Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-3]: src/crypto/dist/ipsec-tools/src/racoon Pull up revision 1.2 (...



details:   https://anonhg.NetBSD.org/src/rev/000a1713c3dc
branches:  netbsd-3
changeset: 576601:000a1713c3dc
user:      tron <tron%NetBSD.org@localhost>
date:      Tue Jul 12 17:30:02 2005 +0000

description:
Pull up revision 1.2 (requested by manu in ticket #578):
pkcs7 support

diffstat:

 crypto/dist/ipsec-tools/src/racoon/oakley.c |  227 +++++++++++++++++++++------
 1 files changed, 175 insertions(+), 52 deletions(-)

diffs (263 lines):

diff -r a78415438b6a -r 000a1713c3dc crypto/dist/ipsec-tools/src/racoon/oakley.c
--- a/crypto/dist/ipsec-tools/src/racoon/oakley.c       Tue Jul 12 11:56:25 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/oakley.c       Tue Jul 12 17:30:02 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: oakley.c,v 1.1.1.3 2005/03/14 08:14:31 manu Exp $      */
+/*     $NetBSD: oakley.c,v 1.1.1.3.2.1 2005/07/12 17:30:02 tron Exp $  */
 
 /* Id: oakley.c,v 1.17.2.1 2005/03/01 09:51:48 vanhu Exp */
 
@@ -38,6 +38,9 @@
 #include <sys/socket.h>        /* XXX for subjectaltname */
 #include <netinet/in.h>        /* XXX for subjectaltname */
 
+#include <openssl/pkcs7.h>
+#include <openssl/x509.h>
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -122,6 +125,7 @@
 static int oakley_check_certid __P((struct ph1handle *iph1));
 static int check_typeofcertname __P((int, int));
 static cert_t *save_certbuf __P((struct isakmp_gen *));
+static cert_t *save_certx509 __P((X509 *));
 static int oakley_padlen __P((int, int));
 
