This one time, at band camp, Jaldhar H. Vyas said: > On Tue, 30 Oct 2007, Stephen Gran wrote: > > >This one time, at band camp, Stephen Gran said: > >>Hi there, > >> > >>I'm now using the attached patch to handle this. It seems to work (it's > >>only been in production for 24 hours or so). If it looks OK to you all, > >>would you mind seeing if it can go upstream? > > > >Oh, I should mention that the routine to extract the actual fingerprint > >is largely lifted straight from postfix - it's not attributed in the > >patch mostly due to my laziness, but I thought if you're planning to do > >anything with this patch, correct attribution would be a plus. > > Hmm Postfix says it is IBM Public License 1.0 that's not going to cause a > problem with the LGPL 2.1 (dovecot's license) is it?
I thought they were compatible, but if I'm wrong, it's a fairly trivial patch to rewrite in a clean room reimplementation. I'll just describe the logic here if anyone feels both that they're incomaptible and they want to reimplement so they can do it without looking at the patch: The only part that is from postfix is the function body in src/login-common/ssl-proxy-openssl.c, so I'll just describe that. function prototype as called by other parts of the code: const char *ssl_proxy_get_fingerprint(struct ssl_proxy *proxy) We use the standard openssl API to get the fingerprint out of the client cert: X509 *x509; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; x509 = SSL_get_peer_certificate(proxy->ssl); X509_digest(x509, EVP_md5(), md, &n); This gives us a digest length in n, and the digest itself in md. You need to set up a char * to receive the fingerprint that is 3 times n, as each element of md needs to be transformed into 2 char representations of hex characters, and you want to have the standard ':' delimited field, with a final trailing null. Obviously some checks to see whether it's a valid cert and so on are useful. That is it - I'm not sure it's really enough logic to be more than fair use, but I think that sort of thing isn't universally applicable, and I can imagine some people being more confortable with a rewrite if they think there is a potential for license conflict. Obviously, I'm already tainted, so I can't be any more help on that front :) The rest of the patch is my and Mark Hymer's work, so no issues there - feel free to use it as you see fit. Take care, -- ----------------------------------------------------------------- | ,''`. Stephen Gran | | : :' : [EMAIL PROTECTED] | | `. `' Debian user, admin, and developer | | `- http://www.debian.org | -----------------------------------------------------------------
signature.asc
Description: Digital signature
