--- ipsec-tools-0.2.5/src/racoon/crypto_openssl.h.certfix 2004-04-05 08:46:37.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/crypto_openssl.h 2004-06-24 14:40:42.000000000 -0600
@@ -46,7 +46,7 @@
 extern vchar_t *eay_str2asn1dn __P((char *, int));
 extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *));
+extern int eay_check_x509cert __P((vchar_t *, char *, int));
 extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
 extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
 extern char *eay_get_x509text __P((vchar_t *));
--- ipsec-tools-0.2.5/src/racoon/crypto_openssl.c.certfix 2004-04-05 08:47:32.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/crypto_openssl.c 2004-06-24 14:40:42.000000000 -0600
@@ -107,7 +107,8 @@
 */
 #ifdef HAVE_SIGNING_C
-static int cb_check_cert __P((int, X509_STORE_CTX *));
+static int cb_check_cert_local __P((int, X509_STORE_CTX *));
+static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
 static X509 *mem2x509 __P((vchar_t *));
 #endif
@@ -228,9 +229,10 @@
 * this functions is derived from apps/verify.c in OpenSSL0.9.5
 */
 int
-eay_check_x509cert(cert, CApath)
+eay_check_x509cert(cert, CApath, local)
 vchar_t *cert;
 char *CApath;
+ int local;
 {
 X509_STORE *cert_ctx = NULL;
 X509_LOOKUP *lookup = NULL;
@@ -252,7 +254,11 @@
 cert_ctx = X509_STORE_new();
 if (cert_ctx == NULL)
 goto end;
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
+
+ if (local)
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
+ else
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 if (lookup == NULL)
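Review bot: The new `local` parameter of eay_check_x509cert() is undocumented: the comment above the definition still only says the code is derived from apps/verify.c, the prototype added in crypto_openssl.h gives a bare `int`, and the two call sites pass literal `0` and `1`, so nothing states which verification policy each value selects. Extend the header comment with a line such as ` * local: non-zero when cert was read from a locally configured file (peers_certfile), zero when it arrived in an IKE CERT payload; this selects the verify callback and thus which verification errors are downgraded to warnings.` The body of eay_check_x509cert() continues past this hunk.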
@@ -309,11 +315,14 @@
 }
 /*
- * callback function for verifing certificate.
- * this function is derived from cb() in openssl/apps/s_server.c
+ * Callback function for verifing certificate.
+ * Derived from cb() in openssl/apps/s_server.c
+ *
+ * This one is called for certificates obtained from
+ * 'peers_certfile' directive.
 */
 static int
-cb_check_cert(ok, ctx)
+cb_check_cert_local(ok, ctx)
 int ok;
 X509_STORE_CTX *ctx;
 {
@@ -334,9 +343,8 @@
 case X509_V_ERR_CERT_HAS_EXPIRED:
 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
 #endif
 ok = 1;
 log_tag = LLV_WARNING;
@@ -344,21 +352,50 @@
 default:
 log_tag = LLV_ERROR;
 }
-#ifndef EAYDEBUG
 plog(log_tag, LOCATION, NULL,
 "%s(%d) at depth:%d SubjectName:%s\n",
 X509_verify_cert_error_string(ctx->error),
 ctx->error,
 ctx->error_depth,
 buf);
-#else
- printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
- log_tag,
+ }
+ ERR_clear_error();
+
+ return ok;
+}
+
+/*
+ * Similar to cb_check_cert_local() but this one is called
+ * for certificates obtained from the IKE payload.
+ */
+static int
+cb_check_cert_remote(ok, ctx)
+ int ok;
+ X509_STORE_CTX *ctx;
+{
+ char buf[256];
+ int log_tag;
+
+ if (!ok) {
+ X509_NAME_oneline(
+ X509_get_subject_name(ctx->current_cert),
+ buf,
+ 256);
+
+ switch (ctx->error) {
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ ok = 1;
+ log_tag = LLV_WARNING;
+ break;
+ default:
+ log_tag = LLV_ERROR;
+ }
+ plog(log_tag, LOCATION, NULL,
+ "%s(%d) at depth:%d SubjectName:%s\n",
 X509_verify_cert_error_string(ctx->error),
 ctx->error,
 ctx->error_depth,
 buf);
-#endif
 }
 ERR_clear_error();
@@ -397,11 +434,7 @@
 end:
 if (error) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
- printf("%s\n", eay_strerror());
-#endif
 if (name) {
 vfree(name);
 name = NULL;
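Review bot: Adding `X509_V_ERR_UNABLE_TO_GET_CRL` to the cases that cb_check_cert_local() overrides with `ok = 1` and LLV_WARNING means that, once CRL checking is enabled on the store, a missing or unreadable CRL no longer fails verification of a locally configured peer certificate; that is a deliberate fail-open and nothing in the hunk says so. Dropping INVALID_CA and PATH_LENGTH_EXCEEDED from the tolerated list is a clear improvement and deserves a word too, since the old list accepted chain defects that should fail. A comment above the first `case` would make the policy reviewable, e.g. `/* tolerated only for peers_certfile certs: expiry, self-signed, wrong purpose and an unavailable CRL are logged as warnings, everything else fails */`. The switch and the function it belongs to begin outside this hunk.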
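Review bot: cb_check_cert_remote() also returns `ok = 1` for `X509_V_ERR_UNABLE_TO_GET_CRL`, so for a certificate that arrived in the IKE payload — the untrusted input this split was meant to handle more strictly — an unavailable CRL only produces a warning and revocation is effectively not enforced; if CRL checks are turned on for the store this should stay an error, or the comment above the function should state that skipping revocation on CRL fetch failure is intended. Independently, `X509_get_subject_name(ctx->current_cert)` is called without a NULL check although the OpenSSL verify API allows current_cert to be NULL for some errors, and the `256` passed to X509_NAME_oneline() duplicates the buffer size: guard with `if (ctx->current_cert != NULL)` (else `buf[0] = '\0';`) and pass `sizeof buf`. The same X509_NAME_oneline() pattern presumably exists in cb_check_cert_local(), whose body lies outside this hunk; the end of cb_check_cert_remote() is also past the hunk.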
@@ -455,10 +488,8 @@
 /* make sure if the data is terminated by '\0'. */
 if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "data is not terminated by '\0'.");
-#endif
 hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
 goto end;
 }
@@ -479,11 +510,7 @@
 racoon_free(*altname);
 *altname = NULL;
 }
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
- printf("%s\n", eay_strerror());
-#endif
 }
 if (x509)
 X509_free(x509);
@@ -535,11 +562,7 @@
 racoon_free(text);
 text = NULL;
 }
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#else
- printf("%s\n", eay_strerror());
-#endif
 }
 if (bio)
 BIO_free(bio);
@@ -671,17 +694,13 @@
 x509 = d2i_X509(NULL, &bp, cert->l);
 if (x509 == NULL) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 return -1;
 }
 evp = X509_get_pubkey(x509);
 if (! evp) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey: %s\n", eay_strerror());
-#endif
 return -1;
 }
@@ -898,18 +917,14 @@
 len = RSA_size(evp->pkey.rsa);
 xbuf = vmalloc(len);
 if (xbuf == NULL) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 EVP_PKEY_free(evp);
 return -1;
 }
 len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad);
-#ifndef EAYDEBUG
 if (len == 0 || len != src->l)
 plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-#endif
 EVP_PKEY_free(evp);
 if (len == 0 || len != src->l) {
 vfree(xbuf);
@@ -1597,12 +1612,8 @@
 (void)racoon_free(c);
 if (SHA512_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "hmac sha2_512 length mismatch %d.\n", res->l);
-#else
- printf("hmac sha2_512 length mismatch %d.\n", res->l);
-#endif
 vfree(res);
 return NULL;
 }
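Review bot: In the `! evp` branch of the -671 hunk the function returns -1 without releasing `x509`, which d2i_X509() allocated a few lines earlier, so every certificate whose public key cannot be extracted leaks an X509 object; add `X509_free(x509);` before that `return -1;`. The first early return (`x509 == NULL`) is fine. The enclosing function starts and ends outside the hunk, so whether x509 is freed on the success path is not visible here.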
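Review bot: With the `#ifndef EAYDEBUG` removed in the -898 hunk, `len == 0 || len != src->l` is now evaluated twice in a row, once to log and once to fail, which invites the two conditions to drift apart; drop the first `if` and make `plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());` the first statement inside `if (len == 0 || len != src->l) {`. RSA_public_decrypt() returns -1 on failure; the `len != src->l` half of the test is what catches that, and a short comment saying so would spare the next reader the lookup. The enclosing function starts and ends outside the hunk.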
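Review bot: The plog() call in the -1597 hunk is now compiled unconditionally and prints `res->l` with `%d`; if the length field of vchar_t is a size_t (as I believe racoon's vmbuf.h declares it — to be confirmed) that is a format/argument mismatch on LP64 targets. Casting at the call, `"hmac sha2_512 length mismatch %d.\n", (int)res->l);`, keeps the message and the C89-era format string. The same applies to the sha2_384, sha2_256, sha1 and md5 hunks at -1657, -1717, -1778 and -1838.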
@@ -1657,12 +1668,8 @@
 (void)racoon_free(c);
 if (SHA384_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "hmac sha2_384 length mismatch %d.\n", res->l);
-#else
- printf("hmac sha2_384 length mismatch %d.\n", res->l);
-#endif
 vfree(res);
 return NULL;
 }
@@ -1717,12 +1724,8 @@
 (void)racoon_free(c);
 if (SHA256_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "hmac sha2_256 length mismatch %d.\n", res->l);
-#else
- printf("hmac sha2_256 length mismatch %d.\n", res->l);
-#endif
 vfree(res);
 return NULL;
 }
@@ -1778,12 +1781,8 @@
 (void)racoon_free(c);
 if (SHA_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "hmac sha1 length mismatch %d.\n", res->l);
-#else
- printf("hmac sha1 length mismatch %d.\n", res->l);
-#endif
 vfree(res);
 return NULL;
 }
@@ -1838,12 +1837,8 @@
 (void)racoon_free(c);
 if (MD5_DIGEST_LENGTH != res->l) {
-#ifndef EAYDEBUG
 plog(LLV_ERROR, LOCATION, NULL,
 "hmac md5 length mismatch %d.\n", res->l);
-#else
- printf("hmac md5 length mismatch %d.\n", res->l);
-#endif
 vfree(res);
 return NULL;
 }
--- ipsec-tools-0.2.5/src/racoon/oakley.c.certfix 2004-01-19 10:45:43.000000000 -0700
+++ ipsec-tools-0.2.5/src/racoon/oakley.c 2004-06-24 14:40:42.000000000 -0600
@@ -1323,7 +1323,7 @@
 switch (iph1->rmconf->certtype) {
 case ISAKMP_CERT_X509SIGN:
 error = eay_check_x509cert(&iph1->cert_p->cert,
- lcconf->pathinfo[LC_PATHTYPE_CERT]);
+ lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
 break;
 default:
 plog(LLV_ERROR, LOCATION, NULL,
--- ipsec-tools-0.2.5/src/racoon/eaytest.c.certfix 2004-01-19 10:45:42.000000000 -0700
+++ ipsec-tools-0.2.5/src/racoon/eaytest.c 2004-06-24 14:52:48.000000000 -0600
@@ -59,7 +59,7 @@
 #define PVDUMP(var) hexdump((var)->v, (var)->l)
-u_int32_t loglevel = 4;
+int f_foreground = 1;
 /* prototype */
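Review bot: The new third argument in the oakley.c hunk is a bare `0`, and the eaytest.c hunk at -275 passes a bare `1`; nothing at either call site says which verification policy is being selected, and a reader has to find cb_check_cert_remote() to learn that `0` means the certificate came from the IKE payload and is the stricter path. Either give the values names in crypto_openssl.h or annotate the call, e.g. `lcconf->pathinfo[LC_PATHTYPE_CERT], 0 /* remote: cert from IKE payload */);`. The switch this call sits in begins and ends outside the hunk.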
@@ -275,7 +275,7 @@
 }
 }
- error = eay_check_x509cert(&c, certpath);
+ error = eay_check_x509cert(&c, certpath, 1);
 if (error)
 printf("ERROR: cert is invalid.\n");
 printf("\n");
--- ipsec-tools-0.2.5/src/racoon/Makefile.in.certfix 2004-06-24 14:54:38.000000000 -0600
+++ ipsec-tools-0.2.5/src/racoon/Makefile.in 2004-06-24 14:56:17.000000000 -0600
@@ -40,7 +40,7 @@
 RACOON_OBJS = $(OBJS) @LIBOBJS@ @CRYPTOBJS@ @DEBUGRMOBJS@
 RACOON_CTL_OBJS = kmpstat.o vmbuf.o str2val.o
-EAYTEST_OBJS = eaytest.o vmbuf.o str2val.o
+EAYTEST_OBJS = eaytest.o vmbuf.o str2val.o plog.o logger.o
 all: $(PROG)