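/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (see the file COPYING included with this
 * distribution); if not, write to the Free Software Foundation, Inc.,
 * 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/**
 * @file Control Channel Verification Module
 */

#ifndef SSL_VERIFY_H_
#define SSL_VERIFY_H_

#include "syshead.h"
#include "misc.h"
#include "manage.h"
#include "ssl_common.h"

/* Include OpenSSL-specific code */
#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_verify_openssl.h"
#endif
#ifdef ENABLE_CRYPTO_POLARSSL
#include "ssl_verify_polarssl.h"
#endif

#include "ssl_verify_backend.h"

/*
 * Keep track of certificate hashes at various depths
 */

/** Maximum certificate depth we will allow.
 *
 *  This constant also sizes cert_hash_set::ch, so any code that indexes
 *  a hash set by certificate depth must reject depth >= MAX_CERT_DEPTH
 *  before touching the array. */
#define MAX_CERT_DEPTH 16

/** Structure containing the hash for a single certificate */
struct cert_hash {
  unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate.
                                                   NOTE(review): SHA-1 collision
                                                   resistance is weakened; if these
                                                   hashes are relied on to pin a
                                                   peer chain, a SHA-2 digest would
                                                   be the safer choice. */
};

/** Structure containing the hashes for a full certificate chain.
 *
 *  Presumably slot i holds the hash for the certificate at chain depth i
 *  (TODO confirm against ssl_verify.c).  Release with cert_hash_free(). */
struct cert_hash_set {
  struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */
};

/* X.509 subject verification modes.  The TLS_REMOTE_* values are the
 * corresponding VERIFY_X509_* modes offset by 0x100.  The expansions
 * containing '+' are parenthesized so that a use inside arithmetic or
 * next to a higher-precedence operator cannot misbind. */
#define VERIFY_X509_NONE                0
#define VERIFY_X509_SUBJECT_DN          1
#define VERIFY_X509_SUBJECT_RDN         2
#define VERIFY_X509_SUBJECT_RDN_PREFIX  3
#define TLS_REMOTE_SUBJECT_DN           (1 + 0x100)
#define TLS_REMOTE_SUBJECT_RDN_PREFIX   (3 + 0x100)

/* Session authentication states returned by tls_authentication_status() */
#define TLS_AUTHENTICATION_SUCCEEDED  0
#define TLS_AUTHENTICATION_FAILED     1
#define TLS_AUTHENTICATION_DEFERRED   2
#define TLS_AUTHENTICATION_UNDEFINED  3

/*
 * Return current session authentication state. Return
 * value is TLS_AUTHENTICATION_x.
 *
 * @param multi   The tunnel whose authentication state is queried.
 * @param latency Presumably a grace period applied to not-yet-decided
 *                (deferred) results; units and exact meaning are not
 *                visible here -- TODO confirm against ssl_verify.c.
 */
int tls_authentication_status (struct tls_multi *multi, const int latency);

/** Check whether the \a ks \c key_state is ready to receive data channel
 * packets.
 * @ingroup data_crypto
 *
 * If true, it is safe to assume that this session has been authenticated
 * by TLS.
 *
 * @note This macro only works if S_SENT_KEY + 1 == S_GOT_KEY: the
 * threshold is lowered by (multi)->opt.server (presumably 0 or 1), so on
 * the server side the state just below S_GOT_KEY already counts as ready.
 * Each argument is evaluated exactly once. */
#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))

/**
 * Remove the given key state's auth control file, if it exists.
 *
 * @param ks The key state to remove the file for
 */
void key_state_rm_auth_control_file (struct key_state *ks);

/**
 * Frees the given set of certificate hashes.
 *
 * @param chs The certificate hash set to free.
 */
void cert_hash_free (struct cert_hash_set *chs);

/**
 * Locks the certificate hash set used in the given tunnel
 * (presumably so later verifications are compared against the chain
 * seen first -- TODO confirm in ssl_verify.c).
 *
 * @param multi The tunnel to lock
 */
void tls_lock_cert_hash_set (struct tls_multi *multi);

/**
 * Locks the common name field for the given tunnel
 *
 * @param multi The tunnel to lock
 */
void tls_lock_common_name (struct tls_multi *multi);

/**
 * Returns the common name field for the given tunnel
 *
 * @param multi The tunnel to return the common name for
 * @param null Whether null may be returned.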
If not, "UNDEF" will be returned.
 */
const char *tls_common_name (const struct tls_multi* multi, const bool null);

/**
 * Returns the username field for the given tunnel
 *
 * @param multi The tunnel to return the username for
 * @param null Whether null may be returned. If not, "UNDEF" will be returned.
 */
const char *tls_username (const struct tls_multi *multi, const bool null);

#ifdef ENABLE_PF

/**
 * Retrieve the given tunnel's common name and its hash value.
 *
 * Only the TM_ACTIVE session is consulted.  On success the pointer stored
 * in \a cn aliases the session's own common_name buffer (no copy is made),
 * so it must not be used past the lifetime of that session.  On failure
 * neither output is written.
 *
 * @param multi   The tunnel to use (may be NULL)
 * @param cn      Receives the common name string
 * @param cn_hash Receives the common name's hash value
 *
 * @return true if the common name was set and non-empty, false otherwise.
 */
static inline bool
tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *cn_hash)
{
  const struct tls_session *active;

  if (!multi)
    return false;

  active = &multi->session[TM_ACTIVE];
  if (!active->common_name || active->common_name[0] == '\0')
    return false;

  *cn = active->common_name;
  *cn_hash = active->common_name_hashval;
  return true;
}

#endif

/**
 * Returns whether or not the server should check for username/password
 *
 * Any one of the configured backends -- a verify script, a plugin that
 * handles OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, or (when built with
 * MANAGEMENT_DEF_AUTH) management-interface deferred auth -- is enough.
 * The checks are made in that order and stop at the first hit.
 *
 * @param session The current TLS session
 *
 * @return true if username and password verification is enabled,
 *         false if not.
 *
 */
static inline bool verify_user_pass_enabled(struct tls_session *session)
{
  if (session->opt->auth_user_pass_verify_script)
    return true;

  if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
    return true;

#ifdef MANAGEMENT_DEF_AUTH
  if (management_enable_def_auth (management))
    return true;
#endif

  return false;
}

/**
 * Verify the given username and password, using either an external script, a
 * plugin, or the management interface.
 *
 * If authentication succeeds, the appropriate state is filled into the
 * session's primary key state's authenticated field.
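Authentication may also
 * be deferred, in which case the key state's auth_deferred field is filled in.
 *
 * @param up The username and password to verify.
 * @param multi The TLS multi structure to verify usernames against.
 * @param session The current TLS session
 *
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
    struct tls_session *session);

/**
 * Perform final authentication checks, including locking of the cn, the allowed
 * certificate hashes, and whether a client config entry exists in the
 * client config directory.
 *
 * @param multi The TLS multi structure to verify locked structures.
 * @param session The current TLS session
 *
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);

#ifdef ENABLE_X509_TRACK

/** One entry in a singly linked list of X.509 attributes to track. */
struct x509_track
{
  const struct x509_track *next;  /**< Next entry, or NULL at the end of the list */
  const char *name;               /**< Attribute name as given by the user */
# define XT_FULL_CHAIN (1<<0)     /**< Presumably: track the attribute for every
                                       certificate in the chain, not only the
                                       leaf -- TODO confirm in ssl_verify.c */
  unsigned int flags;             /**< XT_* flag bits */
  int nid;                        /**< Backend NID resolved from \a name */
};

/**
 * Add an attribute to an x509_track list.
 *
 * @param ll_head  Head of the list; updated to point at the new entry.
 * @param name     Attribute name to track.
 * @param msglevel Log level used for diagnostics about \a name.
 * @param gc       Arena the new node is presumably allocated from -- the
 *                 caller therefore owns its lifetime (TODO confirm).
 */
void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc);

#endif

/*
 * Certificate checking for verify_nsCertType
 */
/** Do not perform Netscape certificate type verification */
#define NS_CERT_CHECK_NONE (0)
/** Require the peer certificate's nsCertType to be "server" (flag bit;
 *  the check itself is not implemented in this header) */
#define NS_CERT_CHECK_SERVER (1<<0)
/** Require the peer certificate's nsCertType to be "client" (flag bit;
 *  the check itself is not implemented in this header) */
#define NS_CERT_CHECK_CLIENT (1<<1)

/*
 * Management-interface deferred authentication.
 */
#ifdef MANAGEMENT_DEF_AUTH
/**
 * Record the outcome of a deferred authentication request.
 *
 * @param multi         The tunnel the decision applies to.
 * @param mda_key_id    Identifier of the key state the decision is for
 *                      (presumably the id handed to the management client).
 * @param auth          true to accept the key state, false to reject it.
 * @param client_reason Optional reason string (may be NULL), presumably
 *                      stored for later retrieval via tls_client_reason().
 *
 * @return Presumably true if \a mda_key_id matched a pending key state
 *         -- TODO confirm against ssl_verify.c.
 */
bool tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);

/**
 * Store \a client_reason on the tunnel (see tls_client_reason()).
 *
 * @param multi         The tunnel to update.
 * @param client_reason Reason string to record; may be NULL.
 */
void man_def_auth_set_client_reason (struct tls_multi *multi, const char *client_reason);
#endif

/**
 * Return the client reason recorded on the tunnel, if any.
 *
 * The returned pointer aliases \c multi->client_reason; it is not copied.
 * Nothing here guarantees that field has been set, so callers must accept
 * NULL even when ENABLE_DEF_AUTH is defined.  Without ENABLE_DEF_AUTH the
 * function always returns NULL and \a multi is not touched.
 *
 * @param multi The tunnel to query (const-qualified: nothing is written).
 *
 * @return The reason string, or NULL.
 */
static inline const char *
tls_client_reason (const struct tls_multi *multi)
{
#ifdef ENABLE_DEF_AUTH
  return multi->client_reason;
#else
  return NULL;
#endif
}

#endif /* SSL_VERIFY_H_ */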