authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-17 21:54:40 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-17 21:54:40 +0000
commit46f778530c14259b1d35c48367888cc118c16d61 (patch)
treecf3af9ec25426829b2f6ca002a36450fe584edf3 /sbin/isakmpd/regress
parent836aea0c39e02c5c1d213bf5e2685a97c09e07a0 (diff)
regress/rsakeygen/Makefile: Merge with EOM 1.4
regress/rsakeygen/rsakeygen.c: Merge with EOM 1.8 regress/x509/Makefile: Merge with EOM 1.6 regress/x509/x509test.c: Merge with EOM 1.6 regress/Makefile: Merge with EOM 1.8 samples/VPN-east.conf: Merge with EOM 1.6 samples/VPN-west.conf: Merge with EOM 1.6 samples/singlehost-east.conf: Merge with EOM 1.3 samples/singlehost-west.conf: Merge with EOM 1.3 sysdep/openbsd/Makefile.sysdep: Merge with EOM 1.5 x509.h: Merge with EOM 1.6 x509.c: Merge with EOM 1.17 DESIGN-NOTES: Merge with EOM 1.46 Makefile: Merge with EOM 1.55 cert.c: Merge with EOM 1.11 cert.h: Merge with EOM 1.6 exchange.c: Merge with EOM 1.109 exchange.h: Merge with EOM 1.26 ike_auth.c: Merge with EOM 1.32 ike_phase_1.c: Merge with EOM 1.7 init.c: Merge with EOM 1.16 isakmpd.conf.5: Merge with EOM 1.27 README.PKI: Merge with EOM 1.1 author: niklas From Niels Provos, edited by me: certificate support using SSLeay
Diffstat (limited to 'sbin/isakmpd/regress')
-rw-r--r--sbin/isakmpd/regress/Makefile8
-rw-r--r--sbin/isakmpd/regress/rsakeygen/Makefile41
-rw-r--r--sbin/isakmpd/regress/rsakeygen/rsakeygen.c68
-rw-r--r--sbin/isakmpd/regress/x509/Makefile44
-rw-r--r--sbin/isakmpd/regress/x509/x509test.c191
5 files changed, 239 insertions, 113 deletions
diff --git a/sbin/isakmpd/regress/Makefile b/sbin/isakmpd/regress/Makefile
index 0253e40ec24..23c845ae88d 100644
--- a/sbin/isakmpd/regress/Makefile
+++ b/sbin/isakmpd/regress/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.6 1999/02/26 03:28:59 niklas Exp $
-# $EOM: Makefile,v 1.7 1998/08/11 20:32:01 provos Exp $
+# $OpenBSD: Makefile,v 1.7 1999/07/17 21:54:38 niklas Exp $
+# $EOM: Makefile,v 1.8 1999/07/17 20:44:13 niklas Exp $
#
-# Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+# Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
@@ -34,6 +34,6 @@
# This code was written under funding by Ericsson Radio Systems.
#
-SUBDIR= asn b2n crypto dh ec2n exchange group hmac pkcs prf rsakeygen x509
+SUBDIR= b2n crypto dh ec2n exchange group hmac prf rsakeygen x509
.include <bsd.subdir.mk>
diff --git a/sbin/isakmpd/regress/rsakeygen/Makefile b/sbin/isakmpd/regress/rsakeygen/Makefile
index 92f7a4a10f6..b9868e57767 100644
--- a/sbin/isakmpd/regress/rsakeygen/Makefile
+++ b/sbin/isakmpd/regress/rsakeygen/Makefile
@@ -1,16 +1,49 @@
-# $OpenBSD: Makefile,v 1.5 1999/03/02 15:27:36 niklas Exp $
-# $EOM: Makefile,v 1.3 1999/02/25 15:12:01 niklas Exp $
+# $OpenBSD: Makefile,v 1.6 1999/07/17 21:54:38 niklas Exp $
+# $EOM: Makefile,v 1.4 1999/07/17 20:44:13 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
# RSA Key Generation
PROG= rsakeygen
-SRCS= log.c asn.c gmp_util.c pkcs.c rsakeygen.c sysdep.c
+SRCS= log.c rsakeygen.c sysdep.c
TOPSRC= ${.CURDIR}/../..
TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
-LDADD+= -lgmp
+LDADD+= -lgmp -lcrypto
DPADD+= ${LIBDES}
NOMAN=
DEBUG= -g
diff --git a/sbin/isakmpd/regress/rsakeygen/rsakeygen.c b/sbin/isakmpd/regress/rsakeygen/rsakeygen.c
index fbc4be408c1..684896c3297 100644
--- a/sbin/isakmpd/regress/rsakeygen/rsakeygen.c
+++ b/sbin/isakmpd/regress/rsakeygen/rsakeygen.c
@@ -1,8 +1,8 @@
-/* $OpenBSD: rsakeygen.c,v 1.7 1999/04/27 21:02:56 niklas Exp $ */
-/* $EOM: rsakeygen.c,v 1.7 1999/04/05 18:27:38 niklas Exp $ */
+/* $OpenBSD: rsakeygen.c,v 1.8 1999/07/17 21:54:38 niklas Exp $ */
+/* $EOM: rsakeygen.c,v 1.8 1999/07/17 20:44:13 niklas Exp $ */
/*
- * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1998, 1999 Niels Provos. All rights reserved.
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -42,15 +42,16 @@
#include <string.h>
#include <gmp.h>
+#include <ssl/rsa.h>
+
#include "log.h"
-#include "gmp_util.h"
-#include "asn.h"
-#include "pkcs.h"
#define nibble2bin(y) (tolower((y)) < 'a' ? (y) - '0': tolower((y)) - 'a' + 10)
#define hexchar2bin(x) ((nibble2bin((x)[0]) << 4) + nibble2bin((x)[1]))
#define nibble2c(x) ((x) >= 10 ? ('a'-10+(x)) : ('0' + (x)))
+#define TEST_STRING "!Dies ist ein Test"
+
void asc2bin (u_int8_t *bin, u_int8_t *asc, u_int16_t len)
{
int i;
@@ -64,60 +65,67 @@ void asc2bin (u_int8_t *bin, u_int8_t *asc, u_int16_t len)
int
main (void)
{
- char *data = "Niels ist ein Luser!";
- u_int8_t *enc, *dec, *asn;
- u_int32_t enclen;
- u_int16_t len;
+ u_int8_t enc[256], dec[256], *asn, *foo;
+ int len;
FILE *fd;
int erg = 0;
- struct rsa_public_key key;
- struct rsa_private_key priv;
+ RSA *key;
log_debug_cmd ((enum log_classes)LOG_CRYPTO, 99);
- pkcs_generate_rsa_keypair (&key, &priv, 1024);
+ strcpy(dec, TEST_STRING);
+
+ key = RSA_generate_key(1024, RSA_F4, NULL, NULL);
+ if (key == NULL)
+ {
+ printf("Failed to generate key\n");
+ return 0;
+ }
- printf ("n: 0x"); mpz_out_str (stdout, 16, key.n);
- printf ("\ne: 0x"); mpz_out_str (stdout, 16, key.e);
+ printf ("n: 0x"); BN_print_fp(stdout, key->n);
+ printf ("\ne: 0x"); BN_print_fp (stdout, key->e);
printf ("\n");
- printf ("n: 0x"); mpz_out_str (stdout, 16, priv.n);
- printf ("\ne: 0x"); mpz_out_str (stdout, 16, priv.e);
- printf ("\nd: 0x"); mpz_out_str (stdout, 16, priv.d);
- printf ("\np: 0x"); mpz_out_str (stdout, 16, priv.p);
- printf ("\nq: 0x"); mpz_out_str (stdout, 16, priv.q);
+ printf ("n: 0x"); BN_print_fp (stdout, key->n);
+ printf ("\ne: 0x"); BN_print_fp (stdout, key->e);
+ printf ("\nd: 0x"); BN_print_fp (stdout, key->d);
+ printf ("\np: 0x"); BN_print_fp (stdout, key->p);
+ printf ("\nq: 0x"); BN_print_fp (stdout, key->q);
printf ("\n");
printf ("Testing Signing/Verifying: ");
/* Sign with Private Key */
- if (!pkcs_rsa_encrypt (PKCS_PRIVATE, NULL, &priv, data, strlen(data)+1,
- &enc, &enclen))
+ if ((len = RSA_private_encrypt (strlen(dec)+1, dec, enc, key,
+ RSA_PKCS1_PADDING)) == -1)
printf ("FAILED ");
else
/* Decrypt/Verify with Public Key */
- erg = pkcs_rsa_decrypt (PKCS_PRIVATE, &key, NULL, enc, &dec, &len);
+ erg = RSA_public_decrypt (len, enc, dec, key, RSA_PKCS1_PADDING);
- if (!erg || strcmp(data,dec))
+ if (erg == -1 || strcmp(dec, TEST_STRING))
printf ("FAILED ");
else
printf ("OKAY ");
printf ("\n");
- asn = pkcs_public_key_to_asn (&key);
+ len = i2d_RSAPublicKey(key, NULL);
+ foo = asn = malloc(len);
+ len = i2d_RSAPublicKey(key, &foo);
fd = fopen ("isakmpd_key.pub", "w");
- fwrite (asn, asn_get_len (asn), 1, fd);
+ fwrite (asn, len, 1, fd);
fclose (fd);
free (asn);
- asn = pkcs_private_key_to_asn (&priv);
+ len = i2d_RSAPrivateKey(key, NULL);
+ foo = asn = malloc(len);
+ len = i2d_RSAPrivateKey(key, &foo);
fd = fopen ("isakmpd_key", "w");
- fwrite (asn, asn_get_len (asn), 1, fd);
+ fwrite (asn, len, 1, fd);
fclose (fd);
free (asn);
- pkcs_free_public_key (&key);
- pkcs_free_private_key (&priv);
+ RSA_free(key);
return 1;
}
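Review bot: A failed `RSA_private_encrypt` in main still ends with "OKAY": the else branch is skipped, `erg` keeps its initial 0 and `dec` still holds TEST_STRING, so `erg == -1 || strcmp(dec, TEST_STRING)` is false. The old `!erg` test caught this case; initialising with `int erg = -1;` restores it, and the same pattern appears with `err = 0;` in x509test.c's main. Separately, the DER private key goes out through `fopen ("isakmpd_key", "w")`, so its mode is whatever the umask leaves; creating it with `open (..., O_WRONLY | O_CREAT | O_TRUNC, 0600)` followed by `fdopen` would keep it owner-only. The results of malloc and fopen, and a negative length from the `i2d_RSA*Key` calls, are also passed on to fwrite unchecked. The key-generation failure path returns 0 while normal completion returns 1, which reads as inverted for a regress program.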
diff --git a/sbin/isakmpd/regress/x509/Makefile b/sbin/isakmpd/regress/x509/Makefile
index 0097e050cee..27a8f11784f 100644
--- a/sbin/isakmpd/regress/x509/Makefile
+++ b/sbin/isakmpd/regress/x509/Makefile
@@ -1,17 +1,51 @@
-# $OpenBSD: Makefile,v 1.5 1999/03/02 15:27:36 niklas Exp $
-# $EOM: Makefile,v 1.5 1999/02/25 15:10:11 niklas Exp $
+# $OpenBSD: Makefile,v 1.6 1999/07/17 21:54:38 niklas Exp $
+# $EOM: Makefile,v 1.6 1999/07/17 20:44:13 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
# Test X509
PROG= x509test
-SRCS= x509test.c conf.c asn.c asn_useful.c gmp_util.c log.c pkcs.c \
- sysdep.c hash.c x509.c
+SRCS= x509test.c conf.c log.c sysdep.c x509.c field.c util.c \
+ isakmp_fld.c ipsec_fld.c ipsec_num.c isakmp_num.c constants.c
TOPSRC= ${.CURDIR}/../..
TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
-LDADD+= -lgmp
+LDADD+= -lgmp -lcrypto
DPADD+= ${LIBDES}
NOMAN=
DEBUG= -g
diff --git a/sbin/isakmpd/regress/x509/x509test.c b/sbin/isakmpd/regress/x509/x509test.c
index 8ee150e979a..2c070dc6788 100644
--- a/sbin/isakmpd/regress/x509/x509test.c
+++ b/sbin/isakmpd/regress/x509/x509test.c
@@ -1,8 +1,9 @@
-/* $OpenBSD: x509test.c,v 1.7 1999/07/07 22:14:31 niklas Exp $ */
-/* $EOM: x509test.c,v 1.5 1999/06/10 13:39:20 niklas Exp $ */
+/* $OpenBSD: x509test.c,v 1.8 1999/07/17 21:54:38 niklas Exp $ */
+/* $EOM: x509test.c,v 1.6 1999/07/17 20:44:14 niklas Exp $ */
/*
- * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1998, 1999 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -34,6 +35,14 @@
* This code was written under funding by Ericsson Radio Systems.
*/
+/*
+ * This program takes a certificate generated by ssleay and a key pair
+ * from rsakeygen. It reads the IP address from certificate.txt and
+ * includes this as subject alt name extension into the certifcate.
+ * The result gets written as new certificate that can be used by
+ * isakmpd.
+ */
+
#include <sys/param.h>
#include <sys/types.h>
#include <sys/mman.h>
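Review bot: The added header comment does not match the main() introduced later in this file's diff: that code takes the key, certificate and optional address from argv, never opens certificate.txt, and writes no new certificate. It only reads, verifies and checks the subjectAltName. I would replace the comment with something like `/* Reads a PEM private key and an ssleay-created certificate, checks the key pair and the certificate signature, and optionally compares the subjectAltName with an IP address. */`. The same comment also misspells "certificate" as "certifcate".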
@@ -43,23 +52,25 @@
#include <stdio.h>
#include <gmp.h>
#include <stdlib.h>
+#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ssl/rsa.h>
+#include <ssl/x509.h>
+#include <ssl/pem.h>
+
#include "conf.h"
-#include "asn.h"
-#include "asn_useful.h"
-#include "pkcs.h"
-#include "x509.h"
#include "log.h"
+#include "ipsec_num.h"
+#include "x509.h"
u_int32_t file_sz;
-#define LINECOL(x,y) (x) = strsep (&(y), "\n\r"); \
- (x) = strchr ((x), ':') + 1; \
- while (isspace((x)[0])) (x)++; \
-
-
u_int8_t *
open_file (char *name)
{
@@ -84,83 +95,123 @@ open_file (char *name)
}
int
-main (void)
+main (int argc, char *argv[])
{
- struct rsa_private_key priv;
- struct x509_certificate cert;
- FILE *fd;
- char *p, *p2;
- u_int8_t *addr, *asn;
- u_int32_t asnlen, len;
-
- addr = open_file ("isakmpd_key");
- if (!pkcs_private_key_from_asn (&priv, addr, asn_get_len (addr)))
+ RSA *pub_key, *priv_key;
+ X509 *cert;
+ BIO *certfile, *keyfile;
+ EVP_PKEY *pkey_pub;
+ u_char ipaddr[6];
+ struct in_addr saddr;
+ char enc[256], dec[256];
+ u_int8_t idpayload[8];
+ int err, len;
+
+ if (argc < 3 || argc > 4)
{
- munmap (addr, file_sz);
+ fprintf (stderr, "usage: x509test private-key certificate ip-address\n");
exit (1);
}
- munmap (addr, file_sz);
- addr = open_file ("isakmpd_key.pub");
- if (!pkcs_public_key_from_asn (&cert.key, addr, asn_get_len (addr)))
+ /*
+ * X509_verify will fail, as will all other functions that call
+ * EVP_get_digest_byname.
+ */
+
+ SSLeay_add_all_algorithms ();
+
+ printf ("Reading private key %s\n", argv[1]);
+ keyfile = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (keyfile, argv[1]) == -1)
{
- munmap (addr, file_sz);
+ perror ("read");
exit (1);
}
- munmap (addr, file_sz);
-
- cert.signaturetype = strdup (ASN_ID_MD5WITHRSAENC);
- cert.issuer1.type = strdup (ASN_ID_COUNTRY_NAME);
- cert.issuer2.type = strdup (ASN_ID_ORGANIZATION_NAME);
- cert.subject1.type = strdup (ASN_ID_COUNTRY_NAME);
- cert.subject2.type = strdup (ASN_ID_ORGANIZATION_NAME);
-
- addr = open_file ("certificate.txt");
- p = addr;
-
- LINECOL (p2, p); cert.version = atoi (p2);
- LINECOL (p2, p); cert.serialnumber = atoi (p2);
- LINECOL (p2, p); cert.issuer1.val = strdup (p2);
- LINECOL (p2, p); cert.issuer2.val = strdup (p2);
- LINECOL (p2, p); cert.subject1.val = strdup (p2);
- LINECOL (p2, p); cert.subject2.val = strdup (p2);
- LINECOL (p2, p); cert.start = strdup (p2);
- LINECOL (p2, p); cert.end = strdup (p2);
- munmap (addr, file_sz);
-
- /* XXX Just put any IP number in there. */
- cert.extension.type = strdup (ASN_ID_SUBJECT_ALT_NAME);
- cert.extension.val = p = malloc (8);
- /* XXX This could also be encoded as norm_type, but time is lacking. */
- p[0] = 0x30; p[1] = 0x06; p[2] = 0x87; p[3] = 0x04;
- memset (p + 4, 0, 4);
-
- printf ("Encoding Certificate: ");
- if (!x509_encode_certificate(&cert, &asn, &asnlen))
- printf ("FAILED ");
+ priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL);
+ BIO_free (keyfile);
+ if (priv_key == NULL)
+ {
+ printf("PEM_read_bio_RSAPrivateKey () failed\n");
+ exit (1);
+ }
+
+ /* Use a certificate created by ssleay. */
+ printf ("Reading ssleay created certificate %s\n", argv[2]);
+ certfile = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (certfile, argv[2]) == -1)
+ {
+ perror ("read");
+ exit (1);
+ }
+ cert = PEM_read_bio_X509 (certfile, NULL, NULL);
+ BIO_free (certfile);
+ if (cert == NULL)
+ {
+ printf("PEM_read_bio_X509 () failed\n");
+ exit (1);
+ }
+
+ pkey_pub = X509_get_pubkey (cert);
+ /* XXX Violation of the interface? */
+ pub_key = pkey_pub->pkey.rsa;
+ if (pub_key == NULL)
+ {
+ exit (1);
+ }
+
+ printf ("Testing RSA keys: ");
+
+ err = 0;
+ strcpy (dec, "Eine kleine Testmeldung");
+ if ((len = RSA_private_encrypt (strlen (dec), dec, enc, priv_key,
+ RSA_PKCS1_PADDING)) == -1)
+
+ printf ("SIGN FAILED ");
else
- printf ("OKAY ");
- printf ("\n");
+ err = RSA_public_decrypt (len, enc, dec, pub_key, RSA_PKCS1_PADDING);
- printf ("Creating Signature: ");
- if (!x509_create_signed (asn, asnlen, &priv, &addr, &len))
- printf ("FAILED ");
+ if (err == -1 || strcmp (dec, "Eine kleine Testmeldung"))
+ printf ("SIGN/VERIFY FAILED");
else
- printf ("OKAY ");
+ printf ("OKAY");
printf ("\n");
+
printf ("Validate SIGNED: ");
- if (!x509_validate_signed (addr, len, &cert.key, &asn, &asnlen))
+ err = X509_verify (cert, pkey_pub);
+ printf ("X509 verify: %d ", err);
+ if (err == -1)
printf ("FAILED ");
else
printf ("OKAY ");
printf ("\n");
- fd = fopen ("cert.asn", "w");
- fwrite (addr, len, 1, fd);
- fclose (fd);
-
- free (addr);
+ if (argc == 4)
+ {
+ printf ("Verifying extension: ");
+ if (inet_aton (argv[3], &saddr) == -1)
+ {
+ printf ("inet_aton () failed\n");
+ exit (1);
+ }
+
+ saddr.s_addr = htonl (saddr.s_addr);
+ ipaddr[0] = 0x87;
+ ipaddr[1] = 0x04;
+ ipaddr[2] = saddr.s_addr >> 24;
+ ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+ ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+ ipaddr[5] = saddr.s_addr & 0xff;
+ bzero (idpayload, sizeof idpayload);
+ idpayload[0] = IPSEC_ID_IPV4_ADDR;
+ bcopy (ipaddr + 2, idpayload + 4, 4);
+
+ if (!x509_check_subjectaltname (idpayload, sizeof idpayload, cert))
+ printf("FAILED ");
+ else
+ printf("OKAY ");
+ printf ("\n");
+ }
return 1;
}
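Review bot: The `if (err == -1)` test after `X509_verify (cert, pkey_pub)` prints OKAY for a certificate whose signature does not verify, because X509_verify is documented to return 1 only for a valid signature and 0 for a mismatch; the check should treat `err <= 0` as failure. The same wrong sentinel is used in `inet_aton (argv[3], &saddr) == -1`, since inet_aton returns 0 for an invalid address and never -1, and probably in the two `BIO_read_filename (...) == -1` checks, whose failure value should be confirmed against the SSLeay headers. `pkey_pub->pkey.rsa` is read before `pkey_pub` itself is checked for NULL. The key comes from argv[1] while `enc` and `dec` are fixed at 256 bytes, so a key with `RSA_size` above 256 would let `RSA_private_encrypt` write past `enc`; a size guard before the round trip avoids that.

```c
  /* … unchanged: argument check, reading priv_key from argv[1] … */
  if (RSA_size (priv_key) > (int) sizeof enc)
    {
      printf ("key too large for test buffers\n");
      exit (1);
    }

  /* … unchanged: reading cert from argv[2] … */
  pkey_pub = X509_get_pubkey (cert);
  if (pkey_pub == NULL)
    {
      printf ("X509_get_pubkey () failed\n");
      exit (1);
    }
  /* … unchanged: pub_key extraction and RSA sign/verify round trip … */

  err = X509_verify (cert, pkey_pub);
  printf ("X509 verify: %d ", err);
  if (err <= 0)
    printf ("FAILED ");
  /* … unchanged: OKAY branch … */

      if (inet_aton (argv[3], &saddr) == 0)
  /* … unchanged: error exit, ID payload construction, subjectAltName check … */
```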