Hi,
I can't claim to fully understand the crypto side of things, but from
the "coding standards" and "non-intrusiveness" point of view: ACK.
(All it does is sent an extra environment variable based on the
content of a well-defined memory buffer, using the APIs already existing
for that purpose, format_hex_ex() and setenv_str())
Someone with a better understanding of the crypto stuff should verify
that the ctx->current_cert->sha1_hash is always valid, and points to
a buffer of the necessary length.
gert
On Mon, Feb 15, 2010 at 11:28:13PM +0100, David Sommerseth wrote:
> From: David Sommerseth <d...@users.sourceforge.net>
>
> Addedd configure option (--disable-eurephia) to disable the code which the
> eurephia plug-in depends on.
>
> It was chosen to use --disable-eurephia, as this patch is not much intrusive.
> It
> just enables a SHA1 fingerprint environment variable for each certificate
> being
> used for the connection.
>
> Signed-off-by: David Sommerseth <d...@users.sourceforge.net>
> ---
> configure.ac | 9 +++++++++
> options.c | 6 ++++++
> ssl.c | 14 ++++++++++++++
> 3 files changed, 29 insertions(+), 0 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 116ff7c..e775665 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -99,6 +99,12 @@ AC_ARG_ENABLE(plugins,
> [PLUGINS="yes"]
> )
>
> +AC_ARG_ENABLE(eurephia,
> + [ --disable-eurephia Disable support for the eurephia plug-in],
> + [EUREPHIA="$enableval"],
> + [EUREPHIA="yes"]
> +)
> +
> AC_ARG_ENABLE(management,
> [ --disable-management Disable management server support],
> [MANAGEMENT="$enableval"],
> @@ -632,6 +638,9 @@ if test "${WIN32}" != "yes"; then
> )],
> [AC_MSG_RESULT([libdl headers not found.])]
> )
> + if test "$EUREPHIA" = "yes"; then
> + AC_DEFINE(ENABLE_EUREPHIA, 1, [Enable support for the eurephia
> plug-in])
> + fi
> fi
> fi
>
> diff --git a/options.c b/options.c
> index c5ca8b6..aae954e 100644
> --- a/options.c
> +++ b/options.c
> @@ -7,6 +7,9 @@
> *
> * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net>
> *
> + * Additions for eurephia plugin done by:
> + * David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009
> + *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License version 2
> * as published by the Free Software Foundation.
> @@ -73,6 +76,9 @@ const char title_string[] =
> #ifdef ENABLE_PKCS11
> " [PKCS11]"
> #endif
> +#ifdef ENABLE_EUREPHIA
> + " [eurephia]"
> +#endif
> " built on " __DATE__
> ;
>
> diff --git a/ssl.c b/ssl.c
> index 82e04a3..1936f64 100644
> --- a/ssl.c
> +++ b/ssl.c
> @@ -7,6 +7,10 @@
> *
> * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net>
> *
> + * Additions for eurephia plugin done by:
> + * David Sommerseth <d...@users.sourceforge.net> Copyright (C)
> 2008-2009
> + *
> + *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License version 2
> * as published by the Free Software Foundation.
> @@ -780,6 +784,16 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
> openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", ctx->error_depth);
> setenv_str (opt->es, envname, subject);
>
> +#ifdef ENABLE_EUREPHIA
> + /* export X509 cert SHA1 fingerprint */
> + {
> + struct gc_arena gc = gc_new ();
> + openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d",
> ctx->error_depth);
> + setenv_str (opt->es, envname,
> + format_hex_ex(ctx->current_cert->sha1_hash, SHA_DIGEST_LENGTH,
> 0, 1, ":", &gc));
> + gc_free(&gc);
> + }
> +#endif
> #if 0
> /* export common name string as environmental variable */
> openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d",
> ctx->error_depth);
> --
> 1.6.6
>
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
