[Ipsec-tools-devel] Remove extra WARNING message in eay_check_x509cert()

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I noticed this blank warning message while trying to debug a certificate
problem:

2009-08-21 07:18:24: ERROR: CRL has expired(12) at depth:0 SubjectName:<snip>
2009-08-21 07:18:24: WARNING:
2009-08-21 07:18:24: ERROR: the peer's certificate is not verified.

I tracked this down to code in eay_check_x509cert() where the call to
X509_verify_cert(csc) fails.  In that case we don't need to print any
message since we had set up a callback function earlier using
X509_STORE_set_verify_cb_func().  Both of the callback functions are
going to plog() and then clear the error, so there's nothing left to
print.

This patch removes the extra "WARNING" by only printing it when other
calls in this function generate an error.

-Brian

--- src/racoon/crypto_openssl.c.orig	2009-04-29 06:50:25.000000000 -0400
+++ src/racoon/crypto_openssl.c	2009-08-21 10:38:13.000000000 -0400
@@ -444,11 +444,11 @@
 	X509_LOOKUP *lookup = NULL;
 	X509 *x509 = NULL;
 	X509_STORE_CTX *csc;
-	int error = -1;
+	int error;
 
 	cert_ctx = X509_STORE_new();
 	if (cert_ctx == NULL)
-		goto end;
+		goto err_end;
 
 	if (local)
 		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
@@ -457,29 +457,26 @@
 
 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 	if (lookup == NULL)
-		goto end;
+		goto err_end;
 
 	X509_LOOKUP_load_file(lookup, CAfile, 
 	    (CAfile == NULL) ? X509_FILETYPE_DEFAULT : X509_FILETYPE_PEM);
 
 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
 	if (lookup == NULL)
-		goto end;
+		goto err_end;
 	error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
-	if(!error) {
-		error = -1;
-		goto end;
-	}
-	error = -1;	/* initialized */
+	if (!error)
+		goto err_end;
 
 	/* read the certificate to be verified */
 	x509 = mem2x509(cert);
 	if (x509 == NULL)
-		goto end;
+		goto err_end;
 
 	csc = X509_STORE_CTX_new();
 	if (csc == NULL)
-		goto end;
+		goto err_end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
@@ -495,14 +492,16 @@
 	error = error ? 0 : -1;
 
 end:
-	if (error)
-		plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
 	if (cert_ctx != NULL)
 		X509_STORE_free(cert_ctx);
 	if (x509 != NULL)
 		X509_free(x509);
 
 	return(error);
+err_end:
+	error = -1;
+	plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
+	goto end;
 }
 
 /*


