From: Michal L. <lu...@us...> - 2004-06-15 14:05:42
Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv31754/src/racoon Modified Files: Tag: ipsec-tools-0_3-branch crypto_openssl.c Log Message: Sync with mainline.
Index: crypto_openssl.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/crypto_openssl.c,v
retrieving revision 1.17.2.1
retrieving revision 1.17.2.2
diff -u -d -r1.17.2.1 -r1.17.2.2
--- crypto_openssl.c 15 Jun 2004 13:33:27 -0000 1.17.2.1
+++ crypto_openssl.c 15 Jun 2004 14:05:31 -0000 1.17.2.2
@@ -319,8 +319,11 @@
 }
 
 /*
- * callback function for verifing certificate.
- * this function is derived from cb() in openssl/apps/s_server.c
+ * Callback function for verifing certificate.
+ * Derived from cb() in openssl/apps/s_server.c
+ *
+ * This one is called for certificates obtained from
+ * 'peers_certfile' directive.
 */
 static int
 cb_check_cert_local(ok, ctx)
@@ -344,8 +347,6 @@
 case X509_V_ERR_CERT_HAS_EXPIRED:
 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 case X509_V_ERR_INVALID_PURPOSE:
 case X509_V_ERR_UNABLE_TO_GET_CRL:
 #endif
@@ -368,8 +369,8 @@
 }
 
 /*
- * callback function for verifing remote certificates.
- * this function is derived from cb() in openssl/apps/s_server.c
+ * Similar to cb_check_cert_local() but this one is called
+ * for certificates obtained from the IKE payload.
 */
 static int
 cb_check_cert_remote(ok, ctx)
@@ -384,8 +385,16 @@
 X509_get_subject_name(ctx->current_cert),
 buf,
 256);
+
+ switch (ctx->error) {
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ ok = 1;
+ log_tag = LLV_WARNING;
+ break;
+ default:
+ log_tag = LLV_ERROR;
 }
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(log_tag, LOCATION, NULL,
 "%s(%d) at depth:%d SubjectName:%s\n",
 X509_verify_cert_error_string(ctx->error),
 ctx->error,
|
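Review bot: The added `case X509_V_ERR_UNABLE_TO_GET_CRL:` branch in cb_check_cert_remote sets `ok = 1` for a certificate that arrived in the IKE payload, so when no CRL can be found the peer is accepted with only an `LLV_WARNING` line; revocation checking fails open for exactly the certificates the local side does not control. That policy deserves a comment above the case, for example `/* no CRL available: accept and warn -- revocation is not enforced for this peer */`, so an operator reading the code or the log knows a missing CRL does not block the peer. If some deployments need strict behaviour, a configuration switch around `ok = 1;` would be the place for it. The function body starts before and continues after this hunk, so the declaration of `log_tag` and the way `ok` is returned are not visible here.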