mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
8a840d832e
- Now return either SUCCESS or FAILURE. - SUCCESS is defined as 0. Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
273 lines
8.5 KiB
C
273 lines
8.5 KiB
C
/*
|
|
* OpenVPN -- An application to securely tunnel IP networks
|
|
* over a single TCP/UDP port, with support for SSL/TLS-based
|
|
* session authentication and key exchange,
|
|
* packet encryption, packet authentication, and
|
|
* packet compression.
|
|
*
|
|
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
|
* Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program (see the file COPYING included with this
|
|
* distribution); if not, write to the Free Software Foundation, Inc.,
|
|
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
/**
|
|
* @file Control Channel Verification Module library-specific backend interface
|
|
*/
|
|
|
|
#ifndef SSL_VERIFY_BACKEND_H_
|
|
#define SSL_VERIFY_BACKEND_H_
|
|
|
|
/**
|
|
* Result of verification function
|
|
*/
|
|
typedef enum { SUCCESS=0, FAILURE=1 } result_t;
|
|
|
|
/*
|
|
* Backend support functions.
|
|
*
|
|
* The following functions are needed by the backend, but defined in the main
|
|
* file.
|
|
*/
|
|
|
|
/*
|
|
* Verify certificate for the given session. Performs OpenVPN-specific
|
|
* verification.
|
|
*
|
|
* This function must be called for every certificate in the certificate
|
|
* chain during the certificate verification stage of the handshake.
|
|
*
|
|
* @param session TLS Session associated with this tunnel
|
|
* @param cert Certificate to process
|
|
* @param cert_depth Depth of the current certificate
|
|
*
|
|
* @return \c SUCCESS if verification was successful, \c FAILURE on failure.
|
|
*/
|
|
result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
|
|
|
|
/*
|
|
* Remember the given certificate hash, allowing the certificate chain to be
|
|
* locked between sessions.
|
|
*
|
|
* Must be called for every certificate in the verification chain, whether it
|
|
* is valid or not.
|
|
*
|
|
* @param session TLS Session associated with this tunnel
|
|
* @param cert_depth Depth of the current certificate
|
|
* @param sha1_hash Hash of the current certificate
|
|
*/
|
|
void cert_hash_remember (struct tls_session *session, const int cert_depth,
|
|
const unsigned char *sha1_hash);
|
|
|
|
/*
|
|
* Library-specific functions.
|
|
*
|
|
* The following functions must be implemented on a library-specific basis.
|
|
*/
|
|
|
|
/*
|
|
* Retrieve certificate's subject name.
|
|
*
|
|
* The returned string must be freed with \c verify_free_subject()
|
|
*
|
|
* @param cert Certificate to retrieve the subject from.
|
|
*
|
|
* @return a string containing the subject
|
|
*/
|
|
char *x509_get_subject (x509_cert_t *cert);
|
|
|
|
/*
|
|
* Free a subject string as returned by \c verify_get_subject()
|
|
*
|
|
* @param subject The subject to be freed.
|
|
*/
|
|
void x509_free_subject (char *subject);
|
|
|
|
/* Retrieve the certificate's SHA1 hash.
|
|
*
|
|
* The returned string must be freed with \c verify_free_sha1_hash()
|
|
*
|
|
* @param cert Certificate to retrieve the hash from.
|
|
*
|
|
* @return a string containing the SHA1 hash of the certificate
|
|
*/
|
|
unsigned char *x509_get_sha1_hash (x509_cert_t *cert);
|
|
|
|
/*
|
|
* Free a hash as returned by \c verify_get_hash()
|
|
*
|
|
* @param hash The subject to be freed.
|
|
*/
|
|
void x509_free_sha1_hash (unsigned char *hash);
|
|
|
|
/*
|
|
* Retrieve the certificate's username from the specified field.
|
|
*
|
|
* If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled,
|
|
* it will be loaded from an X.509 extension
|
|
*
|
|
* @param cn Buffer to return the common name in.
|
|
* @param cn_len Length of the cn buffer.
|
|
* @param x509_username_field Name of the field to load from
|
|
* @param cert Certificate to retrieve the common name from.
|
|
*
|
|
* @return \c FAILURE, \c or SUCCESS
|
|
*/
|
|
result_t x509_get_username (char *common_name, int cn_len,
|
|
char * x509_username_field, x509_cert_t *peer_cert);
|
|
|
|
/*
|
|
* Return the certificate's serial number.
|
|
*
|
|
* The serial number is returned as a string, since it might be a bignum.
|
|
* The returned string must be freed with \c verify_free_serial()
|
|
*
|
|
* @param cert Certificate to retrieve the serial number from.
