From: Aidas K. <mo...@us...> - 2004-06-15 13:33:37
Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv8777/src/racoon Modified Files: Tag: ipsec-tools-0_3-branch crypto_openssl.c crypto_openssl.h eaytest.c oakley.c Log Message: SECURITY: Certificate authentication bugfix.
Index: crypto_openssl.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/crypto_openssl.c,v
retrieving revision 1.17
retrieving revision 1.17.2.1
diff -u -d -r1.17 -r1.17.2.1
--- crypto_openssl.c 9 Apr 2004 16:55:56 -0000 1.17
+++ crypto_openssl.c 15 Jun 2004 13:33:27 -0000 1.17.2.1
@@ -111,7 +111,8 @@
 */
 #ifdef HAVE_SIGNING_C
-static int cb_check_cert __P((int, X509_STORE_CTX *));
+static int cb_check_cert_local __P((int, X509_STORE_CTX *));
+static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
 static X509 *mem2x509 __P((vchar_t *));
 #endif
@@ -232,9 +233,10 @@
 * this functions is derived from apps/verify.c in OpenSSL0.9.5
 */
 int
-eay_check_x509cert(cert, CApath)
+eay_check_x509cert(cert, CApath, local)
 vchar_t *cert;
 char *CApath;
+ int local;
 {
 X509_STORE *cert_ctx = NULL;
 X509_LOOKUP *lookup = NULL;
@@ -256,7 +258,11 @@
 cert_ctx = X509_STORE_new();
 if (cert_ctx == NULL)
 goto end;
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
+
+ if (local)
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
+ else
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 if (lookup == NULL)
@@ -317,7 +323,7 @@
 * this function is derived from cb() in openssl/apps/s_server.c
 */
 static int
-cb_check_cert(ok, ctx)
+cb_check_cert_local(ok, ctx)
 int ok;
 X509_STORE_CTX *ctx;
 {
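Review bot: The new `local` parameter of eay_check_x509cert is an undocumented bare int whose only effect, visible in the `@@ -256,7 +258,11 @@` hunk, is to pick cb_check_cert_local or cb_check_cert_remote as the store's verify callback, and the call sites in oakley.c and eaytest.c pass literal `0` and `1`. A comment at the K&R declaration would make the policy choice readable at the call site, e.g. `/* local: nonzero when verifying our own certificate, zero when verifying a peer's; selects the verify callback below */`, and a pair of named constants in crypto_openssl.h (alongside the updated prototype) would replace the magic values. Since the header prototype changed arity, any other caller still passing two arguments will now fail to compile rather than silently get the lenient callback, which is the right failure mode for a security fix. The body of eay_check_x509cert starts and ends outside the hunk, so I cannot see whether `local` is validated or used elsewhere in it.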
@@ -362,6 +368,36 @@
 }
 /*
+ * callback function for verifing remote certificates.
+ * this function is derived from cb() in openssl/apps/s_server.c
+ */
+static int
+cb_check_cert_remote(ok, ctx)
+ int ok;
+ X509_STORE_CTX *ctx;
+{
+ char buf[256];
+ int log_tag;
+
+ if (!ok) {
+ X509_NAME_oneline(
+ X509_get_subject_name(ctx->current_cert),
+ buf,
+ 256);
+ }
+ plog(LLV_ERROR, LOCATION, NULL,
+ "%s(%d) at depth:%d SubjectName:%s\n",
+ X509_verify_cert_error_string(ctx->error),
+ ctx->error,
+ ctx->error_depth,
+ buf);
+ }
+ ERR_clear_error();
+
+ return ok;
+}
+
+/*
 * get a subjectAltName from X509 certificate.
 */
 vchar_t *
Index: crypto_openssl.h
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/crypto_openssl.h,v
retrieving revision 1.2
retrieving revision 1.2.2.1
diff -u -d -r1.2 -r1.2.2.1
--- crypto_openssl.h 5 Apr 2004 15:05:16 -0000 1.2
+++ crypto_openssl.h 15 Jun 2004 13:33:27 -0000 1.2.2.1
@@ -46,7 +46,7 @@
 extern vchar_t *eay_str2asn1dn __P((char *, int));
 extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *));
+extern int eay_check_x509cert __P((vchar_t *, char *, int));
 extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
 extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
 extern char *eay_get_x509text __P((vchar_t *));
Index: oakley.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/oakley.c,v
retrieving revision 1.2
retrieving revision 1.2.4.1
diff -u -d -r1.2 -r1.2.4.1
--- oakley.c 12 Jan 2004 21:38:10 -0000 1.2
+++ oakley.c 15 Jun 2004 13:33:27 -0000 1.2.4.1
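Review bot: As printed, the braces in cb_check_cert_remote do not balance: the `}` after `256);` closes `if (!ok) {`, which makes the plog() call unconditional and passes `buf` uninitialized whenever ok is nonzero, and the second `}` after `buf);` then closes the function before `ERR_clear_error()`. If this is the committed text rather than an artifact of the collapsed listing, the fix is to drop the `}` after `256);` so that plog() runs only inside the `if (!ok)` block. Two smaller points in the same hunk: `int log_tag;` is declared but never used in the visible body and should go, and the literal `256` passed to X509_NAME_oneline duplicates `char buf[256]` and is better written `sizeof buf`. The comment typo `verifing` should read `verifying`. Security-wise the new callback is the right shape for a peer certificate: it returns `ok` unchanged, so every verification error rejects the chain instead of being downgraded to a warning.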
@@ -1325,7 +1325,7 @@
 switch (iph1->rmconf->certtype) {
 case ISAKMP_CERT_X509SIGN:
 error = eay_check_x509cert(&iph1->cert_p->cert,
- lcconf->pathinfo[LC_PATHTYPE_CERT]);
+ lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
 break;
 default:
 plog(LLV_ERROR, LOCATION, NULL,
Index: eaytest.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/eaytest.c,v
retrieving revision 1.12
retrieving revision 1.12.2.1
diff -u -d -r1.12 -r1.12.2.1
--- eaytest.c 6 Apr 2004 08:54:38 -0000 1.12
+++ eaytest.c 15 Jun 2004 13:33:27 -0000 1.12.2.1
@@ -331,7 +331,7 @@
 }
 }
- error = eay_check_x509cert(&c, certpath);
+ error = eay_check_x509cert(&c, certpath, 1);
 if (error)
 printf("ERROR: cert is invalid.\n");
 printf("\n"); |