[Openvpn-devel] [PATCH applied] Re: Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

2014-04-30 Thread Gert Doering
ACK.

Patch is slightly bigger than f80a52b09eed8e5e0cad ("the same thing for 
master") as it also backports the renaming of x509_get_serial() to
backend_x509_get_serial() - which is purely cosmetic, but now the code
is better aligned.

Your patch has been applied to the release/2.3 branch.

commit 142d4dd2e98317a03ca9827f03fc4643fe922834 (release/2.3)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Apr 28 21:50:22 2014 +0200

 Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <535eb49e.5090...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/8664
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH applied] Re: Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

2014-04-28 Thread Steffan Karger
Hi,

On 27-04-14 15:22, Gert Doering wrote:
> Your patch has been applied to the master branch ONLY, as it doesn't
> work with PolarSSL 1.2 (no "x509_crt" type there) - so 2.3.x still has
> inconsistency here.

Right, different PolarSSL API. Attached a reworked patch for 2.3. Same
functionality, slightly different API calls.

-Steffan
From 52d5f5a76dc70e20da740acd347cbdaab40b60df Mon Sep 17 00:00:00 2001
From: Steffan Karger 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon, 28 Apr 2014 21:50:22 +0200
Subject: [PATCH] Make serial env exporting consistent amongst OpenSSL and
 PolarSSL builds.

This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.

Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, this also adds tls_serial_hex_{n}, which exports
the serial in hex representation for both crypto library backends.

Signed-off-by: Steffan Karger 
---
 doc/openvpn.8 |  6 ++
 src/openvpn/ssl_verify.c  |  9 +++--
 src/openvpn/ssl_verify_backend.h  | 21 +---
 src/openvpn/ssl_verify_openssl.c  | 10 +-
 src/openvpn/ssl_verify_polarssl.c | 42 ++-
 5 files changed, 81 insertions(+), 7 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 7a33f8a..585751b 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6048,6 +6048,12 @@ code should check that.
 See the contrib/OCSP_check/OCSP_check.sh script for an example.
 .\"*
 .TP
+.B tls_serial_hex_{n}
+Like
+.B tls_serial_{n}\fR,
+but in hex form (e.g. "12:34:56:78:9A").
+.\"*
+.TP
 .B tun_mtu
 The MTU of the TUN/TAP device.
 Set prior to
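Review bot: the example "12:34:56:78:9A" in the new .B tls_serial_hex_{n} entry implies uppercase digits, but the test output quoted in this thread shows the OpenSSL build emitting lowercase (bc:fc:c7:5c:47:87:ad:a6) and the PolarSSL build uppercase (BC:FC:C7:5C:47:87:AD:A6); the man page should state that the case of the hex digits depends on the crypto backend, so that scripts consuming the variable compare case-insensitively.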
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 0670f2a..c90c2c3 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -435,10 +435,15 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert
   }

   /* export serial number as environmental variable */
-  serial = x509_get_serial(peer_cert, &gc);
+  serial = backend_x509_get_serial(peer_cert, &gc);
   openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
   setenv_str (es, envname, serial);

+  /* export serial number in hex as environmental variable */
+  serial = backend_x509_get_serial_hex(peer_cert, &gc);
+  openvpn_snprintf (envname, sizeof(envname), "tls_serial_hex_%d", cert_depth);
+  setenv_str (es, envname, serial);
+
   gc_free(&gc);
 }

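Review bot: the header comments added in ssl_verify_backend.h document that backend_x509_get_serial() and backend_x509_get_serial_hex() return NULL on error, yet both results are handed straight to setenv_str() here; unless setenv_str() is known to accept a NULL value, guard each call, e.g. `if (serial) setenv_str (es, envname, serial);` (or log and skip the variable), so a certificate with an unparsable serial cannot lead to a NULL dereference during verification.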
@@ -562,7 +567,7 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert)
   int fd = -1;
   struct gc_arena gc = gc_new();

-  char *serial = x509_get_serial(cert, &gc);
+  char *serial = backend_x509_get_serial(cert, &gc);

   if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
 {
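Review bot: `serial` is interpolated into the CRL directory path with "%s" right after the call, and with the NULL-on-error contract this patch documents in ssl_verify_backend.h that is undefined behaviour for a malformed serial; return FAILURE when backend_x509_get_serial() yields NULL before building `fn`, rather than continuing into the snprintf.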
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 1658cc0..6f118c9 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -113,16 +113,31 @@ result_t x509_get_username (char *common_name, int cn_len,
 char * x509_username_field, openvpn_x509_cert_t *peer_cert);

 /*
- * Return the certificate's serial number.
+ * Return the certificate's serial number in decimal string representation.
  *
  * The serial number is returned as a string, since it might be a bignum.
  *
  * @param cert		Certificate to retrieve the serial number from.
  * @param gc		Garbage collection arena to use when allocating string.
  *
- * @return 		The certificate's serial number.
+ * @return 		String representation of the certificate's serial number
+ * 			in decimal notation, or NULL on error.
  */
-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc);
+
+/*
+ * Return the certificate's serial number in hex string representation.
+ *
+ * The serial number is returned as a string, since it might be a bignum.
+ *
+ * @param cert		Certificate to retrieve the serial number from.
+ * @param gc		Garbage collection arena to use when allocating string.
+ *
+ * @return 		String representation of the certificate's serial number
+ * 			in hex notation, or NULL on error.
+ */
+char *backend_x509_get_serial_hex (openvpn_x509_cert_t *cert,
+struct gc_arena *gc);

 /*
  * Save X509 fields to environment, using the naming convention:
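Review bot: the comment for backend_x509_get_serial_hex() says "hex notation" but does not pin down the layout; the doc/openvpn.8 hunk in this same patch specifies colon-separated two-digit octets ("12:34:56:78:9A"), so state that here as well (colon-separated octets, no 0x prefix, shortest form) so that both backend implementations and any future one produce the same format.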
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 91a42b2..19982ae 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -220,7 +220,7 @@ x509_get_username (char *common_name, int cn_len,
 }

 char *
-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
+backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 {
   ASN1_INTE
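Review bot: this hunk and the whole ssl_verify_polarssl.c change (42 lines in the diffstat) are cut off in the archived copy, so the PolarSSL hex implementation that produced the uppercase output quoted in the thread cannot be reviewed here; the visible part of this hunk only renames x509_get_serial() to backend_x509_get_serial().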

[Openvpn-devel] [PATCH applied] Re: Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

2014-04-27 Thread Gert Doering
ACK.  Tested both OpenSSL and PolarSSL builds on the server side, and
certificate reporting is consistent, if differing in uppercase/lowercase:

OpenSSL:

tls_serial_0=22
tls_serial_1=13617978572412530086
tls_serial_hex_0=16
tls_serial_hex_1=bc:fc:c7:5c:47:87:ad:a6

PolarSSL:

tls_serial_0=22
tls_serial_1=13617978572412530086
tls_serial_hex_0=16
tls_serial_hex_1=BC:FC:C7:5C:47:87:AD:A6

(I'm too lazy right now to actually multiply out whether the hex 
representation of cert 1 matches the decimal representation, but if
both libraries return the same thing, that is good enough for me)


Your patch has been applied to the master branch ONLY, as it doesn't
work with PolarSSL 1.2 (no "x509_crt" type there) - so 2.3.x still has
inconsistency here.

commit f80a52b09eed8e5e0cad990c56ec99256d6cc2d0 (master)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Apr 27 10:49:20 2014 +0200

 Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1398588561-18964-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/8649
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering
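The "multiply it out" check left open above can be done mechanically. This is an added example, not code from the thread or from OpenVPN: it parses the colon-separated tls_serial_hex_{n} form, renders the decimal form back into it, and cross-checks an exported environment for each certificate depth; the sample environments are constructed from the values Gert reported for the OpenSSL and PolarSSL builds.

```python
# Added example, not OpenVPN's code: cross-check the decimal tls_serial_{n}
# and colon-separated hex tls_serial_hex_{n} values that OpenVPN exports for
# the same certificate depth, tolerating the upper/lowercase difference
# between the OpenSSL and PolarSSL backends shown in the thread.
import re

_HEX_SERIAL = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*$")


def serial_hex_to_int(serial_hex: str) -> int:
    """Parse a tls_serial_hex_{n} value such as "bc:fc:c7:5c" into an int."""
    if not _HEX_SERIAL.match(serial_hex):
        raise ValueError(f"not a colon-separated hex serial: {serial_hex!r}")
    return int.from_bytes(bytes.fromhex(serial_hex.replace(":", "")), "big")


def serial_int_to_hex(serial: int, uppercase: bool = False) -> str:
    """Render a serial as colon-separated octets in shortest big-endian form
    (no leading 00 byte), matching the values quoted in the thread."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    raw = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    text = ":".join(f"{b:02x}" for b in raw)
    return text.upper() if uppercase else text


def check_serial_env(env: dict) -> dict:
    """Map each depth n that has tls_serial_{n} to True when a matching
    tls_serial_hex_{n} encodes the same integer, else False."""
    results = {}
    for name, value in env.items():
        m = re.fullmatch(r"tls_serial_(\d+)", name)
        if not m:
            continue
        depth = int(m.group(1))
        hex_value = env.get(f"tls_serial_hex_{depth}")
        try:
            results[depth] = (hex_value is not None
                              and serial_hex_to_int(hex_value) == int(value))
        except ValueError:  # unparsable decimal or hex value
            results[depth] = False
    return results


# Constructed sample input: the environment lines Gert reported for both builds
OPENSSL_ENV = {"tls_serial_0": "22", "tls_serial_hex_0": "16",
               "tls_serial_1": "13617978572412530086",
               "tls_serial_hex_1": "bc:fc:c7:5c:47:87:ad:a6"}
POLARSSL_ENV = dict(OPENSSL_ENV, tls_serial_hex_1="BC:FC:C7:5C:47:87:AD:A6")
```

Running check_serial_env() on either constructed environment yields {0: True, 1: True}: bc:fc:c7:5c:47:87:ad:a6 is indeed 13617978572412530086, so the two backends agree apart from case.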