"Fossies" - the Fresh Open Source Software Archive

Member "openvpn-2.4.7/src/openvpn/ssl_verify_backend.h" (20 Feb 2019, 10158 Bytes) of package /windows/misc/openvpn-2.4.7.zip:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "ssl_verify_backend.h" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report: 2.4.4_vs_2.4.5.

    1 /*
    2  *  OpenVPN -- An application to securely tunnel IP networks
    3  *             over a single TCP/UDP port, with support for SSL/TLS-based
    4  *             session authentication and key exchange,
    5  *             packet encryption, packet authentication, and
    6  *             packet compression.
    7  *
    8  *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
    9  *  Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
   10  *
   11  *  This program is free software; you can redistribute it and/or modify
   12  *  it under the terms of the GNU General Public License version 2
   13  *  as published by the Free Software Foundation.
   14  *
   15  *  This program is distributed in the hope that it will be useful,
   16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
   17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18  *  GNU General Public License for more details.
   19  *
   20  *  You should have received a copy of the GNU General Public License along
   21  *  with this program; if not, write to the Free Software Foundation, Inc.,
   22  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
   23  */
   24 
   25 /**
   26  * @file Control Channel Verification Module library-specific backend interface
   27  */
   28 
   29 #ifndef SSL_VERIFY_BACKEND_H_
   30 #define SSL_VERIFY_BACKEND_H_
   31 
/**
 * Result of a verification function.
 *
 * Note that \c SUCCESS is 0 and \c FAILURE is non-zero: a result_t must be
 * compared against \c SUCCESS / \c FAILURE explicitly and never tested as a
 * boolean, since a "truthy" value here means the check failed.
 */
typedef enum
{
    SUCCESS = 0,
    FAILURE = 1
} result_t;
   36 
/*
 * Backend support functions.
 *
 * The following functions are called by the library-specific backend but are
 * defined in the main, library-independent verification file rather than in
 * the backend itself.
 */
   43 
/**
 * Verify certificate for the given session. Performs the OpenVPN-specific
 * verification checks for one certificate of the peer's chain.
 *
 * This function must be called for every certificate in the certificate
 * chain during the certificate verification stage of the handshake, so that
 * no certificate in the chain escapes the OpenVPN-specific checks.
 *
 * NOTE(review): a \c FAILURE result is expected to make the backend's verify
 * callback abort the handshake rather than be treated as advisory — confirm
 * in each backend. Since \c SUCCESS is 0, compare the result against
 * \c SUCCESS / \c FAILURE explicitly; do not test it as a boolean.
 *
 * @param session       TLS Session associated with this tunnel
 * @param cert          Certificate to process
 * @param cert_depth    Depth of the current certificate in the chain
 *                      (depth 0 is presumably the peer's own certificate —
 *                      confirm against the caller)
 *
 * @return              \c SUCCESS if verification was successful, \c FAILURE on failure.
 */
result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth);
   58 
/**
 * Remember the given certificate hash, allowing the certificate chain to be
 * locked between sessions.
 *
 * Must be called for every certificate in the verification chain, whether it
 * is valid or not, so that the remembered chain is complete.
 *
 * @param session       TLS Session associated with this tunnel
 * @param cert_depth    Depth of the current certificate
 * @param cert_hash     Hash of the current certificate. NOTE(review): whether
 *                      the buffer contents are copied or only referenced is
 *                      not visible here — confirm before passing a
 *                      short-lived buffer.
 */
void cert_hash_remember(struct tls_session *session, const int cert_depth,
                        const struct buffer *cert_hash);
   72 
/*
 * Library-specific functions.
 *
 * The following functions must be implemented by each TLS library backend
 * (one implementation per supported library).
 */
   78 
/**
 * Retrieve certificate's subject name.
 *
 * NOTE(review): the subject is peer-supplied data; treat the returned string
 * as untrusted if it is logged or exported to scripts.
 *
 * @param cert          Certificate to retrieve the subject from.
 * @param gc            Garbage collection arena to use when allocating string.
 *
 * @return              a string containing the subject, owned by \p gc
 */
char *x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc);
   88 
/**
 * Retrieve the certificate's SHA-1 fingerprint.
