ssl_verify.h

Go to the documentation of this file.

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, see <https://www.gnu.org/licenses/>.
 */
 
#ifndef SSL_VERIFY_H_
#define SSL_VERIFY_H_
 
#include "syshead.h"
#include "misc.h"
#include "ssl_common.h"
 
/* Include OpenSSL-specific code */
#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_verify_openssl.h"
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
#include "ssl_verify_mbedtls.h"
#endif
 
#include "ssl_verify_backend.h"
 
/*
 * Keep track of certificate hashes at various depths
 */
 
#define MAX_CERT_DEPTH 16
 
#define TLS_USERNAME_LEN 64
 
struct cert_hash
{
    unsigned char sha256_hash[256 / 8];
};
 
struct cert_hash_set
{
    struct cert_hash *ch[MAX_CERT_DEPTH]; 
};
 
#define VERIFY_X509_NONE               0
#define VERIFY_X509_SUBJECT_DN         1
#define VERIFY_X509_SUBJECT_RDN        2
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
 
enum tls_auth_status
{
    TLS_AUTHENTICATION_SUCCEEDED = 0,
    TLS_AUTHENTICATION_FAILED = 1,
    TLS_AUTHENTICATION_DEFERRED = 2
};
 
enum tls_auth_status tls_authentication_status(struct tls_multi *multi);
 
#define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
 
void key_state_rm_auth_control_files(struct auth_deferred_status *ads);
 
void cert_hash_free(struct cert_hash_set *chs);
 
void tls_lock_cert_hash_set(struct tls_multi *multi);
 
void tls_lock_common_name(struct tls_multi *multi);
 
const char *tls_common_name(const struct tls_multi *multi, const bool null);
 
 
void set_common_name(struct tls_session *session, const char *common_name);
 
const char *tls_username(const struct tls_multi *multi, const bool null);
 
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
 
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session);
 
 
bool ssl_verify_username_length(struct tls_session *session, const char *username);
 
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response);
 
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response);
 
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
 
struct x509_track
{
    const struct x509_track *next;
    const char *name;
#define XT_FULL_CHAIN (1 << 0)
    unsigned int flags;
    int nid;
};
 
/*
 * Certificate checking for verify_nsCertType
 */
#define NS_CERT_CHECK_NONE   (0)
#define NS_CERT_CHECK_SERVER (1 << 0)
#define NS_CERT_CHECK_CLIENT (1 << 1)
 
#define OPENVPN_KU_REQUIRED (0xFFFF)
 
/*
 * TODO: document
 */
#ifdef ENABLE_MANAGEMENT
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth,
                          const char *client_reason);
 
#endif
 
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason);
 
static inline const char *
tls_client_reason(struct tls_multi *multi)
{
    return multi->client_reason;
}
 
void tls_x509_clear_env(struct env_set *es);
 
#endif /* SSL_VERIFY_H_ */