authorHakan Olsson <ho@cvs.openbsd.org>2002-09-05 15:47:23 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2002-09-05 15:47:23 +0000
commitb9f1aa3298d2738545d159bae34134deb05c863a (patch)
treeced440399a0f7a151ce3cf193d0d6348d286d975
parentd9e43ee8c38452c43d6ffd21c585a617bf6ad602 (diff)
Do not require the presence of subjectAltName in certificates used for
IKE auth. Should make interoperating with, for example, FreeS/WAN (Pluto) easier.
-rw-r--r--sbin/isakmpd/x509.c113
1 files changed, 60 insertions, 53 deletions
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index 87fe812d199..f9448864eb4 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.75 2002/08/29 12:13:19 ho Exp $ */
+/* $OpenBSD: x509.c,v 1.76 2002/09/05 15:47:22 ho Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -1289,9 +1289,16 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id,
/*
* XXX There can be a collection of subjectAltNames, but for now
- * I only return the subjectName and a single subjectAltName.
+ * I only return the subjectName and a single subjectAltName, if present.
*/
- *cnt = 2;
+ type = x509_cert_subjectaltname (cert, &altname, &altlen);
+ if (!type)
+ {
+ *cnt = 1;
+ altlen = 0;
+ }
+ else
+ *cnt = 2;
*id = calloc (*cnt, sizeof **id);
if (!*id)
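Review bot: The second id slot is reserved here on `type` alone, but the code that fills that slot (the hunk at -1327, its new `if (altlen)` guard) is keyed on `altlen`, so the two decisions can disagree: should x509_cert_subjectaltname report a type together with an empty name, `*cnt` becomes 2 while `(*id)[1]` keeps the NULL that calloc left in it and `(*id_len)[1]` is never assigned, and the caller gets a two-entry array with a hole. Whether that helper can actually return a non-zero type with a zero length is not visible in this diff, but keying both tests on one condition removes the question: `if (!type || !altlen)` in place of `if (!type)`, so `*cnt` and the later `altlen` guard always agree. The remainder of the function, including the `fail:` cleanup that has to cope with whatever `*cnt` says, lies outside this hunk.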
@@ -1314,7 +1321,6 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id,
if (!subject)
goto fail;
-
(*id_len)[0] =
ISAKMP_ID_DATA_OFF + i2d_X509_NAME (subject, NULL) - ISAKMP_GEN_SZ;
(*id)[0] = malloc ((*id_len)[0]);
@@ -1327,67 +1333,68 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id,
ubuf = (*id)[0] + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
i2d_X509_NAME (subject, &ubuf);
- /* Stash the subjectAltName into the second slot. */
- type = x509_cert_subjectaltname (cert, &altname, &altlen);
- if (!type)
- goto fail;
-
- buf = malloc (altlen + ISAKMP_ID_DATA_OFF);
- if (!buf)
- {
- log_print ("x509_cert_get_subject: malloc (%d) failed",
- altlen + ISAKMP_ID_DATA_OFF);
- goto fail;
- }
-
- switch (type)
+ if (altlen)
{
- case X509v3_DNS_NAME:
- SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_FQDN);
- break;
-
- case X509v3_RFC_NAME:
- SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_USER_FQDN);
- break;
+ /* Stash the subjectAltName into the second slot. */
+ buf = malloc (altlen + ISAKMP_ID_DATA_OFF);
+ if (!buf)
+ {
+ log_print ("x509_cert_get_subject: malloc (%d) failed",
+ altlen + ISAKMP_ID_DATA_OFF);
+ goto fail;
+ }
- case X509v3_IP_ADDR:
- /*
- * XXX I dislike the numeric constants, but I don't know what we
- * should use otherwise.
- */
- switch (altlen)
+ switch (type)
{
- case 4:
- SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR);
+ case X509v3_DNS_NAME:
+ SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_FQDN);
break;
- case 16:
- SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV6_ADDR);
+ case X509v3_RFC_NAME:
+ SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_USER_FQDN);
break;
- default:
- log_print ("x509_cert_get_subject: "
- "invalid subjectAltName iPAdress length %d ", altlen);
- goto fail;
+ case X509v3_IP_ADDR:
+ /*
+ * XXX I dislike the numeric constants, but I don't know what we
+ * should use otherwise.
+ */
+ switch (altlen)
+ {
+ case 4:
+ SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR);
+ break;
+
+ case 16:
+ SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV6_ADDR);
+ break;
+
+ default:
+ log_print ("x509_cert_get_subject: "
+ "invalid subjectAltName iPAdress length %d ", altlen);
+ goto fail;
+ }
+ break;
}
- break;
- }
- SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
- SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
- memcpy (buf + ISAKMP_ID_DATA_OFF, altname, altlen);
+ SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
+ SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
+ memcpy (buf + ISAKMP_ID_DATA_OFF, altname, altlen);
- (*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ;
- (*id)[1] = malloc ((*id_len)[1]);
- if (!(*id)[1])
- {
- log_print ("x509_cert_get_subject: malloc (%d) failed", (*id_len)[1]);
- goto fail;
+ (*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ;
+ (*id)[1] = malloc ((*id_len)[1]);
+ if (!(*id)[1])
+ {
+ log_print ("x509_cert_get_subject: malloc (%d) failed",
+ (*id_len)[1]);
+ goto fail;
+ }
+ memcpy ((*id)[1], buf + ISAKMP_GEN_SZ, (*id_len)[1]);
+
+ free (buf);
+ buf = 0;
}
- memcpy ((*id)[1], buf + ISAKMP_GEN_SZ, (*id_len)[1]);
- free (buf);
- buf = 0;
return 1;
fail:
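Review bot: The three log_print calls moved into the new `if (altlen)` block (both malloc failures and the iPAddress length check) name the function as `x509_cert_get_subject` while the function is `x509_cert_get_subjects`, and the length message misspells "iPAdress" and ends in a stray space; since these strings are the only trace an operator gets when a peer certificate's subjectAltName is rejected, they are worth fixing while the lines are being touched, e.g. `log_print ("x509_cert_get_subjects: invalid subjectAltName iPAddress length %d", altlen);`. Separately, the block builds the whole ID payload into `buf` and then copies `buf + ISAKMP_GEN_SZ` into `(*id)[1]`, whereas the first slot writes into `(*id)[0]` directly; a one-line comment above the `buf = malloc (...)` saying why the staging buffer is needed (presumably so the SET_ISAKMP_ID_TYPE / SET_IPSEC_ID_* macros can be applied at their generic-header offsets — worth confirming) would spare the next reader the same question. The `fail:` cleanup itself continues past the end of this hunk.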