csd_argv[i++] = "\"0\"";
csd_argv[i++] = "-group";
asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"");
- get_cert_md5_fingerprint(cert, certbuf);
+ get_cert_md5_fingerprint(vpninfo, cert, certbuf);
csd_argv[i++] = "-certhash";
asprintf(&csd_argv[i++], "\"%s:%s\"", certbuf, vpninfo->cert_md5_fingerprint ?: "");
csd_argv[i++] = "-url";
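Review bot: The return value of get_cert_md5_fingerprint() on the new line is discarded, so if X509_digest() fails (the function returns -ENOMEM in that case) certbuf is never written and its uninitialized contents are formatted into the `-certhash` argument two lines later. The call should be checked before certbuf is used, e.g. `if (get_cert_md5_fingerprint(vpninfo, cert, certbuf)) certbuf[0] = '\0';` or, better, abort the CSD launch with the error. The enclosing function begins and ends outside this hunk, so the right error path cannot be seen from here.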
int ret = 0;
cert_data *data;
- ret = get_cert_sha1_fingerprint(peer_cert, fingerprint);
+ ret = get_cert_sha1_fingerprint(vpninfo, peer_cert, fingerprint);
if (ret)
return ret;
char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
X509 *cert = SSL_get_peer_certificate(vpninfo->https_ssl);
- if (cert && !get_cert_sha1_fingerprint(cert, fingerprint))
+ if (cert && !get_cert_sha1_fingerprint(vpninfo, cert, fingerprint))
printf("gwcert\n%s\n", fingerprint);
}
int openconnect_SSL_gets(SSL *ssl, char *buf, size_t len);
int openconnect_open_https(struct openconnect_info *vpninfo);
void openconnect_close_https(struct openconnect_info *vpninfo);
-int get_cert_md5_fingerprint(X509 *cert, char *buf);
-int get_cert_sha1_fingerprint(X509 *cert, char *buf);
+int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
+ char *buf);
+int get_cert_sha1_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
+ char *buf);
void report_ssl_errors(struct openconnect_info *vpninfo);
int passphrase_from_fsid(struct openconnect_info *vpninfo);
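Review bot: The new prototypes for get_cert_md5_fingerprint() and get_cert_sha1_fingerprint() do not document the buffer contract, which is the one thing a caller can get wrong: every caller visible in this patch sizes buf as `EVP_MAX_MD_SIZE * 2 + 1`, and the implementation writes hex pairs with sprintf() and relies on the final pair's NUL for termination. A short comment above the pair would pin this: `/* buf must hold EVP_MAX_MD_SIZE * 2 + 1 bytes; fills it with the NUL-terminated hex digest. Returns 0 on success or a negative errno. */`. It would also be worth stating that the MD5 variant exists only for the CSD `-certhash` protocol field, if that is the case, so nobody reuses it for verification.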
}
if (cert) {
SSL_CTX_use_certificate(vpninfo->https_ctx, cert);
- get_cert_md5_fingerprint(cert, certbuf);
+ get_cert_md5_fingerprint(vpninfo, cert, certbuf);
vpninfo->cert_md5_fingerprint = strdup(certbuf);
X509_free(cert);
} else {
return 0;
}
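Review bot: On the new line the result of get_cert_md5_fingerprint() is ignored, and the very next line strdup()s certbuf into vpninfo->cert_md5_fingerprint; on a digest failure that stores a copy of uninitialized stack memory that is later sent to the CSD helper as a certificate hash. Check it before the strdup, along the lines of `if (get_cert_md5_fingerprint(vpninfo, cert, certbuf)) { X509_free(cert); return -EINVAL; }`, using whatever error convention the enclosing function follows (its start lies outside this hunk). The strdup() result is also unchecked, but that predates this change.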
-int get_cert_md5_fingerprint(X509 *cert, char *buf)
+enum cert_hash_type {
+ EVP_MD5,
+ EVP_SHA1
+};
+
+static int get_cert_fingerprint(struct openconnect_info *vpninfo,
+ X509 *cert, enum cert_hash_type hash,
+ char *buf)
{
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int i, n;
- if (!X509_digest(cert, EVP_md5(), md, &n))
- return -ENOMEM;
+ switch (hash) {
+ case EVP_MD5:
+ if (!X509_digest(cert, EVP_md5(), md, &n))
+ return -ENOMEM;
+ break;
+ case EVP_SHA1:
+ if (!X509_digest(cert, EVP_sha1(), md, &n))
+ return -ENOMEM;
+ break;
+ default:
+ vpninfo->progress(vpninfo, PRG_ERR,
+ "Unsupported SSL certificate hash function type\n");
+ }
for (i=0; i < n; i++) {
sprintf(&buf[i*2], "%02X", md[i]);
return 0;
}
-int get_cert_sha1_fingerprint(X509 *cert, char *buf)
+int get_cert_md5_fingerprint(struct openconnect_info *vpninfo,
+ X509 *cert, char *buf)
{
- unsigned char md[EVP_MAX_MD_SIZE];
- unsigned int i, n;
-
- if (!X509_digest(cert, EVP_sha1(), md, &n))
- return -ENOMEM;
+ return get_cert_fingerprint(vpninfo, cert, EVP_MD5, buf);
+}
- for (i=0; i < n; i++) {
- sprintf(&buf[i*2], "%02x", md[i]);
- }
- return 0;
+int get_cert_sha1_fingerprint(struct openconnect_info *vpninfo,
+ X509 *cert, char *buf)
+{
+ return get_cert_fingerprint(vpninfo, cert, EVP_SHA1, buf);
}
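Review bot: The `default:` branch of the switch in get_cert_fingerprint() logs the error but does not return, so execution falls through to the hex loop with `n` and `md` uninitialized and the function then reports success with garbage (or nothing) in buf; add `return -EINVAL;` after the progress() call. Separately, the unified loop formats with `%02X` for both digests, whereas the removed SHA1 implementation used lowercase `%02x`; if check_server_cert compares this string case-sensitively against a user-supplied fingerprint (the comparison is outside this hunk), lowercase values that matched before this commit will stop matching, so either keep `%02x` for the SHA1 path or confirm the comparison is case-insensitive. The error text could also name the unexpected value, e.g. `"Unsupported SSL certificate hash function type %d\n", hash`, to make the impossible case diagnosable.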
static int check_server_cert(struct openconnect_info *vpninfo, X509 *cert)
char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
int ret;
- ret = get_cert_sha1_fingerprint(cert, fingerprint);
+ ret = get_cert_sha1_fingerprint(vpninfo, cert, fingerprint);
if (ret)
return ret;