Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: vpnc: devel

svn commit: vpnc r444 - in /branches/vpnc-nortel: ./ test/

 

 

vpnc devel RSS feed   Index | Next | Previous | View Threaded


vpnc at unix-ag

Sep 12, 2009, 10:10 AM

Post #1 of 1 (1278 views)
Permalink
svn commit: vpnc r444 - in /branches/vpnc-nortel: ./ test/

Author: Antonio Borneo
Date: Sat Sep 12 19:10:32 2009
New Revision: 444

Log:
Mostly by Dan Williams <dcbw [at] redhat>
gnutls padding fixes by Laurent Goujon <laurent.goujon [at] online>
Additional fixes by Jukka Salmi <j+vpnc [at] 2009>

Merge in Nortel branch all the commits related to gnutls support:
- r416 by Dan Williams, Laurent Goujon and Joerg Mayer;
Initial framework to handle certificates through gnutls.
- r417 by Jukka Salmi;
Replaces libgnutls-config with pkg-config.
- r419 by Joerg Mayer;
Add test-crypt to svn:ignore.
- r420 by Jukka Salmi;
Adds sysdep.o to test-crypto.
- r421 by Jukka Salmi;
Some printf format errors.

Added:
branches/vpnc-nortel/crypto-gnutls.c (with props)
branches/vpnc-nortel/crypto-gnutls.h (with props)
branches/vpnc-nortel/crypto-openssl.c (with props)
branches/vpnc-nortel/crypto-openssl.h (with props)
branches/vpnc-nortel/crypto.c (with props)
branches/vpnc-nortel/crypto.h (with props)
branches/vpnc-nortel/test/
branches/vpnc-nortel/test-crypto.c (with props)
branches/vpnc-nortel/test/cert.pem (with props)
branches/vpnc-nortel/test/cert0.pem (with props)
branches/vpnc-nortel/test/cert1.pem (with props)
branches/vpnc-nortel/test/cert2.pem (with props)
branches/vpnc-nortel/test/root.pem (with props)
Modified:
branches/vpnc-nortel/ (props changed)
branches/vpnc-nortel/Makefile
branches/vpnc-nortel/config.c
branches/vpnc-nortel/supp.c
branches/vpnc-nortel/vpnc.c

Modified: branches/vpnc-nortel/Makefile
==============================================================================
--- branches/vpnc-nortel/Makefile (original)
+++ branches/vpnc-nortel/Makefile Sat Sep 12 19:10:32 2009
@@ -27,16 +27,8 @@
MANDIR=$(PREFIX)/share/man
DOCDIR=$(PREFIX)/share/doc/vpnc

-SRCS = sysdep.c vpnc-debug.c isakmp-pkt.c tunip.c config.c dh.c math_group.c supp.c decrypt-utils.c
-BINS = vpnc cisco-decrypt
-OBJS = $(addsuffix .o,$(basename $(SRCS)))
-BINOBJS = $(addsuffix .o,$(BINS))
-BINSRCS = $(addsuffix .c,$(BINS))
-VERSION := $(shell sh mk-version)
-RELEASE_VERSION := $(shell cat VERSION)
-
# The license of vpnc (Gpl >= 2) is quite likely incompatible with the
-# openssl license. Openssl is currently used to provide certificate
+# openssl license. Openssl is one possible library used to provide certificate
# support for vpnc (hybrid only).
# While it is OK for users to build their own binaries linking in openssl
# with vpnc and even providing dynamically linked binaries it is probably
@@ -47,16 +39,34 @@

# Comment this in to obtain a binary with certificate support which is
# GPL incompliant though.
-#OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
-#OPENSSLLIBS = -lcrypto
+#OPENSSL_GPL_VIOLATION=yes
+
+CRYPTO_LDADD = $(shell pkg-config --libs gnutls)
+CRYPTO_CFLAGS = $(shell pkg-config --cflags gnutls) -DCRYPTO_GNUTLS
+CRYPTO_SRCS = crypto-gnutls.c
+
+ifeq ($(OPENSSL_GPL_VIOLATION), yes)
+CRYPTO_LDADD = -lcrypto
+CRYPTO_CFLAGS = -DOPENSSL_GPL_VIOLATION -DCRYPTO_OPENSSL
+CRYPTO_SRCS = crypto-openssl.c
+endif
+
+SRCS = sysdep.c vpnc-debug.c isakmp-pkt.c tunip.c config.c dh.c math_group.c supp.c decrypt-utils.c crypto.c $(CRYPTO_SRCS)
+BINS = vpnc cisco-decrypt test-crypto
+OBJS = $(addsuffix .o,$(basename $(SRCS)))
+CRYPTO_OBJS = $(addsuffix .o,$(basename $(CRYPTO_SRCS)))
+BINOBJS = $(addsuffix .o,$(BINS))
+BINSRCS = $(addsuffix .c,$(BINS))
+VERSION := $(shell sh mk-version)
+RELEASE_VERSION := $(shell cat VERSION)

CC=gcc
CFLAGS ?= -O3 -g
CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
-CFLAGS += $(shell libgcrypt-config --cflags)
-CPPFLAGS += -DVERSION=\"$(VERSION)\" $(OPENSSL_GPL_VIOLATION)
+CFLAGS += $(shell libgcrypt-config --cflags) $(CRYPTO_CFLAGS)
+CPPFLAGS += -DVERSION=\"$(VERSION)\"
LDFLAGS ?= -g
-LDFLAGS += $(shell libgcrypt-config --libs) $(OPENSSLLIBS)
+LDFLAGS += $(shell libgcrypt-config --libs) $(CRYPTO_LDADD)

ifeq ($(shell uname -s), SunOS)
LDFLAGS += -lnsl -lresolv -lsocket
@@ -78,6 +88,9 @@
sed -e 's,@''PREFIX''@,$(PREFIX),g' $< > $@ && chmod 755 $@

cisco-decrypt : cisco-decrypt.o decrypt-utils.o
+ $(CC) -o $@ $^ $(LDFLAGS)
+
+test-crypto : sysdep.o test-crypto.o crypto.o $(CRYPTO_OBJS)
$(CC) -o $@ $^ $(LDFLAGS)

.depend: $(SRCS) $(BINSRCS)
@@ -102,6 +115,10 @@
tar -cf - -T - | tar -xf - -C vpnc-$*/
tar -czf ../$@ vpnc-$*
rm -rf vpnc-$*
+
+test : all
+ ./test-crypto test/cert.pem test/cert0.pem test/cert1.pem test/cert2.pem test/root.pem
+ #./test-crypto test/cert.pem test/cert0.crt test/cert1.crt test/cert2.crt test/root.crt

dist : VERSION vpnc.8 vpnc-$(RELEASE_VERSION).tar.gz


Modified: branches/vpnc-nortel/config.c
==============================================================================
--- branches/vpnc-nortel/config.c (original)
+++ branches/vpnc-nortel/config.c Sat Sep 12 19:10:32 2009
@@ -608,10 +608,10 @@
"Public License. For more information about these matters, see the files\n"
"named COPYING.\n");
#ifdef OPENSSL_GPL_VIOLATION
- printf("Built with openssl (certificate) support. Be aware of the\n"
+ printf("Built with openssl certificate support. Be aware of the\n"
"license implications.\n");
#else /* OPENSSL_GPL_VIOLATION */
- printf("Built without openssl (certificate) support.\n");
+ printf("Built with certificate support.\n");
#endif /* OPENSSL_GPL_VIOLATION */
printf("\n");