 *
 * NOTE(review): SHA-1 is no longer collision resistant; prefer
 * x509_get_sha256_fingerprint() wherever a fingerprint is compared or pinned.
 *
 * @param cert          Certificate to retrieve the fingerprint from.
 * @param gc            Garbage collection arena to use when allocating the
 *                      returned buffer.
 *
 * @return              a \c struct \c buffer holding the fingerprint (storage
 *                      owned by \p gc), not a plain C string
 */
struct buffer x509_get_sha1_fingerprint(openvpn_x509_cert_t *cert,
                                        struct gc_arena *gc);
   99 
/**
 * Retrieve the certificate's SHA-256 fingerprint.
 *
 * This is the fingerprint to use for any comparison or pinning; the SHA-1
 * variant above is weaker.
 *
 * @param cert          Certificate to retrieve the fingerprint from.
 * @param gc            Garbage collection arena to use when allocating the
 *                      returned buffer.
 *
 * @return              a \c struct \c buffer holding the fingerprint (storage
 *                      owned by \p gc), not a plain C string
 */
struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
                                          struct gc_arena *gc);
  110 
/**
 * Retrieve the certificate's username from the specified field.
 *
 * If the field name is prefixed with "ext:" and ENABLE_X509ALTUSERNAME is
 * enabled, the value is loaded from an X.509 extension instead of a subject
 * name field.
 *
 * @param common_name           Buffer to return the username in.
 * @param cn_len                Length of the \p common_name buffer.
 *                              NOTE(review): the backend is expected to bound
 *                              its write by this and NUL-terminate — confirm
 *                              in each implementation.
 * @param x509_username_field   Name of the field to load from
 * @param peer_cert             Certificate to retrieve the username from.
 *
 * @return              \c SUCCESS if the username was retrieved,
 *                      \c FAILURE otherwise
 */
result_t backend_x509_get_username(char *common_name, int cn_len,
                                   char *x509_username_field, openvpn_x509_cert_t *peer_cert);
  126 
#ifdef ENABLE_X509ALTUSERNAME
/**
 * Return true iff the supplied extension field is supported by the
 * --x509-username-field option.
 *
 * @param extname       Name of the X.509 extension (presumably the part
 *                      after the "ext:" prefix — confirm against the caller)
 */
bool x509_username_field_ext_supported(const char *extname);
#endif
  134 
/**
 * Return the certificate's serial number in decimal string representation.
 *
 * The serial number is returned as a string, since it might be a bignum.
 *
 * @param cert          Certificate to retrieve the serial number from.
 * @param gc            Garbage collection arena to use when allocating string.
 *
 * @return              String representation of the certificate's serial number
 *                      in decimal notation, or NULL on error. Callers must
 *                      check for NULL before using the result.
 */
char *backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc);
  147 
/**
 * Return the certificate's serial number in hex string representation.
 *
 * The serial number is returned as a string, since it might be a bignum.
 *
 * @param cert          Certificate to retrieve the serial number from.
 * @param gc            Garbage collection arena to use when allocating string.
 *
 * @return              String representation of the certificate's serial number
 *                      in hex notation, or NULL on error. Callers must check
 *                      for NULL before using the result.
 */
char *backend_x509_get_serial_hex(openvpn_x509_cert_t *cert,
                                  struct gc_arena *gc);
  161 
/**
 * Save X509 fields to environment, using the naming convention:
 *
 * X509_{cert_depth}_{name}={value}
 *
 * NOTE(review): the values come from the peer's certificate, i.e. untrusted
 * input, and the environment set is presumably consumed by scripts and
 * plugins; any filtering of unsafe characters has to happen here or in the
 * env_set code — confirm in each backend.
 *
 * @param es            Environment set to save variables in
 * @param cert_depth    Depth of the certificate (used in the variable name)
 * @param cert          Certificate to set the environment for
 */
void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert);
  172 
/**
 * Start tracking the given attribute.
 *
 * The tracked attributes are stored in the list headed by ll_head.
