Extended x509-track to allow SHA1 certificate hash to be extracted,
authorJames Yonan <james@openvpn.net>
Mon, 4 Jul 2011 08:43:51 +0000 (08:43 +0000)
committerJames Yonan <james@openvpn.net>
Mon, 4 Jul 2011 08:43:51 +0000 (08:43 +0000)
e.g.:

  x509-track "+SHA1"

will extract the SHA1 certificate hash for all certs in the
client chain.

Version 2.1.3z

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7408 e7ae566f-a301-0410-adde-c780ea21d3b5

ssl.c
version.m4

diff --git a/ssl.c b/ssl.c
index 6729de22ee877d3e22f0d5aa339d8d0b47ea14b2..fd14411e49f1f181492d0db84d8e4bd267d13124 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -589,52 +589,74 @@ setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int de
 {
   X509_NAME *x509_name = X509_get_subject_name (x509);
   const char nullc = '\0';
-  int i;
 
   while (xt)
     {
       if (depth == 0 || (xt->flags & XT_FULL_CHAIN))
        {
-         i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1);
-         if (i >= 0)
+         switch (xt->nid)
            {
-             X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
-             if (ent)
-               {
-                 ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent);
-                 unsigned char *buf;
-                 buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
-                 if (ASN1_STRING_to_UTF8 (&buf, val) > 0)
-                   {
-                     do_setenv_x509(es, xt->name, (char *)buf, depth);
-                     OPENSSL_free (buf);
-                   }
-               }
-           }
-         else
-           {
-             i = X509_get_ext_by_NID(x509, xt->nid, -1);
-             if (i >= 0)
-               {
-                 X509_EXTENSION *ext = X509_get_ext(x509, i);
-                 if (ext)
-                   {
-                     BIO *bio = BIO_new(BIO_s_mem());
-                     if (bio)
-                       {
-                         if (X509V3_EXT_print(bio, ext, 0, 0))
-                           {
-                             if (BIO_write(bio, &nullc, 1) == 1)
-                               {
-                                 char *str;
-                                 BIO_get_mem_data(bio, &str);
-                                 do_setenv_x509(es, xt->name, str, depth);
-                               }
-                           }
-                         BIO_free(bio);
-                       }
-                   }
-               }
+           case NID_sha1:
+             {
+               int i;
+               const int hl = SHA_DIGEST_LENGTH*3+1;
+               char hash_str[hl];
+               char *hs = hash_str;
+               const unsigned char *src = x509->sha1_hash;
+               for (i = 0; i < SHA_DIGEST_LENGTH; ++i)
+                 {
+                   openvpn_snprintf(hs, 4, "%02X:", src[i]);
+                   hs += 3;
+                 }
+               --hs; /* wipe the trailing ':' */
+               *hs = '\0';
+               do_setenv_x509(es, xt->name, hash_str, depth);
+             }
+             break;
+           default:
+             {
+               int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1);
+               if (i >= 0)
+                 {
+                   X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
+                   if (ent)
+                     {
+                       ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent);
+                       unsigned char *buf;
+                       buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+                       if (ASN1_STRING_to_UTF8 (&buf, val) > 0)
+                         {
+                           do_setenv_x509(es, xt->name, (char *)buf, depth);
+                           OPENSSL_free (buf);
+                         }
+                     }
+                 }
+               else
+                 {
+                   i = X509_get_ext_by_NID(x509, xt->nid, -1);
+                   if (i >= 0)
+                     {
+                       X509_EXTENSION *ext = X509_get_ext(x509, i);
+                       if (ext)
+                         {
+                           BIO *bio = BIO_new(BIO_s_mem());
+                           if (bio)
+                             {
+                               if (X509V3_EXT_print(bio, ext, 0, 0))
+                                 {
+                                   if (BIO_write(bio, &nullc, 1) == 1)
+                                     {
+                                       char *str;
+                                       BIO_get_mem_data(bio, &str);
+                                       do_setenv_x509(es, xt->name, str, depth);
+                                     }
+                                 }
+                               BIO_free(bio);
+                             }
+                         }
+                     }
+                 }
+             }
            }
        }
       xt = xt->next;
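Review bot: The new `case NID_sha1:` branch reads OpenSSL's private `x509->sha1_hash` field, which is a cache the library fills in during its own d2i post-processing rather than a public interface; it ties the feature to the library's struct layout and silently yields a zero fingerprint for any X509 object that was not produced by d2i (presumably not the case for peer certificates here, but nothing in the hunk guarantees it). Computing the digest through the public API avoids both concerns and makes offering a stronger digest later a one-line change, which matters because the value is exported to scripts through the environment where it will likely serve as a client identity: `unsigned char md[SHA_DIGEST_LENGTH]; unsigned int md_len = 0;` / `if (!X509_digest(x509, EVP_sha1(), md, &md_len) || md_len != SHA_DIGEST_LENGTH) break;` / `const unsigned char *src = md;`. Separately, `const int hl` does not make `char hash_str[hl]` a fixed-size array in C, so this is a VLA; `char hash_str[SHA_DIGEST_LENGTH*3+1];` expresses the same 61-byte bound (20 x "XX:" plus the NUL, which the trailing `--hs; *hs = '\0';` then trims to 59 characters) as a constant. setenv_x509_track begins before this hunk and its body continues past it.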
index 1bc7f5e35dc5aae4a769ad1150ef52f9134e50d7..2b11a63447faecec37f2abf60c94c7e5cf0b5ced 100644 (file)
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.3y])
+define(PRODUCT_VERSION,[2.1.3z])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])