_t backend_x509_write_pem ( openvpn_x509_cert_t cert,
const char *  filename 
)

Definition at line 322 of file ssl_verify_openssl.c.

References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.

Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().

◆ do_setenv_x509()

static void do_setenv_x509 ( struct env_set es,
const char *  name,
char *  value,
int  depth 
)
static

Definition at line 445 of file ssl_verify_openssl.c.

References CC_ANY, CC_CRLF, check_malloc_return(), D_X509_ATTR, es, msg, x509_track::name, setenv_str(), and string_mod().

Referenced by x509_setenv_track().

◆ extract_x509_extension()

static bool extract_x509_extension ( X509 *  cert,
char *  fieldname,
char *  out,
size_t  size 
)
static

Definition at line 122 of file ssl_verify_openssl.c.

References D_TLS_DEBUG, D_TLS_ERRORS, buffer::len, msg, strncpynt(), and x509_username_field_ext_supported().

Referenced by backend_x509_get_username().

◆ extract_x509_field_ssl()

static result_t extract_x509_field_ssl ( X509_NAME *  x509,
const char *  field_name,
char *  out,
size_t  size 
)
static

Definition at line 196 of file ssl_verify_openssl.c.

References ASSERT, D_TLS_ERRORS, FAILURE, buffer::len, msg, strncpynt(), and SUCCESS.

Referenced by backend_x509_get_username().

◆ tls_verify_crl_missing()

bool tls_verify_crl_missing ( const struct tls_options opt)

Return true iff a CRL is configured, but is not loaded.

This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)

Definition at line 782 of file ssl_verify_openssl.c.

References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, buffer::len, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.

Referenced by verify_cert().

◆ x509_get_sha1_fingerprint()

struct buffer x509_get_sha1_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA1 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Definition at line 344 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.

Referenced by verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_sha256_fingerprint()

struct buffer x509_get_sha256_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA256 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Definition at line 354 of file ssl_verify_openssl.c.

References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.

Referenced by verify_callback(), verify_cert(), verify_cert_set_env(), and x509_setenv_track().

◆ x509_get_subject()

char * x509_get_subject ( X509 *  cert,
struct gc_arena gc 
)

Definition at line 364 of file ssl_verify_openssl.c.

Referenced by verify_callback().

◆ x509_setenv()

void x509_setenv ( struct env_set es,
int  cert_depth,
openvpn_x509_cert_t peer_cert 
)

Definition at line 549 of file ssl_verify_openssl.c.

References CC_CRLF, CC_PRINT, check_malloc_return(), es, buffer::len, setenv_str_incr(), and string_mod().

Referenced by verify_cert_set_env().

◆ x509_setenv_track()

void x509_setenv_track ( const struct x509_track xt,
struct env_set es,
const int  depth,
X509 *  x509 
)

Definition at line 461 of file ssl_verify_openssl.c.

References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc, gc_free(), gc_new(), buffer::len, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.

Referenced by verify_cert_set_env().

◆ x509_track_add()

void x509_track_add ( const struct x509_track **  ll_head,
const char *  name,
msglvl_t  msglevel,
struct gc_arena gc 
)

Definition at line 420 of file ssl_verify_openssl.c.

References ALLOC_OBJ_CLEAR_GC, x509_track::flags, gc, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.

Referenced by add_option().

◆ x509_username_field_ext_supported()

bool x509_username_field_ext_supported ( const char *  fieldname)

Return true iff the supplied extension field is supported by the –x509-username-field option.

Definition at line 115 of file ssl_verify_openssl.c.

References buffer::len.

Referenced by add_option(), and extract_x509_extension().

◆ x509_verify_cert_eku()

result_t x509_verify_cert_eku ( X509 *  x509,
const char *const  expected_oid 
)

Definition at line 733 of file ssl_verify_openssl.c.

References D_HANDSHAKE, FAILURE, buffer::len, msg, and SUCCESS.

Referenced by verify_peer_cert().

◆ x509_verify_cert_ku()

result_t x509_verify_cert_ku ( X509 *  x509,
const unsigned int *const  expected_ku,
size_t  expected_len 
)

Definition at line 674 of file ssl_verify_openssl.c.

References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, buffer::len, msg, OPENVPN_KU_REQUIRED, and SUCCESS.

◆ x509_verify_ns_cert_type()

result_t x509_verify_ns_cert_type ( openvpn_x509_cert_t peer_cert,
const int  usage 
)

Definition at line 607 of file ssl_verify_openssl.c.

References FAILURE, buffer::len, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().

Referenced by verify_peer_cert().

Generated by doxygen 1.9.8