We could discuss this crypto issue with James in the IRC meeting
tomorrow. He should also be able to provide useful feedback about the
patches in general.

Samuli

> Someone with a better understanding of the crypto stuff should verify
> that the ctx->current_cert->sha1_hash is always valid, and points to
> a buffer of the necessary length.
>
> gert
>
>
> On Mon, Feb 15, 2010 at 11:28:13PM +0100, David Sommerseth wrote:
>   
>> From: David Sommerseth <d...@users.sourceforge.net>
>>
>> Added a configure option (--disable-eurephia) to disable the code which the
>> eurephia plug-in depends on.
>>
>> It was chosen to use --disable-eurephia, as this patch is not very intrusive.  It
>> just enables a SHA1 fingerprint environment variable for each certificate being
>> used for the connection.
>>
>> Signed-off-by: David Sommerseth <d...@users.sourceforge.net>
>> ---
>>  configure.ac |    9 +++++++++
>>  options.c    |    6 ++++++
>>  ssl.c        |   14 ++++++++++++++
>>  3 files changed, 29 insertions(+), 0 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 116ff7c..e775665 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -99,6 +99,12 @@ AC_ARG_ENABLE(plugins,
>>     [PLUGINS="yes"]
>>  )
>>  
>> +AC_ARG_ENABLE(eurephia,
>> +   [  --disable-eurephia      Disable support for the eurephia plug-in],
>> +   [EUREPHIA="$enableval"],
>> +   [EUREPHIA="yes"]
>> +)
>> +
>>  AC_ARG_ENABLE(management,
>>     [  --disable-management    Disable management server support],
>>     [MANAGEMENT="$enableval"],
>> @@ -632,6 +638,9 @@ if test "${WIN32}" != "yes"; then
>>             )],
>>             [AC_MSG_RESULT([libdl headers not found.])]
>>        )
>> +      if test "$EUREPHIA" = "yes"; then
>> +         AC_DEFINE(ENABLE_EUREPHIA, 1, [Enable support for the eurephia 
>> plug-in])
>> +      fi
>>     fi
>>  fi
>>  
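Review bot: the AC_DEFINE(ENABLE_EUREPHIA, ...) is nested inside the `if test "${WIN32}" != "yes"` block, under the libdl header check, so the default `--enable-eurephia` silently produces no define on Windows builds or whenever that enclosing branch is not taken, although the ssl.c code it guards has no libdl dependency. Move the `if test "$EUREPHIA" = "yes"` test to top level beside the other feature defines, or, if the plug-in genuinely needs dlopen/plugin support, state that in the help string and add an AC_MSG_RESULT so the user can see whether it was enabled.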
>> diff --git a/options.c b/options.c
>> index c5ca8b6..aae954e 100644
>> --- a/options.c
>> +++ b/options.c
>> @@ -7,6 +7,9 @@
>>   *
>>   *  Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net>
>>   *
>> + *  Additions for eurephia plugin done by:
>> + *         David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009
>> + *
>>   *  This program is free software; you can redistribute it and/or modify
>>   *  it under the terms of the GNU General Public License version 2
>>   *  as published by the Free Software Foundation.
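Review bot: the copyright line added here reads `Copyright (C) 2009`, while the matching header addition in ssl.c uses `2008-2009`; the two should agree.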
>> @@ -73,6 +76,9 @@ const char title_string[] =
>>  #ifdef ENABLE_PKCS11
>>    " [PKCS11]"
>>  #endif
>> +#ifdef ENABLE_EUREPHIA
>> +  " [eurephia]"
>> +#endif
>>    " built on " __DATE__
>>  ;
>>  
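Review bot: the other build tags in title_string are upper case (`" [PKCS11]"` immediately above), so `" [eurephia]"` breaks the pattern; use `" [EUREPHIA]"` unless the lower case is intentional because it names a project rather than a library.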
>> diff --git a/ssl.c b/ssl.c
>> index 82e04a3..1936f64 100644
>> --- a/ssl.c
>> +++ b/ssl.c
>> @@ -7,6 +7,10 @@
>>   *
>>   *  Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net>
>>   *
>> + *  Additions for eurephia plugin done by:
>> + *         David Sommerseth <d...@users.sourceforge.net> Copyright (C) 
>> 2008-2009
>> + *
>> + *
>>   *  This program is free software; you can redistribute it and/or modify
>>   *  it under the terms of the GNU General Public License version 2
>>   *  as published by the Free Software Foundation.
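Review bot: the added block ends with two consecutive empty comment lines (`+ *` followed by `+ *`), one more than the surrounding header uses; drop one of them.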
>> @@ -780,6 +784,16 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
>>    openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", 
>> ctx->error_depth);
>>    setenv_str (opt->es, envname, subject);
>>  
>> +#ifdef ENABLE_EUREPHIA
>> +  /* export X509 cert SHA1 fingerprint */
>> +  {
>> +    struct gc_arena gc = gc_new ();
>> +    openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", 
>> ctx->error_depth);
>> +    setenv_str (opt->es, envname,
>> +            format_hex_ex(ctx->current_cert->sha1_hash, SHA_DIGEST_LENGTH, 
>> 0, 1, ":", &gc));
>> +    gc_free(&gc);
>> +  }
>> +#endif
>>  #if 0
>>    /* export common name string as environmental variable */
>>    openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d", 
>> ctx->error_depth);
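Review bot: `ctx->current_cert->sha1_hash` reaches into an internal member of OpenSSL's X509 struct, which is exactly the validity question gert raises: nothing in this hunk guarantees that libcrypto has populated that cache field before verify_callback runs, and the member is not part of the public API, so its presence and length are not stable across OpenSSL versions. Compute the digest explicitly instead: `unsigned char md[EVP_MAX_MD_SIZE]; unsigned int len;` then `if (X509_digest (ctx->current_cert, EVP_sha1 (), md, &len))` and pass `md, len` to format_hex_ex, calling setenv_str only when X509_digest succeeded. That removes the hard-coded SHA_DIGEST_LENGTH assumption about the buffer as well.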
>> -- 
>> 1.6.6
>>
>>