@@ -789,13 +789,6 @@
exit(1);
}

-#ifndef OPENSSL_GPL_VIOLATION
- if (opt_auth_mode == AUTH_MODE_HYBRID ||
- opt_auth_mode == AUTH_MODE_CERT) {
- printf("%s was built without openssl: Can't do hybrid or cert mode.\n", argv[0]);
- exit(1);
- }
-#endif
opt_no_encryption = (config[CONFIG_ENABLE_NO_ENCRYPTION]) ? 1 : 0;
opt_udpencapport=atoi(config[CONFIG_UDP_ENCAP_PORT]);


Added: branches/vpnc-nortel/crypto-gnutls.c
==============================================================================
--- branches/vpnc-nortel/crypto-gnutls.c (added)
+++ branches/vpnc-nortel/crypto-gnutls.c Sat Sep 12 19:10:32 2009
@@ -1,0 +1,540 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gcrypt.h>
+
+#include "config.h"
+#include "sysdep.h"
+#include "crypto.h"
+
+static int gnutls_initialized = 0;
+
+#define CERT_STACK_DEPTH 20
+
+crypto_ctx *crypto_ctx_new(crypto_error **error)
+{
+ crypto_ctx *ctx;
+
+ if (!gnutls_initialized) {
+ if (gnutls_global_init() != 0) {
+ crypto_error_set(error, 1, 0, "error initializing gnutls globals");
+ return NULL;
+ }
+ gnutls_initialized = 1;
+ }
+
+ ctx = gnutls_calloc(1, sizeof(crypto_ctx));
+ if (!ctx) {
+ crypto_error_set(error, 1, ENOMEM, "not enough memory for crypto context");
+ return NULL;
+ }
+
+ ctx->stack = gnutls_calloc(CERT_STACK_DEPTH, sizeof(gnutls_x509_crt_t));
+ if (!ctx->stack) {
+ crypto_ctx_free(ctx);
+ crypto_error_set(error, 1, ENOMEM,
+ "not enough memory for crypto certificate stack");
+ ctx = NULL;
+ }
+
+ return ctx;
+}
+
+void crypto_ctx_free(crypto_ctx *ctx)
+{
+ if (ctx) {
+ int i;
+
+ for (i = 0; i < ctx->num; i++)
+ gnutls_x509_crt_deinit(ctx->stack[i]);
+ gnutls_free(ctx->stack);
+ memset(ctx, 0, sizeof(crypto_ctx));
+ gnutls_free(ctx);
+ }
+}
+
+unsigned char *crypto_read_cert(const char *path,
+ size_t *out_len,
+ crypto_error **error)
+{
+ gnutls_x509_crt_t cert;
+ unsigned char *data = NULL;
+ gnutls_datum dt;
+ size_t fsize = 0;
+ int err;
+
+ dt.data = crypto_read_file(path, &fsize, error);
+ if (!dt.data)
+ return NULL;
+
+ dt.size = (unsigned int) fsize;
+ if (gnutls_x509_crt_init(&cert) != GNUTLS_E_SUCCESS) {
+ crypto_error_set(error, 1, ENOMEM, "not enough memory for certificate");
+ goto out;
+ }
+
+ err = gnutls_x509_crt_import(cert, &dt, GNUTLS_X509_FMT_PEM);
+ if (err != GNUTLS_E_SUCCESS)
+ err = gnutls_x509_crt_import(cert, &dt, GNUTLS_X509_FMT_DER);
+ if (err != GNUTLS_E_SUCCESS) {
+ crypto_error_set(error, 1, 0, "certificate (%s) format unknown", path);
+ goto out;
+ }
+
+ *out_len = 10000;
+ data = malloc(*out_len);
+ err = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, data, out_len);
+ if (err != GNUTLS_E_SUCCESS) {
+ free(data);
+ *out_len = 0;
+ crypto_error_set(error, 1, 0, "certificate could not be exported");
+ }
+
+out:
+ if (dt.data)
+ gnutls_free(dt.data);
+ gnutls_x509_crt_deinit(cert);
+ return data;
+}
+
+int crypto_push_cert(crypto_ctx *ctx,
+ const unsigned char *data,
+ size_t len,
+ crypto_error **error)
+{
+ gnutls_x509_crt_t cert;
+ gnutls_datum dt;
+ int err;
+
+ if (!ctx || !data || (len <= 0)) {
+ crypto_error_set(error, 1, 0, "invalid crypto context or data");
+ return 1;
+ }
+
+ if (ctx->num >= CERT_STACK_DEPTH) {
+ crypto_error_set(error, 1, 0, "too many certificates in the chain.");
+ return 1;
+ }
+
+ gnutls_x509_crt_init (&cert);
+
+ dt.data = (unsigned char *) data;
+ dt.size = len;
+ err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_DER);
+ if (err != GNUTLS_E_SUCCESS) {
+ gnutls_x509_crt_deinit (cert);
+ crypto_error_set(error, 1, 0, "failed to decode certificate");
+ return 1;
+ }
+
+ ctx->stack[ctx->num] = cert;
+ ctx->num++;
+ return 0;
+}
+
+static int verify_issuer(gnutls_x509_crt_t crt,
+ gnutls_x509_crt_t issuer,
+ crypto_error **error)
+{
+ unsigned int output;
+ time_t now = time (0);
+
+ if (gnutls_x509_crt_verify(crt, &issuer, 1, 0, &output) < 0) {
+ crypto_error_set(error, 1, 0, "failed to verify against issuer");
+ return 1;
+ }
+
+ if (output & GNUTLS_CERT_INVALID) {
+ if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+ crypto_error_set(error, 1, 0, "certificate signer not found");
+ return 1;
+ }
+ if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
+ crypto_error_set(error, 1, 0, "certificate signer not a CA");
+ return 1;
+ }
+ }
+
+ if (gnutls_x509_crt_get_activation_time(crt) > now) {
+ crypto_error_set(error, 1, 0, "certificate activation in the future");
