Module Name:    src
Committed By:   gdt
Date:           Thu Dec 16 16:59:05 UTC 2010

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
When encountering a certificate where "ID mismatched with ASN1
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.

Patch sent for review long ago:
  http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.17 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.17	Mon Aug 24 09:33:03 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Dec 16 16:59:05 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.17 2009/08/24 09:33:03 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.18 2010/12/16 16:59:05 gdt Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1817,7 +1817,8 @@
 				"ID mismatched with ASN1 SubjectName.\n");
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, name->v, idlen);
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1->rmconf->verify_identifier)
+				return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	case IPSECDOI_ID_IPV4_ADDR:
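Review bot: With `verify_identifier` off, a mismatching ID now falls through to `return 0`, and the acceptance itself is never logged; the only trace is the mismatch message, whose `plog` call and level start above the hunk, plus two `LLV_DEBUG` dumps. Accepting a peer whose claimed ID differs from its certificate is security-relevant, so it should be recorded explicitly, for example with an `else` branch: `plog(LLV_WARNING, LOCATION, NULL, "ID mismatch ignored: verify_identifier is off.\n");`. The unbraced `if` directly before the closing brace is also easy to misread; bracing it and adding `/* mismatch is fatal only when verify_identifier is on */` would make the intent clear. The same applies to the hunk at `@@ -1889,7 +1890,8 @@`. The enclosing function and the mismatch condition are outside the hunk, so whether `iph1->rmconf` can be NULL here could not be checked.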
@@ -1889,7 +1890,8 @@
 				"ID mismatched with subjectAltName.\n");
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, a, idlen);
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1->rmconf->verify_identifier)
+				return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	}
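Review bot: The commit log names only the "ID mismatched with ASN1 SubjectName" case, but this hunk applies the same relaxation to the subjectAltName comparison, so the wider effect is undocumented. A comment at the check would record it, e.g. `/* subjectAltName mismatch is fatal only when verify_identifier is on */`. The enclosing switch case begins outside the hunk, so it is not possible to confirm from here which ID types reach this path.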
