From d3806d05038ac06d779cbb87a73fd33c095eed82 Mon Sep 17 00:00:00 2001
From: Aaron Jones
Date: Tue, 24 Mar 2015 05:22:25 +0000
Subject: [PATCH 1/2] Use X509_digest() instead of memcpy() to obtain cert fingerprint

This will continue to work even if the OpenSSL developers make the X509* structure opaque, the current approach will not.
---
 libratbox/src/openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c
index 850318b2..4544ad6b 100644
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 
 static SSL_CTX *ssl_server_ctx;
@@ -666,7 +667,8 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
 res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
 res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
 {
- memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
+ unsigned int certfp_length = RB_SSL_CERTFP_LEN;
+ X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
 X509_free(cert);
 return 1;
 }

From 614502a63c0950fe430766fe4abd741a3cfc1873 Mon Sep 17 00:00:00 2001
From: Aaron Jones
Date: Tue, 24 Mar 2015 05:25:38 +0000
Subject: [PATCH 2/2] Generate fingerprints for chained certificates with an unknown root
---
 libratbox/src/openssl.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libratbox/src/openssl.c b/libratbox/src/openssl.c
index 4544ad6b..8044be1d 100644
--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
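Review bot: The result of X509_digest() on the second `+` line of the -666,7 hunk is discarded, so when it fails (it returns 0 rather than 1) certfp is left unwritten while the function still frees the cert and returns 1 as if a fingerprint had been produced. Note also that X509_digest() treats its length argument as an output, not an input bound, so the initializer on the first `+` line does not limit the write; the buffer has to hold a full SHA-1 digest, which the replaced memcpy of sha1_hash suggests it already does, but that is now worth stating in a comment next to RB_SSL_CERTFP_LEN. I would check both: `if(X509_digest(cert, EVP_sha1(), certfp, &certfp_length) != 1 || certfp_length != RB_SSL_CERTFP_LEN)` and on that path call X509_free(cert) and take the function's existing failure return, which lies outside the hunk. rb_get_ssl_certfp starts before and continues after this hunk.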
@@ -662,10 +662,12 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
 if(cert != NULL)
 {
 res = SSL_get_verify_result((SSL *) F->ssl);
- if(res == X509_V_OK ||
- res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
- res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
- res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ if(
+ res == X509_V_OK ||
+ res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 {
 unsigned int certfp_length = RB_SSL_CERTFP_LEN;
 X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
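Review bot: The condition now accepts five distinct verification failures and nothing in the code says why, and the newly added X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY makes it even less obvious that this branch intentionally hands back fingerprints for certificates whose chain did not validate. A comment above the `if(` line would stop the next maintainer from tightening it by accident and would make the contract explicit for callers: `/* The verify results below are tolerated on purpose: the fingerprint identifies the presented cert, so a non-zero return must not be read as a CA-validated chain. */`. It would also help to note which chain shape each accepted code corresponds to (the commit title covers only the new one). As a style point, moving `if(` onto its own line re-diffs three conditions that did not change; keeping `if(res == X509_V_OK ||` intact and appending the one new `||` line gives a smaller hunk that shows only the real change. rb_get_ssl_certfp starts before and continues after this hunk.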