+ return 1;
+ }
+
+ if (gnutls_x509_crt_get_expiration_time(crt) < now) {
+ crypto_error_set(error, 1, 0, "certificate expired");
+ return 1;
+ }
+
+ return 0;
+}
+
+static int verify_last(gnutls_x509_crt_t crt,
+ gnutls_x509_crt_t *ca_list,
+ size_t ca_list_size,
+ crypto_error **error)
+{
+ unsigned int output;
+ time_t now = time (0);
+
+ if (gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+ &output) < 0) {
+ crypto_error_set(error, 1, 0, "failed to verify against CA list");
+ return 1;
+ }
+
+ if (output & GNUTLS_CERT_INVALID) {
+ if (output & GNUTLS_CERT_SIGNER_NOT_CA) {
+ crypto_error_set(error, 1, 0, "certificate signer not a CA");
+ return 1;
+ }
+ }
+
+ if (gnutls_x509_crt_get_activation_time(crt) > now) {
+ crypto_error_set(error, 1, 0, "certificate activation in the future");
+ return 1;
+ }
+
+ if (gnutls_x509_crt_get_expiration_time(crt) < now) {
+ crypto_error_set(error, 1, 0, "certificate expired");
+ return 1;
+ }
+
+ return 0;
+}
+
+static gnutls_x509_crt_t *load_one_ca_file(const char *path, crypto_error **error)
+{
+ gnutls_x509_crt_t *list = NULL;
+ gnutls_x509_crt_t cert;
+ gnutls_datum dt;
+ size_t fsize = 0;
+ int err;
+
+ dt.data = crypto_read_file(path, &fsize, error);
+ if (!dt.data)
+ return NULL;
+
+ dt.size = (unsigned int) fsize;
+ if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) {
+ gnutls_free(dt.data);
+ crypto_error_set(error, 1, ENOMEM, "not enough memory for certificate");
+ goto out;
+ }
+
+ err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_PEM);
+ if (err != GNUTLS_E_SUCCESS)
+ err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_DER);
+ gnutls_free(dt.data);
+ if (err != GNUTLS_E_SUCCESS) {
+ crypto_error_set(error, 1, 0, "certificate (%s) format unknown", path);
+ goto out;
+ }
+
+ list = gnutls_malloc(sizeof(gnutls_x509_crt_t));
+ if (!list) {
+ crypto_error_set(error, 1, ENOMEM, "not enough memory for certificate list");
+ goto out;
+ } else
+ list[0] = cert;
+
+out:
+ gnutls_x509_crt_deinit (cert);
+ return list;
+}
+
+static gnutls_x509_crt_t *load_ca_list_file(const char *path,
+ size_t *out_list_size,
+ crypto_error **error)
+{
+ gnutls_x509_crt_t *list = NULL, *old;
+ gnutls_datum dt = { NULL, 0 };
+ size_t fsize = 0;
+ int err;
+ unsigned int num = 200;
+
+ dt.data = crypto_read_file(path, &fsize, error);
+ if (!dt.data)
+ return NULL;
+
+ dt.size = (unsigned int) fsize;
+ old = list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * num);
+ if (!list) {
+ crypto_error_set(error, 1, ENOMEM, "not enough memory for CA list");
+ goto out;
+ }
+
+ err = gnutls_x509_crt_list_import(list, &num, &dt, GNUTLS_X509_FMT_PEM, 0);
+ if (err <= 0) {
+ /* DER then maybe */
+ gnutls_free(list);
+ list = load_one_ca_file(path, error);
+ if (!list)
+ goto out;
+ num = 1;
+ } else
+ num = err; /* gnutls_x509_crt_list_import() returns # read */
+
+ if (err < 0) {
+ crypto_error_set(error, 1, 0, "importing CA list (%d)", err);
+ gnutls_free(list);
+ list = NULL;
+ } else
+ *out_list_size = num;
+
+out:
+ gnutls_free(dt.data);
+ return list;
+}
+
+int crypto_verify_chain(crypto_ctx *ctx,
+ const char *ca_file,
+ const char *ca_dir,
+ crypto_error **error)
+{
+ int err, i, ret = 1, start = 0;
+ gnutls_x509_crt_t *ca_list = NULL;
+ size_t ca_list_size = 0;
+
+ if (!ctx)
+ return 1;
+
+ if (ctx->num == 0)
+ return 0;
+
+ if (ca_file) {
+ ca_list = load_ca_list_file(ca_file, &ca_list_size, error);
+ if (!ca_list)
+ return 1;
+ } else if (ca_dir) {
+ /* FIXME: Try to load all files in the directory I guess... */
+ crypto_error_set(error, 1, 0, "ca_dir not yet supported");
+ return 1;
+ }
+
+ /* If the server cert is self-signed, ignore it in the issuers check */
+ err = gnutls_x509_crt_check_issuer(ctx->stack[0], ctx->stack[0]);
+ if (err > 0)
+ start++;
+
+ /* Check each certificate against its issuer */
+ for (i = start; i < ctx->num - 1; i++) {
+ if (verify_issuer(ctx->stack[i], ctx->stack[i + 1], error))
+ goto out;
+ }
+
+ /* Verify the last certificate */
+ if (verify_last(ctx->stack[ctx->num - 1], ca_list, ca_list_size, error))
+ goto out;
+
+ ret = 0;
+
+out:
+ if (ca_list) {
+ for (i = 0; i < (int) ca_list_size; i++)
+ gnutls_x509_crt_deinit(ca_list[i]);
+ gnutls_free(ca_list);
+ }
+ return ret;
+}
+
+static unsigned char *check_pkcs1_padding(unsigned char* from,
+ size_t from_len,
+ size_t *out_len,
+ crypto_error **error)
+{
+ int i = 0;