 *
 * @param ll_head       Address of the x509_track list head to store tracked
 *                      attributes in (passed by address, presumably so a new
 *                      entry can be linked in — confirm)
 * @param name          Name of the attribute to track
 * @param msglevel      Message level for errors
 * @param gc            Garbage collection arena for temp data
 *
 */
void x509_track_add(const struct x509_track **ll_head, const char *name,
                    int msglevel, struct gc_arena *gc);
  186 
/**
 * Save X509 fields to environment, using the naming convention:
 *
 *  X509_{cert_depth}_{name}={value}
 *
 * This function differs from x509_setenv() above in the following ways:
 *
 * (1) Only explicitly named attributes in xt are saved, per usage
 *     of --x509-track program options.
 * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
 *     flag is set in xt->flags (corresponds with prepending a '+'
 *     to the name when specified by --x509-track program option).
 * (3) This function supports both X509 subject name fields as
 *     well as X509 V3 extensions.
 *
 * NOTE(review): as with x509_setenv(), the exported values are
 * peer-supplied data — confirm where they are sanitized.
 *
 * @param xt            List of attributes to track, as built by
 *                      x509_track_add()
 * @param es            Environment set to save variables in
 * @param depth         Depth of the certificate
 * @param x509          Certificate to set the environment for
 */
void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
                       const int depth, openvpn_x509_cert_t *x509);
  209 
/**
 * Check X.509 Netscape certificate type field, if available.
 *
 * @param cert          Certificate to check.
 * @param usage         One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
 *                      or \c NS_CERT_CHECK_NONE.
 *
 * @return              \c SUCCESS if \c NS_CERT_CHECK_NONE was requested or if
 *                      the certificate has the expected bit set. \c FAILURE if
 *                      the certificate does not have an NS cert type extension
 *                      or has the wrong bit set (i.e. a missing extension
 *                      fails closed when a check was requested).
 */
result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
  222 
/**
 * Verify X.509 key usage extension field.
 *
 * @param x509          Certificate to check.
 * @param expected_ku   Array of acceptable key usage values
 * @param expected_len  Number of entries in \p expected_ku
 *
 * @return              \c SUCCESS if one of the key usage values matches, \c FAILURE
 *                      if key usage is not enabled (the extension is absent)
 *                      or none of the values match — a missing extension fails
 *                      closed.
 */
result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku,
                             int expected_len);
  235 
/**
 * Verify X.509 extended key usage extension field.
 *
 * @param x509          Certificate to check.
 * @param expected_oid  String representation of the expected Object ID. May be
 *                      either the string representation of the numeric OID
 *                      (e.g. \c "1.2.3.4") or the descriptive string matching
 *                      the OID.
 *
 * @return              \c SUCCESS if the expected OID matches one of the
 *                      extended key usage fields, \c FAILURE if extended key
 *                      usage is not enabled (the extension is absent) or no
 *                      value matches — a missing extension fails closed.
 */
result_t x509_verify_cert_eku(openvpn_x509_cert_t *x509, const char *const expected_oid);
  250 
/**
 * Write the given certificate in PEM format to an already-open stream.
 *
 * The stream is supplied by the caller, so the caller is responsible for
 * creating the file securely (location, permissions, not following symlinks)
 * and, presumably, for closing it afterwards — confirm against the caller.
 *
 * @param peercert_file Open, writable stream to write the PEM data to
 * @param peercert      Certificate to write
 *
 * @return              NOTE(review): undocumented in the original; presumably
 *                      \c SUCCESS if the certificate was written and
 *                      \c FAILURE otherwise — confirm in each backend.
 */
result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
  261 
/**
 * Return true iff a CRL is configured, but is not loaded.  This can be caused
 * by e.g. a CRL parsing error, a missing CRL file or CRL file permission
 * errors.  (These conditions are checked upon startup, but the CRL might be
 * updated and reloaded during runtime.)
 *
 * NOTE(review): a true result means revocation checking is unavailable even
 * though it was requested; callers are expected to fail closed and reject
 * the peer rather than verify without the CRL — confirm in the caller.
 *
 * @param opt           TLS options holding the CRL configuration and state
 *
 * @return              true if a CRL is configured but not loaded, false
 *                      otherwise
 */
bool tls_verify_crl_missing(const struct tls_options *opt);
  269 
  270 #endif /* SSL_VERIFY_BACKEND_H_ */