authorJames Yonan <james@openvpn.net>2011-07-04 08:43:51 +0000
committerJames Yonan <james@openvpn.net>2011-07-04 08:43:51 +0000
commit5cdb5e0111df7b3d4da7e28390af6e4f26b2cdbe (patch)
tree6bbdeff656b127206f151d2bdf032a4726455b93
parent7fb0e07ec3f7c5f6514523085dbe02ea6b8933e2 (diff)
downloadopenvpn-5cdb5e0111df7b3d4da7e28390af6e4f26b2cdbe.tar.gz
openvpn-5cdb5e0111df7b3d4da7e28390af6e4f26b2cdbe.tar.xz
openvpn-5cdb5e0111df7b3d4da7e28390af6e4f26b2cdbe.zip
Extended x509-track to allow SHA1 certificate hash to be extracted,
e.g.: x509-track "+SHA1" will extract the SHA1 certificate hash for all certs in the client chain. Version 2.1.3z git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7408 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--ssl.c102
-rw-r--r--version.m42
2 files changed, 63 insertions, 41 deletions
diff --git a/ssl.c b/ssl.c
index 6729de2..fd14411 100644
--- a/ssl.c
+++ b/ssl.c
@@ -589,52 +589,74 @@ setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int de
{
X509_NAME *x509_name = X509_get_subject_name (x509);
const char nullc = '\0';
- int i;
while (xt)
{
if (depth == 0 || (xt->flags & XT_FULL_CHAIN))
{
- i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1);
- if (i >= 0)
+ switch (xt->nid)
{
- X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
- if (ent)
- {
- ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent);
- unsigned char *buf;
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8 (&buf, val) > 0)
- {
- do_setenv_x509(es, xt->name, (char *)buf, depth);
- OPENSSL_free (buf);
- }
- }
- }
- else
- {
- i = X509_get_ext_by_NID(x509, xt->nid, -1);
- if (i >= 0)
- {
- X509_EXTENSION *ext = X509_get_ext(x509, i);
- if (ext)
- {
- BIO *bio = BIO_new(BIO_s_mem());
- if (bio)
- {
- if (X509V3_EXT_print(bio, ext, 0, 0))
- {
- if (BIO_write(bio, &nullc, 1) == 1)
- {
- char *str;
- BIO_get_mem_data(bio, &str);
- do_setenv_x509(es, xt->name, str, depth);
- }
- }
- BIO_free(bio);
- }
- }
- }
+ case NID_sha1:
+ {
+ int i;
+ const int hl = SHA_DIGEST_LENGTH*3+1;
+ char hash_str[hl];
+ char *hs = hash_str;
+ const unsigned char *src = x509->sha1_hash;
+ for (i = 0; i < SHA_DIGEST_LENGTH; ++i)
+ {
+ openvpn_snprintf(hs, 4, "%02X:", src[i]);
+ hs += 3;
+ }
+ --hs; /* wipe the trailing ':' */
+ *hs = '\0';
+ do_setenv_x509(es, xt->name, hash_str, depth);
+ }
+ break;
+ default:
+ {
+ int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1);
+ if (i >= 0)
+ {
+ X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
+ if (ent)
+ {
+ ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent);
+ unsigned char *buf;
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ if (ASN1_STRING_to_UTF8 (&buf, val) > 0)
+ {
+ do_setenv_x509(es, xt->name, (char *)buf, depth);
+ OPENSSL_free (buf);
+ }
+ }
+ }
+ else
+ {
+ i = X509_get_ext_by_NID(x509, xt->nid, -1);
+ if (i >= 0)
+ {
+ X509_EXTENSION *ext = X509_get_ext(x509, i);
+ if (ext)
+ {
+ BIO *bio = BIO_new(BIO_s_mem());
+ if (bio)
+ {
+ if (X509V3_EXT_print(bio, ext, 0, 0))
+ {
+ if (BIO_write(bio, &nullc, 1) == 1)
+ {
+ char *str;
+ BIO_get_mem_data(bio, &str);
+ do_setenv_x509(es, xt->name, str, depth);
+ }
+ }
+ BIO_free(bio);
+ }
+ }
+ }
+ }
+ }
}
}
xt = xt->next;
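Review bot: The new NID_sha1 case reads the digest straight out of the OpenSSL-internal field `x509->sha1_hash`, a cached member rather than a public accessor, so it depends on the library having already populated that cache and on the X509 struct staying non-opaque; going through the public `X509_digest(x509, EVP_sha1(), md, &md_len)` API removes both dependencies and lets the digest length be checked before it is formatted. The same case declares `const int hl = SHA_DIGEST_LENGTH*3+1; char hash_str[hl];`, which in C is a variable-length array because a const int is not a constant expression — `char hash_str[SHA_DIGEST_LENGTH*3+1];` gives a fixed-size buffer with the same 61 bytes. The hex-formatting loop itself is fine: 20 entries of 3 bytes plus the terminator fit the buffer exactly. setenv_x509_track begins at the hunk header line and its body continues past the end of the hunk.
```c
case NID_sha1:
  {
    unsigned char md[EVP_MAX_MD_SIZE];
    unsigned int md_len = 0;
    /* use the public digest API instead of the cached internal field */
    if (X509_digest (x509, EVP_sha1 (), md, &md_len) && md_len == SHA_DIGEST_LENGTH)
      {
        int i;
        char hash_str[SHA_DIGEST_LENGTH*3+1]; /* "XX:" per byte, last ':' replaced by NUL */
        char *hs = hash_str;
        const unsigned char *src = md;
        /* … unchanged: "%02X:" formatting loop, trailing ':' removal, do_setenv_x509 call … */
      }
  }
  break;
```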
diff --git a/version.m4 b/version.m4
index 1bc7f5e..2b11a63 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.3y])
+define(PRODUCT_VERSION,[2.1.3z])
dnl define the TAP version
define(PRODUCT_TAP_ID,[tap0901])
define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])