authorAdriaan de Jong <dejong@fox-it.com>2011-06-30 10:10:28 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-21 11:55:14 +0200
commit82f925b60c0f029295975e64d9acabb53c0a5e3c (patch)
tree6a3e860a83a2af1ed9fcd8dd179d9cb7e0f1b92a /ssl_verify.h
parent88aaf1aefd91b3704b3b00eeddff3befdefbc2b8 (diff)
Refactored certificate hash lock checks
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify.h')
-rw-r--r--ssl_verify.h32
1 files changed, 32 insertions, 0 deletions
diff --git a/ssl_verify.h b/ssl_verify.h
index 1944a0f..4440acd 100644
--- a/ssl_verify.h
+++ b/ssl_verify.h
@@ -40,6 +40,38 @@
#include "ssl_verify_openssl.h"
#endif
+/*
+ * Keep track of certificate hashes at various depths
+ */
+
+/** Maximum certificate depth we will allow */
+#define MAX_CERT_DEPTH 16
+
+/** Structure containing the hash for a single certificate */
+struct cert_hash {
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH]; /**< The SHA1 hash for a certificate */
+};
+
+/** Structure containing the hashes for a full certificate chain */
+struct cert_hash_set {
+ struct cert_hash *ch[MAX_CERT_DEPTH]; /**< Array of certificate hashes */
+};
+
+
+/**
+ * Frees the given set of certificate hashes.
+ *
+ * @param chs The certificate hash set to free.
+ */
+void cert_hash_free (struct cert_hash_set *chs);
+
+/**
+ * Locks the certificate hash set used in the given tunnel
+ *
+ * @param multi The tunnel to lock
+ */
+void tls_lock_cert_hash_set (struct tls_multi *multi);
+
/**
* Perform final authentication checks, including locking of the cn, the allowed
* certificate hashes, and whether a client config entry exists in the
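Review bot: The new `struct cert_hash_set` is a fixed array of `MAX_CERT_DEPTH` pointers, but the added comments never say that the index is the certificate's chain depth, or that callers must reject a depth of `MAX_CERT_DEPTH` or more before touching `ch[]`. That depth presumably comes from the peer's chain during verification, so the bound belongs in the header; I would extend the member comment to `/**< Hashes indexed by chain depth; NULL where no certificate was recorded; index must be < MAX_CERT_DEPTH */`. The `cert_hash_free` comment should also state whether the set itself is freed along with its entries and whether a NULL `chs` is accepted, and the `tls_lock_cert_hash_set` comment should say what "locking" means for later renegotiations. Separately, `SHA_DIGEST_LENGTH` looks like an OpenSSL macro, and it is used after the `#endif` that closes the conditional include at the top of the hunk, so it is worth confirming that this header still compiles when that include is not taken.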