+ unsigned char *rec_hash = NULL;
+ size_t hash_len = 0;
+
+ /* No function provided to check that hash conforms to
+ * PKCS#1 1.5 padding scheme. Moreover gcrypt trim first
+ * 0 bytes */
+ if (from[i++] != 0x01) {
+ crypto_error_set(error, 1, 0, "hash doesn't conform to PKCS#1 padding");
+ goto out;
+ }
+
+ while (from[i] != 0x00) {
+ if (from[i++] != 0xFF) {
+ crypto_error_set(error, 1, 0, "hash doesn't conform to PKCS#1 padding");
+ goto out;
+ }
+ }
+
+ i++; /* Skips 00 byte */
+
+ if (i < 10) {
+ crypto_error_set(error, 1, 0, "PKCS#1 padding too short");
+ goto out;
+ }
+
+ hash_len = from_len - i;
+ rec_hash = calloc(1, hash_len);
+ if (!rec_hash)
+ goto out;
+
+ memcpy(rec_hash, from + i, hash_len);
+ *out_len = hash_len;
+
+out:
+ return rec_hash;
+}
+
+
+unsigned char *crypto_decrypt_signature(crypto_ctx *ctx,
+ const unsigned char *sig_data,
+ size_t sig_len,
+ size_t *out_len,
+ unsigned int padding,
+ crypto_error **error)
+{
+ unsigned char *buf = NULL, *rec_hash = NULL;
+ gnutls_datum_t n = { NULL, 0 }, e = { NULL, 0 };
+ int err, algo;
+ gcry_sexp_t key = NULL, sig = NULL, decrypted = NULL, child = NULL;
+ gcry_mpi_t n_mpi = NULL, e_mpi = NULL, sig_mpi = NULL, dec_mpi = NULL;
+ size_t buf_len = 0, hash_len = 0;
+
+ if (!ctx) {
+ crypto_error_set(error, 1, 0, "invalid crypto context");
+ return NULL;
+ }
+
+ if (!ctx->num) {
+ crypto_error_set(error, 1, 0, "no certificates in the stack");
+ return NULL;
+ }
+
+ algo = gnutls_x509_crt_get_pk_algorithm(ctx->stack[ctx->num - 1], NULL);
+ if (algo != GNUTLS_PK_RSA) {
+ crypto_error_set(error, 1, 0, "certificate public key algorithm not RSA");
+ return NULL;
+ }
+
+ err = gnutls_x509_crt_get_pk_rsa_raw(ctx->stack[ctx->num - 1], &n, &e);
+ if (err != GNUTLS_E_SUCCESS) {
+ crypto_error_set(error, 1, 0, "error getting certificate public key");
+ return NULL;
+ }
+
+ err = gcry_mpi_scan(&n_mpi, GCRYMPI_FMT_USG, n.data, n.size, NULL);
+ if (err) {
+ crypto_error_set(error, 1, 0, "invalid RSA key 'n' format");
+ goto out;
+ }
+
+ err = gcry_mpi_scan(&e_mpi, GCRYMPI_FMT_USG, e.data, e.size, NULL);
+ if (err) {
+ crypto_error_set(error, 1, 0, "invalid RSA key 'e' format");
+ goto out;
+ }
+
+ err = gcry_sexp_build(&key, NULL, "(public-key (rsa (n %m) (e %m)))", n_mpi, e_mpi);
+ if (err) {
+ crypto_error_set(error, 1, 0, "could not create public-key expression");
+ goto out;
+ }
+
+ err = gcry_mpi_scan(&sig_mpi, GCRYMPI_FMT_USG, sig_data, sig_len, NULL);
+ if (err) {
+ crypto_error_set(error, 1, 0, "invalid signature format");
+ goto out;
+ }
+
+ err = gcry_sexp_build(&sig, NULL, "(data (flags raw) (value %m))", sig_mpi);
+ if (err) {
+ crypto_error_set(error, 1, 0, "could not create signature expression");
+ goto out;
+ }
+
+ /* encrypt is equivalent to public key decryption for RSA keys */
+ err = gcry_pk_encrypt(&decrypted, sig, key);
+ if (err) {
+ crypto_error_set(error, 1, 0, "could not decrypt signature");
+ goto out;
+ }
+
+ child = gcry_sexp_find_token(decrypted, "a", 1);
+ if (!child) {
+ crypto_error_set(error, 1, 0, "could not get decrypted signature result");
+ goto out;
+ }
+
+ dec_mpi = gcry_sexp_nth_mpi(child, 1, GCRYMPI_FMT_USG);
+ gcry_sexp_release(child);
+
+ if (!dec_mpi) {
+ crypto_error_set(error, 1, 0, "could not get decrypted signature result");
+ goto out;
+ }
+
+ gcry_mpi_aprint(GCRYMPI_FMT_USG, &buf, &buf_len, dec_mpi);
+ if (!buf) {
+ crypto_error_set(error, 1, 0, "could not get extract decrypted signature");
+ goto out;
+ }
+
+ switch (padding) {
+ case CRYPTO_PAD_NONE:
+ rec_hash = buf;
+ hash_len = buf_len;
+ buf = NULL;
+ *out_len = (int) hash_len;
+ break;
+ case CRYPTO_PAD_PKCS1:
+ rec_hash = check_pkcs1_padding(buf, buf_len, &hash_len, error);
+ if (!rec_hash) {
+ crypto_error_set(error, 1, 0, "could not get extract decrypted padded signature");
+ goto out;
+ }
+ *out_len = (int) hash_len;
+ break;
+ default:
+ crypto_error_set(error, 1, 0, "unknown padding mechanism %d", padding);
+ break;
+ }
+
+out:
+ if (buf)
+ free(buf);
+ if (dec_mpi)
+ gcry_mpi_release(dec_mpi);
+ if (decrypted)
+ gcry_sexp_release(decrypted);
+ if (key)
+ gcry_sexp_release(key);
+ if (sig)
+ gcry_sexp_release(sig);
+ if (sig_mpi)
+ gcry_mpi_release(sig_mpi);
+ if (n_mpi)
+ gcry_mpi_release(n_mpi);
+ if (e_mpi)
+ gcry_mpi_release(e_mpi);
+ if (n.data)
+ gcry_free(n.data);
+ if (e.data)
+ gcry_free(e.data);
+
+ return rec_hash;
+}
+

