1 files changed, 272 insertions, 0 deletions
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
new file mode 100644
index 0000000..2ba3723
--- /dev/null
+++ b/src/openvpn/ssl_verify_backend.h
@@ -0,0 +1,272 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single TCP/UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/**
+ * @file Control Channel Verification Module library-specific backend interface
+ */
+
+#ifndef SSL_VERIFY_BACKEND_H_
+#define SSL_VERIFY_BACKEND_H_
+
+/**
+ * Result of verification function
+ */
+typedef enum { SUCCESS=0, FAILURE=1 } result_t;
+
+/*
+ * Backend support functions.
+ *
+ * The following functions are needed by the backend, but defined in the main
+ * file.
+ */
+
+/*
+ * Verify certificate for the given session. Performs OpenVPN-specific
+ * verification.
+ *
+ * This function must be called for every certificate in the certificate
+ * chain during the certificate verification stage of the handshake.
+ *
+ * @param session	TLS Session associated with this tunnel
+ * @param cert		Certificate to process
+ * @param cert_depth	Depth of the current certificate
+ *
+ * @return 		\c SUCCESS if verification was successful, \c FAILURE on failure.
+ */
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
+
+/*
+ * Remember the given certificate hash, allowing the certificate chain to be
+ * locked between sessions.
+ *
+ * Must be called for every certificate in the verification chain, whether it
+ * is valid or not.
+ *
+ * @param session	TLS Session associated with this tunnel
+ * @param cert_depth	Depth of the current certificate
+ * @param sha1_hash	Hash of the current certificate
+ */
+void cert_hash_remember (struct tls_session *session, const int cert_depth,
+    const unsigned char *sha1_hash);
+
+/*
+ * Library-specific functions.
+ *
+ * The following functions must be implemented on a library-specific basis.
+ */
+
+/*
+ * Retrieve certificate's subject name.
+ *
+ * The returned string must be freed with \c verify_free_subject()
+ *
+ * @param cert		Certificate to retrieve the subject from.
+ *
+ * @return 		a string containing the subject
+ */
+char *x509_get_subject (x509_cert_t *cert);
+
+/*
+ * Free a subject string as returned by \c verify_get_subject()
+ *
+ * @param subject	The subject to be freed.
+ */
+void x509_free_subject (char *subject);
+
+/* Retrieve the certificate's SHA1 hash.
+ *
+ * The returned string must be freed with \c verify_free_sha1_hash()
+ *
+ * @param cert		Certificate to retrieve the hash from.
+ *
+ * @return 		a string containing the SHA1 hash of the certificate
+ */
+unsigned char *x509_get_sha1_hash (x509_cert_t *cert);
+
+/*
+ * Free a hash as returned by \c verify_get_hash()
+ *
+ * @param hash		The subject to be freed.
+ */
+void x509_free_sha1_hash (unsigned char *hash);
+
+/*
+ * Retrieve the certificate's username from the specified field.
+ *
+ * If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled,
+ * it will be loaded from an X.509 extension
+ *
+ * @param cn			Buffer to return the common name in.
+ * @param cn_len		Length of the cn buffer.
+ * @param x509_username_field	Name of the field to load from
+ * @param cert			Certificate to retrieve the common name from.
+ *
+ * @return 		\c FAILURE, \c or SUCCESS
+ */
+result_t x509_get_username (char *common_name, int cn_len,
+    char * x509_username_field, x509_cert_t *peer_cert);
+
+/*
+ * Return the certificate's serial number.
+ *
+ * The serial number is returned as a string, since it might be a bignum.
+ * The returned string must be freed with \c verify_free_serial()
+ *
+ * @param cert		Certificate to retrieve the serial number from.
+ *
+ * @return 		The certificate's serial number.
+ */
+char *x509_get_serial (x509_cert_t *cert);
+
+/*
+ * Free a serial number string as returned by \c verify_get_serial()
+ *
+ * @param serial	The string to be freed.
