GitList

src/openvpn/ssl_verify_backend.h

9a160b79	/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. *
49979459	* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
9a160b79	* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. *
caa54ac3	* You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
9a160b79	/ /* * @file Control Channel Verification Module library-specific backend interface */ #ifndef SSL_VERIFY_BACKEND_H_ #define SSL_VERIFY_BACKEND_H_
8a840d83	/** * Result of verification function */
81d882d5	typedef enum { SUCCESS = 0, FAILURE = 1 } result_t;
8a840d83
82f925b6	/* * Backend support functions. * * The following functions are needed by the backend, but defined in the main * file. / /
0a67e462	* Verify certificate for the given session. Performs OpenVPN-specific * verification. * * This function must be called for every certificate in the certificate * chain during the certificate verification stage of the handshake. *
81d882d5	* @param session TLS Session associated with this tunnel * @param cert Certificate to process * @param cert_depth Depth of the current certificate
0a67e462	*
81d882d5	* @return \c SUCCESS if verification was successful, \c FAILURE on failure.
0a67e462	*/
9b33b5a4	result_t verify_cert(struct tls_session session, openvpn_x509_cert_t cert, int cert_depth);
0a67e462	/*
82f925b6	* Remember the given certificate hash, allowing the certificate chain to be * locked between sessions. * * Must be called for every certificate in the verification chain, whether it * is valid or not. *
81d882d5	* @param session TLS Session associated with this tunnel * @param cert_depth Depth of the current certificate * @param cert_hash Hash of the current certificate
82f925b6	*/
81d882d5	void cert_hash_remember(struct tls_session session, const int cert_depth, const struct buffer cert_hash);
82f925b6
971790da	/* * Library-specific functions. * * The following functions must be implemented on a library-specific basis. / /
fceecbab	* Retrieve certificate's subject name.
971790da	*
81d882d5	* @param cert Certificate to retrieve the subject from. * @param gc Garbage collection arena to use when allocating string.
971790da	*
81d882d5	* @return a string containing the subject
3cb348e4	*/
81d882d5	char x509_get_subject(openvpn_x509_cert_t cert, struct gc_arena *gc);
971790da
af1e4d26	/** * Retrieve the certificate's SHA1 fingerprint. *
81d882d5	* @param cert Certificate to retrieve the fingerprint from. * @param gc Garbage collection arena to use when allocating string.
af1e4d26	*
81d882d5	* @return a string containing the certificate fingerprint
af1e4d26	*/
81d882d5	struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t cert, struct gc_arena gc);
af1e4d26	/** * Retrieve the certificate's SHA256 fingerprint.
fceecbab	*
81d882d5	* @param cert Certificate to retrieve the fingerprint from. * @param gc Garbage collection arena to use when allocating string.
fceecbab	*
81d882d5	* @return a string containing the certificate fingerprint
fceecbab	*/
81d882d5	struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t cert, struct gc_arena gc);
fceecbab
dd4cdb9e	/* * Retrieve the certificate's username from the specified field. * * If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled, * it will be loaded from an X.509 extension *
81d882d5	* @param cn Buffer to return the common name in. * @param cn_len Length of the cn buffer. * @param x509_username_field Name of the field to load from * @param cert Certificate to retrieve the common name from.
dd4cdb9e	*
81d882d5	* @return \c FAILURE, \c or SUCCESS
dd4cdb9e	*/
81d882d5	result_t backend_x509_get_username(char common_name, int cn_len, char x509_username_field, openvpn_x509_cert_t *peer_cert);
fe100528
d2a19185	#ifdef ENABLE_X509ALTUSERNAME /** * Return true iff the supplied extension field is supported by the * --x509-username-field option. / bool x509_username_field_ext_supported(const char extname); #endif
fe100528	/*
f80a52b0	* Return the certificate's serial number in decimal string representation.
fe100528	* * The serial number is returned as a string, since it might be a bignum. *
81d882d5	* @param cert Certificate to retrieve the serial number from. * @param gc Garbage collection arena to use when allocating string.
fe100528	*
81d882d5	* @return String representation of the certificate's serial number * in decimal notation, or NULL on error.
