We could discuss this crypto issue with James in the IRC meeting tomorrow. He should also be able to provide useful feedback about the patches in general.
Samuli > Someone with a better understanding of the crypto stuff should verify > that the ctx->current_cert->sha1_hash is always valid, and points to > a buffer of the necessary length. > > gert > > > On Mon, Feb 15, 2010 at 11:28:13PM +0100, David Sommerseth wrote: > >> From: David Sommerseth <d...@users.sourceforge.net> >> >> Addedd configure option (--disable-eurephia) to disable the code which the >> eurephia plug-in depends on. >> >> It was chosen to use --disable-eurephia, as this patch is not much >> intrusive. It >> just enables a SHA1 fingerprint environment variable for each certificate >> being >> used for the connection. >> >> Signed-off-by: David Sommerseth <d...@users.sourceforge.net> >> --- >> configure.ac | 9 +++++++++ >> options.c | 6 ++++++ >> ssl.c | 14 ++++++++++++++ >> 3 files changed, 29 insertions(+), 0 deletions(-) >> >> diff --git a/configure.ac b/configure.ac >> index 116ff7c..e775665 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -99,6 +99,12 @@ AC_ARG_ENABLE(plugins, >> [PLUGINS="yes"] >> ) >> >> +AC_ARG_ENABLE(eurephia, >> + [ --disable-eurephia Disable support for the eurephia plug-in], >> + [EUREPHIA="$enableval"], >> + [EUREPHIA="yes"] >> +) >> + >> AC_ARG_ENABLE(management, >> [ --disable-management Disable management server support], >> [MANAGEMENT="$enableval"], >> @@ -632,6 +638,9 @@ if test "${WIN32}" != "yes"; then >> )], >> [AC_MSG_RESULT([libdl headers not found.])] >> ) >> + if test "$EUREPHIA" = "yes"; then >> + AC_DEFINE(ENABLE_EUREPHIA, 1, [Enable support for the eurephia >> plug-in]) >> + fi >> fi >> fi >> >> diff --git a/options.c b/options.c >> index c5ca8b6..aae954e 100644 >> --- a/options.c >> +++ b/options.c 
>> @@ -7,6 +7,9 @@ >> * >> * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net> >> * >> + * Additions for eurephia plugin done by: >> + * David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009 >> + * >> * This program is free software; you can redistribute it and/or modify >> * it under the terms of the GNU General Public License version 2 >> * as published by the Free Software Foundation. >> @@ -73,6 +76,9 @@ const char title_string[] = >> #ifdef ENABLE_PKCS11 >> " [PKCS11]" >> #endif >> +#ifdef ENABLE_EUREPHIA >> + " [eurephia]" >> +#endif >> " built on " __DATE__ >> ; >> >> diff --git a/ssl.c b/ssl.c >> index 82e04a3..1936f64 100644 >> --- a/ssl.c >> +++ b/ssl.c >> @@ -7,6 +7,10 @@ >> * >> * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sa...@openvpn.net> >> * >> + * Additions for eurephia plugin done by: >> + * David Sommerseth <d...@users.sourceforge.net> Copyright (C) >> 2008-2009 >> + * >> + * >> * This program is free software; you can redistribute it and/or modify >> * it under the terms of the GNU General Public License version 2 >> * as published by the Free Software Foundation. 
>> @@ -780,6 +784,16 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) >> openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", >> ctx->error_depth); >> setenv_str (opt->es, envname, subject); >> >> +#ifdef ENABLE_EUREPHIA >> + /* export X509 cert SHA1 fingerprint */ >> + { >> + struct gc_arena gc = gc_new (); >> + openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", >> ctx->error_depth); >> + setenv_str (opt->es, envname, >> + format_hex_ex(ctx->current_cert->sha1_hash, SHA_DIGEST_LENGTH, >> 0, 1, ":", &gc)); >> + gc_free(&gc); >> + } >> +#endif >> #if 0 >> /* export common name string as environmental variable */ >> openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d", >> ctx->error_depth); >> -- >> 1.6.6 >> >> >> ------------------------------------------------------------------------------ >> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, >> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW >> http://p.sf.net/sfu/solaris-dev2dev >> _______________________________________________ >> Openvpn-devel mailing list >> Openvpn-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/openvpn-devel >> >> > >
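Review bot: the option introduced in the first configure.ac hunk names a generic feature after one consumer: what `--disable-eurephia` actually toggles is the export of a `tls_digest_<depth>` environment variable, as the commit message itself says ("It just enables a SHA1 fingerprint environment variable"). The help string `--disable-eurephia Disable support for the eurephia plug-in` and the `[eurephia]` title-string tag tell a packager nothing about that, and any other script or plug-in wanting the fingerprint must know to keep "eurephia" enabled. Either name the option after the behaviour (a certificate-fingerprint export) or export the variable unconditionally; if the name stays, the help string should at least mention the `tls_digest_*` variables it controls.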
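Review bot: the `AC_DEFINE(ENABLE_EUREPHIA, ...)` in the second configure.ac hunk (`@@ -632,6 +638,9 @@ if test "${WIN32}" != "yes"; then`) is placed inside the non-Windows branch, before the two closing `fi` lines, so on a WIN32 build `--enable-eurephia` silently does nothing and `[eurephia]` never appears in the title string. Nothing in the help text documents this. Move the `if test "$EUREPHIA" = "yes"` check out of the WIN32 conditional if the export is meant to work everywhere (the ssl.c code has no platform dependency), or make the limitation explicit with a configure-time message and a note in the help string.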
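Review bot: the two new copyright blocks disagree on the year (options.c says `Copyright (C) 2009`, the ssl.c header hunk says `2008-2009`), and the ssl.c hunk adds two consecutive ` * ` separator lines where the surrounding header uses a single one. Pick one range for both files and drop the extra blank comment line.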
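Review bot: `ctx->current_cert->sha1_hash` in the ssl.c `verify_callback` hunk reads a private cache field of OpenSSL's `X509` struct instead of asking the library for the digest, which is exactly what gert's question is about. That field is only filled in as a side effect of OpenSSL's internal extension caching (`X509_check_purpose` and friends); nothing in this callback computes it or checks that it was computed, and the struct layout is not part of the public API. Computing the digest explicitly removes both concerns: `unsigned char md[EVP_MAX_MD_SIZE]; unsigned int n;` followed by `if (X509_digest (ctx->current_cert, EVP_sha1 (), md, &n))` and then passing `md` and `n` to `format_hex_ex` in place of `ctx->current_cert->sha1_hash` and `SHA_DIGEST_LENGTH`, skipping the `setenv_str` when `X509_digest` fails. The `gc_new`/`gc_free` pairing around the `setenv_str` call is correct as written.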