2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 * @file Control Channel Verification Module
36 #include "ssl_common.h"
38 /* Include OpenSSL-specific code */
39 #ifdef ENABLE_CRYPTO_OPENSSL
40 #include "ssl_verify_openssl.h"
42 #ifdef ENABLE_CRYPTO_POLARSSL
43 #include "ssl_verify_polarssl.h"
46 #include "ssl_verify_backend.h"
/*
 * Keep track of certificate hashes at various depths
 *
 * One hash per certificate of the peer's chain, indexed by chain depth.
 * NOTE(review): the hash serves as an identifier for the chain that
 * tls_lock_cert_hash_set() pins to the tunnel; whether the chain is also
 * re-verified on renegotiation is decided in the verify code, not here.
 */

/** Maximum certificate depth we will allow */
#define MAX_CERT_DEPTH 16

/** Structure containing the hash for a single certificate */
struct cert_hash {
  unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate */
};

/** Structure containing the hashes for a full certificate chain */
struct cert_hash_set {
  /** Array of certificate hashes, one per chain depth.
   *  NOTE(review): entries past the chain's real depth are presumably NULL —
   *  confirm against the code that fills the set before indexing blindly. */
  struct cert_hash *ch[MAX_CERT_DEPTH];
};
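/*
 * Modes for matching the remote certificate's X.509 subject.  As the names
 * suggest, the check compares either nothing, the full subject DN, a single
 * RDN, or a prefix of an RDN.
 */
#define VERIFY_X509_NONE 0
#define VERIFY_X509_SUBJECT_DN 1
#define VERIFY_X509_SUBJECT_RDN 2
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3

/*
 * TLS_REMOTE_* variants keep the low byte of the VERIFY_X509_SUBJECT_* mode
 * they correspond to and set 0x100 on top.  NOTE(review): presumably the
 * compatibility modes for the older --tls-remote matching — confirm in
 * ssl_verify.c.  The expansions are parenthesised so that the values survive
 * use inside a larger expression (e.g. `2 * TLS_REMOTE_SUBJECT_DN`), which
 * the bare `1 + 0x100` form did not.
 */
#define TLS_REMOTE_SUBJECT_DN (1 + 0x100)
#define TLS_REMOTE_SUBJECT_RDN_PREFIX (3 + 0x100)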
/*
 * Return values of tls_authentication_status().
 *
 * Only TLS_AUTHENTICATION_SUCCEEDED means the peer is authenticated.
 * TLS_AUTHENTICATION_DEFERRED means a verdict is still pending (see the
 * auth control file and MANAGEMENT_DEF_AUTH paths below) and must not be
 * treated as a pass; UNDEFINED means no verdict exists at all.
 */
#define TLS_AUTHENTICATION_SUCCEEDED 0
#define TLS_AUTHENTICATION_FAILED 1
#define TLS_AUTHENTICATION_DEFERRED 2
#define TLS_AUTHENTICATION_UNDEFINED 3
/**
 * Return current session authentication state.  Return value is
 * TLS_AUTHENTICATION_x.
 *
 * @param multi   The tunnel whose authentication state is queried.
 * @param latency NOTE(review): not documented in this header; by its name it
 *                is a timing parameter (how stale a deferred result may be
 *                before it is re-checked) — confirm against ssl_verify.c
 *                before relying on that reading.
 *
 * @return One of TLS_AUTHENTICATION_SUCCEEDED, TLS_AUTHENTICATION_FAILED,
 *         TLS_AUTHENTICATION_DEFERRED or TLS_AUTHENTICATION_UNDEFINED.
 *         Anything other than SUCCEEDED is not an authenticated peer.
 */
int tls_authentication_status (struct tls_multi *multi, const int latency);
/** Check whether the \a ks \c key_state is ready to receive data channel
 *  packets.
 *
 *  @ingroup data_crypto
 *
 *  If true, it is safe to assume that this session has been authenticated.
 *
 *  The threshold is S_GOT_KEY minus (multi)->opt.server: on a server
 *  (assuming opt.server is exactly 1 there) the key state only has to have
 *  reached S_GOT_KEY - 1, i.e. S_SENT_KEY; on a client (opt.server == 0) it
 *  must have reached S_GOT_KEY.  NOTE(review): nothing here checks that
 *  opt.server is 0 or 1 — any other value silently shifts the threshold.
 *
 *  @note This macro only works if S_SENT_KEY + 1 == S_GOT_KEY. */
#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
/**
 * Remove the given key state's auth control file, if it exists.
 *
 * NOTE(review): the auth control file appears to be where a deferred
 * (TLS_AUTHENTICATION_DEFERRED) verdict is delivered; removing it on key
 * state teardown keeps a stale verdict from being read later.  Confirm the
 * exact protocol in ssl_verify.c.
 *
 * @param ks The key state to remove the file for
 */
void key_state_rm_auth_control_file (struct key_state *ks);
/**
 * Frees the given set of certificate hashes.
 *
 * Ownership: \a chs must not be used after this call.  NOTE(review): whether
 * the per-depth \c ch entries are released together with the set is not
 * visible in this header — confirm in ssl_verify.c.
 *
 * @param chs The certificate hash set to free.
 */
void cert_hash_free (struct cert_hash_set *chs);
/**
 * Locks the certificate hash set used in the given tunnel.
 *
 * Once locked, the hash set is presumably fixed for the tunnel's lifetime
 * and later sessions are compared against it.  NOTE(review): what happens
 * on a mismatch is decided in ssl_verify.c, not by this declaration.
 *
 * @param multi The tunnel to lock
 */
void tls_lock_cert_hash_set (struct tls_multi *multi);
/**
 * Locks the common name field for the given tunnel.
 *
 * Companion of tls_lock_cert_hash_set(): the common name, once locked, is
 * presumably fixed for the tunnel's lifetime so that a renegotiation cannot
 * change the peer identity the tunnel was authorized under.
 *
 * @param multi The tunnel to lock
 */
void tls_lock_common_name (struct tls_multi *multi);
/**
 * Returns the common name field for the given tunnel.
 *
 * Callers that make an authorization decision from the result should pass
 * \a null = true and test for NULL: "UNDEF" is a placeholder string, not a
 * verified peer identity.
 *
 * @param multi The tunnel to return the common name for
 * @param null  Whether NULL may be returned. If not, "UNDEF" will be returned.
 *
 * @return The tunnel's common name, or NULL / "UNDEF" (see \a null) when
 *         none is set.
 */
const char *tls_common_name (const struct tls_multi * multi, const bool null);
/**
 * Returns the username field for the given tunnel.
 *
 * Same contract as tls_common_name(): with \a null = false a missing
 * username is reported as the literal string "UNDEF", which must not be
 * mistaken for an authenticated user.
 *
 * @param multi The tunnel to return the username for
 * @param null  Whether NULL may be returned. If not, "UNDEF" will be returned.
 *
 * @return The tunnel's username, or NULL / "UNDEF" (see \a null) when none
 *         is set.
 */
const char *tls_username (const struct tls_multi *multi, const bool null);
142 * Retrieve the given tunnel's common name and its hash value.
144 * @param multi The tunnel to use
145 * @param cn Common name's string
146 * @param cn_hash Common name's hash value
148 * @return true if the common name was set, false otherwise.
151 tls_common_name_hash (const struct tls_multi
*multi
, const char **cn
, uint32_t *cn_hash
)
155 const struct tls_session
*s
= &multi
->session
[TM_ACTIVE
];
156 if (s
->common_name
&& s
->common_name
[0] != '\0')
158 *cn
= s
->common_name
;
159 *cn_hash
= s
->common_name_hashval
;
/**
 * Returns whether or not the server should check for username/password.
 *
 * Any one of three sources enables the check: the
 * \c auth_user_pass_verify_script option on the session, a plugin that
 * handles OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, or — only when built with
 * MANAGEMENT_DEF_AUTH — deferred authentication through the management
 * interface.  The sources are consulted in that order and the first hit wins.
 *
 * @param session The current TLS session
 *
 * @return true if username and password verification is enabled,
 *         false otherwise.
 */
static inline bool verify_user_pass_enabled(struct tls_session *session)
{
  if (session->opt->auth_user_pass_verify_script)
    return true;

  if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
    return true;

#ifdef MANAGEMENT_DEF_AUTH
  if (management_enable_def_auth (management))
    return true;
#endif

  return false;
}
/**
 * Verify the given username and password, using either an external script, a
 * plugin, or the management interface.
 *
 * If authentication succeeds, the appropriate state is filled into the
 * session's primary key state's authenticated field. Authentication may also
 * be deferred, in which case the key state's auth_deferred field is filled in.
 *
 * NOTE(review): whether \a up is consumed or its password wiped by this call
 * is not visible in this header; callers holding the credentials should not
 * assume either.
 *
 * @param up      The username and password to verify.
 * @param multi   The TLS multi structure to verify usernames against.
 * @param session The current TLS session
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
                      struct tls_session *session);
/**
 * Perform final authentication checks, including locking of the cn, the allowed
 * certificate hashes, and whether a client config entry exists in the
 * client config directory.
 *
 * Runs after the per-session certificate and username/password checks and
 * presumably compares their results with whatever the tunnel has already
 * locked (see tls_lock_common_name() / tls_lock_cert_hash_set()).
 * NOTE(review): which mismatch fails the session is decided in ssl_verify.c.
 *
 * @param multi   The TLS multi structure to verify locked structures.
 * @param session The current TLS session
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
214 #ifdef ENABLE_X509_TRACK
218 const struct x509_track
*next
;
220 # define XT_FULL_CHAIN (1<<0)
/**
 * Add an X.509 field to track to the list headed by \a *ll_head.
 *
 * NOTE(review): this function carries no documentation in the header; the
 * description above is read from the signature only.  By its parameters it
 * allocates the new node from \a gc and reports problems with \a name at
 * \a msglevel — confirm against ssl_verify.c.
 *
 * @param ll_head  Address of the list head pointer to add to.
 * @param name     Name of the field to track.
 * @param msglevel Message level for diagnostics.
 * @param gc       Arena the new entry is allocated from.
 */
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc);
/*
 * Certificate checking for verify_nsCertType
 */

/** Do not perform Netscape certificate type verification */
#define NS_CERT_CHECK_NONE (0)
/** Require the remote certificate to carry the Netscape "server" certificate type */
#define NS_CERT_CHECK_SERVER (1<<0)
/** Require the remote certificate to carry the Netscape "client" certificate type */
#define NS_CERT_CHECK_CLIENT (1<<1)
242 #ifdef MANAGEMENT_DEF_AUTH
/**
 * Deliver a management-interface (deferred-auth) verdict for a key.
 *
 * NOTE(review): the description is inferred from the MANAGEMENT_DEF_AUTH
 * guard and the parameter names; confirm against ssl_verify.c.
 *
 * @param multi         The tunnel the key belongs to.
 * @param mda_key_id    Key id as exposed to the management interface.
 * @param auth          true to mark the key as authenticated, false to reject it.
 * @param client_reason Reason string to report back to the client.
 *
 * @return NOTE(review): not documented here — presumably whether a key with
 *         \a mda_key_id was found and updated; confirm before relying on it.
 */
bool tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
/**
 * Store the client reason string on the tunnel; it is what
 * tls_client_reason() later returns via \c multi->client_reason.
 *
 * NOTE(review): whether the string is copied or only referenced is not
 * visible in this header — confirm the lifetime requirement on
 * \a client_reason in ssl_verify.c.
 *
 * @param multi         The tunnel to set the reason on.
 * @param client_reason Reason string (may presumably be NULL to clear it).
 */
void man_def_auth_set_client_reason (struct tls_multi *multi, const char *client_reason);
247 static inline const char *
248 tls_client_reason (struct tls_multi
*multi
)
250 #ifdef ENABLE_DEF_AUTH
251 return multi
->client_reason
;
257 #endif /* SSL_VERIFY_H_ */