int openconnect_check_peer_cert_hash(struct openconnect_info *vpninfo,
const char *old_hash)
{
char sha1_text[41];
const char *fingerprint;
unsigned min_match_len;
unsigned real_min_match_len = 4;
unsigned old_len, fingerprint_len;
if (strchr(old_hash, ':')) {
if (strncmp(old_hash, "sha1:", 5) == 0) {
fingerprint = vpninfo->peer_cert_sha1;
min_match_len = real_min_match_len + sizeof("sha1:")-1;
} else if (strncmp(old_hash, "sha256:", 7) == 0) {
fingerprint = vpninfo->peer_cert_sha256;
min_match_len = real_min_match_len + sizeof("sha256:")-1;
} else {
vpn_progress(vpninfo, PRG_ERR, _("Unknown certificate hash: %s.\n"), old_hash);
return -EIO;
}
if (!fingerprint)
return -EIO;
} else {
unsigned char *cert;
int len, i;
unsigned char sha1_bin[SHA1_SIZE];
len = openconnect_get_peer_cert_DER(vpninfo, &cert);
if (len < 0)
return len;
if (openconnect_sha1(sha1_bin, cert, len))
return -EIO;
for (i = 0; i < sizeof(sha1_bin); i++)
sprintf(&sha1_text[i*2], "%02x", sha1_bin[i]);
fingerprint = sha1_text;
min_match_len = real_min_match_len;
}
old_len = strlen(old_hash);
fingerprint_len = strlen(fingerprint);
/* allow partial matches */
if (old_len < fingerprint_len) {
if (strncasecmp(old_hash, fingerprint, MAX(min_match_len, old_len))) {
if (old_len < min_match_len) {
vpn_progress(vpninfo, PRG_ERR, _("The size of the provided fingerprint is less than the minimum required (%u).\n"), real_min_match_len);
}
return 1;
}
} else {
if (strcasecmp(old_hash, fingerprint))
return 1;
}
return 0;
}
int openconnect_check_peer_cert_hash(struct openconnect_info *vpninfo,
const char *old_hash)
{
char sha1_text[41];
const char *fingerprint;
if (strchr(old_hash, ':')) {
fingerprint = openconnect_get_peer_cert_hash(vpninfo);
if (!fingerprint)
return -EIO;
} else {
unsigned char *cert;
int len, i;
unsigned char sha1_bin[SHA1_SIZE];
len = openconnect_get_peer_cert_DER(vpninfo, &cert);
if (len < 0)
return len;
if (openconnect_sha1(sha1_bin, cert, len))
return -EIO;
for (i = 0; i < sizeof(sha1_bin); i++)
sprintf(&sha1_text[i*2], "%02x", sha1_bin[i]);
fingerprint = sha1_text;
}
if (strcasecmp(old_hash, fingerprint))
return 1;
return 0;
}
/* special handling: callee-allocated, caller-freed binary buffer */
JNIEXPORT jbyteArray JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getPeerCertDER(
JNIEnv *jenv, jobject jobj)
{
struct libctx *ctx = getctx(jenv, jobj);
unsigned char *buf = NULL;
int ret;
jbyteArray jresult = NULL;
if (!ctx)
return NULL;
ret = openconnect_get_peer_cert_DER(ctx->vpninfo, &buf);
if (ret < 0)
return NULL;
jresult = (*ctx->jenv)->NewByteArray(ctx->jenv, ret);
if (jresult)
(*ctx->jenv)->SetByteArrayRegion(ctx->jenv, jresult, 0, ret, (jbyte *) buf);
openconnect_free_cert_info(ctx->vpninfo, buf);
return jresult;
}