 int
@@ -2009,58 +2013,144 @@
                return 0;
        }
 
-       *c = save_certbuf(gen);
-       if (!*c) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "Failed to get CERT buffer.\n");
-               return -1;
-       }
-
-       switch ((*c)->type) {
-       case ISAKMP_CERT_DNS:
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "CERT payload is unnecessary in DNSSEC. "
-                       "ignore it.\n");
-               return 0;
-       case ISAKMP_CERT_PKCS7:
-       case ISAKMP_CERT_PGP:
-       case ISAKMP_CERT_X509SIGN:
-       case ISAKMP_CERT_KERBEROS:
-       case ISAKMP_CERT_SPKI:
-               /* Ignore cert if it doesn't match identity
-                * XXX If verify cert is disabled, we still just take
-                * the first certificate....
+        if (type == ISAKMP_CERT_PKCS7) {
+                 PKCS7 *p7;
+                 u_char *bp;
+                 int i;
+
+                 /* Skip the header */
+                 bp = (u_char *)(gen + 1);
+                 /* And the first byte is the certificate type, 
+                   we know that already
                 */
-               if(iph1->rmconf->verify_cert &&
-                  oakley_check_certid(iph1)){
-                       plog(LLV_DEBUG, LOCATION, NULL,
-                                "Discarding CERT: does not match ID.\n");
-                       oakley_delcert((*c));
-                       *c = NULL;
-                       return 0;
-               }
-               plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
-               plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-               {
-                       char *p = eay_get_x509text(&(*c)->cert);
-                       plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
-                       racoon_free(p);
-               }
-               break;
-       case ISAKMP_CERT_CRL:
-               plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
-               plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-               break;
-       case ISAKMP_CERT_X509KE:
-       case ISAKMP_CERT_X509ATTR:
-       case ISAKMP_CERT_ARL:
-       default:
-               /* XXX */
-               oakley_delcert((*c));
-               *c = NULL;
-               return 0;
-       }
-
+                 bp++;
+                 p7 = d2i_PKCS7(NULL, &bp, ntohs(gen->len) - sizeof(*gen) - 1);
+                
+                 if (!p7) {
+                  plog(LLV_ERROR, LOCATION, NULL,
+                       "Failed to parse PKCS#7 CERT.\n");
+                  return -1;
+                 }
+
+                 /* Copied this from the openssl pkcs7 application;
+                  * there"s little by way of documentation for any of
+                  * it. I can only presume it"s correct.
+                  */
+                STACK_OF(X509) *certs=NULL;
+                
+                i = OBJ_obj2nid(p7->type);
+                switch (i) {
+                case NID_pkcs7_signed:
+                  certs=p7->d.sign->cert;
+                  break;
+                 case NID_pkcs7_signedAndEnveloped:
+                  certs=p7->d.signed_and_enveloped->cert;
+                  break;
+                 default:
+                         break;
+                 }
+
+                 if (!certs) {
+                         plog(LLV_ERROR, LOCATION, NULL,
+                              "CERT PKCS#7 bundle contains no certs.\n");
+                         PKCS7_free(p7);
+                         return -1;
+                 }
+
+                 for (i = 0; i < sk_X509_num(certs); i++) {
+                         int len;
+                         u_char *bp;
+                         X509 *cert = sk_X509_value(certs,i);
+
+                         plog(LLV_DEBUG, LOCATION, NULL, 
+                             "Trying PKCS#7 cert %d.\n", i);
+
+                         /* We"ll just try each cert in turn */
+                         *c = save_certx509(cert);
+
+                         if (!*c) {
+                                 plog(LLV_ERROR, LOCATION, NULL,
+                                      "Failed to get CERT buffer.\n");
+                                 continue;
+                         }
+
+                         /* Ignore cert if it doesn't match identity
+                          * XXX If verify cert is disabled, we still just take
+                          * the first certificate....
+                          */
+                         if(iph1->rmconf->verify_cert &&
+                            oakley_check_certid(iph1)){
+                                 plog(LLV_DEBUG, LOCATION, NULL,
+                                      "Discarding CERT: does not match ID.\n");
+                                 oakley_delcert((*c));
+                                 *c = NULL;
+                                 continue;
+                         }
+                         plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+                         plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+                         {
+                                 char *p = eay_get_x509text(&(*c)->cert);
+                                 plog(LLV_DEBUG, LOCATION, NULL, "%s", 
+                                     p ? p : "\n");
+                                 racoon_free(p);
+                         }
+                         break;
+                 }
+
+                 PKCS7_free(p7);
+         } else {
+          *c = save_certbuf(gen);
+          if (!*c) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                 "Failed to get CERT buffer.\n");
+            return -1;
+          }
+          
+          switch ((*c)->type) {
+          case ISAKMP_CERT_DNS:
+            plog(LLV_WARNING, LOCATION, NULL,
+                 "CERT payload is unnecessary in DNSSEC. "
+                 "ignore it.\n");
+            return 0;
+          case ISAKMP_CERT_PGP:
+          case ISAKMP_CERT_X509SIGN:
+          case ISAKMP_CERT_KERBEROS:
+          case ISAKMP_CERT_SPKI:
+            /* Ignore cert if it doesn't match identity
+             * XXX If verify cert is disabled, we still just take
+             * the first certificate....
+             */
+            if(iph1->rmconf->verify_cert &&
+               oakley_check_certid(iph1)){
+              plog(LLV_DEBUG, LOCATION, NULL,
+                   "Discarding CERT: does not match ID.\n");
+              oakley_delcert((*c));
+              *c = NULL;
+              return 0;
+            }
+            plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
+            plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+            {
+              char *p = eay_get_x509text(&(*c)->cert);
+              plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
+              racoon_free(p);
+            }
+            break;
+          case ISAKMP_CERT_CRL:
+            plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
+            plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
+            break;
+          case ISAKMP_CERT_X509KE:
+          case ISAKMP_CERT_X509ATTR:
+          case ISAKMP_CERT_ARL:
+          default:
+            /* XXX */
+            oakley_delcert((*c));
+            *c = NULL;
+            return 0;
+          }
+        }
+       
        return 0;
 }
 
@@ -2144,6 +2234,39 @@
        return new;
 }
 
+static cert_t *
+save_certx509(cert)
+       X509 *cert;
+{
+       cert_t *new;
+        int len;
+        u_char *bp;
+
+       new = oakley_newcert();
+       if (!new) {
+               plog(LLV_ERROR, LOCATION, NULL,
+                       "Failed to get CERT buffer.\n");
+               return NULL;
+       }
+
+        len = i2d_X509(cert, NULL);
+       new->pl = vmalloc(len);
+       if (new->pl == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL,
+                       "Failed to copy CERT from packet.\n");
+               oakley_delcert(new);
+               new = NULL;
+               return NULL;
+       }
+        bp = new->pl->v;
+        len = i2d_X509(cert, &bp);
+       new->type = ISAKMP_CERT_X509SIGN;
+       new->cert.v = new->pl->v;
+       new->cert.l = new->pl->l;
+
+       return new;
+}
+
 /*
  * get my CR.
  * NOTE: No Certificate Authority field is included to CR payload at the



Home | Main Index | Thread Index | Old Index