Added: branches/vpnc-nortel/crypto-gnutls.h
==============================================================================
--- branches/vpnc-nortel/crypto-gnutls.h (added)
+++ branches/vpnc-nortel/crypto-gnutls.h Sat Sep 12 19:10:32 2009
@@ -1,0 +1,30 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#ifndef __CRYPTO_GNUTLS_H__
+#define __CRTPTO_GNUTLS_H__
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+typedef struct {
+ int num;
+ gnutls_x509_crt_t *stack;
+} crypto_ctx;
+
+#endif /* __CRYPTO_GNUTLS_H__ */
+

Added: branches/vpnc-nortel/crypto-openssl.c
==============================================================================
--- branches/vpnc-nortel/crypto-openssl.c (added)
+++ branches/vpnc-nortel/crypto-openssl.c Sat Sep 12 19:10:32 2009
@@ -1,0 +1,323 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <openssl/pem.h>
+#include "config.h"
+#include "sysdep.h"
+#include "crypto.h"
+
+crypto_ctx *crypto_ctx_new(crypto_error **error)
+{
+ crypto_ctx *ctx;
+
+ ctx = malloc(sizeof(crypto_ctx));
+ if (!ctx) {
+ crypto_error_set(error, 1, ENOMEM,
+ "not enough memory for crypto context");
+ return NULL;
+ }
+
+ OpenSSL_add_all_ciphers();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+
+ memset(ctx, 0, sizeof(crypto_ctx));
+ ctx->stack = sk_X509_new_null();
+ if (!ctx->stack) {
+ crypto_ctx_free(ctx);
+ crypto_error_set(error, 1, ENOMEM,
+ "not enough memory for crypto certificate stack");
+ ctx = NULL;
+ }
+
+ return ctx;
+}
+
+void crypto_ctx_free(crypto_ctx *ctx)
+{
+ if (ctx) {
+ if (ctx->stack)
+ sk_X509_free(ctx->stack);
+
+ memset(ctx, 0, sizeof(crypto_ctx));
+ free(ctx);
+ }
+}
+
+static int password_cb(char *buf, int size, int rwflag, void *userdata)
+{
+ /* Dummy callback to ensure openssl doesn't prompt for a password */
+ return 0;
+}
+
+unsigned char *crypto_read_cert(const char *path,
+ size_t *out_len,
+ crypto_error **error)
+{
+ FILE *fp;
+ X509 *cert = NULL;
+ unsigned char *data = NULL, *p;
+
+ fp = fopen(path, "r");
+ if (!fp) {
+ crypto_error_set(error, 1, 0, "certificate (%s) could not be opened", path);
+ return NULL;
+ }
+
+ cert = PEM_read_X509(fp, NULL, password_cb, NULL);
+ fclose (fp);
+
+ if (!cert) {
+ /* Try DER then */
+ p = data = crypto_read_file(path, out_len, error);
+ if (!data || !*out_len) {
+ crypto_error_set(error, 1, 0, "could not read certificate %s", path);
+ return NULL;
+ }
+
+ cert = d2i_X509(NULL, (const unsigned char **) &p, (int) (*out_len));
+ if (!cert) {
+ free(data);
+ crypto_error_set(error, 1, 0, "could not allocate memory for certificate");
+ return NULL;
+ }
+
+ return data;
+ }
+
+ /* Get length of DER data */
+ *out_len = i2d_X509(cert, NULL);
+ if (!*out_len) {
+ crypto_error_set(error, 1, 0, "invalid certificate length");
+ goto out;
+ }
+
+ p = data = malloc(*out_len);
+ if (!data) {
+ crypto_error_set(error, 1, 0, "could not allocate memory for certificate");
+ goto out;
+ }
+
+ /* Encode the certificate to DER */
+ *out_len = i2d_X509(cert, &p);
+ if (!*out_len) {
+ crypto_error_set(error, 1, 0, "could not export certificate data");
+ if (data) {
+ free(data);
+ data = NULL;
+ }
+ goto out;
+ }
+
+out:
+ if (cert)
+ X509_free(cert);
+ return data;
+}
+
+int crypto_push_cert(crypto_ctx *ctx,
+ const unsigned char *data,
+ size_t len,
+ crypto_error **error)
+{
+ X509 *cert = NULL;
+
+ if (!ctx || !data || (len <= 0)) {
+ crypto_error_set(error, 1, 0, "invalid crypto context or data");
+ return 1;
+ }
+
+ /* convert the certificate to an openssl-X509 structure and push it onto the chain stack */
+ cert = d2i_X509(NULL, &data, (int) len);
+ if (!cert) {
+ ERR_print_errors_fp(stderr);
+ crypto_error_set(error, 1, 0, "failed to decode certificate");
+ return 1;
+ }
+ sk_X509_push(ctx->stack, cert);
+ return 0;
+}
+
+int crypto_verify_chain(crypto_ctx *ctx,
+ const char *ca_file,
+ const char *ca_dir,
+ crypto_error **error)
+{
+ X509 *x509;
+ X509_STORE *store = NULL;
+ X509_LOOKUP *lookup = NULL;
+ X509_STORE_CTX *verify_ctx = NULL;
+ int ret = 1;
+
+ if (!ctx) {
+ crypto_error_set(error, 1, 0, "invalid crypto context");
+ return 1;
+ }
+
+ x509 = sk_X509_value(ctx->stack, sk_X509_num(ctx->stack) - 1);
+ if (x509 == NULL) {
+ ERR_print_errors_fp (stderr);
+ crypto_error_set(error, 1, 0, "no certificates in the stack");
+ return 1;
+ }
+
+ /* BEGIN - verify certificate chain */
+ /* create the cert store */
+ if (!(store = X509_STORE_new())) {
+ crypto_error_set(error, 1, 0, "error creating X509_STORE object");
+ return 1;
+ }
+ /* load the CA certificates */
+ if (X509_STORE_load_locations (store, ca_file, ca_dir) != 1) {
+ crypto_error_set(error, 1, 0, "error loading the CA file (%s) "
+ "or directory (%s)", ca_file, ca_dir);
+ goto out;
+ }
+ if (X509_STORE_set_default_paths (store) != 1) {
+ crypto_error_set(error, 1, 0, "error loading the system-wide CA"
+ " certificates");
+ goto out;
+ }
+
+#if 0
+ /* check CRLs */
+ /* add the corresponding CRL for each CA in the chain to the lookup */
+#define CRL_FILE "root-ca-crl.crl.pem"
+
+ if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
+ crypto_error_set(error, 1, 0, "error creating X509 lookup object.");
+ goto out;
+ }
+ if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
+ ERR_print_errors_fp(stderr);
+ crypto_error_set(error, 1, 0, "error reading CRL file");
+ goto out;
+ }
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+#endif /* 0 */
+
+ /* create a verification context and initialize it */
+ if (!(verify_ctx = X509_STORE_CTX_new ())) {
+ crypto_error_set(error, 1, 0, "error creating X509_STORE_CTX object");
+ goto out;
+ }
+ /* X509_STORE_CTX_init did not return an error condition in prior versions */
+ if (X509_STORE_CTX_init (verify_ctx, store, x509, ctx->stack) != 1) {
+ crypto_error_set(error, 1, 0, "error intializing verification context");
+ goto out;
+ }
+
+ /* verify the certificate */
+ if (X509_verify_cert(verify_ctx) != 1) {
+ ERR_print_errors_fp(stderr);
+ crypto_error_set(error, 2, 0, "error verifying the certificate "
+ "chain");
+ goto out;
+ }
+
+ ret = 0;
+
+out:
+ if (lookup)
+ X509_LOOKUP_free(lookup);
+ if (store)
+ X509_STORE_free(store);
+ if (verify_ctx)
+ X509_STORE_CTX_free(verify_ctx);
+ return ret;
+}
+
+unsigned char *crypto_decrypt_signature(crypto_ctx *ctx,
+ const unsigned char *sig_data,
+ size_t sig_len,
+ size_t *out_len,
+ unsigned int padding,
+ crypto_error **error)
+{
+ X509 *x509;
+ EVP_PKEY *pkey = NULL;
+ RSA *rsa;
+ unsigned char *hash = NULL;
+ int tmp_len = -1, ossl_pad;
+
+ *out_len = 0;
+
+ if (!ctx) {
+ crypto_error_set(error, 1, 0, "invalid crypto context");
+ return NULL;
+ }
+
+ x509 = sk_X509_value(ctx->stack, sk_X509_num(ctx->stack) - 1);
+ if (x509 == NULL) {
+ ERR_print_errors_fp (stderr);
+ crypto_error_set(error, 1, 0, "no certificates in the stack");
+ return NULL;
+ }
+
+ pkey = X509_get_pubkey(x509);
+ if (pkey == NULL) {
+ ERR_print_errors_fp (stderr);
+ crypto_error_set(error, 1, 0, "error getting certificate public key");
+ return NULL;
+ }
+
+ rsa = EVP_PKEY_get1_RSA(pkey);
+ if (rsa == NULL) {
+ ERR_print_errors_fp (stderr);
+ crypto_error_set(error, 1, 0, "error getting public key RSA");
+ goto out;
+ }
+
+ hash = calloc(1, RSA_size(rsa));
+ if (!hash) {
+ crypto_error_set(error, 1, 0, "not enough memory to decrypt signature");
+ goto out;
+ }
+
+ switch (padding) {
+ case CRYPTO_PAD_NONE:
+ ossl_pad = RSA_NO_PADDING;
+ break;
+ case CRYPTO_PAD_PKCS1:
+ ossl_pad = RSA_PKCS1_PADDING;
+ break;
+ default:
+ crypto_error_set(error, 1, 0, "unknown padding mechanism %d", padding);
+ goto out;
+ }
+
+ tmp_len = RSA_public_decrypt(sig_len, sig_data, hash, rsa, ossl_pad);
+ if (tmp_len > 0) {
+ *out_len = (size_t) tmp_len;
+ } else {
+ ERR_print_errors_fp (stderr);
+ crypto_error_set(error, 1, 0, "could not decrypt signature");
+ free(hash);
+ hash = NULL;
+ }
+
+out:
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ return hash;
+}
+

