diff --git a/src/shrpx_log.cc b/src/shrpx_log.cc
index c803378c..7c27236f 100644
--- a/src/shrpx_log.cc
+++ b/src/shrpx_log.cc
@@ -544,7 +544,8 @@ void upstream_accesslog(const std::vector &lfv,
 break;
 }
 std::array buf;
- auto len = tls::get_x509_fingerprint(buf.data(), buf.size(), x);
+ auto len =
+ tls::get_x509_fingerprint(buf.data(), buf.size(), x, EVP_sha256());
 X509_free(x);
 if (len <= 0) {
 std::tie(p, last) = copy('-', p, last);
diff --git a/src/shrpx_mruby_module_env.cc b/src/shrpx_mruby_module_env.cc
index 5a7b9469..5729e1c7 100644
--- a/src/shrpx_mruby_module_env.cc
+++ b/src/shrpx_mruby_module_env.cc
@@ -160,7 +160,8 @@ mrb_value env_get_tls_client_fingerprint(mrb_state *mrb, mrb_value self) {
 // Fingerprint is SHA-256, so we need 32 bytes buffer.
 std::array buf;
- auto slen = tls::get_x509_fingerprint(buf.data(), buf.size(), x);
+ auto slen =
+ tls::get_x509_fingerprint(buf.data(), buf.size(), x, EVP_sha256());
 X509_free(x);
 if (slen == -1) {
 mrb_raise(mrb, E_RUNTIME_ERROR, "could not compute client fingerprint");
diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index 806ae103..8126b5ce 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -1920,10 +1920,10 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
 return 0;
 }
-ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, X509 *x) {
- assert(dstlen >= 32);
+ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
+ const EVP_MD *md) {
 unsigned int len = dstlen;
- if (X509_digest(x, EVP_sha256(), dst, &len) != 1) {
+ if (X509_digest(x, md, dst, &len) != 1) {
 return -1;
 }
 return len;
diff --git a/src/shrpx_tls.h b/src/shrpx_tls.h
index 6fd8d2b6..87ed7f3e 100644
--- a/src/shrpx_tls.h
+++ b/src/shrpx_tls.h
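Review bot: The fixed size of `buf` is now the only thing keeping the SHA-256 digest from overrunning it, because the callee's `assert(dstlen >= 32)` is removed in this same commit and the digest is chosen at this call site with `EVP_sha256()`. The mruby caller documents that coupling with a comment; this call site should too, e.g. `// Fingerprint is SHA-256 (EVP_sha256()), so buf must hold 32 bytes.` placed above the `std::array` declaration. The array's element type and size are not visible in this extract, so confirm the declared size is at least `EVP_MD_size(EVP_sha256())`. upstream_accesslog starts and ends outside the hunk.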
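Review bot: Removing `assert(dstlen >= 32)` leaves get_x509_fingerprint with no guard on the destination size at all, and `unsigned int len = dstlen;` does not provide one: as far as I recall, OpenSSL's X509_digest treats |len| as output-only and always writes EVP_MD_size(md) bytes into |dst|, so a caller passing a buffer shorter than the selected digest gets a buffer overflow instead of a -1. Since the digest is now caller-selected, the precondition should be a runtime check rather than a debug-only assert: `if (md == nullptr || dstlen < static_cast<size_t>(EVP_MD_size(md))) { return -1; }` before the X509_digest call. The size_t-to-unsigned-int narrowing in `unsigned int len = dstlen;` is harmless once that check exists, but `unsigned int len = 0;` would make it clearer that the value is not an input bound.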
@@ -269,10 +269,12 @@ int proto_version_from_string(const StringRef &v);
 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
 size_t ocsp_resplen);
-// Stores SHA-256 fingerprint of |x| in |dst| of length |dstlen|.
-// |dstlen| must be larger than 32 bytes. This function returns the
-// number of bytes written in |dst|, or -1.
-ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, X509 *x);
+// Stores fingerprint of |x| in |dst| of length |dstlen|. |md|
+// specifies hash function to use, and |dstlen| must be large enough
+// to include hash value (e.g., 32 bytes for SHA-256). This function
+// returns the number of bytes written in |dst|, or -1.
+ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
+ const EVP_MD *md);
 // Returns subject name of |x|. If this function fails to get subject
 // name, it returns an empty string.
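Review bot: The new comment says |dstlen| "must be large enough" but does not say what happens when it is not, and the matching implementation in this commit drops the only size check it had, so a reader cannot tell whether a short buffer yields -1 or undefined behaviour. State the contract precisely, e.g. `// |dstlen| must be at least EVP_MD_size(md) bytes (32 for SHA-256);` followed by either `// a shorter buffer makes this function return -1.` if the implementation is made to check it, or `// this is not checked.` if it is not. It would also help to say that |md| must be non-null, since it is passed straight to X509_digest.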