From 20c8675ba46bda97330a4117c459a59a9f1c465e Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Mon, 21 Nov 2016 09:37:33 +0100 Subject: New upstream version 2.4~beta1 --- src/openvpn/ssl_verify.h | 47 +++++++++++++++-------------------------------- 1 file changed, 15 insertions(+), 32 deletions(-) (limited to 'src/openvpn/ssl_verify.h') diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index e0bcba4..98312fd 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -30,17 +30,18 @@ #ifndef SSL_VERIFY_H_ #define SSL_VERIFY_H_ +#ifdef ENABLE_CRYPTO + #include "syshead.h" #include "misc.h" -#include "manage.h" #include "ssl_common.h" /* Include OpenSSL-specific code */ #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h" #endif -#ifdef ENABLE_CRYPTO_POLARSSL -#include "ssl_verify_polarssl.h" +#ifdef ENABLE_CRYPTO_MBEDTLS +#include "ssl_verify_mbedtls.h" #endif #include "ssl_verify_backend.h" @@ -54,7 +55,7 @@ /** Structure containing the hash for a single certificate */ struct cert_hash { - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate */ + unsigned char sha256_hash[256/8]; }; /** Structure containing the hashes for a full certificate chain */ @@ -66,8 +67,6 @@ struct cert_hash_set { #define VERIFY_X509_SUBJECT_DN 1 #define VERIFY_X509_SUBJECT_RDN 2 #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 -#define TLS_REMOTE_SUBJECT_DN 1 + 0x100 -#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100 #define TLS_AUTHENTICATION_SUCCEEDED 0 #define TLS_AUTHENTICATION_FAILED 1 @@ -136,6 +135,14 @@ const char *tls_common_name (const struct tls_multi* multi, const bool null); */ const char *tls_username (const struct tls_multi *multi, const bool null); +/** + * Compares certificates hashes, returns true if hashes are equal. + * + * @param chs1 cert 1 hash set + * @param chs2 cert 2 hash set + */ +bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2); + #ifdef ENABLE_PF /** @@ -165,25 +172,6 @@ tls_common_name_hash (const struct tls_multi *multi, const char **cn, uint32_t * #endif -/** - * Returns whether or not the server should check for username/password - * - * @param session The current TLS session - * - * @return true if username and password verification is enabled, - * false if not. - * - */ -static inline bool verify_user_pass_enabled(struct tls_session *session) -{ - return (session->opt->auth_user_pass_verify_script - || plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) -#ifdef MANAGEMENT_DEF_AUTH - || management_enable_def_auth (management) -#endif - ); -} - /** * Verify the given username and password, using either an external script, a * plugin, or the management interface. @@ -211,8 +199,6 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, */ void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session); -#ifdef ENABLE_X509_TRACK - struct x509_track { const struct x509_track *next; @@ -222,10 +208,6 @@ struct x509_track int nid; }; -void x509_track_add (const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc); - -#endif - /* * Certificate checking for verify_nsCertType */ @@ -254,5 +236,6 @@ tls_client_reason (struct tls_multi *multi) #endif } -#endif /* SSL_VERIFY_H_ */ +#endif /* ENABLE_CRYPTO */ +#endif /* SSL_VERIFY_H_ */ -- cgit v1.2.3