From dd2fbc26eb7b32325793ae3f7d215f46e881e68c Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Mon, 4 Apr 2016 21:59:38 +0200
Subject: [PATCH] PolarSSL x509_get_sha1_hash now returns correct SHA1
 fingerprint.

509_get_sha1_hash() is supposed to return the certificate fingerprint,
which is the hash of the entire certificate - including the signature -
and not just the 'to be signed' data (cert->tbs in polarssl).

This changes externally visible behavior for polarssl builds: it will
change the value of the tls_digest_N values exported to the environment
for scripts.

v2 Steffan Karger: added commit message and Changes.rst entry.
                   Code unchanged from v1 by James.

Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL=QYUy6N+jKgxVVuftmF=75mSEz3rYUbisT245UfB5Dg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11396
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 Changes.rst                       | 5 ++++-
 src/openvpn/ssl_verify_polarssl.c | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 93e4bd9da..5034b156b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -63,7 +63,6 @@ User-visible Changes
   In --static mode connect-timeout specifies the timeout for TCP and
   proxy connection establishment
 
-
 - connect-retry now specifies the maximum number of unsucessfully
   trying all remote/connection entries before exiting.
 
@@ -92,6 +91,10 @@ User-visible Changes
   * Non-ephemeral key exchange using static (EC)DH keys
   * DSS private keys
 
+- PolarSSL builds: changed the tls_digest_N values exported to the script
+  environment to be equal to the ones exported by OpenSSL builds, namely
+  the certificate fingerprint (was the hash of the 'to be signed' data).
+
 
 Maintainer-visible changes
 --------------------------
diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index d1b9f02fb..73a9af1f7 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -175,7 +175,7 @@ unsigned char *
 x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc)
 {
   unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
-  sha1(cert->tbs.p, cert->tbs.len, sha1_hash);
+  sha1(cert->raw.p, cert->raw.len, sha1_hash);
   return sha1_hash;
 }
 
-- 
2.47.2