diff options
| author | Steffan Karger | 2016-05-05 22:14:07 +0200 |
|---|---|---|
| committer | David Sommerseth | 2016-09-17 15:23:04 +0300 |
| commit | af1e4d26ab65bd71de168ea621ca55d0e40a0bc1 (patch) | |
| tree | 96b7bb0d0300d22d635e0706b523c543ae318df0 /src/openvpn/ssl_verify_openssl.c | |
| parent | d13a40a4a477bae3efede6945174df1cb2c3aa69 (diff) | |
| download | openvpn-af1e4d26ab65bd71de168ea621ca55d0e40a0bc1.zip openvpn-af1e4d26ab65bd71de168ea621ca55d0e40a0bc1.tar.gz | |
Add SHA256 fingerprint support
Add SHA256 fingerprint support for both the normal exported fingerprints
(tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track.
Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint
internally, in cert_hash_remember() / cert_hash_compare(). And instead of
updating an #if 0'd code block that has been disabled since 2009, just
remove that.
This should take care of trac #675.
v2: update openvpn.8 accordingly
[ DS: This commit squashes in the clean-up cert_hash_remember scoping patch,
as it is highly related and tied to this primary patch ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 1462479247-21854-1-git-send-email-steffan@karger.me
Message-Id: 1474055635-7427-1-git-send-email-steffan@karger.me
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg11859.html
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12464.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Diffstat (limited to 'src/openvpn/ssl_verify_openssl.c')
| -rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 5817a05..a4b9432 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -61,8 +61,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index); ASSERT (session); - cert_hash_remember (session, ctx->error_depth, - x509_get_sha1_hash(ctx->current_cert, &gc)); + struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); + cert_hash_remember (session, ctx->error_depth, &cert_hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) @@ -248,11 +248,21 @@ backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); } -unsigned char * -x509_get_sha1_hash (X509 *cert, struct gc_arena *gc) +struct buffer +x509_get_sha1_fingerprint (X509 *cert, struct gc_arena *gc) { - unsigned char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); - memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH); + struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc); + memcpy(BPTR(&hash), cert->sha1_hash, sizeof(cert->sha1_hash)); + ASSERT (buf_inc_len(&hash, sizeof (cert->sha1_hash))); + return hash; +} + +struct buffer +x509_get_sha256_fingerprint (X509 *cert, struct gc_arena *gc) +{ + struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc); + X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL); + ASSERT (buf_inc_len(&hash, (EVP_sha256())->md_size)); return hash; } @@ -376,10 +386,19 @@ x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int de switch (xt->nid) { case NID_sha1: + case NID_sha256: { - char *sha1_fingerprint = format_hex_ex(x509->sha1_hash, - SHA_DIGEST_LENGTH, 0, 1 | FHE_CAPS, ":", &gc); - do_setenv_x509(es, xt->name, sha1_fingerprint, depth); + struct buffer fp_buf; + char *fp_str = NULL; + + if (xt->nid == NID_sha1) + fp_buf = x509_get_sha1_fingerprint(x509, &gc); + else + fp_buf = x509_get_sha256_fingerprint(x509, &gc); + + fp_str = format_hex_ex(BPTR(&fp_buf), BLEN(&fp_buf), 0, + 1 | FHE_CAPS, ":", &gc); + do_setenv_x509(es, xt->name, fp_str, depth); } break; default: |