fe100528	*/
81d882d5	char backend_x509_get_serial(openvpn_x509_cert_t cert, struct gc_arena *gc);
fe100528	/*
f80a52b0	* Return the certificate's serial number in hex string representation. * * The serial number is returned as a string, since it might be a bignum. *
81d882d5	* @param cert Certificate to retrieve the serial number from. * @param gc Garbage collection arena to use when allocating string.
f80a52b0	*
81d882d5	* @return String representation of the certificate's serial number * in hex notation, or NULL on error.
f80a52b0	*/
81d882d5	char backend_x509_get_serial_hex(openvpn_x509_cert_t cert, struct gc_arena *gc);
f80a52b0	/*
fceecbab	* Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value}
fe100528	*
81d882d5	* @param es Environment set to save variables in * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for
fe100528	*/
81d882d5	void x509_setenv(struct env_set es, int cert_depth, openvpn_x509_cert_t cert);
72533628	/* * Start tracking the given attribute. * * The tracked attributes are stored in ll_head. *
81d882d5	* @param ll_head The x509_track to store tracked atttributes in * @param name Name of the attribute to track * @param msglevel Message level for errors * @param gc Garbage collection arena for temp data
72533628	* */
81d882d5	void x509_track_add(const struct x509_track *ll_head, const char name, int msglevel, struct gc_arena *gc);
fe100528	/* * Save X509 fields to environment, using the naming convention: *
72533628	* X509_{cert_depth}_{name}={value} * * This function differs from setenv_x509 below in the following ways:
fe100528	*
72533628	* (1) Only explicitly named attributes in xt are saved, per usage * of --x509-track program options. * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN * flag is set in xt->flags (corresponds with prepending a '+' * to the name when specified by --x509-track program option). * (3) This function supports both X509 subject name fields as * well as X509 V3 extensions. * * @param xt
81d882d5	* @param es Environment set to save variables in * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for
fe100528	*/
81d882d5	void x509_setenv_track(const struct x509_track xt, struct env_set es, const int depth, openvpn_x509_cert_t *x509);
72533628
06d22777	/* * Check X.509 Netscape certificate type field, if available. *
81d882d5	* @param cert Certificate to check. * @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER, * or \c NS_CERT_CHECK_NONE.
06d22777	*
81d882d5	* @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has * the expected bit set. \c FAILURE if the certificate does * not have NS cert type verification or the wrong bit set.
06d22777	*/
17d1ab90	result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
06d22777
876752ae	/* * Verify X.509 key usage extension field. *
81d882d5	* @param cert Certificate to check. * @param expected_ku Array of valid key usage values * @param expected_len Length of the key usage array
876752ae	*
81d882d5	* @return \c SUCCESS if one of the key usage values matches, \c FAILURE * if key usage is not enabled, or the values do not match.
876752ae	*/
81d882d5	result_t x509_verify_cert_ku(openvpn_x509_cert_t x509, const unsigned const expected_ku, int expected_len);
876752ae
587f419b	/* * Verify X.509 extended key usage extension field. *
81d882d5	* @param cert Certificate to check. * @param expected_oid String representation of the expected Object ID. May be * either the string representation of the numeric OID * (e.g. \c "1.2.3.4", or the descriptive string matching * the OID.
587f419b	*
81d882d5	* @return \c SUCCESS if one of the expected OID matches one of the * extended key usage fields, \c FAILURE if extended key * usage is not enabled, or the values do not match.
587f419b	*/
81d882d5	result_t x509_verify_cert_eku(openvpn_x509_cert_t x509, const char const expected_oid);
587f419b
3e44ea55	/* * Store the given certificate in pem format in a temporary file in tmp_dir *
81d882d5	* @param cert Certificate to store * @param tmp_dir Temporary directory to store the directory * @param gc gc_arena to store temporary objects in
8a840d83	* *
3e44ea55	*/
9b33b5a4	result_t x509_write_pem(FILE peercert_file, openvpn_x509_cert_t peercert);
3e44ea55
160504a2	/** * Return true iff a CRL is configured, but is not loaded. This can be caused * by e.g. a CRL parsing error, a missing CRL file or CRL file permission * errors. (These conditions are checked upon startup, but the CRL might be * updated and reloaded during runtime.)
83c49a3e	*/
160504a2	bool tls_verify_crl_missing(const struct tls_options *opt);
83c49a3e
9a160b79	#endif /* SSL_VERIFY_BACKEND_H_ */