summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_verify.h
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
commit93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch)
tree55a7688c9969ef4d01625caa58c7f679098c76eb /src/openvpn/ssl_verify.h
parentdaa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff)
parent20c8675ba46bda97330a4117c459a59a9f1c465e (diff)
Merge tag 'upstream/2.4_beta1'
Upstream version 2.4~beta1
Diffstat (limited to 'src/openvpn/ssl_verify.h')
-rw-r--r--src/openvpn/ssl_verify.h47
1 files changed, 15 insertions, 32 deletions
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index e0bcba4..98312fd 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -30,17 +30,18 @@
#ifndef SSL_VERIFY_H_
#define SSL_VERIFY_H_
+#ifdef ENABLE_CRYPTO
+
#include "syshead.h"
#include "misc.h"
-#include "manage.h"
#include "ssl_common.h"
/* Include OpenSSL-specific code */
#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_verify_openssl.h"
#endif
-#ifdef ENABLE_CRYPTO_POLARSSL
-#include "ssl_verify_polarssl.h"
+#ifdef ENABLE_CRYPTO_MBEDTLS
+#include "ssl_verify_mbedtls.h"
#endif
#include "ssl_verify_backend.h"
@@ -54,7 +55,7 @@
/** Structure containing the hash for a single certificate */
struct cert_hash {
- unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate */
+ unsigned char sha256_hash[256/8];
};
/** Structure containing the hashes for a full certificate chain */
@@ -66,8 +67,6 @@ struct cert_hash_set {
#define VERIFY_X509_SUBJECT_DN 1
#define VERIFY_X509_SUBJECT_RDN 2
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
-#define TLS_REMOTE_SUBJECT_DN 1 + 0x100
-#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100
#define TLS_AUTHENTICATION_SUCCEEDED 0
#define TLS_AUTHENTICATION_FAILED 1
@@ -136,6 +135,14 @@ const char *tls_common_name (const struct tls_multi* multi, const bool null);
*/
const char *tls_username (const struct tls_multi *multi, const bool null);
+/**
+ * Compares certificates hashes, returns true if hashes are equal.
+ *
+ * @param chs1 cert 1 hash set
+ * @param chs2 cert 2 hash set
+ */
+bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
+
#ifdef ENABLE_PF
/**
@@ -166,25 +173,6 @@ tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t *
#endif
/**
- * Returns whether or not the server should check for username/password
- *
- * @param session The current TLS session
- *
- * @return true if username and password verification is enabled,
- * false if not.
- *
- */
-static inline bool verify_user_pass_enabled(struct tls_session *session)
-{
- return (session->opt->auth_user_pass_verify_script
- || plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
-#ifdef MANAGEMENT_DEF_AUTH
- || management_enable_def_auth (management)
-#endif
- );
-}
-
-/**
* Verify the given username and password, using either an external script, a
* plugin, or the management interface.
*
@@ -211,8 +199,6 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
*/
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
-#ifdef ENABLE_X509_TRACK
-
struct x509_track
{
const struct x509_track *next;
@@ -222,10 +208,6 @@ struct x509_track
int nid;
};
-void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc);
-
-#endif
-
/*
* Certificate checking for verify_nsCertType
*/
@@ -254,5 +236,6 @@ tls_client_reason (struct tls_multi *multi)
#endif
}
-#endif /* SSL_VERIFY_H_ */
+#endif /* ENABLE_CRYPTO */
+#endif /* SSL_VERIFY_H_ */