1/*
2 *  OpenVPN -- An application to securely tunnel IP networks
3 *             over a single TCP/UDP port, with support for SSL/TLS-based
4 *             session authentication and key exchange,
5 *             packet encryption, packet authentication, and
6 *             packet compression.
7 *
8 *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
10 *
11 *  This program is free software; you can redistribute it and/or modify
12 *  it under the terms of the GNU General Public License version 2
13 *  as published by the Free Software Foundation.
14 *
15 *  This program is distributed in the hope that it will be useful,
16 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
17 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18 *  GNU General Public License for more details.
19 *
20 *  You should have received a copy of the GNU General Public License
21 *  along with this program (see the file COPYING included with this
22 *  distribution); if not, write to the Free Software Foundation, Inc.,
23 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
24 */
25
26/**
27 * @file Control Channel Verification Module
28 */
29
30#ifndef SSL_VERIFY_H_
31#define SSL_VERIFY_H_
32
33#include "syshead.h"
34#include "misc.h"
35#include "manage.h"
36#include "ssl_common.h"
37
38/* Include OpenSSL-specific code */
39#ifdef ENABLE_CRYPTO_OPENSSL
40#include "ssl_verify_openssl.h"
41#endif
42#ifdef ENABLE_CRYPTO_POLARSSL
43#include "ssl_verify_polarssl.h"
44#endif
45
46#include "ssl_verify_backend.h"
47
48/*
49 * Keep track of certificate hashes at various depths
50 */
51
52/** Maximum certificate depth we will allow */
53#define MAX_CERT_DEPTH 16
54
/** Structure containing the hash for a single certificate.
 *
 *  Only a SHA1 digest is kept per certificate; this is what the chain
 *  lock/compare logic (see tls_lock_cert_hash_set() and
 *  verify_final_auth_checks()) works on. */
struct cert_hash {
  unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate, as raw digest bytes (not hex) */
};
59
/** Structure containing the hashes for a full certificate chain.
 *
 *  Holds at most MAX_CERT_DEPTH entries; chains deeper than that cannot be
 *  represented here.  Freed with cert_hash_free(). */
struct cert_hash_set {
  struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes; presumably indexed by chain depth, with unused slots NULL -- confirm against the verify callback */
};
64
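/* X.509 subject matching modes.  The TLS_REMOTE_* values mirror
 * VERIFY_X509_SUBJECT_DN / VERIFY_X509_SUBJECT_RDN_PREFIX but carry a 0x100
 * tag so the two families can be told apart by the code that consumes them.
 * The composite expansions are parenthesized so the macros stay correct
 * inside larger expressions (e.g. `x == TLS_REMOTE_SUBJECT_DN * 2`). */
#define VERIFY_X509_NONE                0
#define VERIFY_X509_SUBJECT_DN          1
#define VERIFY_X509_SUBJECT_RDN         2
#define VERIFY_X509_SUBJECT_RDN_PREFIX  3
#define TLS_REMOTE_SUBJECT_DN           (1 + 0x100)
#define TLS_REMOTE_SUBJECT_RDN_PREFIX   (3 + 0x100)

/* Session authentication state, as reported by tls_authentication_status(). */
#define TLS_AUTHENTICATION_SUCCEEDED  0
#define TLS_AUTHENTICATION_FAILED     1
#define TLS_AUTHENTICATION_DEFERRED   2
#define TLS_AUTHENTICATION_UNDEFINED  3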
76
77/*
78 * Return current session authentication state.  Return
79 * value is TLS_AUTHENTICATION_x.
80 *
81 * TODO: document this function
82 */
83int tls_authentication_status (struct tls_multi *multi, const int latency);
84
85/** Check whether the \a ks \c key_state is ready to receive data channel
86 *   packets.
87 *   @ingroup data_crypto
88 *
89 *   If true, it is safe to assume that this session has been authenticated
90 *   by TLS.
91 *
92 *   @note This macro only works if S_SENT_KEY + 1 == S_GOT_KEY. */
93#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
94
95/**
96 * Remove the given key state's auth control file, if it exists.
97 *
 * @param ks	The key state to remove the file for
99 */
100void key_state_rm_auth_control_file (struct key_state *ks);
101
102/**
103 * Frees the given set of certificate hashes.
104 *
105 * @param chs	The certificate hash set to free.
106 */
107void cert_hash_free (struct cert_hash_set *chs);
108
109/**
110 * Locks the certificate hash set used in the given tunnel
111 *
112 * @param multi	The tunnel to lock
113 */
114void tls_lock_cert_hash_set (struct tls_multi *multi);
115
116/**
117 * Locks the common name field for the given tunnel
118 *
119 * @param multi	The tunnel to lock
120 */
121void tls_lock_common_name (struct tls_multi *multi);
122
123/**
124 * Returns the common name field for the given tunnel
125 *
126 * @param multi	The tunnel to return the common name for
127 * @param null	Whether null may be returned. If not, "UNDEF" will be returned.
128 */
129const char *tls_common_name (const struct tls_multi* multi, const bool null);
130
131/**
132 * Returns the username field for the given tunnel
133 *
134 * @param multi	The tunnel to return the username for
135 * @param null	Whether null may be returned. If not, "UNDEF" will be returned.
136 */
137const char *tls_username (const struct tls_multi *multi, const bool null);
138
139#ifdef ENABLE_PF
140
/**
 * Retrieve the given tunnel's common name and its hash value.
 *
 * Only the TM_ACTIVE session is consulted.  Nothing is written through
 * @p cn or @p cn_hash unless that session has a non-empty common name, so
 * the caller must not read either output when false is returned.
 *
 * @param multi		The tunnel to use; may be NULL (yields false)
 * @param cn		Receives a pointer to the session's common name (not copied)
 * @param cn_hash	Receives the common name's hash value
 *
 * @return true if the common name was set, false otherwise.
 */
static inline bool
tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
{
  const struct tls_session *active;
  const char *name;

  if (!multi)
    return false;

  active = &multi->session[TM_ACTIVE];
  name = active->common_name;

  /* An empty string counts as "no common name", same as a NULL pointer. */
  if (!name || *name == '\0')
    return false;

  *cn = name;
  *cn_hash = active->common_name_hashval;
  return true;
}
165
166#endif
167
/**
 * Returns whether or not the server should check for username/password
 *
 * Verification counts as enabled as soon as one back end is configured:
 * a verify script (auth_user_pass_verify_script), a plugin that implements
 * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, or -- when built with
 * MANAGEMENT_DEF_AUTH -- management-interface deferred auth.
 *
 * @param session	The current TLS session
 *
 * @return 		true if username and password verification is enabled,
 * 			false if not.
 *
 */
static inline bool verify_user_pass_enabled(struct tls_session *session)
{
  bool enabled = false;

  /* Same short-circuit order as the back ends are checked elsewhere:
   * script first, then plugin, then management. */
  if (session->opt->auth_user_pass_verify_script)
    enabled = true;
  else if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
    enabled = true;
#ifdef MANAGEMENT_DEF_AUTH
  else if (management_enable_def_auth (management))
    enabled = true;
#endif

  return enabled;
}
186
187/**
188 * Verify the given username and password, using either an external script, a
189 * plugin, or the management interface.
190 *
191 * If authentication succeeds, the appropriate state is filled into the
192 * session's primary key state's authenticated field. Authentication may also
193 * be deferred, in which case the key state's auth_deferred field is filled in.
194 *
195 * @param up		The username and password to verify.
196 * @param multi		The TLS multi structure to verify usernames against.
197 * @param session	The current TLS session
198 *
199 */
200void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
201    struct tls_session *session);
202
203/**
204 * Perform final authentication checks, including locking of the cn, the allowed
205 * certificate hashes, and whether a client config entry exists in the
206 * client config directory.
207 *
208 * @param multi		The TLS multi structure to verify locked structures.
209 * @param session	The current TLS session
210 *
211 */
212void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
213
214#ifdef ENABLE_X509_TRACK
215
/**
 * One entry in the linked list of X.509 certificate fields to track;
 * entries are added with x509_track_add().
 */
struct x509_track
{
  const struct x509_track *next;   /**< Next entry in the list (x509_track_add() takes the list head) */
  const char *name;                /**< Field name; presumably allocated from the gc_arena given to x509_track_add() -- confirm */
  /* Flag bit for 'flags'; from the name, presumably "apply to the whole chain, not only the leaf" -- confirm */
# define XT_FULL_CHAIN (1<<0)
  unsigned int flags;              /**< Bitwise OR of XT_* flags */
  int nid;                         /**< Numeric identifier of the field (looks like an OpenSSL NID -- confirm) */
};
224
225void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc);
226
227#endif
228
229/*
230 * Certificate checking for verify_nsCertType
231 */
232/** Do not perform Netscape certificate type verification */
233#define NS_CERT_CHECK_NONE (0)
/** Require the peer certificate to carry the Netscape "server" certificate type */
235#define NS_CERT_CHECK_SERVER (1<<0)
/** Require the peer certificate to carry the Netscape "client" certificate type */
237#define NS_CERT_CHECK_CLIENT (1<<1)
238
239/*
240 * TODO: document
241 */
242#ifdef MANAGEMENT_DEF_AUTH
243bool tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);
244void man_def_auth_set_client_reason (struct tls_multi *multi, const char *client_reason);
245#endif
246
/**
 * Return the client reason string recorded for the given tunnel.
 *
 * Only builds with ENABLE_DEF_AUTH keep a client reason; every other build
 * returns NULL, so callers must cope with NULL regardless of configuration.
 *
 * NOTE(review): the guard here is ENABLE_DEF_AUTH while the related
 * prototypes above use MANAGEMENT_DEF_AUTH -- confirm the two are meant
 * to differ.
 *
 * @param multi	The tunnel to query
 *
 * @return multi->client_reason when ENABLE_DEF_AUTH is defined (may itself
 *         be NULL), NULL otherwise.
 */
static inline const char *
tls_client_reason (struct tls_multi *multi)
{
  const char *reason = NULL;
#ifdef ENABLE_DEF_AUTH
  reason = multi->client_reason;
#endif
  return reason;
}
256
257#endif /* SSL_VERIFY_H_ */
258
259