Added: branches/vpnc-nortel/crypto-openssl.h
==============================================================================
--- branches/vpnc-nortel/crypto-openssl.h (added)
+++ branches/vpnc-nortel/crypto-openssl.h Sat Sep 12 19:10:32 2009
@@ -1,0 +1,33 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#ifndef OPENSSL_GPL_VIOLATION
+#error "openssl support cannot be built without defining OPENSSL_GPL_VIOLATION"
+#endif
+
+#ifndef __CRYPTO_OPENSSL_H__
+#define __CRYPTO_OPENSSL_H__
+
+#include <openssl/x509.h>
+#include <openssl/err.h>
+
+typedef struct {
+ STACK_OF(X509) *stack;
+} crypto_ctx;
+
+#endif /* __CRYPTO_OPENSSL_H__ */
+

Added: branches/vpnc-nortel/crypto.c
==============================================================================
--- branches/vpnc-nortel/crypto.c (added)
+++ branches/vpnc-nortel/crypto.c Sat Sep 12 19:10:32 2009
@@ -1,0 +1,143 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "sysdep.h"
+#include "crypto.h"
+
+
+#define MSG_SIZE 200
+void crypto_error_set(crypto_error **error,
+ int code,
+ int in_errno,
+ const char *fmt, ...)
+{
+ va_list args;
+
+ if (!error)
+ return;
+ if (*error) {
+ fprintf(stderr, "%s: called with non-NULL *error\n", __func__);
+ return;
+ }
+
+ *error = calloc(1, sizeof(crypto_error));
+ if (!*error)
+ return;
+
+ (*error)->code = code;
+ (*error)->err = in_errno;
+
+ (*error)->msg = malloc(MSG_SIZE);
+ if (!(*error)->msg) {
+ fprintf(stderr, "%s: not enough memory for error message\n", __func__);
+ crypto_error_clear(error);
+ return;
+ }
+
+ va_start(args, fmt);
+ if (vsnprintf((*error)->msg, MSG_SIZE, fmt, args) == -1)
+ (*error)->msg[0] = '\0';
+ va_end(args);
+}
+
+void crypto_error_free(crypto_error *error)
+{
+ if (error) {
+ if (error->msg)
+ free(error->msg);
+ memset(error, 0, sizeof(crypto_error));
+ free(error);
+ }
+}
+
+void crypto_error_clear(crypto_error **error)
+{
+ if (error && *error) {
+ crypto_error_free(*error);
+ *error = NULL;
+ }
+}
+
+void crypto_call_error(crypto_error *err)
+{
+ if (err)
+ error(err->code, err->err, "%s\n", err->msg);
+ else
+ error(1, 0, "unknown error");
+}
+
+unsigned char *
+crypto_read_file(const char *path, size_t *out_len, crypto_error **error)
+{
+ struct stat st;
+ int fd;
+ ssize_t bytes_read;
+ size_t file_size;
+ unsigned char *data = NULL;
+
+ *out_len = 0;
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ crypto_error_set(error, 1, errno, "failed to open file '%s'", path);
+ return NULL;
+ }
+
+ if (fstat(fd, &st) < 0) {
+ crypto_error_set(error, 1, errno, "failed to stat file '%s'", path);
+ goto out;
+ }
+
+ if (st.st_size <= 0 || st.st_size > INT_MAX) {
+ crypto_error_set(error, 1, errno, "invalid file '%s' length %ld", path, st.st_size);
+ goto out;
+ }
+
+ file_size = st.st_size;
+ data = malloc(file_size);
+ if (!data) {
+ crypto_error_set(error, 1, ENOMEM, "not enough memory to read file '%s'", path);
+ goto out;
+ }
+
+ do {
+ bytes_read = read(fd, &(data[*out_len]), (st.st_size - *out_len));
+ if (bytes_read < 0) {
+ free(data);
+ data = NULL;
+ *out_len = 0;
+ crypto_error_set(error, 1, errno, "failed to read file '%s'", path);
+ goto out;
+ }
+ *out_len += bytes_read;
+ } while ((bytes_read > 0) && (*out_len <= file_size));
+
+out:
+ close(fd);
+ return data;
+}
+

