From: Brian H. <bri...@hp...> - 2009-08-21 15:14:45
I noticed this blank warning message while trying to debug a certificate problem: 2009-08-21 07:18:24: ERROR: CRL has expired(12) at depth:0 SubjectName:<snip> 2009-08-21 07:18:24: WARNING: 2009-08-21 07:18:24: ERROR: the peer's certificate is not verified. I tracked this down to code in eay_check_x509cert() where the call to X509_verify_cert(csc) fails. In that case we don't need to print any message since we had set up a callback function earlier using X509_STORE_set_verify_cb_func(). Both of the callback functions are going to plog() and then clear the error, so there's nothing left to print. This patch removes the extra "WARNING" by only printing it when other calls in this function generate an error. -Brian
--- src/racoon/crypto_openssl.c.orig 2009-04-29 06:50:25.000000000 -0400
+++ src/racoon/crypto_openssl.c 2009-08-21 10:38:13.000000000 -0400
@@ -444,11 +444,11 @@
 X509_LOOKUP *lookup = NULL;
 X509 *x509 = NULL;
 X509_STORE_CTX *csc;
- int error = -1;
+ int error;
 cert_ctx = X509_STORE_new();
 if (cert_ctx == NULL)
- goto end;
+ goto err_end;
 if (local)
 X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
@@ -457,29 +457,26 @@
 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 if (lookup == NULL)
- goto end;
+ goto err_end;
 X509_LOOKUP_load_file(lookup, CAfile, (CAfile == NULL) ? X509_FILETYPE_DEFAULT : X509_FILETYPE_PEM);
 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
 if (lookup == NULL)
- goto end;
+ goto err_end;
 error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
- if(!error) {
- error = -1;
- goto end;
- }
- error = -1; /* initialized */
+ if (!error)
+ goto err_end;
 /* read the certificate to be verified */
 x509 = mem2x509(cert);
 if (x509 == NULL)
- goto end;
+ goto err_end;
 csc = X509_STORE_CTX_new();
 if (csc == NULL)
- goto end;
+ goto err_end;
 X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
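Review bot: Dropping the initializer in `int error;` makes `return(error)` at `end:` depend on every path assigning `error` before it gets there; the visible paths do (each failure now goes through `err_end:`, and the success path runs `error = error ? 0 : -1;`), but the lines between the end of the `@@ -457` hunk and the start of the `@@ -495` hunk are not shown, so any remaining `goto end` in that stretch would return an indeterminate value to the caller. Since `err_end:` now sets `error = -1` itself, keeping `int error = -1;` costs nothing and leaves the failure default explicit rather than relying on control-flow reasoning across the whole function. The signature of eay_check_x509cert and the rest of its body lie outside this hunk.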
@@ -495,14 +492,16 @@
 error = error ? 0 : -1;
 end:
- if (error)
- plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
 if (cert_ctx != NULL)
 X509_STORE_free(cert_ctx);
 if (x509 != NULL)
 X509_free(x509);
 return(error);
+err_end:
+ error = -1;
+ plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
+ goto end;
 }
 /* |
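Review bot: Removing the `plog` from `end:` silences every failure of `X509_verify_cert(csc)`, not only the ones the verify callback already reported; OpenSSL can return failure before the callback is ever invoked (an allocation failure inside verification, or a failed `X509_STORE_CTX_init(csc, cert_ctx, x509, NULL)`, whose return value the previous hunk leaves unchecked), and those cases now produce no diagnostic at all while the peer is still rejected. The blank line in the report comes from `eay_strerror()` finding an empty OpenSSL error queue after the callbacks cleared it, so a narrower fix keeps the message for the cases that did queue an error: `if (error && ERR_peek_error())` ahead of the existing plog at `end:`, in addition to the new `err_end:` path. The `X509_verify_cert` call itself sits between the two hunks and is not shown, so this is inferred from the author's description.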