From: James Yonan Date: Mon, 4 Jul 2011 08:43:51 +0000 (+0000) Subject: Extended x509-track to allow SHA1 certificate hash to be extracted, X-Git-Tag: v2.3-alpha1~211^2^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5cdb5e0111df7b3d4da7e28390af6e4f26b2cdbe;p=thirdparty%2Fopenvpn.git Extended x509-track to allow SHA1 certificate hash to be extracted, e.g.: x509-track "+SHA1" will extract the SHA1 certificate hash for all certs in the client chain. Version 2.1.3z git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7408 e7ae566f-a301-0410-adde-c780ea21d3b5 --- diff --git a/ssl.c b/ssl.c index 6729de22e..fd14411e4 100644 --- a/ssl.c +++ b/ssl.c @@ -589,52 +589,74 @@ setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int de { X509_NAME *x509_name = X509_get_subject_name (x509); const char nullc = '\0'; - int i; while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { - i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); - if (i >= 0) + switch (xt->nid) { - X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); - if (ent) - { - ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); - unsigned char *buf; - buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ - if (ASN1_STRING_to_UTF8 (&buf, val) > 0) - { - do_setenv_x509(es, xt->name, (char *)buf, depth); - OPENSSL_free (buf); - } - } - } - else - { - i = X509_get_ext_by_NID(x509, xt->nid, -1); - if (i >= 0) - { - X509_EXTENSION *ext = X509_get_ext(x509, i); - if (ext) - { - BIO *bio = BIO_new(BIO_s_mem()); - if (bio) - { - if (X509V3_EXT_print(bio, ext, 0, 0)) - { - if (BIO_write(bio, &nullc, 1) == 1) - { - char *str; - BIO_get_mem_data(bio, &str); - do_setenv_x509(es, xt->name, str, depth); - } - } - BIO_free(bio); - } - } - } + case NID_sha1: + { + int i; + const int hl = SHA_DIGEST_LENGTH*3+1; + char hash_str[hl]; + char *hs = hash_str; + const unsigned char *src = x509->sha1_hash; + for (i = 0; i < SHA_DIGEST_LENGTH; ++i) + { + openvpn_snprintf(hs, 4, "%02X:", src[i]); + hs += 3; + } + --hs; /* wipe the trailing ':' */ + *hs = '\0'; + do_setenv_x509(es, xt->name, hash_str, depth); + } + break; + default: + { + int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); + if (i >= 0) + { + X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); + if (ent) + { + ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); + unsigned char *buf; + buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ + if (ASN1_STRING_to_UTF8 (&buf, val) > 0) + { + do_setenv_x509(es, xt->name, (char *)buf, depth); + OPENSSL_free (buf); + } + } + } + else + { + i = X509_get_ext_by_NID(x509, xt->nid, -1); + if (i >= 0) + { + X509_EXTENSION *ext = X509_get_ext(x509, i); + if (ext) + { + BIO *bio = BIO_new(BIO_s_mem()); + if (bio) + { + if (X509V3_EXT_print(bio, ext, 0, 0)) + { + if (BIO_write(bio, &nullc, 1) == 1) + { + char *str; + BIO_get_mem_data(bio, &str); + do_setenv_x509(es, xt->name, str, depth); + } + } + BIO_free(bio); + } + } + } + } + } } } xt = xt->next; diff --git a/version.m4 b/version.m4 index 1bc7f5e35..2b11a6344 100644 --- a/version.m4 +++ b/version.m4 @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1.3y]) +define(PRODUCT_VERSION,[2.1.3z]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])