Added: branches/vpnc-nortel/crypto.h
==============================================================================
--- branches/vpnc-nortel/crypto.h (added)
+++ branches/vpnc-nortel/crypto.h Sat Sep 12 19:10:32 2009
@@ -1,0 +1,139 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#ifndef __CRYPTO_H__
+#define __CRYPTO_H__
+
+#include <stdarg.h>
+
+typedef struct {
+ int code;
+ int err;
+ char *msg;
+} crypto_error;
+
+void crypto_error_set(crypto_error **error, int code, int in_errno, const char *fmt, ...);
+
+void crypto_error_free(crypto_error *error);
+
+void crypto_error_clear(crypto_error **error);
+
+void crypto_call_error(crypto_error *err);
+
+unsigned char *crypto_read_file(const char *path, size_t *out_len, crypto_error **error);
+
+#if CRYPTO_GNUTLS
+#include "crypto-gnutls.h"
+#elif CRYPTO_OPENSSL
+#include "crypto-openssl.h"
+#else
+#error "no crypto library defined"
+#endif
+
+#define CRYPTO_PAD_NONE 0
+#define CRYPTO_PAD_PKCS1 1
+
+/**
+ * crypto_push_cert:
+ *
+ * Allocates a crypto context with the resources necessary for the specific
+ * crypto library being used.
+ *
+ * Returns: a valid crypto context, or #NULL on error
+ **/
+crypto_ctx *crypto_ctx_new(crypto_error **error);
+
+/**
+ * crypto_ctx_free:
+ * @ctx: a valid crypto context created with crypto_ctx_new()
+ *
+ * Frees resources allocated by crypo_ctx_new().
+ **/
+void crypto_ctx_free(crypto_ctx *ctx);
+
+/**
+ * crypto_read_cert:
+ * @path: path to certificate file in either PEM or DER format
+ * @out_len: length of raw certificate data
+ * @error: return location for an error
+ *
+ * Loads a certificate and returns the binary ASN certificate data;
+ *
+ * Returns: certificate data on success, NULL on error
+ **/
+unsigned char *crypto_read_cert(const char *path,
+ size_t *out_len,
+ crypto_error **error);
+
+/**
+ * crypto_push_cert:
+ * @ctx: a valid crypto context created with crypto_ctx_new()
+ * @data: buffer containing raw certificate data
+ * @len: length of raw certificate data
+ * @error: return location for an error
+ *
+ * Pushes the given certificate onto the context's certificate stack.
+ *
+ * Returns: 0 on success, 1 on error
+ **/
+int crypto_push_cert(crypto_ctx *ctx,
+ const unsigned char *data,
+ size_t len,
+ crypto_error **error);
+
+/**
+ * crypto_verify_chain:
+ * @ctx: a valid crypto context created with crypto_ctx_new()
+ * @ca_file: path of a CA certificate file to use for verification of the
+ * certificate stack. File may be a PEM-encoded file containing
+ * multiple CA certificates. @ca_file is preferred over @ca_dir
+ * @ca_dir: directory containing CA certificates to use for verification of the
+ * certificate stack
+ * @error: return location for an error
+ *
+ * Verifies the certificate stack previously built with crypto_push_cert() using
+ * the supplied CA certificates or certificate locations.
+ *
+ * Returns: 0 on success, 1 on error
+ **/
+int crypto_verify_chain(crypto_ctx *ctx,
+ const char *ca_file,
+ const char *ca_dir,
+ crypto_error **error);
+
+/**
+ * crypto_decrypt_signature:
+ * @ctx: a valid crypto context created with crypto_ctx_new()
+ * @sig_data: encrypted signature data
+ * @sig_len: length of encrypted signature data
+ * @out_len: size of decrypted signature data
+ * @error: return location for an error
+ *
+ * Recovers the message digest stored in @sig_data using the public key of the
+ * last certificate on the certificate stack
+ *
+ * Returns: decrypted message digest, or #NULL on error
+ **/
+unsigned char *crypto_decrypt_signature(crypto_ctx *ctx,
+ const unsigned char *sig_data,
+ size_t sig_len,
+ size_t *out_hash_len,
+ unsigned int padding,
+ crypto_error **error);
+
+#endif /* __CRYPTO_H__ */
+

Modified: branches/vpnc-nortel/supp.c
==============================================================================
--- branches/vpnc-nortel/supp.c (original)
+++ branches/vpnc-nortel/supp.c Sat Sep 12 19:10:32 2009
@@ -55,14 +55,12 @@
const supported_algo_t supp_auth[] = {
{"psk", 0, IKE_AUTH_PRESHARED, 0, 0},
{"psk+xauth", 0, IKE_AUTH_XAUTHInitPreShared, 0, 0},
-#ifdef OPENSSL_GPL_VIOLATION
#if 0
{"cert(dsa)", 0, IKE_AUTH_RSA_SIG, 0, 0},
{"cert(rsasig)", 0, IKE_AUTH_DSS, 0, 0},
{"hybrid(dsa)", 0, IKE_AUTH_DSS, 0, 0},
#endif /* 0 */
{"hybrid(rsa)", 0, IKE_AUTH_HybridInitRSA, 0, 0},
-#endif /* OPENSSL_GPL_VIOLATION */
{NULL, 0, 0, 0, 0}
};


