9a160b79 |
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
* |
49979459 |
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
* Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com> |
9a160b79 |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* |
caa54ac3 |
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
9a160b79 |
*/
/**
* @file Control Channel Verification Module library-specific backend interface
*/
#ifndef SSL_VERIFY_BACKEND_H_
#define SSL_VERIFY_BACKEND_H_
|
8a840d83 |
/**
* Result of verification function
*/ |
81d882d5 |
typedef enum { SUCCESS = 0, FAILURE = 1 } result_t; |
8a840d83 |
|
82f925b6 |
/*
* Backend support functions.
*
* The following functions are needed by the backend, but defined in the main
* file.
*/
/* |
0a67e462 |
* Verify certificate for the given session. Performs OpenVPN-specific
* verification.
*
* This function must be called for every certificate in the certificate
* chain during the certificate verification stage of the handshake.
* |
81d882d5 |
* @param session TLS Session associated with this tunnel
* @param cert Certificate to process
* @param cert_depth Depth of the current certificate |
0a67e462 |
* |
81d882d5 |
* @return \c SUCCESS if verification was successful, \c FAILURE on failure. |
0a67e462 |
*/ |
9b33b5a4 |
result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth); |
0a67e462 |
/* |
82f925b6 |
* Remember the given certificate hash, allowing the certificate chain to be
* locked between sessions.
*
* Must be called for every certificate in the verification chain, whether it
* is valid or not.
* |
81d882d5 |
* @param session TLS Session associated with this tunnel
* @param cert_depth Depth of the current certificate
* @param cert_hash Hash of the current certificate |
82f925b6 |
*/ |
81d882d5 |
void cert_hash_remember(struct tls_session *session, const int cert_depth,
const struct buffer *cert_hash); |
82f925b6 |
|
971790da |
/*
* Library-specific functions.
*
* The following functions must be implemented on a library-specific basis.
*/
/* |
fceecbab |
* Retrieve certificate's subject name. |
971790da |
* |
81d882d5 |
* @param cert Certificate to retrieve the subject from.
* @param gc Garbage collection arena to use when allocating string. |
971790da |
* |
81d882d5 |
* @return a string containing the subject |
3cb348e4 |
*/ |
81d882d5 |
char *x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc); |
971790da |
|
af1e4d26 |
/**
* Retrieve the certificate's SHA1 fingerprint.
* |
81d882d5 |
* @param cert Certificate to retrieve the fingerprint from.
* @param gc Garbage collection arena to use when allocating string. |
af1e4d26 |
* |
81d882d5 |
* @return a string containing the certificate fingerprint |
af1e4d26 |
*/ |
81d882d5 |
struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert,
struct gc_arena *gc); |
af1e4d26 |
/**
* Retrieve the certificate's SHA256 fingerprint. |
fceecbab |
* |
81d882d5 |
* @param cert Certificate to retrieve the fingerprint from.
* @param gc Garbage collection arena to use when allocating string. |
fceecbab |
* |
81d882d5 |
* @return a string containing the certificate fingerprint |
fceecbab |
*/ |
81d882d5 |
struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
struct gc_arena *gc); |
fceecbab |
|
dd4cdb9e |
/*
* Retrieve the certificate's username from the specified field.
*
* If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled,
* it will be loaded from an X.509 extension
* |
81d882d5 |
* @param cn Buffer to return the common name in.
* @param cn_len Length of the cn buffer.
* @param x509_username_field Name of the field to load from
* @param cert Certificate to retrieve the common name from. |
dd4cdb9e |
* |
81d882d5 |
* @return \c FAILURE, \c or SUCCESS |
dd4cdb9e |
*/ |
81d882d5 |
result_t backend_x509_get_username(char *common_name, int cn_len,
char *x509_username_field, openvpn_x509_cert_t *peer_cert); |
fe100528 |
|
d2a19185 |
#ifdef ENABLE_X509ALTUSERNAME
/**
* Return true iff the supplied extension field is supported by the
* --x509-username-field option.
*/
bool x509_username_field_ext_supported(const char *extname);
#endif
|
fe100528 |
/* |
f80a52b0 |
* Return the certificate's serial number in decimal string representation. |
fe100528 |
*
* The serial number is returned as a string, since it might be a bignum.
* |
81d882d5 |
* @param cert Certificate to retrieve the serial number from.
