summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_verify_backend.h
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
commit93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch)
tree55a7688c9969ef4d01625caa58c7f679098c76eb /src/openvpn/ssl_verify_backend.h
parentdaa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff)
parent20c8675ba46bda97330a4117c459a59a9f1c465e (diff)
Merge tag 'upstream/2.4_beta1'
Upstream version 2.4~beta1
Diffstat (limited to 'src/openvpn/ssl_verify_backend.h')
-rw-r--r--src/openvpn/ssl_verify_backend.h51
1 files changed, 25 insertions, 26 deletions
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 01e453e..de304b9 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -66,10 +66,10 @@ result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int
*
* @param session TLS Session associated with this tunnel
* @param cert_depth Depth of the current certificate
- * @param sha1_hash Hash of the current certificate
+ * @param cert_hash Hash of the current certificate
*/
void cert_hash_remember (struct tls_session *session, const int cert_depth,
- const unsigned char *sha1_hash);
+ const struct buffer *cert_hash);
/*
* Library-specific functions.
@@ -87,14 +87,27 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth,
*/
char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc);
-/* Retrieve the certificate's SHA1 hash.
+/**
+ * Retrieve the certificate's SHA1 fingerprint.
*
- * @param cert Certificate to retrieve the hash from.
+ * @param cert Certificate to retrieve the fingerprint from.
* @param gc Garbage collection arena to use when allocating string.
*
- * @return a string containing the SHA1 hash of the certificate
+ * @return a string containing the certificate fingerprint
*/
-unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+struct buffer x509_get_sha1_fingerprint (openvpn_x509_cert_t *cert,
+ struct gc_arena *gc);
+
+/**
+ * Retrieve the certificate's SHA256 fingerprint.
+ *
+ * @param cert Certificate to retrieve the fingerprint from.
+ * @param gc Garbage collection arena to use when allocating string.
+ *
+ * @return a string containing the certificate fingerprint
+ */
+struct buffer x509_get_sha256_fingerprint (openvpn_x509_cert_t *cert,
+ struct gc_arena *gc);
/*
* Retrieve the certificate's username from the specified field.
@@ -150,8 +163,6 @@ char *backend_x509_get_serial_hex (openvpn_x509_cert_t *cert,
*/
void x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert);
-#ifdef ENABLE_X509_TRACK
-
/*
* Start tracking the given attribute.
*
@@ -189,8 +200,6 @@ void x509_track_add (const struct x509_track **ll_head, const char *name,
void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
const int depth, openvpn_x509_cert_t *x509);
-#endif
-
/*
* Check X.509 Netscape certificate type field, if available.
*
@@ -204,8 +213,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
*/
result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
-
/*
* Verify X.509 key usage extension field.
*
@@ -234,8 +241,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const
*/
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid);
-#endif
-
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
*
@@ -247,18 +252,12 @@ result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const exp
*/
result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
-/*
- * Check the certificate against a CRL file.
- *
- * @param crl_file File name of the CRL file
- * @param cert Certificate to verify
- * @param subject Subject of the given certificate
- *
- * @return \c SUCCESS if the CRL was not signed by the issuer of the
- * certificate or does not contain an entry for it.
- * \c FAILURE otherwise.
+/**
+ * Return true iff a CRL is configured, but is not loaded. This can be caused
+ * by e.g. a CRL parsing error, a missing CRL file or CRL file permission
+ * errors. (These conditions are checked upon startup, but the CRL might be
+ * updated and reloaded during runtime.)
*/
-result_t x509_verify_crl(const char *crl_file, openvpn_x509_cert_t *cert,
- const char *subject);
+bool tls_verify_crl_missing(const struct tls_options *opt);
#endif /* SSL_VERIFY_BACKEND_H_ */