OpenVPN
Enumerations | Functions
ssl_verify_backend.h File Reference

Control Channel Verification Module library-specific backend interface. More...

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Enumerations

enum  result_t { SUCCESS = 0 , FAILURE = 1 }
 Result of verification function. More...
 

Functions

result_t verify_cert (struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
 
void cert_hash_remember (struct tls_session *session, const int cert_depth, const struct buffer *cert_hash)
 
char * x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
struct buffer x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA1 fingerprint.
 
struct buffer x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 Retrieve the certificate's SHA256 fingerprint.
 
result_t backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert)
 
char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
char * backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 
result_t backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename)
 
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert)
 
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
 
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, openvpn_x509_cert_t *x509)
 
result_t x509_verify_ns_cert_type (openvpn_x509_cert_t *cert, const int usage)
 
result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned *const expected_ku, int expected_len)
 
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char *const expected_oid)
 
bool tls_verify_crl_missing (const struct tls_options *opt)
 Return true iff a CRL is configured, but is not loaded.
 

Detailed Description

Control Channel Verification Module library-specific backend interface.

Definition in file ssl_verify_backend.h.

Enumeration Type Documentation

◆ result_t

enum result_t

Result of verification function.

Enumerator
SUCCESS 
FAILURE 

Definition at line 36 of file ssl_verify_backend.h.

Function Documentation

◆ backend_x509_get_serial()

char * backend_x509_get_serial ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 298 of file ssl_verify_openssl.c.

References gc, and string_alloc().

Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().

◆ backend_x509_get_serial_hex()

char * backend_x509_get_serial_hex ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 317 of file ssl_verify_openssl.c.

References format_hex_ex(), and gc.

Referenced by verify_cert_set_env().

◆ backend_x509_get_username()

result_t backend_x509_get_username ( char *  common_name,
int  cn_len,
char *  x509_username_field,
openvpn_x509_cert_t peer_cert 
)

Referenced by verify_cert().

◆ backend_x509_write_pem()

result_t backend_x509_write_pem ( openvpn_x509_cert_t cert,
const char *  filename 
)

Definition at line 325 of file ssl_verify_openssl.c.

References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.

Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().

◆ cert_hash_remember()

void cert_hash_remember ( struct tls_session session,
const int  cert_depth,
const struct buffer cert_hash 
)

Definition at line 197 of file ssl_verify.c.

References ALLOC_OBJ, ALLOC_OBJ_CLEAR, ASSERT, BLEN, BPTR, MAX_CERT_DEPTH, and cert_hash::sha256_hash.

Referenced by verify_callback().

◆ tls_verify_crl_missing()

bool tls_verify_crl_missing ( const struct tls_options opt)

Return true iff a CRL is configured, but is not loaded.

This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)

Definition at line 790 of file ssl_verify_openssl.c.

References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, buffer::len, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.

Referenced by verify_cert().

◆ verify_cert()

result_t verify_cert ( struct tls_session session,
openvpn_x509_cert_t cert,
int  cert_depth 
)

Definition at line 590 of file ssl_verify.c.

References alloc_buf_gc(), ASSERT, backend_x509_get_username(), BLEN, BPTR, BSTR, buf_printf(), buffer::capacity, cleanup(), tls_options::crl_file, D_HANDSHAKE, D_TLS_ERRORS, tls_options::es, tls_options::export_peer_cert_dir, FAILURE, format_hex_ex(), gc, gc_free(), gc_new(), verify_hash_list::hash, buffer::len, M_WARN, MAX_CERT_DEPTH, max_int(), MD_SHA1, MD_SHA256, memcmp_constant_time(), msg, verify_hash_list::next, platform_create_temp_file(), tls_options::plugins, set_common_name(), setenv_untrusted(), tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, string_mod_remap_name(), string_replace_leading(), SUCCESS, tls_clear_error(), TLS_USERNAME_LEN, tls_verify_crl_missing(), verify_cert_call_command(), verify_cert_call_plugin(), verify_cert_cert_delete_env(), verify_cert_cert_export_env(), verify_cert_set_env(), verify_check_crl_dir(), tls_options::verify_command, tls_options::verify_hash, tls_options::verify_hash_algo, tls_options::verify_hash_depth, verify_peer_cert(), x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), x509_get_subject(), tls_options::x509_track, and tls_options::x509_username_field.

Referenced by verify_callback().

◆ x509_get_sha1_fingerprint()

struct buffer x509_get_sha1_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA1 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Referenced by verify_cert(), and verify_cert_set_env().

◆ x509_get_sha256_fingerprint()

struct buffer x509_get_sha256_fingerprint ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Retrieve the certificate's SHA256 fingerprint.

Parameters
certCertificate to retrieve the fingerprint from.
gcGarbage collection arena to use when allocating string.
Returns
a string containing the certificate fingerprint

Referenced by verify_cert(), and verify_cert_set_env().

◆ x509_get_subject()

char * x509_get_subject ( openvpn_x509_cert_t cert,
struct gc_arena gc 
)

Definition at line 69 of file test_pkcs11.c.

Referenced by verify_cert().

◆ x509_setenv()

void x509_setenv ( struct env_set es,
int  cert_depth,
openvpn_x509_cert_t cert 
)

Definition at line 553 of file ssl_verify_openssl.c.

References CC_CRLF, CC_PRINT, check_malloc_return(), es, buffer::len, setenv_str_incr(), and string_mod().

Referenced by verify_cert_set_env().

◆ x509_setenv_track()

void x509_setenv_track ( const struct x509_track xt,
struct env_set es,
const int  depth,
openvpn_x509_cert_t x509 
)

Referenced by verify_cert_set_env().

◆ x509_track_add()

void x509_track_add ( const struct x509_track **  ll_head,
const char *  name,
int  msglevel,
struct gc_arena gc 
)

Definition at line 424 of file ssl_verify_openssl.c.

References ALLOC_OBJ_CLEAR_GC, x509_track::flags, gc, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.

Referenced by add_option().

◆ x509_verify_cert_eku()

result_t x509_verify_cert_eku ( openvpn_x509_cert_t x509,
const char *const  expected_oid 
)

Referenced by verify_peer_cert().

◆ x509_verify_cert_ku()

result_t x509_verify_cert_ku ( openvpn_x509_cert_t x509,
const unsigned *const  expected_ku,
int  expected_len 
)

Referenced by verify_peer_cert().

◆ x509_verify_ns_cert_type()

result_t x509_verify_ns_cert_type ( openvpn_x509_cert_t cert,
const int  usage 
)

Definition at line 612 of file ssl_verify_openssl.c.

References FAILURE, buffer::len, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().

Referenced by verify_peer_cert().

Generated by doxygen 1.9.8