* @param gc Garbage collection arena to use when allocating string. |
fe100528 |
* |
81d882d5 |
* @return String representation of the certificate's serial number
* in decimal notation, or NULL on error. |
fe100528 |
*/ |
81d882d5 |
char *backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc); |
fe100528 |
/* |
f80a52b0 |
* Return the certificate's serial number in hex string representation.
*
* The serial number is returned as a string, since it might be a bignum.
* |
81d882d5 |
* @param cert Certificate to retrieve the serial number from.
* @param gc Garbage collection arena to use when allocating string. |
f80a52b0 |
* |
81d882d5 |
* @return String representation of the certificate's serial number
* in hex notation, or NULL on error. |
f80a52b0 |
*/ |
81d882d5 |
char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert,
struct gc_arena *gc); |
f80a52b0 |
/* |
fceecbab |
* Save X509 fields to environment, using the naming convention:
*
* X509_{cert_depth}_{name}={value} |
fe100528 |
* |
81d882d5 |
* @param es Environment set to save variables in
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for |
fe100528 |
*/ |
81d882d5 |
void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert); |
72533628 |
/*
* Start tracking the given attribute.
*
* The tracked attributes are stored in ll_head.
* |
81d882d5 |
* @param ll_head The x509_track to store tracked atttributes in
* @param name Name of the attribute to track
* @param msglevel Message level for errors
* @param gc Garbage collection arena for temp data |
72533628 |
*
*/ |
81d882d5 |
void x509_track_add(const struct x509_track **ll_head, const char *name,
int msglevel, struct gc_arena *gc); |
fe100528 |
/*
* Save X509 fields to environment, using the naming convention:
* |
72533628 |
* X509_{cert_depth}_{name}={value}
*
* This function differs from setenv_x509 below in the following ways: |
fe100528 |
* |
72533628 |
* (1) Only explicitly named attributes in xt are saved, per usage
* of --x509-track program options.
* (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
* flag is set in xt->flags (corresponds with prepending a '+'
* to the name when specified by --x509-track program option).
* (3) This function supports both X509 subject name fields as
* well as X509 V3 extensions.
*
* @param xt |
81d882d5 |
* @param es Environment set to save variables in
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for |
fe100528 |
*/ |
81d882d5 |
void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
const int depth, openvpn_x509_cert_t *x509); |
72533628 |
|
06d22777 |
/*
* Check X.509 Netscape certificate type field, if available.
* |
81d882d5 |
* @param cert Certificate to check.
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
* or \c NS_CERT_CHECK_NONE. |
06d22777 |
* |
81d882d5 |
* @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
* the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set. |
06d22777 |
*/ |
17d1ab90 |
result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage); |
06d22777 |
|
876752ae |
/*
* Verify X.509 key usage extension field.
* |
81d882d5 |
* @param cert Certificate to check.
* @param expected_ku Array of valid key usage values
* @param expected_len Length of the key usage array |
876752ae |
* |
81d882d5 |
* @return \c SUCCESS if one of the key usage values matches, \c FAILURE
* if key usage is not enabled, or the values do not match. |
876752ae |
*/ |
81d882d5 |
result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku,
int expected_len); |
876752ae |
|
587f419b |
/*
* Verify X.509 extended key usage extension field.
* |
81d882d5 |
* @param cert Certificate to check.
* @param expected_oid String representation of the expected Object ID. May be
* either the string representation of the numeric OID
* (e.g. \c "1.2.3.4", or the descriptive string matching
* the OID. |
587f419b |
* |
81d882d5 |
* @return \c SUCCESS if one of the expected OID matches one of the
* extended key usage fields, \c FAILURE if extended key
* usage is not enabled, or the values do not match. |
587f419b |
*/ |
81d882d5 |
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid); |
587f419b |
|
3e44ea55 |
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
* |
81d882d5 |
* @param cert Certificate to store
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in |
8a840d83 |
*
* |
3e44ea55 |
*/ |
9b33b5a4 |
result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert); |
3e44ea55 |
|
160504a2 |
/**
* Return true iff a CRL is configured, but is not loaded. This can be caused
* by e.g. a CRL parsing error, a missing CRL file or CRL file permission
* errors. (These conditions are checked upon startup, but the CRL might be
* updated and reloaded during runtime.) |
83c49a3e |
*/ |
160504a2 |
bool tls_verify_crl_missing(const struct tls_options *opt); |
83c49a3e |
|
9a160b79 |
#endif /* SSL_VERIFY_BACKEND_H_ */ |