PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.

509_get_sha1_hash() is supposed to return the certificate fingerprint,
which is the hash of the entire certificate - including the signature -
and not just the 'to be signed' data (cert->tbs in polarssl).

This changes externally visible behavior for polarssl builds: it will
change the value of the tls_digest_N values exported to the environment
for scripts.

v2 Steffan Karger: added commit message and Changes.rst entry.
                   Code unchanged from v1 by James.

Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL=QYUy6N+jKgxVVuftmF=75mSEz3rYUbisT245UfB5Dg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11396
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Changes.rst

@@ -63,7 +63,6 @@ User-visible Changes
   In --static mode connect-timeout specifies the timeout for TCP and
   proxy connection establishment
 
-
 - connect-retry now specifies the maximum number of unsucessfully
   trying all remote/connection entries before exiting.
 
@@ -92,6 +91,10 @@ User-visible Changes
   * Non-ephemeral key exchange using static (EC)DH keys
   * DSS private keys
 
+- PolarSSL builds: changed the tls_digest_N values exported to the script
+  environment to be equal to the ones exported by OpenSSL builds, namely
+  the certificate fingerprint (was the hash of the 'to be signed' data).
+
 
 Maintainer-visible changes
 --------------------------

src/openvpn/ssl_verify_polarssl.c

@@ -175,7 +175,7 @@ unsigned char *
 x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc)
 {
   unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
-  sha1(cert->tbs.p, cert->tbs.len, sha1_hash);
+  sha1(cert->raw.p, cert->raw.len, sha1_hash);
   return sha1_hash;
 }