1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
29#ifndef SSL_VERIFY_H_
30#define SSL_VERIFY_H_
31
32#include "syshead.h"
33#include "misc.h"
34#include "ssl_common.h"
35
36/* Include OpenSSL-specific code */
37#ifdef ENABLE_CRYPTO_OPENSSL
38#include "ssl_verify_openssl.h"
39#endif
40#ifdef ENABLE_CRYPTO_MBEDTLS
41#include "ssl_verify_mbedtls.h"
42#endif
43
44#include "ssl_verify_backend.h"
45
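/*
 * Keep track of certificate hashes at various depths
 */

/** Maximum certificate depth we will allow. struct cert_hash_set holds at
 *  most this many per-depth hashes, so a chain longer than this cannot be
 *  fully tracked. */
#define MAX_CERT_DEPTH 16

/** Upper bound on the length of a username; presumably the limit enforced
 *  by ssl_verify_username_length() -- confirm in ssl_verify.c. */
#define TLS_USERNAME_LEN 64
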
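/** Structure containing the hash for a single certificate. */
struct cert_hash
{
    unsigned char sha256_hash[256 / 8]; /**< SHA-256 fingerprint of the certificate, 32 raw bytes */
};
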
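/** Structure containing the hashes for a full certificate chain. */
struct cert_hash_set
{
    struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes, one slot per chain depth (see MAX_CERT_DEPTH) */
};
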
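/* Subject-matching modes for X.509 name verification (presumably the
 * modes of --verify-x509-name; confirm against the checks in ssl_verify.c). */
#define VERIFY_X509_NONE 0               /**< no subject check */
#define VERIFY_X509_SUBJECT_DN 1         /**< match the full subject DN */
#define VERIFY_X509_SUBJECT_RDN 2        /**< match a single RDN */
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3 /**< match a single RDN by prefix */
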
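/** Outcome of authenticating the peer of a tunnel. */
enum tls_auth_status
{
    TLS_AUTHENTICATION_SUCCEEDED, /**< Authentication succeeded */
    TLS_AUTHENTICATION_FAILED,    /**< Authentication failed */
    TLS_AUTHENTICATION_DEFERRED   /**< Authentication deferred, result not yet known */
};

/**
 * Return current session authentication state of the tls_multi structure.
 * Only TLS_AUTHENTICATION_SUCCEEDED means the session is authenticated;
 * callers should treat every other value as "not (yet) authenticated".
 *
 * @param multi  the tunnel whose authentication state is queried
 * @return       one of enum tls_auth_status
 */
enum tls_auth_status tls_authentication_status(struct tls_multi *multi);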
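/**
 * True when key state @p ks has progressed far enough to be treated as
 * authenticated. The threshold is S_GOT_KEY lowered by (multi)->opt.server,
 * i.e. one state earlier on a server (opt.server == 1) than on a client.
 * Any change to this expression should be reviewed together with
 * tls_authentication_status(): a lower threshold admits traffic earlier.
 */
#define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))

/**
 * Remove the given key state's auth deferred status auth control file,
 * if it exists.
 *
 * @param ads  deferred-auth status whose control file is removed
 */
void key_state_rm_auth_control_files(struct auth_deferred_status *ads);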
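/**
 * Frees the given set of certificate hashes.
 *
 * @param chs  the set to free (ownership of chs and its entries is taken)
 */
void cert_hash_free(struct cert_hash_set *chs);

/**
 * Locks the certificate hash set used in the given tunnel, presumably so
 * that a later renegotiation cannot present a different certificate chain
 * -- confirm in ssl_verify.c.
 *
 * @param multi  the tunnel whose certificate hash set is locked
 */
void tls_lock_cert_hash_set(struct tls_multi *multi);

/**
 * Locks the common name field for the given tunnel, presumably so that the
 * peer identity cannot change for the lifetime of the tunnel -- confirm in
 * ssl_verify.c.
 *
 * @param multi  the tunnel whose common name is locked
 */
void tls_lock_common_name(struct tls_multi *multi);

/**
 * Returns the common name field for the given tunnel.
 *
 * @param multi  the tunnel to query
 * @param null   controls what is returned when no common name is set
 *               (NOTE(review): presumably NULL vs. a placeholder string;
 *               confirm in ssl_verify.c)
 * @return       the common name, owned by @p multi; do not free
 */
const char *tls_common_name(const struct tls_multi *multi, const bool null);


/**
 * Sets the common name field for the given session.
 *
 * @param session      the session whose common name is set
 * @param common_name  the new common name
 */
void set_common_name(struct tls_session *session, const char *common_name);

/**
 * Returns the username field for the given tunnel.
 *
 * @param multi  the tunnel to query
 * @param null   controls what is returned when no username is set
 *               (NOTE(review): same convention as tls_common_name(); confirm)
 * @return       the username, owned by @p multi; do not free
 */
const char *tls_username(const struct tls_multi *multi, const bool null);

/**
 * Compares certificate hashes, returns true if hashes are equal.
 *
 * @param chs1  first hash set
 * @param chs2  second hash set
 * @return      true if the two sets are equal
 */
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);

/**
 * Verify the given username and password, using either an external script,
 * a plugin, or another configured backend (see ssl_verify.c for the list).
 *
 * @param up       the username/password pair to verify
 * @param multi    the tunnel the peer belongs to
 * @param session  the session being authenticated
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session);


/**
 * Checks if the username length is valid to use.
 *
 * @param session   the session the username belongs to
 * @param username  the username to check
 * @return          true if the length is acceptable
 */
bool ssl_verify_username_length(struct tls_session *session, const char *username);

/**
 * Runs the --client-crresponse script if one is defined.
 *
 * @param multi        the tunnel the response belongs to
 * @param cr_response  the challenge/response text received from the client
 */
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response);

/**
 * Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
 *
 * @param multi        the tunnel the response belongs to
 * @param cr_response  the challenge/response text received from the client
 */
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);

/**
 * Perform final authentication checks, including locking of the cn and the
 * allowed certificate hashes, so that these cannot change for the rest of
 * the tunnel's lifetime.
 *
 * @param multi    the tunnel being finalized
 * @param session  the session that was just authenticated
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
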
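/**
 * One entry in a linked list of X.509 attributes to track, presumably the
 * attributes selected with --x509-track for export as X509_* environment
 * variables -- confirm in ssl_verify.c.
 */
struct x509_track
{
    const struct x509_track *next; /**< next entry; presumably NULL ends the list */
    const char *name;              /**< attribute name as configured */
#define XT_FULL_CHAIN (1 << 0)     /**< flag: presumably track the attribute on every cert in the chain, not only the leaf */
    unsigned int flags;            /**< bitmask of XT_* flags */
    int nid;                       /**< numeric identifier of the attribute -- NOTE(review): presumably a library NID resolved from name; confirm */
};
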
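/*
 * Certificate checking for verify_nsCertType
 */
#define NS_CERT_CHECK_NONE (0)        /**< do not check the nsCertType extension */
#define NS_CERT_CHECK_SERVER (1 << 0) /**< require the peer certificate to be marked as a server cert */
#define NS_CERT_CHECK_CLIENT (1 << 1) /**< require the peer certificate to be marked as a client cert */

/**
 * Sentinel for the key-usage check. NOTE(review): presumably means "a key
 * usage extension must be present, any value accepted" rather than a
 * literal key-usage bitmask -- confirm in ssl_verify.c before relying on it.
 */
#define OPENVPN_KU_REQUIRED (0xFFFF)
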
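#ifdef ENABLE_MANAGEMENT
/**
 * Record an authentication verdict received over the management interface
 * for a key state of the tunnel. NOTE(review): presumably the counterpart
 * of a deferred authentication; confirm in ssl_verify.c.
 *
 * @param multi          the tunnel the verdict applies to
 * @param mda_key_id     identifier of the key state being decided
 * @param auth           true to accept the client, false to reject it
 * @param client_reason  reason string reported to the client on rejection
 *                       (NOTE(review): whether NULL is accepted is not
 *                       visible here)
 * @return               true on success -- TODO confirm the exact meaning
 */
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth,
                          const char *client_reason);

#endif

/**
 * Sets the reason why authentication of a client failed. The string is the
 * error message sent to the client on AUTH_FAILED, so it should not contain
 * anything that must not be disclosed to an unauthenticated peer.
 *
 * @param multi          the tunnel whose client_reason is set
 * @param client_reason  the reason text (NOTE(review): whether NULL clears
 *                       the field is not visible here)
 */
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason);
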
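/**
 * Returns the client_reason string currently stored on the tunnel (the
 * error message sent to the client on AUTH_FAILED); may be NULL if none
 * has been set. The pointer is owned by @p multi and must not be freed.
 *
 * @param multi  the tunnel to query
 * @return       the stored reason string or NULL
 */
static inline const char *
tls_client_reason(struct tls_multi *multi)
{
    return multi->client_reason;
}
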
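/**
 * Remove any X509_ env variables from env_set es, presumably so that values
 * exported for an earlier certificate do not persist into scripts or plugins
 * run for a later one -- confirm in ssl_verify.c.
 *
 * @param es  the environment set to scrub
 */
void tls_x509_clear_env(struct env_set *es);
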
286#endif /* SSL_VERIFY_H_ */