+ */
+void x509_free_serial (char *serial);
+
+/*
+ * Save X509 fields to environment, using the naming convention:
+ *
+ * X509_{cert_depth}_{name}={value}
+ *
+ * @param es		Environment set to save variables in
+ * @param cert_depth	Depth of the certificate
+ * @param cert		Certificate to set the environment for
+ */
+void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
+
+#ifdef ENABLE_X509_TRACK
+
+/*
+ * Start tracking the given attribute.
+ *
+ * The tracked attributes are stored in ll_head.
+ *
+ * @param ll_head	The x509_track to store tracked atttributes in
+ * @param name		Name of the attribute to track
+ * @param msglevel	Message level for errors
+ * @param gc		Garbage collection arena for temp data
+ *
+ */
+void x509_track_add (const struct x509_track **ll_head, const char *name,
+    int msglevel, struct gc_arena *gc);
+
+/*
+ * Save X509 fields to environment, using the naming convention:
+ *
+ *  X509_{cert_depth}_{name}={value}
+ *
+ * This function differs from setenv_x509 below in the following ways:
+ *
+ * (1) Only explicitly named attributes in xt are saved, per usage
+ *     of --x509-track program options.
+ * (2) Only the level 0 cert info is saved unless the XT_FULL_CHAIN
+ *     flag is set in xt->flags (corresponds with prepending a '+'
+ *     to the name when specified by --x509-track program option).
+ * (3) This function supports both X509 subject name fields as
+ *     well as X509 V3 extensions.
+ *
+ * @param xt
+ * @param es		Environment set to save variables in
+ * @param cert_depth	Depth of the certificate
+ * @param cert		Certificate to set the environment for
+ */
+void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
+    const int depth, x509_cert_t *x509);
+
+#endif
+
+/*
+ * Check X.509 Netscape certificate type field, if available.
+ *
+ * @param cert		Certificate to check.
+ * @param usage		One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
+ * 			or \c NS_CERT_CHECK_NONE.
+ *
+ * @return		\c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
+ * 			the expected bit set. \c FAILURE if the certificate does
+ * 			not have NS cert type verification or the wrong bit set.
+ */
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
+
+/*
+ * Verify X.509 key usage extension field.
+ *
+ * @param cert		Certificate to check.
+ * @param expected_ku	Array of valid key usage values
+ * @param expected_len	Length of the key usage array
+ *
+ * @return 		\c SUCCESS if one of the key usage values matches, \c FAILURE
+ * 			if key usage is not enabled, or the values do not match.
+ */
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+    int expected_len);
+
+/*
+ * Verify X.509 extended key usage extension field.
+ *
+ * @param cert		Certificate to check.
+ * @param expected_oid	String representation of the expected Object ID. May be
+ * 			either the string representation of the numeric OID
+ * 			(e.g. \c "1.2.3.4", or the descriptive string matching
+ * 			the OID.
+ *
+ * @return 		\c SUCCESS if one of the expected OID matches one of the
+ * 			extended key usage fields, \c FAILURE if extended key
+ * 			usage is not enabled, or the values do not match.
+ */
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+
+#endif
+
+/*
+ * Store the given certificate in pem format in a temporary file in tmp_dir
+ *
+ * @param cert		Certificate to store
+ * @param tmp_dir	Temporary directory to store the directory
+ * @param gc		gc_arena to store temporary objects in
+ *
+ *
+ */
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
+
+/*
+ * Check the certificate against a CRL file.
+ *
+ * @param crl_file	File name of the CRL file
+ * @param cert		Certificate to verify
+ * @param subject	Subject of the given certificate
+ *
+ * @return 		\c SUCCESS if the CRL was not signed by the issuer of the
+ * 			certificate or does not contain an entry for it.
+ * 			\c FAILURE otherwise.
+ */
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
+    const char *subject);
+
+#endif /* SSL_VERIFY_BACKEND_H_ */