Control Channel Verification Module OpenSSL implementation. More...
#include "syshead.h"#include "ssl_verify_openssl.h"#include "error.h"#include "ssl_openssl.h"#include "ssl_verify.h"#include "ssl_verify_backend.h"#include "openssl_compat.h"#include <openssl/bn.h>#include <openssl/err.h>#include <openssl/x509v3.h>
Go to the source code of this file.
Functions | |
| int | verify_callback (int preverify_ok, X509_STORE_CTX *ctx) |
| Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel. | |
| static result_t | extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) |
| result_t | backend_x509_get_username (char *common_name, int cn_len, char *x509_username_field, X509 *peer_cert) |
| char * | backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| char * | backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
| result_t | backend_x509_write_pem (openvpn_x509_cert_t *cert, const char *filename) |
| struct buffer | x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc) |
| struct buffer | x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc) |
| char * | x509_get_subject (X509 *cert, struct gc_arena *gc) |
| void | x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc) |
| static void | do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) |
| void | x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) |
| void | x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) |
| result_t | x509_verify_ns_cert_type (openvpn_x509_cert_t *peer_cert, const int usage) |
| result_t | x509_verify_cert_ku (X509 *x509, const unsigned *const expected_ku, int expected_len) |
| result_t | x509_verify_cert_eku (X509 *x509, const char *const expected_oid) |
| bool | tls_verify_crl_missing (const struct tls_options *opt) |
| Return true iff a CRL is configured, but is not loaded. | |
Detailed Description
Control Channel Verification Module OpenSSL implementation.
Definition in file ssl_verify_openssl.c.
Function Documentation
◆ backend_x509_get_serial()
| char * backend_x509_get_serial | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 292 of file ssl_verify_openssl.c.
References gc, and string_alloc().
Referenced by verify_callback(), verify_cert_set_env(), and verify_check_crl_dir().
◆ backend_x509_get_serial_hex()
| char * backend_x509_get_serial_hex | ( | openvpn_x509_cert_t * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 311 of file ssl_verify_openssl.c.
References format_hex_ex(), and gc.
Referenced by verify_cert_set_env().
◆ backend_x509_get_username()
| result_t backend_x509_get_username | ( | char * | common_name, |
| int | cn_len, | ||
| char * | x509_username_field, | ||
| X509 * | peer_cert | ||
| ) |
Definition at line 255 of file ssl_verify_openssl.c.
References extract_x509_field_ssl(), FAILURE, FHE_CAPS, format_hex_ex(), gc, gc_free(), gc_new(), buffer::len, and SUCCESS.
◆ backend_x509_write_pem()
| result_t backend_x509_write_pem | ( | openvpn_x509_cert_t * | cert, |
| const char * | filename | ||
| ) |
Definition at line 319 of file ssl_verify_openssl.c.
References crypto_msg, D_TLS_DEBUG_LOW, FAILURE, and SUCCESS.
Referenced by crypto_pem_encode_certificate(), and verify_cert_cert_export_env().
◆ do_setenv_x509()
|
static |
Definition at line 442 of file ssl_verify_openssl.c.
References CC_ANY, CC_CRLF, check_malloc_return(), D_X509_ATTR, es, msg, x509_track::name, setenv_str(), and string_mod().
Referenced by x509_setenv_track().
◆ extract_x509_field_ssl()
|
static |
Definition at line 198 of file ssl_verify_openssl.c.
References ASSERT, D_TLS_ERRORS, FAILURE, buffer::len, msg, strncpynt(), and SUCCESS.
Referenced by backend_x509_get_username().
◆ tls_verify_crl_missing()
| bool tls_verify_crl_missing | ( | const struct tls_options * | opt | ) |
Return true iff a CRL is configured, but is not loaded.
This can be caused by e.g. a CRL parsing error, a missing CRL file or CRL file permission errors. (These conditions are checked upon startup, but the CRL might be updated and reloaded during runtime.)
Definition at line 779 of file ssl_verify_openssl.c.
References ASSERT, tls_options::crl_file, crypto_msg, tls_root_ctx::ctx, i, buffer::len, M_FATAL, tls_options::ssl_ctx, tls_options::ssl_flags, and SSLF_CRL_VERIFY_DIR.
Referenced by verify_cert().
◆ x509_get_sha1_fingerprint()
Definition at line 341 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.
Referenced by x509_setenv_track().
◆ x509_get_sha256_fingerprint()
Definition at line 351 of file ssl_verify_openssl.c.
References alloc_buf_gc(), ASSERT, BPTR, buf_inc_len(), gc, and buffer::len.
Referenced by verify_callback(), and x509_setenv_track().
◆ x509_get_subject()
| char * x509_get_subject | ( | X509 * | cert, |
| struct gc_arena * | gc | ||
| ) |
Definition at line 361 of file ssl_verify_openssl.c.
References gc, gc_malloc(), and buffer::len.
Referenced by verify_callback().
◆ x509_setenv()
| void x509_setenv | ( | struct env_set * | es, |
| int | cert_depth, | ||
| openvpn_x509_cert_t * | peer_cert | ||
| ) |
Definition at line 546 of file ssl_verify_openssl.c.
References CC_CRLF, CC_PRINT, check_malloc_return(), es, i, buffer::len, setenv_str_incr(), and string_mod().
Referenced by verify_cert_set_env().
◆ x509_setenv_track()
| void x509_setenv_track | ( | const struct x509_track * | xt, |
| struct env_set * | es, | ||
| const int | depth, | ||
| X509 * | x509 | ||
| ) |
Definition at line 458 of file ssl_verify_openssl.c.
References BLEN, BPTR, do_setenv_x509(), es, FHE_CAPS, x509_track::flags, format_hex_ex(), gc, gc_free(), gc_new(), i, buffer::len, x509_track::nid, x509_get_sha1_fingerprint(), x509_get_sha256_fingerprint(), and XT_FULL_CHAIN.
◆ x509_track_add()
| void x509_track_add | ( | const struct x509_track ** | ll_head, |
| const char * | name, | ||
| int | msglevel, | ||
| struct gc_arena * | gc | ||
| ) |
Definition at line 417 of file ssl_verify_openssl.c.
References ALLOC_OBJ_CLEAR_GC, x509_track::flags, gc, msg, x509_track::name, x509_track::next, x509_track::nid, and XT_FULL_CHAIN.
Referenced by add_option().
◆ x509_verify_cert_eku()
| result_t x509_verify_cert_eku | ( | X509 * | x509, |
| const char *const | expected_oid | ||
| ) |
Definition at line 730 of file ssl_verify_openssl.c.
References D_HANDSHAKE, FAILURE, i, buffer::len, msg, and SUCCESS.
◆ x509_verify_cert_ku()
| result_t x509_verify_cert_ku | ( | X509 * | x509, |
| const unsigned *const | expected_ku, | ||
| int | expected_len | ||
| ) |
Definition at line 671 of file ssl_verify_openssl.c.
References D_HANDSHAKE, D_TLS_ERRORS, FAILURE, i, buffer::len, msg, OPENVPN_KU_REQUIRED, and SUCCESS.
◆ x509_verify_ns_cert_type()
| result_t x509_verify_ns_cert_type | ( | openvpn_x509_cert_t * | peer_cert, |
| const int | usage | ||
| ) |
Definition at line 604 of file ssl_verify_openssl.c.
References FAILURE, buffer::len, M_WARN, msg, NS_CERT_CHECK_CLIENT, NS_CERT_CHECK_NONE, NS_CERT_CHECK_SERVER, SUCCESS, and usage().
Referenced by verify_peer_cert().
