ipsec-tools-0.2.5-0.3.100mdk.src.rpm

--- ipsec-tools-0.2.5/src/racoon/crypto_openssl.h.certfix	2004-04-05 08:46:37.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/crypto_openssl.h	2004-06-24 14:40:42.000000000 -0600
@@ -46,7 +46,7 @@
 
 extern vchar_t *eay_str2asn1dn __P((char *, int));
 extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *));
+extern int eay_check_x509cert __P((vchar_t *, char *, int));
 extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
 extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
 extern char *eay_get_x509text __P((vchar_t *));
--- ipsec-tools-0.2.5/src/racoon/crypto_openssl.c.certfix	2004-04-05 08:47:32.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/crypto_openssl.c	2004-06-24 14:40:42.000000000 -0600
@@ -107,7 +107,8 @@
  */
 
 #ifdef HAVE_SIGNING_C
-static int cb_check_cert __P((int, X509_STORE_CTX *));
+static int cb_check_cert_local __P((int, X509_STORE_CTX *));
+static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
 static X509 *mem2x509 __P((vchar_t *));
 #endif
 
@@ -228,9 +229,10 @@
  * this functions is derived from apps/verify.c in OpenSSL0.9.5
  */
 int
-eay_check_x509cert(cert, CApath)
+eay_check_x509cert(cert, CApath, local)
 	vchar_t *cert;
 	char *CApath;
+	int local;
 {
 	X509_STORE *cert_ctx = NULL;
 	X509_LOOKUP *lookup = NULL;
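Review bot: The new `local` parameter is undocumented: the header comment above eay_check_x509cert (visible at the top of this hunk) still describes only the OpenSSL origin, and the two callers in this patch pass bare literals (`0` in oakley.c, `1` in eaytest.c), so a reader cannot tell which value is the lenient path. I would extend that comment with something like `local: non-zero when cert comes from a locally configured file (peers_certfile) and is checked with the more tolerant cb_check_cert_local(); zero for certificates received in an IKE payload, which use cb_check_cert_remote().` A named pair of constants would make the call sites self-explanatory, but the comment is the minimum. The body of eay_check_x509cert continues past the end of this hunk.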
@@ -252,7 +254,11 @@
 	cert_ctx = X509_STORE_new();
 	if (cert_ctx == NULL)
 		goto end;
-	X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
+
+	if (local)
+		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
+	else
+		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
 
 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 	if (lookup == NULL)
@@ -309,11 +315,14 @@
 }
 
 /*
- * callback function for verifing certificate.
- * this function is derived from cb() in openssl/apps/s_server.c
+ * Callback function for verifing certificate.
+ * Derived from cb() in openssl/apps/s_server.c
+ *
+ * This one is called for certificates obtained from 
+ * 'peers_certfile' directive.
  */
 static int
-cb_check_cert(ok, ctx)
+cb_check_cert_local(ok, ctx)
 	int ok;
 	X509_STORE_CTX *ctx;
 {
@@ -334,9 +343,8 @@
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
-		case X509_V_ERR_INVALID_CA:
-		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 		case X509_V_ERR_INVALID_PURPOSE:
+		case X509_V_ERR_UNABLE_TO_GET_CRL:
 #endif
 			ok = 1;
 			log_tag = LLV_WARNING;
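Review bot: `X509_V_ERR_UNABLE_TO_GET_CRL` is added inside the `#if OPENSSL_VERSION_NUMBER >= 0x00905100L` block here, yet cb_check_cert_remote in the next hunk uses the same constant with no version guard, so the two callbacks disagree about whether it needs one; either the guard is unnecessary for this case (then place the new `case` above the `#if` to say so) or the remote callback will not build on the older OpenSSL the guard exists for. It is also worth recording in the comment above cb_check_cert_local that expired, depth-zero self-signed, invalid-purpose and missing-CRL results are downgraded to warnings only because these certificates come from an administrator-supplied file, since that tolerance is the whole reason for the split. cb_check_cert_local begins and ends outside this hunk.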
@@ -344,21 +352,50 @@
 		default:
 			log_tag = LLV_ERROR;
 		}
-#ifndef EAYDEBUG
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
 			X509_verify_cert_error_string(ctx->error),
 			ctx->error,
 			ctx->error_depth,
 			buf);
-#else
-		printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
-			log_tag,
+	}
+	ERR_clear_error();
+
+	return ok;
+}
+
+/*
+ * Similar to cb_check_cert_local() but this one is called 
+ * for certificates obtained from the IKE payload.
+ */
+static int
+cb_check_cert_remote(ok, ctx)
+	int ok;
+	X509_STORE_CTX *ctx;
+{
+	char buf[256];
+	int log_tag;
+
+	if (!ok) {
+		X509_NAME_oneline(
+				X509_get_subject_name(ctx->current_cert),
+				buf,
+				256);
+
+		switch (ctx->error) {
+		case X509_V_ERR_UNABLE_TO_GET_CRL:
+			ok = 1;
+			log_tag = LLV_WARNING;
+			break;
+		default:
+			log_tag = LLV_ERROR;
+		}
+		plog(log_tag, LOCATION, NULL,
+			"%s(%d) at depth:%d SubjectName:%s\n",
 			X509_verify_cert_error_string(ctx->error),
 			ctx->error,
 			ctx->error_depth,
 			buf);
-#endif
 	}
 	ERR_clear_error();
 
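Review bot: In cb_check_cert_remote the only overridden result is `X509_V_ERR_UNABLE_TO_GET_CRL`, which is turned into `ok = 1` at every `ctx->error_depth`, so when CRL checking is enabled on the store an unavailable CRL becomes a soft failure for a certificate received from the peer; whether that is the intended policy is not visible here, but it deserves a comment on the `case` line such as `/* missing CRL only warns: revocation is best-effort for peer certs */` so the choice is explicit rather than implicit. On the buffer side, the literal `256` is repeated in the `X509_NAME_oneline` call; `X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof buf);` keeps the bound tied to the declaration. Whether `ctx->current_cert` can be NULL for this error is not established by the hunk, so a reader would also want a one-line note on that assumption. The closing `return ok;` of cb_check_cert_remote lies past the end of this hunk.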
@@ -397,11 +434,7 @@
 
    end:
 	if (error) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
-		printf("%s\n", eay_strerror());
-#endif
 		if (name) {
 			vfree(name);
 			name = NULL;
@@ -455,10 +488,8 @@
 
 	/* make sure if the data is terminated by '\0'. */
 	if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"data is not terminated by '\0'.");
-#endif
 		hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
 		goto end;
 	}
@@ -479,11 +510,7 @@
 			racoon_free(*altname);
 			*altname = NULL;
 		}
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
-		printf("%s\n", eay_strerror());
-#endif
 	}
 	if (x509)
 		X509_free(x509);
@@ -535,11 +562,7 @@
 			racoon_free(text);
 			text = NULL;
 		}
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
-		printf("%s\n", eay_strerror());
-#endif
 	}
 	if (bio)
 		BIO_free(bio);
@@ -671,17 +694,13 @@
 
 	x509 = d2i_X509(NULL, &bp, cert->l);
 	if (x509 == NULL) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 		return -1;
 	}
 
 	evp = X509_get_pubkey(x509);
 	if (! evp) {
-#ifndef EAYDEBUG
 	  plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey: %s\n", eay_strerror());
-#endif
 	  return -1;
 	}
 
@@ -898,18 +917,14 @@
 	len = RSA_size(evp->pkey.rsa);
 	xbuf = vmalloc(len);
 	if (xbuf == NULL) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 		EVP_PKEY_free(evp);
 		return -1;
 	}
 
 	len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad);
-#ifndef EAYDEBUG
 	if (len == 0 || len != src->l)
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 	EVP_PKEY_free(evp);
 	if (len == 0 || len != src->l) {
 		vfree(xbuf);
@@ -1597,12 +1612,8 @@
 	(void)racoon_free(c);
 
 	if (SHA512_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_512 length mismatch %d.\n", res->l);
-#else
-		printf("hmac sha2_512 length mismatch %d.\n", res->l);
-#endif
 		vfree(res);
 		return NULL;
 	}
@@ -1657,12 +1668,8 @@
 	(void)racoon_free(c);
 
 	if (SHA384_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_384 length mismatch %d.\n", res->l);
-#else
-		printf("hmac sha2_384 length mismatch %d.\n", res->l);
-#endif
 		vfree(res);
 		return NULL;
 	}
@@ -1717,12 +1724,8 @@
 	(void)racoon_free(c);
 
 	if (SHA256_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_256 length mismatch %d.\n", res->l);
-#else
-		printf("hmac sha2_256 length mismatch %d.\n", res->l);
-#endif
 		vfree(res);
 		return NULL;
 	}
@@ -1778,12 +1781,8 @@
 	(void)racoon_free(c);
 
 	if (SHA_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha1 length mismatch %d.\n", res->l);
-#else
-		printf("hmac sha1 length mismatch %d.\n", res->l);
-#endif
 		vfree(res);
 		return NULL;
 	}
@@ -1838,12 +1837,8 @@
 	(void)racoon_free(c);
 
 	if (MD5_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac md5 length mismatch %d.\n", res->l);
-#else
-		printf("hmac md5 length mismatch %d.\n", res->l);
-#endif
 		vfree(res);
 		return NULL;
 	}
--- ipsec-tools-0.2.5/src/racoon/oakley.c.certfix	2004-01-19 10:45:43.000000000 -0700
+++ ipsec-tools-0.2.5/src/racoon/oakley.c	2004-06-24 14:40:42.000000000 -0600
@@ -1323,7 +1323,7 @@
 			switch (iph1->rmconf->certtype) {
 			case ISAKMP_CERT_X509SIGN:
 				error = eay_check_x509cert(&iph1->cert_p->cert,
-					lcconf->pathinfo[LC_PATHTYPE_CERT]);
+					lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
 				break;
 			default:
 				plog(LLV_ERROR, LOCATION, NULL,
--- ipsec-tools-0.2.5/src/racoon/eaytest.c.certfix	2004-01-19 10:45:42.000000000 -0700
+++ ipsec-tools-0.2.5/src/racoon/eaytest.c	2004-06-24 14:52:48.000000000 -0600
@@ -59,7 +59,7 @@
 
 #define PVDUMP(var) hexdump((var)->v, (var)->l)
 
-u_int32_t loglevel = 4;
+int f_foreground = 1;
 
 /* prototype */
 
@@ -275,7 +275,7 @@
 		}
 	    }
 
-		error = eay_check_x509cert(&c, certpath);
+		error = eay_check_x509cert(&c, certpath, 1);
 		if (error)
 			printf("ERROR: cert is invalid.\n");
 		printf("\n");
--- ipsec-tools-0.2.5/src/racoon/Makefile.in.certfix	2004-06-24 14:54:38.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/Makefile.in	2004-06-24 14:56:17.000000000 -0600
@@ -40,7 +40,7 @@
 
 RACOON_OBJS = $(OBJS) @LIBOBJS@ @CRYPTOBJS@ @DEBUGRMOBJS@
 RACOON_CTL_OBJS = kmpstat.o vmbuf.o str2val.o
-EAYTEST_OBJS = eaytest.o vmbuf.o str2val.o
+EAYTEST_OBJS = eaytest.o vmbuf.o str2val.o plog.o logger.o
 
 all: $(PROG)