Introduce semi-opaque OPENCONNECT_X509 type in library API

We offer functions to do everything that a user might want to do with the cert, including one that returns it in DER form. The *only* reason this isn't a completely opaque type is backward-compatibility. When we change the soname, it'll be opaque. For now, let it actually be an X509* for OpenSSL or a gnutls_x509_crt_t for GnuTLS. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · May 29, 2012 · e3ebe90 · e3ebe90
1 parent d8995a7
commit e3ebe90
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 15 deletions.
diff --git a/library.c b/library.c
@@ -155,7 +155,7 @@ void openconnect_set_client_cert (struct openconnect_info *vpninfo, char *cert,
 		vpninfo->sslkey = cert;
 }
 
-struct x509_st *openconnect_get_peer_cert (struct openconnect_info *vpninfo)
+OPENCONNECT_X509 *openconnect_get_peer_cert (struct openconnect_info *vpninfo)
 {
 	return vpninfo->peer_cert;
 }

diff --git a/main.c b/main.c
@@ -63,7 +63,8 @@ static void write_progress(void *_vpninfo,
 static void syslog_progress(void *_vpninfo,
 			    int level, const char *fmt, ...);
 static int validate_peer_cert(void *_vpninfo,
-			      X509 *peer_cert, const char *reason);
+			      OPENCONNECT_X509 *peer_cert,
+			      const char *reason);
 static int process_auth_form(void *_vpninfo,
 			     struct oc_auth_form *form);
 
@@ -877,15 +878,15 @@ void syslog_progress(void *_vpninfo, int level, const char *fmt, ...)
 
 struct accepted_cert {
 	struct accepted_cert *next;
-	char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
+	char fingerprint[SHA1_SIZE * 2 + 1];
 	char host[0];
 } *accepted_certs;
 
-static int validate_peer_cert(void *_vpninfo, X509 *peer_cert,
+static int validate_peer_cert(void *_vpninfo, OPENCONNECT_X509 *peer_cert,
 			      const char *reason)
 {
 	struct openconnect_info *vpninfo = _vpninfo;
-	char fingerprint[EVP_MAX_MD_SIZE * 2 + 1];
+	char fingerprint[SHA1_SIZE * 2 + 1];
 	struct accepted_cert *this;
 	int ret;
 

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -138,7 +138,7 @@ struct openconnect_info {
 	int uid_csd_given;
 	int no_http_keepalive;
 
-	X509 *peer_cert;
+	OPENCONNECT_X509 *peer_cert;
 
 	char *cookie; /* Pointer to within cookies list */
 	struct vpn_option *cookies;
@@ -291,7 +291,7 @@ int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t le
 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
 int openconnect_open_https(struct openconnect_info *vpninfo);
 void openconnect_close_https(struct openconnect_info *vpninfo);
-int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
+int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
 			     char *buf);
 /* This one is actually OpenSSL-specific */
 void openconnect_report_ssl_errors(struct openconnect_info *vpninfo);

diff --git a/openconnect.h b/openconnect.h
@@ -119,21 +119,29 @@ struct oc_auth_form {
 #define PRG_TRACE	3
 
 struct openconnect_info;
-/* We don't want to have to pull in OpenSSL stuff just for this */
+
+#if defined (OPENCONNECT_OPENSSL)
 struct x509_st;
+#define OPENCONNECT_X509 struct x509_st
+#elif defined (OPENCONNECT_GNUTLS)
+struct gnutls_x509_crt_int;
+#define OPENCONNECT_X509 struct gnutls_x509_crt_int
+#else
+#error You are not building correctly using pkg-config.
+#endif
 
 
 
 /* Unless otherwise specified, all functions which set strings will take ownership of those strings
    and should free them later in openconnect_vpninfo_free() */
 int openconnect_get_cert_sha1(struct openconnect_info *vpninfo,
-			      struct x509_st *cert, char *buf);
+			      OPENCONNECT_X509 *cert, char *buf);
 char *openconnect_get_cert_details(struct openconnect_info *vpninfo,
-				   struct x509_st *cert);
+				   OPENCONNECT_X509 *cert);
 /* Returns the length of the created DER output, in a newly-allocated buffer
    that will need to be freed by the caller. */
 int openconnect_get_cert_DER(struct openconnect_info *vpninfo,
-			     struct x509_st *cert, unsigned char **buf);
+			     OPENCONNECT_X509 *cert, unsigned char **buf);
 int openconnect_set_http_proxy(struct openconnect_info *vpninfo, char *proxy);
 int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo);
 int openconnect_obtain_cookie(struct openconnect_info *vpninfo);
@@ -157,7 +165,7 @@ void openconnect_set_client_cert (struct openconnect_info *, char *cert, char *s
  * will be valid when a cookie has been obtained successfully, and will
  * be valid until the connection is destroyed or another attempt it made
  * to use it. */
-struct x509_st *openconnect_get_peer_cert (struct openconnect_info *);
+OPENCONNECT_X509 *openconnect_get_peer_cert (struct openconnect_info *);
 
 int openconnect_get_port (struct openconnect_info *);
 char *openconnect_get_cookie (struct openconnect_info *);
@@ -194,8 +202,8 @@ const char *openconnect_get_version(void);
    if the certificate is (or has in the past been) explicitly accepted
    by the user, and non-zero to abort the connection. */
 typedef int (*openconnect_validate_peer_cert_vfn) (void *privdata,
-						  struct x509_st *cert,
-						  const char *reason);
+						   OPENCONNECT_X509 *cert,
+						   const char *reason);
 /* On a successful connection, the server may provide us with a new XML
    configuration file. This contains the list of servers that can be
    chosen by the user to connect to, amongst other stuff that we mostly
@@ -229,7 +237,7 @@ void openconnect_vpninfo_free (struct openconnect_info *vpninfo);
    vpninfo instead of a caller-provided pointer. You probably don't want to
    use these; they're here for compatibility only. */
 typedef int (*openconnect_validate_peer_cert_fn) (struct openconnect_info *,
-						  struct x509_st *cert,
+						  OPENCONNECT_X509 *cert,
 						  const char *reason);
 typedef int (*openconnect_write_new_config_fn) (struct openconnect_info *, char *buf,
 						int buflen);