mirrors/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-11-24 02:03:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

Migrated x509_get_sha1_hash to use the garbage collector

Browse Source 
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This commit is contained in:
Adriaan de Jong 2012-02-14 11:11:26 +01:00 committed by David Sommerseth
parent 025f30d7c6
commit 8e5613c2a8
4 changed files with 11 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/openvpn/ssl_verify.c
View File

@ -407,12 +407,11 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert
#ifdef ENABLE_EUREPHIA
/* export X509 cert SHA1 fingerprint */
{
unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);
unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);
openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
":", &gc));
x509_free_sha1_hash(sha1_hash);
}
#endif
@ -620,14 +619,12 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
/* verify level 1 cert, i.e. the CA that signed our leaf cert */
if (cert_depth == 1 && opt->verify_hash)
{
unsigned char *sha1_hash = x509_get_sha1_hash(cert);
unsigned char *sha1_hash = x509_get_sha1_hash(cert, &gc);
if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))
{
msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
x509_free_sha1_hash(sha1_hash);
goto err;
}
x509_free_sha1_hash(sha1_hash);
}
/* save common name in session object */

12
src/openvpn/ssl_verify_backend.h
View File

@ -88,21 +88,13 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth,
char *x509_get_subject (openvpn_x509_cert_t *cert, struct gc_arena *gc);
/* Retrieve the certificate's SHA1 hash.
*
* The returned string must be freed with \c verify_free_sha1_hash()
*
* @param cert Certificate to retrieve the hash from.
* @param gc Garbage collection arena to use when allocating string.
*
* @return a string containing the SHA1 hash of the certificate
*/
unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert);
/*
* Free a hash as returned by \c verify_get_hash()
*
* @param hash The subject to be freed.
*/
void x509_free_sha1_hash (unsigned char *hash);
unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *gc);
/*
* Retrieve the certificate's username from the specified field.

17
src/openvpn/ssl_verify_openssl.c
View File

@ -49,7 +49,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
struct tls_session *session;
SSL *ssl;
struct gc_arena gc = gc_new();
unsigned char *sha1_hash = NULL;
/* get the tls_session pointer */
ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
@ -57,9 +56,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
ASSERT (session);
sha1_hash = x509_get_sha1_hash(ctx->current_cert);
cert_hash_remember (session, ctx->error_depth, sha1_hash);
x509_free_sha1_hash(sha1_hash);
cert_hash_remember (session, ctx->error_depth,
x509_get_sha1_hash(ctx->current_cert, &gc));
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
@ -238,20 +236,13 @@ x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
}
unsigned char *
x509_get_sha1_hash (X509 *cert)
x509_get_sha1_hash (X509 *cert, struct gc_arena *gc)
{
char *hash = malloc(SHA_DIGEST_LENGTH);
char *hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH);
return hash;
}
void
x509_free_sha1_hash (unsigned char *hash)
{
if (hash)
free(hash);
}
char *
x509_get_subject (X509 *cert, struct gc_arena *gc)
{

17
src/openvpn/ssl_verify_polarssl.c
View File

@ -48,7 +48,6 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
{
struct tls_session *session = (struct tls_session *) session_obj;
struct gc_arena gc = gc_new();
unsigned char *sha1_hash = NULL;
ASSERT (cert);
ASSERT (session);
@ -56,9 +55,7 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
session->verified = false;
/* Remember certificate hash */
sha1_hash = x509_get_sha1_hash(cert);
cert_hash_remember (session, cert_depth, sha1_hash);
x509_free_sha1_hash(sha1_hash);
cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
@ -141,20 +138,13 @@ x509_get_serial (x509_cert *cert, struct gc_arena *gc)
}
unsigned char *
x509_get_sha1_hash (x509_cert *cert)
x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc)
{
unsigned char *sha1_hash = malloc(SHA_DIGEST_LENGTH);
unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
sha1(cert->tbs.p, cert->tbs.len, sha1_hash);
return sha1_hash;
}
void
x509_free_sha1_hash (unsigned char *hash)
{
if (hash)
free(hash);
}
char *
x509_get_subject(x509_cert *cert, struct gc_arena *gc)
{
@ -173,7 +163,6 @@ x509_get_subject(x509_cert *cert, struct gc_arena *gc)
return subject;
}
/*
* Save X509 fields to environment, using the naming convention:
*