|
|
*
|
|
* @return The certificate's serial number.
|
|
*/
|
|
char *x509_get_serial (x509_cert_t *cert);
|
|
|
|
/*
|
|
* Free a serial number string as returned by \c verify_get_serial()
|
|
*
|
|
* @param serial The string to be freed.
|
|
*/
|
|
void x509_free_serial (char *serial);
|
|
|
|
/*
|
|
* Save X509 fields to environment, using the naming convention:
|
|
*
|
|
* X509_{cert_depth}_{name}={value}
|
|
*
|
|
* @param es Environment set to save variables in
|
|
* @param cert_depth Depth of the certificate
|
|
* @param cert Certificate to set the environment for
|
|
*/
|
|
void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
|
|
|
|
#ifdef ENABLE_X509_TRACK
|
|
|
|
/*
|
|
* Start tracking the given attribute.
|
|
*
|
|
* The tracked attributes are stored in ll_head.
|
|
*
|
|
* @param ll_head The x509_track to store tracked atttributes in
|
|
* @param name Name of the attribute to track
|
|
* @param msglevel Message level for errors
|
|
* @param gc Garbage collection arena for temp data
|
|
*
|
|
*/
|
|
void x509_track_add (const struct x509_track **ll_head, const char *name,
|
|
int msglevel, struct gc_arena *gc);
|
|
|
|
/*
|
|
* Save X509 fields to environment, using the naming convention:
|
|
*
|
|
* X509_{cert_depth}_{name}={value}
|
|
*
|
|
* This function differs from setenv_x509 below in the following ways:
|
|
*
|
|
* (1) Only explicitly named attributes in xt are saved, per usage
|
|
* of --x509-track program options.
|
|
* (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
|
|
* flag is set in xt->flags (corresponds with prepending a '+'
|
|
* to the name when specified by --x509-track program option).
|
|
* (3) This function supports both X509 subject name fields as
|
|
* well as X509 V3 extensions.
|
|
*
|
|
* @param xt
|
|
* @param es Environment set to save variables in
|
|
* @param cert_depth Depth of the certificate
|
|
* @param cert Certificate to set the environment for
|
|
*/
|
|
void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
|
|
const int depth, x509_cert_t *x509);
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Check X.509 Netscape certificate type field, if available.
|
|
*
|
|
* @param cert Certificate to check.
|
|
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
|
|
* or \c NS_CERT_CHECK_NONE.
|
|
*
|
|
* @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
|
|
* the expected bit set. \c FAILURE if the certificate does
|
|
* not have NS cert type verification or the wrong bit set.
|
|
*/
|
|
result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
|
|
|
|
/*
|
|
* Verify X.509 key usage extension field.
|
|
*
|
|
* @param cert Certificate to check.
|
|
* @param expected_ku Array of valid key usage values
|
|
* @param expected_len Length of the key usage array
|
|
*
|
|
* @return \c SUCCESS if one of the key usage values matches, \c FAILURE
|
|
* if key usage is not enabled, or the values do not match.
|
|
*/
|
|
result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
|
|
int expected_len);
|
|
|
|
/*
|
|
* Verify X.509 extended key usage extension field.
|
|
*
|
|
* @param cert Certificate to check.
|
|
* @param expected_oid String representation of the expected Object ID. May be
|
|
* either the string representation of the numeric OID
|
|
* (e.g. \c "1.2.3.4", or the descriptive string matching
|
|
* the OID.
|
|
*
|
|
* @return \c SUCCESS if one of the expected OID matches one of the
|
|
* extended key usage fields, \c FAILURE if extended key
|
|
* usage is not enabled, or the values do not match.
|
|
*/
|
|
result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Store the given certificate in pem format in a temporary file in tmp_dir
|
|
*
|
|
* @param cert Certificate to store
|
|
* @param tmp_dir Temporary directory to store the directory
|
|
* @param gc gc_arena to store temporary objects in
|
|
*
|
|
*
|
|
*/
|
|
result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
|
|
|
|
/*
|
|
* Check the certificate against a CRL file.
|
|
*
|
|
* @param crl_file File name of the CRL file
|
|
* @param cert Certificate to verify
|
|
* @param subject Subject of the given certificate
|
|
*
|
|
* @return \c SUCCESS if the CRL was not signed by the issuer of the
|
|
* certificate or does not contain an entry for it.
|
|
* \c FAILURE otherwise.
|
|
*/
|
|
result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
|
|
const char *subject);
|
|
|
|
#endif /* SSL_VERIFY_BACKEND_H_ */
|