diff options
author | Adriaan de Jong <dejong@fox-it.com> | 2011-07-01 14:39:13 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:44:36 +0200 |
commit | fceecbab9ddd58ccec28aeafa7be39c65f313458 (patch) | |
tree | e8f261d594931caa3587f77d122e6be547f27326 /ssl_verify.c | |
parent | a4da1fe776b774670948f00898d370da614960f5 (diff) | |
download | openvpn-fceecbab9ddd58ccec28aeafa7be39c65f313458.tar.gz openvpn-fceecbab9ddd58ccec28aeafa7be39c65f313458.tar.xz openvpn-fceecbab9ddd58ccec28aeafa7be39c65f313458.zip |
Final cleanup before PolarSSL addition:
- Remove stray X509 entries
- Remove unnecessary USE_OPENSSL ifdefs
- Normalised x509_get_sha1_hash to look similar to x509_get_* functions
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify.c')
-rw-r--r-- | ssl_verify.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/ssl_verify.c b/ssl_verify.c index 804abe7..ac5c03b 100644 --- a/ssl_verify.c +++ b/ssl_verify.c @@ -433,9 +433,12 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, /* export X509 cert SHA1 fingerprint */ { struct gc_arena gc = gc_new (); + unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert); + openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth); - setenv_str (es, envname, - format_hex_ex(peer_cert->sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc)); + setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, + ":", &gc)); + x509_free_sha1_hash(sha1_hash); gc_free(&gc); } #endif @@ -536,7 +539,7 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, * check peer cert against CRL directory */ static bool -verify_check_crl_dir(const char *crl_dir, X509 *cert) +verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert) { char fn[256]; int fd; @@ -615,11 +618,14 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) /* verify level 1 cert, i.e. the CA that signed our leaf cert */ if (cert_depth == 1 && opt->verify_hash) { - if (memcmp (cert->sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH)) + unsigned char *sha1_hash = x509_get_sha1_hash(cert); + if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH)) { msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); + x509_free_sha1_hash(sha1_hash); goto err; } + x509_free_sha1_hash(sha1_hash); } /* save common name in session object */ |