Re: [Openvpn-devel] [PATCH 03/10] tls_serial_{n} value should be distinguishable as hex or decimal.

2016-03-04 Thread Gert Doering
Hi,

On Thu, Mar 03, 2016 at 01:18:59AM -0700, James Yonan wrote:
> To accomplish this, prepend 'x' before hex serial numbers, so they
> can be distinguished from decimal serial numbers.  For example:
> 
>   tls_serial_1 = "x4D:9B:7C:94"
> 
> is equivalent to:
> 
>   tls_serial_1 = "1302035604"
> 
> Currently, only PolarSSL generates hex serial numbers while
> OpenSSL returns decimal serial numbers.

we have this one in the community tree today:

commit f80a52b09eed8e5e0cad990c56ec99256d6cc2d0 (master)
commit 142d4dd2e98317a03ca9827f03fc4643fe922834 (release/2.3)

Author: Steffan Karger 
Date:   Sun Apr 27 10:49:20 2014 +0200

Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.

Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, added tls_serial_hex_{n} that exports the
serial in hex representation for both crypto library backends.


so I think the intention of your patch has been achieved already.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH 03/10] tls_serial_{n} value should be distinguishable as hex or decimal.

2016-03-03 Thread James Yonan
To accomplish this, prepend 'x' before hex serial numbers, so they
can be distinguished from decimal serial numbers.  For example:

  tls_serial_1 = "x4D:9B:7C:94"

is equivalent to:

  tls_serial_1 = "1302035604"

Currently, only PolarSSL generates hex serial numbers while
OpenSSL returns decimal serial numbers.

RFC 5280, published in 2008, decrees that serial numbers can be
up to 20 bytes long, hence it is necessary to support SSL
libraries that return the serial number as a hex string.

Signed-off-by: James Yonan 
---
 src/openvpn/ssl_verify_polarssl.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_verify_polarssl.c 
b/src/openvpn/ssl_verify_polarssl.c
index a2e6a8e..e87d2e2 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -161,11 +161,12 @@ char *
 backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 {
   char *buf = NULL;
-  size_t len = cert->serial.len * 3 + 1;
+  size_t len = cert->serial.len * 3;

-  buf = gc_malloc(len, true, gc);
+  buf = gc_malloc(len+1, true, gc);

-  if(x509_serial_gets(buf, len-1, >serial) < 0)
+  buf[0] = 'x';
+  if(x509_serial_gets(buf+1, len, >serial) < 0)
 buf = NULL;

   return buf;
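Review bot: The subject and description say the 'x' marker is for tls_serial_{n}, but the only code touched is backend_x509_get_serial_hex in the PolarSSL backend (the diffstat lists one file), so after this hunk the PolarSSL hex export starts with "x" while the decimal export and the OpenSSL backend are unchanged; any verify script that already parses the hex export as bare colon-separated hex will stop matching, so the new format should be spelled out in the commit message and in the documentation for the affected variable, and the description should name the hex export rather than tls_serial_{n}. On the sizing, the change is correct but easy to misread: `len` is now cert->serial.len * 3 (two hex digits plus a separator per byte, with the last separator slot reused for the NUL) and the extra byte from `gc_malloc(len+1, true, gc)` is consumed by `buf[0] = 'x'`, so a one-line comment above `size_t len` stating that would save the next reader from re-deriving why `len-1` became `len`. Finally, `buf = NULL` on the error path discards the allocation silently; that matches the old behaviour, but a debug-level log line there would make a failed serial decode visible to whoever is debugging a verify script.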
-- 
1.9.1
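Added example, not OpenVPN's own code: a small helper in the style of a tls-verify script that canonicalises the three serial formats named in this thread (the 'x'-prefixed hex form proposed here, the bare colon-hex form of tls_serial_hex_{n} from Gert's reply, and the decimal form of tls_serial_{n}) into one integer before comparing it against a pinned serial. The sample environments, the 20-byte bound from RFC 5280 and the `assume_hex` parameter are assumptions of this example.

```python
import re
# Added example, not OpenVPN project code: canonicalise the serial formats in
# this thread so a tls-verify script can compare them safely.
#   "x4D:9B:7C:94"  'x'-prefixed colon hex (this patch's PolarSSL form)
#   "4D:9B:7C:94"   bare colon hex (the tls_serial_hex_{n} export)
#   "1302035604"    decimal (the tls_serial_{n} export)
MAX_SERIAL_BYTES = 20   # RFC 5280 limit cited in the patch description
_HEX_RE = re.compile(r"^x?([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)$")
_DEC_RE = re.compile(r"^[0-9]+$")


def parse_serial(value: str, assume_hex: bool = False) -> int:
    """Return the serial as an int; raise ValueError if malformed.

    An unprefixed value with no ':' (e.g. "12") is the ambiguity the patch
    targets: it is read as decimal unless assume_hex is set, which the
    caller should do for anything taken from tls_serial_hex_{n}."""
    value = value.strip()
    if value.startswith("x") or ":" in value or assume_hex:
        m = _HEX_RE.match(value)
        if not m:
            raise ValueError(f"malformed hex serial: {value!r}")
        raw = bytes.fromhex(m.group(1).replace(":", ""))
        if len(raw) > MAX_SERIAL_BYTES:
            raise ValueError("serial longer than 20 bytes")
        return int.from_bytes(raw, "big")
    if not _DEC_RE.match(value):
        raise ValueError(f"malformed decimal serial: {value!r}")
    n = int(value)
    if n.bit_length() > 8 * MAX_SERIAL_BYTES:
        raise ValueError("serial longer than 20 bytes")
    return n


def serial_allowed(env: dict, depth: int, allowed: set) -> bool:
    """True if the depth-n serial is pinned; prefers the unambiguous
    tls_serial_hex_{n} export, falls back to tls_serial_{n}."""
    hex_val = env.get(f"tls_serial_hex_{depth}")
    if hex_val is not None:
        return parse_serial(hex_val, assume_hex=True) in allowed
    dec_val = env.get(f"tls_serial_{depth}")
    return dec_val is not None and parse_serial(dec_val) in allowed

# Constructed sample environments, one per export style, for one pinned serial.
PINNED = {1302035604}
SAMPLES = [
    {"tls_serial_1": "x4D:9B:7C:94"},      # this patch's PolarSSL form
    {"tls_serial_1": "1302035604"},        # decimal form
    {"tls_serial_hex_1": "4D:9B:7C:94"},   # tls_serial_hex_{n} form
]
```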