From: Aidas K. <mo...@us...> - 2004-06-15 13:02:23
Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv13793/src/racoon
Modified Files: crypto_openssl.c crypto_openssl.h eaytest.c oakley.c
Log Message: SECURITY: Certificate authentication bugfix.
Index: crypto_openssl.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/crypto_openssl.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -r1.22 -r1.23
--- crypto_openssl.c 11 Jun 2004 16:00:15 -0000 1.22
+++ crypto_openssl.c 15 Jun 2004 13:02:12 -0000 1.23
@@ -120,7 +120,8 @@
  */
 #ifdef HAVE_SIGNING_C
-static int cb_check_cert __P((int, X509_STORE_CTX *));
+static int cb_check_cert_local __P((int, X509_STORE_CTX *));
+static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
 static X509 *mem2x509 __P((vchar_t *));
 #endif
@@ -241,9 +242,10 @@
  * this functions is derived from apps/verify.c in OpenSSL0.9.5
  */
 int
-eay_check_x509cert(cert, CApath)
+eay_check_x509cert(cert, CApath, local)
 vchar_t *cert;
 char *CApath;
+ int local;
 {
 X509_STORE *cert_ctx = NULL;
 X509_LOOKUP *lookup = NULL;
@@ -254,7 +256,11 @@
 cert_ctx = X509_STORE_new();
 if (cert_ctx == NULL)
 goto end;
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
+
+ if (local)
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
+ else
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 if (lookup == NULL)
@@ -309,7 +315,7 @@
  * this function is derived from cb() in openssl/apps/s_server.c
  */
 static int
-cb_check_cert(ok, ctx)
+cb_check_cert_local(ok, ctx)
 int ok;
 X509_STORE_CTX *ctx;
 {
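Review bot: The new `local` parameter of eay_check_x509cert (hunk @@ -241) is undocumented; the header comment above the signature only names the OpenSSL origin of the code, and nothing says what the flag means or that it selects between the two verify callbacks in hunk @@ -254. The prototype in crypto_openssl.h likewise gains only a bare `int`, so callers see no hint either. Proposed comment on the declaration: `int local; /* non-zero: local cert, use cb_check_cert_local; zero: peer cert, use cb_check_cert_remote */`. The body of eay_check_x509cert continues outside both hunks.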
@@ -352,6 +358,36 @@
 }
 /*
+ * callback function for verifing remote certificates.
+ * this function is derived from cb() in openssl/apps/s_server.c
+ */
+static int
+cb_check_cert_remote(ok, ctx)
+ int ok;
+ X509_STORE_CTX *ctx;
+{
+ char buf[256];
+ int log_tag;
+
+ if (!ok) {
+ X509_NAME_oneline(
+ X509_get_subject_name(ctx->current_cert),
+ buf,
+ 256);
+ }
+ plog(LLV_ERROR, LOCATION, NULL,
+ "%s(%d) at depth:%d SubjectName:%s\n",
+ X509_verify_cert_error_string(ctx->error),
+ ctx->error,
+ ctx->error_depth,
+ buf);
+ }
+ ERR_clear_error();
+
+ return ok;
+}
+
+/*
  * get a subjectAltName from X509 certificate.
  */
 vchar_t *
Index: crypto_openssl.h
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/crypto_openssl.h,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- crypto_openssl.h 11 Jun 2004 16:00:16 -0000 1.6
+++ crypto_openssl.h 15 Jun 2004 13:02:13 -0000 1.7
@@ -49,7 +49,7 @@
 extern vchar_t *eay_str2asn1dn __P((char *, int));
 extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *));
+extern int eay_check_x509cert __P((vchar_t *, char *, int));
 extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
 extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
 extern char *eay_get_x509text __P((vchar_t *));
Index: oakley.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/oakley.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- oakley.c 11 Jun 2004 16:00:17 -0000 1.4
+++ oakley.c 15 Jun 2004 13:02:13 -0000 1.5
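Review bot: The braces of cb_check_cert_remote do not balance as shown: the `}` after `256);` already closes `if (!ok)`, so the second `}` after `buf);` closes the function and leaves `ERR_clear_error();` and `return ok;` outside it; unless this is an artefact of the mail rendering, the first `}` should go so that the plog() call stays inside `if (!ok)`. With plog() outside that block, `buf` is read uninitialized whenever `ok` is true, since X509_NAME_oneline is its only write. `int log_tag` is declared and never used in this hunk, and the literal `256` passed to X509_NAME_oneline should be `sizeof buf` so the bound follows the declaration. Returning `ok` unmodified is what makes a failed chain verification fail the peer's authentication, which appears to be the point of the fix, so that part reads correctly.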
@@ -1325,7 +1325,7 @@
 switch (iph1->rmconf->certtype) {
 case ISAKMP_CERT_X509SIGN:
 error = eay_check_x509cert(&iph1->cert_p->cert,
- lcconf->pathinfo[LC_PATHTYPE_CERT]);
+ lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
 break;
 default:
 plog(LLV_ERROR, LOCATION, NULL,
Index: eaytest.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/eaytest.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- eaytest.c 6 Apr 2004 08:54:38 -0000 1.12
+++ eaytest.c 15 Jun 2004 13:02:13 -0000 1.13
@@ -331,7 +331,7 @@
 }
 }
- error = eay_check_x509cert(&c, certpath);
+ error = eay_check_x509cert(&c, certpath, 1);
 if (error)
 printf("ERROR: cert is invalid.\n");
 printf("\n"); |
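Review bot: The bare literal `0` passed as the new third argument of eay_check_x509cert in oakley.c carries no meaning at the call site; a reader has to open crypto_openssl.c to learn it selects the remote-certificate verify callback, and the header prototype names the parameter only as `int`. Either introduce a named constant or annotate the call, e.g. `lcconf->pathinfo[LC_PATHTYPE_CERT], 0 /* peer cert: remote checks */);`. The eaytest.c hunk passes `1` for the same parameter and would benefit from the same annotation. The enclosing switch in oakley.c begins before the hunk and the handling of `error` lies outside it.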