Use common implementation for get_cert_XYZ_fingerprint() functions
authorAdam Piątyszek <ediap@users.sourceforge.net>
Sun, 2 Aug 2009 18:24:58 +0000 (20:24 +0200)
committerAdam Piątyszek <ediap@users.sourceforge.net>
Tue, 4 Aug 2009 12:05:51 +0000 (14:05 +0200)
Specialized functions get_cert_md5_fingerprint() and
get_cert_sha1_fingerprint() now call the common get_cert_fingerprint() function.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
http.c
nm-auth-dialog.c
openconnect.h
ssl.c

diff --git a/http.c b/http.c
index 46da75d..bdfb66f 100644 (file)
--- a/http.c
+++ b/http.c
@@ -333,7 +333,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
                csd_argv[i++] = "\"0\"";
                csd_argv[i++] = "-group";
                asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"");
-               get_cert_md5_fingerprint(cert, certbuf);
+               get_cert_md5_fingerprint(vpninfo, cert, certbuf);
                csd_argv[i++] = "-certhash";
                asprintf(&csd_argv[i++], "\"%s:%s\"", certbuf, vpninfo->cert_md5_fingerprint ?: "");
                csd_argv[i++] = "-url";
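Review bot: The return value of `get_cert_md5_fingerprint()` is discarded on the new line and `certbuf` is formatted into the `-certhash` argument two lines later; on digest failure the function returns without writing `buf` (it returns -ENOMEM in the ssl.c hunk below), so the CSD script would receive whatever `certbuf` held before. Either propagate the failure or make the argument well-defined, e.g. `if (get_cert_md5_fingerprint(vpninfo, cert, certbuf)) certbuf[0] = '\0';`. run_csd_script() starts and ends outside this hunk, so whether `certbuf` is zero-initialized there is not visible.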
index 34fcff9..3c4afd7 100644 (file)
@@ -683,7 +683,7 @@ static int validate_peer_cert(struct openconnect_info *vpninfo,
        int ret = 0;
        cert_data *data;
 
-       ret = get_cert_sha1_fingerprint(peer_cert, fingerprint);
+       ret = get_cert_sha1_fingerprint(vpninfo, peer_cert, fingerprint);
        if (ret)
                return ret;
 
@@ -1068,7 +1068,7 @@ static void print_peer_cert(struct openconnect_info *vpninfo)
        char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
        X509 *cert = SSL_get_peer_certificate(vpninfo->https_ssl);
 
-       if (cert && !get_cert_sha1_fingerprint(cert, fingerprint))
+       if (cert && !get_cert_sha1_fingerprint(vpninfo, cert, fingerprint))
                printf("gwcert\n%s\n", fingerprint);
 }
 
index c5d3288..2ace6ea 100644 (file)
@@ -277,8 +277,10 @@ int  __attribute__ ((format (printf, 2, 3)))
 int openconnect_SSL_gets(SSL *ssl, char *buf, size_t len);
 int openconnect_open_https(struct openconnect_info *vpninfo);
 void openconnect_close_https(struct openconnect_info *vpninfo);
-int get_cert_md5_fingerprint(X509 *cert, char *buf);
-int get_cert_sha1_fingerprint(X509 *cert, char *buf);
+int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
+                            char *buf);
+int get_cert_sha1_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
+                             char *buf);
 void report_ssl_errors(struct openconnect_info *vpninfo);
 int passphrase_from_fsid(struct openconnect_info *vpninfo);
 
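Review bot: The new prototypes do not state the contract callers must satisfy for `buf`; every visible caller allocates `char fingerprint[EVP_MAX_MD_SIZE * 2 + 1]`, and the implementation writes `2 * n` hex characters plus a NUL via sprintf() with no length argument. A comment above the two declarations would prevent an undersized buffer from being passed: `/* buf must hold at least EVP_MAX_MD_SIZE * 2 + 1 bytes (hex digest plus NUL); returns 0 on success, negative errno on failure */`.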
diff --git a/ssl.c b/ssl.c
index 97c11fe..75c4505 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -147,7 +147,7 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12
        }
        if (cert) {
                SSL_CTX_use_certificate(vpninfo->https_ctx, cert);
-               get_cert_md5_fingerprint(cert, certbuf);
+               get_cert_md5_fingerprint(vpninfo, cert, certbuf);
                vpninfo->cert_md5_fingerprint = strdup(certbuf);
                X509_free(cert);
        } else {
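Review bot: The new call still ignores the result of `get_cert_md5_fingerprint()` and then `strdup()`s `certbuf` on the next line, so a failed digest stores stale or uninitialized bytes in `vpninfo->cert_md5_fingerprint` and the later `-certhash` argument is built from it. Check the return before the strdup, e.g. `if (!get_cert_md5_fingerprint(vpninfo, cert, certbuf)) vpninfo->cert_md5_fingerprint = strdup(certbuf);`, and consider also checking the `strdup()` result. load_pkcs12_certificate() begins and ends outside this hunk.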
@@ -343,13 +343,31 @@ static int load_certificate(struct openconnect_info *vpninfo)
        return 0;
 }
 
-int get_cert_md5_fingerprint(X509 *cert, char *buf)
+enum cert_hash_type {
+       EVP_MD5,
+       EVP_SHA1
+};
+
+static int get_cert_fingerprint(struct openconnect_info *vpninfo,
+                               X509 *cert, enum cert_hash_type hash,
+                               char *buf)
 {
        unsigned char md[EVP_MAX_MD_SIZE];
        unsigned int i, n;
 
-       if (!X509_digest(cert, EVP_md5(), md, &n))
-               return -ENOMEM;
+       switch (hash) {
+       case EVP_MD5:
+               if (!X509_digest(cert, EVP_md5(), md, &n))
+                       return -ENOMEM;
+               break;
+       case EVP_SHA1:
+               if (!X509_digest(cert, EVP_sha1(), md, &n))
+                       return -ENOMEM;
+               break;
+       default:
+               vpninfo->progress(vpninfo, PRG_ERR,
+                                 "Unsupported SSL certificate hash function type\n");
+       }
 
        for (i=0; i < n; i++) {
                sprintf(&buf[i*2], "%02X", md[i]);
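Review bot: The `default:` arm of the new switch in get_cert_fingerprint() only logs and then falls into the hex loop with `n` and `md` uninitialized, so an unsupported `hash` value reads indeterminate data into `buf` and (per the `return 0;` that follows in the next hunk) still reports success to the caller. It should leave the function instead: `default: vpninfo->progress(vpninfo, PRG_ERR, "Unsupported SSL certificate hash function type\n"); return -EINVAL;`. As a point of style, the enumerators `EVP_MD5` and `EVP_SHA1` sit in OpenSSL's `EVP_` prefix space and read like library names; something like `CERT_HASH_MD5`/`CERT_HASH_SHA1` would avoid confusion with `EVP_md5()`/`EVP_sha1()`. The function's closing lines are outside this hunk.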
@@ -357,18 +375,16 @@ int get_cert_md5_fingerprint(X509 *cert, char *buf)
        return 0;
 }
 
-int get_cert_sha1_fingerprint(X509 *cert, char *buf)
+int get_cert_md5_fingerprint(struct openconnect_info *vpninfo,
+                            X509 *cert, char *buf)
 {
-       unsigned char md[EVP_MAX_MD_SIZE];
-       unsigned int i, n;
-
-       if (!X509_digest(cert, EVP_sha1(), md, &n))
-               return -ENOMEM;
+       return get_cert_fingerprint(vpninfo, cert, EVP_MD5, buf);
+}
 
-       for (i=0; i < n; i++) {
-               sprintf(&buf[i*2], "%02x", md[i]);
-       }
-       return 0;
+int get_cert_sha1_fingerprint(struct openconnect_info *vpninfo,
+                             X509 *cert, char *buf)
+{
+       return get_cert_fingerprint(vpninfo, cert, EVP_SHA1, buf);
 }
 
 static int check_server_cert(struct openconnect_info *vpninfo, X509 *cert)
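Review bot: The SHA-1 wrapper now inherits the common function's `"%02X"` format, whereas the removed implementation used `"%02x"`, so SHA-1 fingerprints silently change from lowercase to uppercase hex while MD5 output is unchanged. If check_server_cert() or validate_peer_cert() (their comparisons are not visible here) match the result against a stored or user-supplied fingerprint with a case-sensitive `strcmp()`, previously saved lowercase values will stop matching. Either keep the original casing per hash, compare with `strcasecmp()` at the call sites, or at least record the output change in the commit message.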
@@ -376,7 +392,7 @@ static int check_server_cert(struct openconnect_info *vpninfo, X509 *cert)
        char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
        int ret;
 
-       ret = get_cert_sha1_fingerprint(cert, fingerprint);
+       ret = get_cert_sha1_fingerprint(vpninfo, cert, fingerprint);
        if (ret)
                return ret;