Control Channel Verification Module OpenSSL implementation. More...
#include "syshead.h"#include "ssl_verify_openssl.h"#include "error.h"#include "ssl_openssl.h"#include "ssl_verify.h"#include "ssl_verify_backend.h"#include "openssl_compat.h"#include <openssl/bn.h>#include <openssl/err.h>#include <openssl/x509v3.h>
Go to the source code of this file.
Functions | |
| int | verify_callback (int preverify_ok, X509_STORE_CTX *ctx) |
| Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel. | |
| static result_t | extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) |
| result_t | backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert) |
| char * | backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| char * | backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| result_t | backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename) |
| struct buffer | x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc) |
| struct buffer | x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc) |
| char * | x509_get_subject (X509 *cert, struct gc_arena *gc) |
| void | x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) |
| static void | do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) |
| void | x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) |
| void | x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) |
| result_t | x509_verify_ns_cert_type (openvpn_x509_cert_t *peer_cert, const int usage) |
| result_t | x509_verify_cert_ku (X509 *x509, const unsigned *const expected_ku, int expected_len) |
| result_t | x509_verify_cert_eku (X509 *x509, const char *const expected_oid) |
| bool | tls_verify_crl_missing (const struct tls_options *opt) |
| Return true iff a CRL is configured, but is not loaded. | |
Detailed Description
Control Channel Verification Module OpenSSL implementation.
Definition in file ssl_verify_openssl.c.
Function Documentation
◆ backend_x509_get_serial()
| char * backend_x509_get_serial | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 298 of file ssl_verify_openssl.c.
References gc, and string_alloc().
Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().
◆ backend_x509_get_serial_hex()
| char * backend_x509_get_serial_hex | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 317 of file ssl_verify_openssl.c.
References format_hex_ex(), and gc.
Referenced by verify_cert_set_env().
◆ backend_x509_get_username()
| result_t backend_x509_get_username | ( | char * | common_name, |
| int | cn_len, | ||
| char * | x509_username_field, | ||
| X509 * | peer_cert | ||
| ) |
Definition at line 260 of file ssl_verify_openssl.c.
References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc, gc_free(), gc_new(), buffer::len, and SUCCESS.
◆ backend_x509_write_pem()
| result_t backend_x509_write_pem | ( | openvpn_x509_cert_t * | cert, |
| const char * | filename | ||
| ) |
Definition at line 325 of file ssl_verify_openssl.c.
References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.
Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().
◆ do_setenv_x509()
|
static |
Definition at line 448 of file ssl_verify_openssl.c.
References CC_ANY, CC_CRLF, check_malloc_return(), D_X509_ATTR, es, msg, x509_track::name, setenv_str(), and string_mod().
Referenced by x509_setenv_track().
◆ extract_x509_field_ssl()
|
static |
Definition at line 202 of file ssl_verify_openssl.c.
References ASSERT, D_TLS_ERRORS, FAILURE, buffer::len, msg, strncpynt(), and SUCCESS.
Referenced by backend_x509_get_username().
◆ tls_verify_crl_missing()
| bool tls_verify_crl_missing | ( | const struct tls_options * | opt | ) |
Return true iff a CRL is configured, but is not loaded.
This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)
Definition at line 790 of file ssl_verify_openssl.c.
References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, buffer::len, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.
Referenced by verify_cert().
◆ x509_get_sha1_fingerprint()
Definition at line 348 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.
Referenced by x509_setenv_track().
◆ x509_get_sha256_fingerprint()
Definition at line 358 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.
Referenced by verify_callback(), and x509_setenv_track().
◆ x509_get_subject()
| char * x509_get_subject | ( | X509 * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 368 of file ssl_verify_openssl.c.
References gc, gc_malloc(), and buffer::len.
Referenced by verify_callback().
◆ x509_setenv()
| void x509_setenv | ( | struct env_set * | es, |
| int | cert_depth, | ||
| openvpn_x509_cert_t * | peer_cert | ||
| ) |
Definition at line 553 of file ssl_verify_openssl.c.
References CC_CRLF, CC_PRINT, check_malloc_return(), es, buffer::len, setenv_str_incr(), and string_mod().
Referenced by verify_cert_set_env().
◆ x509_setenv_track()
| void x509_setenv_track | ( | const struct x509_track * | xt, |
| struct env_set * | es, | ||
| const int | depth, | ||
| X509 * | x509 | ||
| ) |
Definition at line 464 of file ssl_verify_openssl.c.
References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc, gc_free(), gc_new(), buffer::len, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.
◆ x509_track_add()
| void x509_track_add | ( | const struct x509_track ** | ll_head, |
| const char * | name, | ||
| int | msglevel, | ||
| struct gc_arena * | gc | ||
| ) |
Definition at line 424 of file ssl_verify_openssl.c.
References ALLOC_OBJ_CLEAR_GC, x509_track::flags, gc, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.
Referenced by add_option().
◆ x509_verify_cert_eku()
| result_t x509_verify_cert_eku | ( | X509 * | x509, |
| const char *const | expected_oid | ||
| ) |
Definition at line 740 of file ssl_verify_openssl.c.
References D_HANDSHAKE, FAILURE, buffer::len, msg, and SUCCESS.
◆ x509_verify_cert_ku()
| result_t x509_verify_cert_ku | ( | X509 * | x509, |
| const unsigned *const | expected_ku, | ||
| int | expected_len | ||
| ) |
Definition at line 679 of file ssl_verify_openssl.c.
References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, buffer::len, msg, OPENVPN_KU_REQUIRED, and SUCCESS.
◆ x509_verify_ns_cert_type()
| result_t x509_verify_ns_cert_type | ( | openvpn_x509_cert_t * | peer_cert, |
| const int | usage | ||
| ) |
Definition at line 612 of file ssl_verify_openssl.c.
References FAILURE, buffer::len, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().
Referenced by verify_peer_cert().
