Hi, I can't claim to fully understand the crypto side of things, but from the "coding standards" and "non-intrusiveness" point of view: ACK.
(All it does is send an extra environment variable based on the content of a well-defined memory buffer, using the APIs already existing for that purpose, format_hex_ex() and setenv_str().) Someone with a better understanding of the crypto stuff should verify that the ctx->current_cert->sha1_hash is always valid, and points to a buffer of the necessary length.

gert

On Mon, Feb 15, 2010 at 11:28:13PM +0100, David Sommerseth wrote:
> From: David Sommerseth <d...@users.sourceforge.net> > > Added configure option (--disable-eurephia) to disable the code which the > eurephia plug-in depends on. > > It was chosen to use --disable-eurephia, as this patch is not much intrusive. > It > just enables a SHA1 fingerprint environment variable for each certificate > being > used for the connection. > > Signed-off-by: David Sommerseth <d...@users.sourceforge.net> > --- > configure.ac | 9 +++++++++ > options.c | 6 ++++++ > ssl.c | 14 ++++++++++++++ > 3 files changed, 29 insertions(+), 0 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 116ff7c..e775665 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -99,6 +99,12 @@ AC_ARG_ENABLE(plugins, > [PLUGINS="yes"] > ) > > +AC_ARG_ENABLE(eurephia, > + [ --disable-eurephia Disable support for the eurephia plug-in], > + [EUREPHIA="$enableval"], > + [EUREPHIA="yes"] > +) > + > AC_ARG_ENABLE(management, > [ --disable-management Disable management server support], > [MANAGEMENT="$enableval"], > @@ -632,6 +638,9 @@ if test "${WIN32}" != "yes"; then > )], > [AC_MSG_RESULT([libdl headers not found.])] > ) > + if test "$EUREPHIA" = "yes"; then > + AC_DEFINE(ENABLE_EUREPHIA, 1, [Enable support for the eurephia > plug-in]) > + fi > fi > fi > > diff --git a/options.c b/options.c > index c5ca8b6..aae954e 100644 > --- a/options.c > +++ b/options.c 
> @@ -7,6 +7,9 @@ > * > * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net> > * > + * Additions for eurephia plugin done by: > + * David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009 > + * > * This program is free software; you can redistribute it and/or modify > * it under the terms of the GNU General Public License version 2 > * as published by the Free Software Foundation. > @@ -73,6 +76,9 @@ const char title_string[] = > #ifdef ENABLE_PKCS11 > " [PKCS11]" > #endif > +#ifdef ENABLE_EUREPHIA > + " [eurephia]" > +#endif > " built on " __DATE__ > ; > > diff --git a/ssl.c b/ssl.c > index 82e04a3..1936f64 100644 > --- a/ssl.c > +++ b/ssl.c > @@ -7,6 +7,10 @@ > * > * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net> > * > + * Additions for eurephia plugin done by: > + * David Sommerseth <d...@users.sourceforge.net> Copyright (C) > 2008-2009 > + * > + * > * This program is free software; you can redistribute it and/or modify > * it under the terms of the GNU General Public License version 2 > * as published by the Free Software Foundation. 
> @@ -780,6 +784,16 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) > openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", ctx->error_depth); > setenv_str (opt->es, envname, subject); > > +#ifdef ENABLE_EUREPHIA > + /* export X509 cert SHA1 fingerprint */ > + { > + struct gc_arena gc = gc_new (); > + openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", > ctx->error_depth); > + setenv_str (opt->es, envname, > + format_hex_ex(ctx->current_cert->sha1_hash, SHA_DIGEST_LENGTH, > 0, 1, ":", &gc)); > + gc_free(&gc); > + } > +#endif > #if 0 > /* export common name string as environmental variable */ > openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d", > ctx->error_depth); > -- > 1.6.6 > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
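Review bot: In the first configure.ac hunk, the new AC_ARG_ENABLE(eurephia, ...) names a generic feature after one plugin: what the switch actually controls, per the commit message and the ssl.c hunk, is exporting a SHA1 certificate fingerprint to the environment, which any plugin or script can consume, not only eurephia. Consider naming the option and the define after the feature instead (something like --disable-x509-fingerprint / ENABLE_X509_FINGERPRINT, names suggested here, not from the patch) so a later consumer does not have to depend on "eurephia" being enabled to get tls_digest_%d.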
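Review bot: In the second configure.ac hunk, the AC_DEFINE(ENABLE_EUREPHIA, 1, ...) sits inside the `if test "${WIN32}" != "yes"` branch, and the two trailing `fi` lines show it is also nested in the enclosing block that holds the libdl check, so a Windows build, or any build that skips that enclosing block, never defines ENABLE_EUREPHIA even with EUREPHIA=yes, and the ssl.c export is silently compiled out. Nothing in the fingerprint export depends on libdl or on a non-Windows platform, so the `if test "$EUREPHIA" = "yes"` test should move to top level next to the AC_ARG_ENABLE, or the platform restriction should be stated in the option's help text.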
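Review bot: The ssl.c header hunk ends with two consecutive empty comment lines (`+ *` twice) before the GPL paragraph, where the matching options.c hunk adds only one; drop the duplicate so the two file headers stay consistent. The copyright years also differ between the two files (2009 in options.c, 2008-2009 in ssl.c), which may be intentional but is worth confirming.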
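Review bot: In the verify_callback hunk, the fingerprint is read straight from `ctx->current_cert->sha1_hash`, a field of OpenSSL's internal X509 struct rather than a public accessor; it is only filled in once OpenSSL has cached the certificate's extensions, and later OpenSSL releases may change or hide the struct layout entirely. Computing the digest explicitly with the public `X509_digest(ctx->current_cert, EVP_sha1(), md, &len)` into a local `unsigned char md[EVP_MAX_MD_SIZE]` and passing `md` with `len` to format_hex_ex() answers Gert's question about the buffer being valid and of the expected length, and keeps the code independent of struct internals. Two smaller points: confirm that setenv_str() copies the string it is handed, since the gc arena holding the format_hex_ex() output is released by gc_free() on the very next line; and the patch introduces a new `tls_digest_%d` environment variable without a matching update to the environment variable list in the man page.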