Content-Type: multipart/alternative; boundary="----=_NextPart_001_0002_01CA9F2D.3E7ACB60"

------=_NextPart_001_0002_01CA9F2D.3E7ACB60
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

The following patch (also included as an attachment) sets REMOTE_CERT and LOCAL_CERT environment variables to be the DN of the respective certificates in the phase1 up/down scripts.

These environment variables are useful in creating policy and logging information in up/down scripts when using certificates for mutual authentication.

-Russ

--- ipsec-tools-0.7.3/src/racoon/crypto_openssl.h.orig 2006-10-06 08:02:27.000000000 -0400
+++ ipsec-tools-0.7.3/src/racoon/crypto_openssl.h 2009-12-11 22:12:32.000000000 -0500
@@ -50,6 +50,7 @@
 #define GENT_RID GEN_RID
 
 extern vchar_t *eay_str2asn1dn __P((const char *, int));
+extern char *eay_asn1dn2str __P((vchar_t *, char *, int));
 extern vchar_t *eay_hex2asn1dn __P((const char *, int));
 extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
 extern int eay_check_x509cert __P((vchar_t *, char *, char *, int));
--- ipsec-tools-0.7.3/src/racoon/crypto_openssl.c.orig 2009-04-29 06:50:25.000000000 -0400
+++ ipsec-tools-0.7.3/src/racoon/crypto_openssl.c 2009-12-11 22:17:15.000000000 -0500
@@ -224,6 +224,63 @@
 }
 
 /*
+ * convert DER subject name to a one line string
+ */
+char *eay_asn1dn2str(
+ vchar_t *n,
+ char *buf,
+ int len
+) {
+ char *text;
+ char *bp;
+ BIO *bio;
+ int error;
+ X509_NAME *a;
+ caddr_t p;
+
+ error = -1;
+ bio = NULL;
+ text = NULL;
+ a = NULL;
+ p = n->v;
+
+ if (!d2i_X509_NAME(&a, (void *)&p, n->l))
+ goto end;
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL)
+ goto end;
+
+ error = X509_NAME_print(bio, a, 0);
+ if (error != 1) {
+ error = -1;
+ goto end;
+ }
+
+ len = BIO_get_mem_data(bio, &bp);
+ text = racoon_malloc(len + 1);
+ if (text == NULL)
+ goto end;
+ memcpy(text, bp, len);
+ text[len] = '\0';
+
+ error = 0;
+ end:
+ if (error) {
+ if (text) {
+ racoon_free(text);
+ text = NULL;
+ }
+ plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
+ }
+ if (bio)
+ BIO_free(bio);
+ if (a)
+ X509_NAME_free(a);
+ return text;
+}
+
+/*
  * convert the hex string of the subject name into DER
  */
 vchar_t *
--- ipsec-tools-0.7.3/src/racoon/isakmp.c.orig 2008-09-25 05:34:39.000000000 -0400
+++ ipsec-tools-0.7.3/src/racoon/isakmp.c 2009-12-11 22:12:32.000000000 -0500
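Review bot: `buf` and `len` are dead parameters in eay_asn1dn2str(): `buf` is never read and `len` is overwritten by `BIO_get_mem_data()` before its incoming value is used, so the prototype advertises a caller-supplied bounded buffer while the function actually returns a racoon_malloc()'d string the caller owns and must release. Either drop both parameters (the isakmp.c callers pass `NULL, 1024`) or honour them, and state the ownership in the header comment, e.g. `/* Returns a racoon_malloc()'d one-line DN, or NULL on error; caller releases it with racoon_free(). */`. `p` is also not checked after `d2i_X509_NAME()`, so trailing bytes after the DER name are silently accepted; `if (p != n->v + n->l) goto end;` before the BIO_new() call would reject them. Since the result is exported to up/down scripts (isakmp.c hunk), `X509_NAME_print_ex(bio, a, 0, XN_FLAG_ONELINE)` would presumably give RFC 2253-style escaping in place of the legacy X509_NAME_print() format, though that is a visible format change for script authors. Minor: `len` is an `int` receiving a `long` from BIO_get_mem_data().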
@@ -3093,6 +3093,64 @@
 }
 }
 
+ /*
+ * set script environment LOCAL_CERT to be local certificate DN
+ */
+ if (iph1->id != NULL && iph1->id->l >= sizeof(struct ipsecdoi_id_b)) {
+
+ struct ipsecdoi_id_b *id_b;
+
+ id_b = (struct ipsecdoi_id_b *)iph1->id->v;
+ if (doi2idtype(id_b->type) == IDTYPE_ASN1DN) {
+
+ char * str;
+ vchar_t ident;
+
+ ident.v = iph1->id->v + sizeof(struct ipsecdoi_id_b);
+ ident.l = iph1->id->l - sizeof(struct ipsecdoi_id_b);
+
+ str = eay_asn1dn2str(&ident, NULL, 1024);
+ if (str != NULL) {
+ if (script_env_append(&envp, &envc, "LOCAL_CERT", str) != 0) {
+ free(str);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set LOCAL_CERT\n");
+ goto out;
+ }
+ free(str);
+ }
+ }
+ }
+
+ /*
+ * set script environment REMOTE_CERT to be remote certificate DN
+ */
+ if (iph1->id_p != NULL && iph1->id_p->l >= sizeof(struct ipsecdoi_id_b)) {
+
+ struct ipsecdoi_id_b *id_b;
+
+ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ if (doi2idtype(id_b->type) == IDTYPE_ASN1DN) {
+
+ char * str;
+ vchar_t ident;
+
+ ident.v = iph1->id_p->v + sizeof(struct ipsecdoi_id_b);
+ ident.l = iph1->id_p->l - sizeof(struct ipsecdoi_id_b);
+
+ str = eay_asn1dn2str(&ident, NULL, 1024);
+ if (str != NULL) {
+ if (script_env_append(&envp, &envc, "REMOTE_CERT", str) != 0) {
+ free(str);
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_CERT\n");
+ goto out;
+ }
+ free(str);
+ }
+ }
+ }
+
 if (privsep_script_exec(iph1->rmconf->script[script]->v,
 script, envp) != 0)
 plog(LLV_ERROR, LOCATION, NULL,

------=_NextPart_001_0002_01CA9F2D.3E7ACB60
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
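Review bot: Both new branches release the DN string with `free(str)`, but eay_asn1dn2str() (crypto_openssl.c hunk) allocates it with racoon_malloc(), so the matching call is `racoon_free(str)`; the pairing matters whenever racoon_malloc is not a plain alias of malloc. The LOCAL_CERT and REMOTE_CERT blocks are identical apart from `iph1->id` / `iph1->id_p` and the variable name, so a small static helper would keep the allocator fix and the ID-payload parsing in one place (sketched below). Note that REMOTE_CERT is built from the peer's ID payload (`iph1->id_p`), which the remote side chooses; scripts should treat it as untrusted input and quote it, since X509_NAME_print() escapes non-printable bytes but leaves shell metacharacters intact. Whether that ID payload actually matches the verified certificate's subject is decided elsewhere, outside this hunk, so the variable name is accurate only to the extent that check has run. The enclosing function starts before and ends after this hunk (`out:` is not visible).
```c
/*
 * Export the ASN.1 DN carried in an IPsec DOI ID payload as NAME=<one-line DN>.
 * A missing, short or non-ASN1DN payload is not an error; an unparseable DN is
 * logged by eay_asn1dn2str() and skipped. Returns 0 unless the environment
 * could not be extended.
 */
static int
script_env_append_dn(char ***envp, int *envc, char *name, vchar_t *id)
{
	struct ipsecdoi_id_b *id_b;
	vchar_t ident;
	char *str;
	int ret;

	if (id == NULL || id->l < sizeof(struct ipsecdoi_id_b))
		return 0;
	id_b = (struct ipsecdoi_id_b *)id->v;
	if (doi2idtype(id_b->type) != IDTYPE_ASN1DN)
		return 0;

	ident.v = id->v + sizeof(struct ipsecdoi_id_b);
	ident.l = id->l - sizeof(struct ipsecdoi_id_b);
	str = eay_asn1dn2str(&ident, NULL, 1024);
	if (str == NULL)
		return 0;

	ret = script_env_append(envp, envc, name, str);
	racoon_free(str);	/* matches racoon_malloc() in eay_asn1dn2str() */
	if (ret != 0)
		plog(LLV_ERROR, LOCATION, NULL, "Cannot set %s\n", name);
	return ret;
}

	/* … in the caller, replacing both LOCAL_CERT / REMOTE_CERT blocks … */
	if (script_env_append_dn(&envp, &envc, "LOCAL_CERT", iph1->id) != 0 ||
	    script_env_append_dn(&envp, &envc, "REMOTE_CERT", iph1->id_p) != 0)
		goto out;
```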

The following patch (also included as an attachment) sets REMOTE_CERT and LOCAL_CERT environment variables to be the DN of the respective certificates in the phase1 up/down scripts.

 

These environment variables are useful in creating policy and logging information in up/down scripts when using certificates for mutual authentication.

 

-Russ

 

 

--- ipsec-tools-0.7.3/src/racoon/crypto_openssl.h.orig    = ;  2006-10-06 08:02:27.000000000 -0400

+++ = ipsec-tools-0.7.3/src/racoon/crypto_openssl.h     = 2009-12-11 22:12:32.000000000 -0500

@@ -50,6 +50,7 @@

 #define GENT_RID = GEN_RID

 

 extern vchar_t *eay_str2asn1dn = __P((const char *, int));

+extern char *eay_asn1dn2str __P((vchar_t *, = char *, int));

 extern vchar_t *eay_hex2asn1dn = __P((const char *, int));

 extern int eay_cmp_asn1dn __P((vchar_t = *, vchar_t *));

 extern int eay_check_x509cert = __P((vchar_t *, char *, char *, int));

--- ipsec-tools-0.7.3/src/racoon/crypto_openssl.c.orig    = ;  2009-04-29 06:50:25.000000000 -0400

+++ = ipsec-tools-0.7.3/src/racoon/crypto_openssl.c     = 2009-12-11 22:17:15.000000000 -0500

@@ -224,6 +224,63 @@

 }

 

 /*

+ * convert DER subject name to a one line = string

+ */

+char *eay_asn1dn2str(

+     vchar_t = *n,

+     char = *buf,

+     int = len

+) {

+     char = *text;

+     char = *bp;

+     BIO = *bio;

+     int = error;

+     X509_NAME = *a;

+     caddr_t = p;

+

+     error =3D = -1;

+     bio =3D = NULL;

+     text =3D = NULL;

+     a =3D = NULL;  

+     p =3D = n->v;

+

+     if = (!d2i_X509_NAME(&a, (void *)&p, n->l))

+           goto end;

+

+     bio =3D BIO_new(BIO_s_mem());

+     if (bio =3D=3D = NULL)

+           goto end;

+

+     error =3D X509_NAME_print(bio, a, 0);

+     if (error !=3D 1) = {

+           = error =3D -1;

+           goto end;

+     = }

+

+     len =3D BIO_get_mem_data(bio, &bp);

+     text =3D = racoon_malloc(len + 1);

+     if (text =3D=3D = NULL)

+           goto end;

+     memcpy(text, bp, = len);

+     text[len] =3D = '\0';

+

+     error =3D = 0;

+ end:

+     if (error) = {

+           if (text) {

+           =       racoon_free(text);

+           =       text =3D NULL;

+           = }

+           = plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());

+     = }

+     if = (bio)

+           = BIO_free(bio);

+     if = (a)

+           = X509_NAME_free(a);

+     return = text;

+}

+

+/*

  * convert the hex string of the = subject name into DER

  */

 vchar_t *

--- = ipsec-tools-0.7.3/src/racoon/isakmp.c.orig  2008-09-25 05:34:39.000000000 -0400

+++ ipsec-tools-0.7.3/src/racoon/isakmp.c = 2009-12-11 22:12:32.000000000 -0500

@@ -3093,6 +3093,64 @@

            = }

      = }

 

+     = /*

+     * set script = environment LOCAL_CERT to be local certificate DN

+     = */

+     if (iph1->id = !=3D NULL && iph1->id->l >=3D sizeof(struct ipsecdoi_id_b)) = {

+

+           = struct ipsecdoi_id_b *id_b;

+

+           id_b =3D (struct ipsecdoi_id_b *)iph1->id->v;

+           if (doi2idtype(id_b->type) =3D=3D IDTYPE_ASN1DN) {

+

+           =       char * str;

+           =       vchar_t ident;

+

+           =       ident.v =3D iph1->id->v + sizeof(struct = ipsecdoi_id_b);

+           =       ident.l =3D iph1->id->l - sizeof(struct = ipsecdoi_id_b);

+

+           =       str =3D eay_asn1dn2str(&ident, NULL, 1024);

+           =       if (str !=3D NULL) {

+           =             if (script_env_append(&envp, &envc, "LOCAL_CERT", str) = !=3D 0) {

+           =             &= nbsp;     free(str);

+           =             &= nbsp;     plog(LLV_ERROR, LOCATION, NULL,

+           =             &= nbsp;         "Cannot set LOCAL_CERT\n");

+           =             &= nbsp;     goto out;

+           =             = }

+           =             = free(str);

+           =       }

+           = }

+     = }

+

+     = /*

+     * set script = environment REMOTE_CERT to be remote certificate DN

+     = */

+     if (iph1->id_p = !=3D NULL && iph1->id_p->l >=3D sizeof(struct ipsecdoi_id_b)) = {

+

+           = struct ipsecdoi_id_b *id_b;

+

+           id_b =3D (struct ipsecdoi_id_b *)iph1->id_p->v;

+           if (doi2idtype(id_b->type) =3D=3D IDTYPE_ASN1DN) {

+

+           =       char * str;

+           =       vchar_t ident;

+

+           =       ident.v =3D iph1->id_p->v + sizeof(struct = ipsecdoi_id_b);

+           =       ident.l =3D iph1->id_p->l - sizeof(struct = ipsecdoi_id_b);

+

+           =       str =3D eay_asn1dn2str(&ident, NULL, 1024);

+     =             if (str !=3D NULL) {

+           =             if (script_env_append(&envp, &envc, "REMOTE_CERT", str) = !=3D 0) {

+           =             &= nbsp;     free(str);

+           =             &= nbsp;     plog(LLV_ERROR, LOCATION, NULL,

+           =             &= nbsp;         "Cannot set REMOTE_CERT\n");

+           =             &= nbsp;     goto out;

+           =             = }

+           =             = free(str);

+           =       }

+           = }

+     = }

+

      if = (privsep_script_exec(iph1->rmconf->script[script]->v,

      =     script, envp) !=3D 0)

            = plog(LLV_ERROR, LOCATION, NULL,

 

 

------=_NextPart_001_0002_01CA9F2D.3E7ACB60--