author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2009-10-25 15:51:04 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2009-10-25 15:51:04 +0000 |
commit | ec4a500bb4f0c642fb4e013387d97aab3c516372 (patch) | |
tree | c56bc3a8991d0afe025e946f8a6b61296487dde7 /ssl.h | |
parent | Change to doval valgrind script. The openvpn command parameter is now (diff) | |
download | openvpn-ec4a500bb4f0c642fb4e013387d97aab3c516372.tar.xz |
On server, lock client-provided certs against mid-session TLS
renegotiations -- this is similar to how the common name is also
locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.h')
-rw-r--r-- | ssl.h | 21 |
1 files changed, 20 insertions, 1 deletions
@@ -303,6 +303,21 @@ /* #define MEASURE_TLS_HANDSHAKE_STATS */
 /*
+ * Keep track of certificate hashes at various depths
+ */
+
+/* Maximum certificate depth we will allow */
+#define MAX_CERT_DEPTH 8
+
+struct cert_hash {
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+};
+
+struct cert_hash_set {
+ struct cert_hash *ch[MAX_CERT_DEPTH];
+};
+
+/*
 * Key material, used as source for PRF-based
 * key expansion.
 */
@@ -518,6 +533,8 @@ struct tls_session
 char *common_name;
+ struct cert_hash_set *cert_hash_set;
+
 #ifdef ENABLE_PF
 uint32_t common_name_hashval;
 #endif
@@ -589,10 +606,11 @@ struct tls_multi
 int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
 /*
- * Our locked common name and username (cannot change during the life of this tls_multi object)
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
 */
 char *locked_cn;
 char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
 #ifdef ENABLE_DEF_AUTH
 /*
@@ -692,6 +710,7 @@ bool tls_rec_payload (struct tls_multi *multi,
 const char *tls_common_name (const struct tls_multi* multi, const bool null);
 void tls_set_common_name (struct tls_multi *multi, const char *common_name);
 void tls_lock_common_name (struct tls_multi *multi);
+void tls_lock_cert_hash_set (struct tls_multi *multi);
 #define TLS_AUTHENTICATION_SUCCEEDED 0
 #define TLS_AUTHENTICATION_FAILED 1 |
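Review bot: The new `tls_lock_cert_hash_set` prototype and the `cert_hash_set` / `locked_cert_hash_set` members carry no ownership or bounds documentation, which matters for a field that acts as a security lock: the header should say who allocates and frees a `struct cert_hash_set`, and whether the lock takes a copy or aliases the session's set, since an alias would let a later renegotiation free or overwrite the very hashes the comparison relies on. It should also state that `ch[]` is indexed by certificate depth, so every depth must be checked against `MAX_CERT_DEPTH` before it is stored and a chain deeper than 8 rejected rather than truncated, because truncation would make the lock compare only part of the chain; the verify code that fills `ch[]` is outside this hunk, so I cannot tell from here which it does. A comment above the prototype such as `/* Copy the current session's per-depth cert hashes into multi->locked_cert_hash_set; later renegotiations must present a chain with identical hashes at every depth. */` would make the contract explicit, and the `cert_hash` comment could note that the lock depends on SHA-1 second-preimage resistance (`SHA_DIGEST_LENGTH` bytes), which is adequate for an intra-session comparison.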