/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
* Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* @file Control Channel Verification Module library-specific backend interface
*/
#ifndef SSL_VERIFY_BACKEND_H_
#define SSL_VERIFY_BACKEND_H_
/**
* Result of verification function
*/
typedef enum { SUCCESS=0, FAILURE=1 } result_t;
/*
* Backend support functions.
*
* The following functions are needed by the backend, but defined in the main
* file.
*/
/*
* Verify certificate for the given session. Performs OpenVPN-specific
* verification.
*
* This function must be called for every certificate in the certificate
* chain during the certificate verification stage of the handshake.
*
* @param session TLS Session associated with this tunnel
* @param cert Certificate to process
* @param cert_depth Depth of the current certificate
*
* @return \c SUCCESS if verification was successful, \c FAILURE on failure.
*/
result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
/*
* Remember the given certificate hash, allowing the certificate chain to be
* locked between sessions.
*
* Must be called for every certificate in the verification chain, whether it
* is valid or not.
*
* @param session TLS Session associated with this tunnel
* @param cert_depth Depth of the current certificate
* @param sha1_hash Hash of the current certificate
*/
void cert_hash_remember (struct tls_session *session, const int cert_depth,
const unsigned char *sha1_hash);
/*
* Library-specific functions.
*
* The following functions must be implemented on a library-specific basis.
*/
/*
* Retrieve certificate's subject name.
*
* The returned string must be freed with \c verify_free_subject()
*
* @param cert Certificate to retrieve the subject from.
*
* @return a string containing the subject
*/
char *x509_get_subject (x509_cert_t *cert);
/*
* Free a subject string as returned by \c verify_get_subject()
*
* @param subject The subject to be freed.
*/
void x509_free_subject (char *subject);
/* Retrieve the certificate's SHA1 hash.
*
* The returned string must be freed with \c verify_free_sha1_hash()
*
* @param cert Certificate to retrieve the hash from.
*
* @return a string containing the SHA1 hash of the certificate
*/
unsigned char *x509_get_sha1_hash (x509_cert_t *cert);
/*
* Free a hash as returned by \c verify_get_hash()
*
* @param hash The subject to be freed.
*/
void x509_free_sha1_hash (unsigned char *hash);
/*
* Retrieve the certificate's username from the specified field.
*
* If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled,
* it will be loaded from an X.509 extension
*
* @param cn Buffer to return the common name in.
* @param cn_len Length of the cn buffer.
* @param x509_username_field Name of the field to load from
* @param cert Certificate to retrieve the common name from.
*
* @return \c FAILURE, \c or SUCCESS
*/
result_t x509_get_username (char *common_name, int cn_len,
char * x509_username_field, x509_cert_t *peer_cert);
/*
* Return the certificate's serial number.
*
* The serial number is returned as a string, since it might be a bignum.
* The returned string must be freed with \c verify_free_serial()
*
* @param cert Certificate to retrieve the serial number from.
*
* @return The certificate's serial number.
*/
char *x509_get_serial (x509_cert_t *cert);
/*
* Free a serial number string as returned by \c verify_get_serial()
*
* @param serial The string to be freed.
*/
void x509_free_serial (char *serial);
/*
* Save X509 fields to environment, using the naming convention:
*
* X509_{cert_depth}_{name}={value}
*
* @param es Environment set to save variables in
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for
*/
void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
#ifdef ENABLE_X509_TRACK
/*
* Start tracking the given attribute.
*
* The tracked attributes are stored in ll_head.
*
* @param ll_head The x509_track to store tracked atttributes in
* @param name Name of the attribute to track
* @param msglevel Message level for errors
* @param gc Garbage collection arena for temp data
*
*/
void x509_track_add (const struct x509_track **ll_head, const char *name,
int msglevel, struct gc_arena *gc);
/*
* Save X509 fields to environment, using the naming convention:
*
* X509_{cert_depth}_{name}={value}
*
* This function differs from setenv_x509 below in the following ways:
*
* (1) Only explicitly named attributes in xt are saved, per usage
* of --x509-track program options.
* (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
* flag is set in xt->flags (corresponds with prepending a '+'
* to the name when specified by --x509-track program option).
* (3) This function supports both X509 subject name fields as
* well as X509 V3 extensions.
*
* @param xt
* @param es Environment set to save variables in
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for
*/
void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
const int depth, x509_cert_t *x509);
#endif
/*
* Check X.509 Netscape certificate type field, if available.
*
* @param cert Certificate to check.
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
* or \c NS_CERT_CHECK_NONE.
*
* @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
* the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
/*
* Verify X.509 key usage extension field.
*
* @param cert Certificate to check.
* @param expected_ku Array of valid key usage values
* @param expected_len Length of the key usage array
*
* @return \c SUCCESS if one of the key usage values matches, \c FAILURE
* if key usage is not enabled, or the values do not match.
*/
result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
int expected_len);
/*
* Verify X.509 extended key usage extension field.
*
* @param cert Certificate to check.
* @param expected_oid String representation of the expected Object ID. May be
* either the string representation of the numeric OID
* (e.g. \c "1.2.3.4", or the descriptive string matching
* the OID.
*
* @return \c SUCCESS if one of the expected OID matches one of the
* extended key usage fields, \c FAILURE if extended key
* usage is not enabled, or the values do not match.
*/
result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
#endif
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
*
* @param cert Certificate to store
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
*
*
*/
result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
/*
* Check the certificate against a CRL file.
*
* @param crl_file File name of the CRL file
* @param cert Certificate to verify
* @param subject Subject of the given certificate
*
* @return \c SUCCESS if the CRL was not signed by the issuer of the
* certificate or does not contain an entry for it.
* \c FAILURE otherwise.
*/
result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
const char *subject);
#endif /* SSL_VERIFY_BACKEND_H_ */