authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-25 15:51:04 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-25 15:51:04 +0000
commitec4a500bb4f0c642fb4e013387d97aab3c516372 (patch)
treec56bc3a8991d0afe025e946f8a6b61296487dde7 /ssl.h
parentChange to doval valgrind script. The openvpn command parameter is now (diff)
On server, lock client-provided certs against mid-session TLS
renegotiations -- this is similar to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.h')
-rw-r--r--ssl.h21
1 files changed, 20 insertions, 1 deletions
diff --git a/ssl.h b/ssl.h
index 7e0bfb5..3bb5fbe 100644
--- a/ssl.h
+++ b/ssl.h
@@ -303,6 +303,21 @@
/* #define MEASURE_TLS_HANDSHAKE_STATS */
/*
+ * Keep track of certificate hashes at various depths
+ */
+
+/* Maximum certificate depth we will allow */
+#define MAX_CERT_DEPTH 8
+
+struct cert_hash {
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+};
+
+struct cert_hash_set {
+ struct cert_hash *ch[MAX_CERT_DEPTH];
+};
+
+/*
* Key material, used as source for PRF-based
* key expansion.
*/
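Review bot: `MAX_CERT_DEPTH` is described as "the maximum certificate depth we will allow", but nothing in the header ties that limit to the `ch[]` index of `struct cert_hash_set`, and the chain depth that reaches the verify callback is chosen by the peer; whoever fills the set must reject `depth >= MAX_CERT_DEPTH` before indexing, or a long chain becomes an out-of-bounds write. The struct comment should state the contract, e.g. `/* indexed by certificate depth (0 = leaf); callers must check depth < MAX_CERT_DEPTH before indexing; unused slots stay NULL */` (adjust the last clause if unused slots are not NULL). The array also relies on `SHA_DIGEST_LENGTH`, which presumably comes from OpenSSL's sha.h already included by ssl.h -- worth confirming, since this header now fails to compile without it.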
@@ -518,6 +533,8 @@ struct tls_session
char *common_name;
+ struct cert_hash_set *cert_hash_set;
+
#ifdef ENABLE_PF
uint32_t common_name_hashval;
#endif
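Review bot: The new `cert_hash_set` pointer in `struct tls_session` (and `locked_cert_hash_set` in `struct tls_multi`, in the third hunk) carries no ownership comment, so a reader cannot tell who allocates and frees it, nor whether locking copies the session's set or aliases it. If the session is torn down on each renegotiation while the locked copy must live as long as the tls_multi (which the comment in the third hunk implies), an aliased pointer would dangle, so the lock should deep-copy; the header is the place to say so. Proposed: `struct cert_hash_set *cert_hash_set; /* hashes of the peer's cert chain from this handshake; owned by the session, freed with it */` and on the locked member `/* deep copy of the first authenticated session's cert_hash_set; owned here */`. `struct tls_session` starts and ends outside this hunk.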
@@ -589,10 +606,11 @@ struct tls_multi
int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
/*
- * Our locked common name and username (cannot change during the life of this tls_multi object)
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
*/
char *locked_cn;
char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
#ifdef ENABLE_DEF_AUTH
/*
@@ -692,6 +710,7 @@ bool tls_rec_payload (struct tls_multi *multi,
const char *tls_common_name (const struct tls_multi* multi, const bool null);
void tls_set_common_name (struct tls_multi *multi, const char *common_name);
void tls_lock_common_name (struct tls_multi *multi);
+void tls_lock_cert_hash_set (struct tls_multi *multi);
#define TLS_AUTHENTICATION_SUCCEEDED 0
#define TLS_AUTHENTICATION_FAILED 1
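Review bot: The new `tls_lock_cert_hash_set` prototype has no comment describing its contract, and unlike the common-name case no accessor or comparison function is declared alongside it, so the renegotiation check it enables is invisible from this header. Based on the commit message, a one-line comment above the prototype would do: `/* Lock the peer's certificate-chain hashes after the first successful authentication; later renegotiations must present the same chain (cf. tls_lock_common_name). */`. If the comparison against `locked_cert_hash_set` happens inside ssl.c rather than through a public function, a short note to that effect here would save the next reader a search -- confirm where it lives.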