Merge pull request #92 from aaronmdjones/master

Use accessor function for certificate fingerprint, allow fingerprint generation for chained unknown roots
2015-03-24 12:31:24 -05:00 · 2015-03-24 12:31:24 -05:00 · c7e38ca917
commit c7e38ca917
parent 7dade6a811 614502a63c
1 changed files with 9 additions and 5 deletions
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@ -33,6 +33,7 @@
 #include <openssl/ssl.h>
 #include <openssl/dh.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <openssl/rand.h>

 static SSL_CTX *ssl_server_ctx;
@ -661,12 +662,15 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
 	if(cert != NULL)
 	{
 		res = SSL_get_verify_result((SSL *) F->ssl);
-		if(res == X509_V_OK ||
-				res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-				res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-				res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+		if(
+			res == X509_V_OK ||
+			res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+			res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+			res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+			res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		{
-			memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
+			unsigned int certfp_length = RB_SSL_CERTFP_LEN;
+			X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
 			X509_free(cert);
 			return 1;
 		}