Added: branches/vpnc-nortel/test-crypto.c
==============================================================================
--- branches/vpnc-nortel/test-crypto.c (added)
+++ branches/vpnc-nortel/test-crypto.c Sat Sep 12 19:10:32 2009
@@ -1,0 +1,133 @@
+/* IPSec VPN client compatible with Cisco equipment.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <limits.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include "crypto.h"
+
+int main(int argc, char *argv[])
+{
+ crypto_ctx *cctx;
+ crypto_error *error = NULL;
+ int i;
+ unsigned char *data;
+ size_t size = 0;
+ const unsigned char sig_data[] = {
+ 0x30, 0x82, 0x04, 0xb5, 0x30, 0x82, 0x03, 0x9d, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x02,
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
+ 0x81, 0x9f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+ 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x09, 0x42, 0x65, 0x72, 0x6b, 0x73, 0x68,
+
+ 0x69, 0x72, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x4e, 0x65,
+ 0x77, 0x62, 0x75, 0x72, 0x79, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e,
+ 0x4d, 0x79, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x31, 0x11,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x08, 0x54, 0x68, 0x65, 0x20, 0x55, 0x6e, 0x69,
+
+ 0x74, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x74, 0x65, 0x73, 0x74,
+ 0x2e, 0x73, 0x6f, 0x6d, 0x65, 0x77, 0x68, 0x65, 0x72, 0x65, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x21,
+ 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x74,
+ 0x65, 0x73, 0x74, 0x40, 0x73, 0x6f, 0x6d, 0x65, 0x77, 0x68, 0x65, 0x72, 0x65, 0x2e, 0x6f, 0x72,
+
+ 0x67, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x39, 0x30, 0x34, 0x32, 0x38, 0x30, 0x32, 0x35, 0x30, 0x35,
+ 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x34, 0x32, 0x36, 0x30, 0x32, 0x35, 0x30, 0x35, 0x32,
+ 0x5a, 0x30, 0x81, 0x8f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+ 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x09, 0x42, 0x65, 0x72, 0x6b,
+ };
+ const unsigned char dec_data[] = {
+ 0x7c, 0x2a, 0xe4, 0x60, 0x10, 0x9f, 0xab, 0xd6, 0x76, 0x7b, 0x9d, 0x16, 0xbb, 0xd3, 0x16, 0xa3,
+ 0x61, 0x50, 0x56, 0x13, 0xe4, 0x61, 0x0e, 0x90, 0x71, 0x5c, 0x47, 0xae, 0x4a, 0xc2, 0x89, 0xf8,
+ 0x47, 0x61, 0x4c, 0x3f, 0xd6, 0x11, 0x97, 0xb7, 0x0d, 0x84, 0x86, 0xdd, 0xe9, 0x6d, 0x3e, 0x89,
+ 0xe0, 0x4f, 0x7a, 0x95, 0x3f, 0x6e, 0xe4, 0xcd, 0xb2, 0x80, 0x3e, 0x19, 0x3e, 0x97, 0x7c, 0xdf,
+ 0xd5, 0xff, 0xcb, 0x90, 0xfb, 0x71, 0x9c, 0xef, 0xa1, 0xf6, 0x8c, 0x36, 0xb3, 0x1f, 0x63, 0x7f,
+ 0x32, 0xf5, 0x00, 0x12, 0x5e, 0x13, 0x84, 0x88, 0xe3, 0x13, 0x1c, 0x11, 0x2d, 0x9a, 0xd7, 0xec,
+ 0x51, 0x94, 0x20, 0x6e, 0x8f, 0x69, 0xdf, 0x07, 0xe9, 0x46, 0x3b, 0xd9, 0x1c, 0x0a, 0xc0, 0x60,
+ 0x90, 0x3a, 0x9a, 0x18, 0xa8, 0x19, 0xc6, 0x78, 0xc9, 0xf3, 0x1a, 0xbb, 0xca, 0xa8, 0xb5, 0x05,
+ 0x6b, 0xa8, 0xfb, 0xeb, 0xdd, 0x19, 0x56, 0xc4, 0xfe, 0x7c, 0x84, 0xb1, 0xfd, 0x92, 0xbd, 0xe2,
+ 0xb2, 0x94, 0x57, 0x3d, 0x03, 0x0a, 0xf1, 0xee, 0xca, 0xec, 0x8a, 0x0f, 0xb6, 0x23, 0x0b, 0x44,
+ 0x14, 0x0d, 0xe0, 0xb1, 0x68, 0x38, 0x56, 0x7c, 0x66, 0x60, 0x8f, 0x54, 0x8b, 0x5c, 0x80, 0x37,
+ 0x94, 0x27, 0x89, 0x47, 0x2c, 0x24, 0x45, 0x6b, 0x76, 0xdd, 0xfb, 0xf1, 0x31, 0xef, 0x7f, 0xa4,
+ 0xba, 0x95, 0x4b, 0x91, 0x9c, 0x86, 0xa6, 0x48, 0xa2, 0x5a, 0x41, 0x64, 0x31, 0x14, 0x80, 0x6b,
+ 0xb3, 0x0d, 0x46, 0x14, 0xb2, 0x61, 0x49, 0x81, 0xf5, 0x14, 0x2e, 0x1c, 0x3b, 0x7b, 0xc2, 0x23,
+ 0x9d, 0x31, 0x66, 0x49, 0x56, 0x50, 0x69, 0x69, 0x5a, 0x5c, 0x82, 0x68, 0x96, 0x04, 0xc1, 0x76,
+ 0x18, 0x19, 0x13, 0x95, 0xad, 0xbd, 0x5f, 0x96, 0x6d, 0xfe, 0xde, 0x65, 0x6a, 0x78, 0x47, 0x63,
+ };
+
+ if (argc < 4) {
+ fprintf(stderr, "Need at least 3 arguments: <ca> <cert1> <server>\n");
+ return 1;
+ }
+
+ cctx = crypto_ctx_new(&error);
+ if (!cctx) {
+ fprintf(stderr, "Error initializing crypto: %s\n", error->msg);
+ return error->code;
+ }
+
+ /* Load certificates */
+ for (i = 2; i < argc; i++) {
+ data = crypto_read_cert(argv[i], &size, &error);
+ if (!data) {
+ fprintf(stderr, "Error reading cert %d: %s\n", i + 1, error->msg);
+ return error->code;
+ }
+ if (crypto_push_cert(cctx, data, size, &error)) {
+ free(data);
+ fprintf(stderr, "Error pushing cert %d: %s\n", i + 1, error->msg);
+ return error->code;
+ }
+ free(data);
+ }
+
+ /* Verify the cert chain */
+ if (crypto_verify_chain(cctx, argv[1], NULL, &error) != 0) {
+ fprintf(stderr, "Error verifying chain: %s\n", error && error->msg ? error->msg : "(none)");
+ return error->code;
+ }
+
+ /* Decrypt something using the public key of the server certificate */
+ size = 0;
+ data = crypto_decrypt_signature(cctx, &sig_data[0], sizeof(sig_data), &size, CRYPTO_PAD_NONE, &error);
+ if (!data || !size) {
+ fprintf(stderr, "Error decrypting signature: %s\n", error && error->msg ? error->msg : "(none)");
+ return error->code;
+ }
+
+ if (size != sizeof(dec_data)) {
+ fprintf(stderr, "Error decrypting signature: unexpected "
+ "decrypted size %zd (expected %u)\n", size, sizeof(dec_data));
+ return 1;
+ }
+
+ if (memcmp(data, dec_data, sizeof(dec_data))) {
+ fprintf(stderr, "Error decrypting signature: decrypted data did"
+ " not match expected decrypted data\n");
+ return 1;
+ }
+ free(data);
+
+ fprintf(stdout, "Success\n");
+
+ crypto_ctx_free(cctx);
+ return 0;
+}
+

Added: branches/vpnc-nortel/test/cert.pem
==============================================================================
--- branches/vpnc-nortel/test/cert.pem (added)
+++ branches/vpnc-nortel/test/cert.pem Sat Sep 12 19:10:32 2009
@@ -1,0 +1,373 @@
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 985026699 (0x3ab6508b)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
+ Validity
+ Not Before: Mar 19 18:33:33 2001 GMT
+ Not After : Mar 17 18:33:33 2021 GMT
+ Subject: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:bf:61:b5:95:53:ba:57:fc:fa:f2:67:0b:3a:1a:
+ df:11:80:64:95:b4:d1:bc:cd:7a:cf:f6:29:96:2e:
+ 24:54:40:24:38:f7:1a:85:dc:58:4c:cb:a4:27:42:
+ 97:d0:9f:83:8a:c3:e4:06:03:5b:00:a5:51:1e:70:
+ 04:74:e2:c1:d4:3a:ab:d7:ad:3b:07:18:05:8e:fd:
+ 83:ac:ea:66:d9:18:1b:68:8a:f5:57:1a:98:ba:f5:
+ ed:76:3d:7c:d9:de:94:6a:3b:4b:17:c1:d5:8f:bd:
+ 65:38:3a:95:d0:3d:55:36:4e:df:79:57:31:2a:1e:
+ d8:59:65:49:58:20:98:7e:ab:5f:7e:9f:e9:d6:4d:
+ ec:83:74:a9:c7:6c:d8:ee:29:4a:85:2a:06:14:f9:
+ 54:e6:d3:da:65:07:8b:63:37:12:d7:d0:ec:c3:7b:
+ 20:41:44:a3:ed:cb:a0:17:e1:71:65:ce:1d:66:31:
+ f7:76:01:19:c8:7d:03:58:b6:95:49:1d:a6:12:26:
+ e8:c6:0c:76:e0:e3:66:cb:ea:5d:a6:26:ee:e5:cc:
+ 5f:bd:67:a7:01:27:0e:a2:ca:54:c5:b1:7a:95:1d:
+ 71:1e:4a:29:8a:03:dc:6a:45:c1:a4:19:5e:6f:36:
+ cd:c3:a2:b0:b7:fe:5c:38:e2:52:bc:f8:44:43:e6:
+ 90:bb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ Authority Information Access:
+ OCSP - URI:https://ocsp.quovadisoffshore.com
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Certificate Policies:
+ Policy: 1.3.6.1.4.1.8024.0.1
+ User Notice:
+ Explicit Text: Reliance on the QuoVadis Root Certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certification practices, and the QuoVadis Certificate Policy.
+ CPS: http://www.quovadis.bm
+
+ X509v3 Subject Key Identifier:
+ 8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF
+ X509v3 Authority Key Identifier:
+ keyid:8B:4B:6D:ED:D3:29:B9:06:19:EC:39:39:A9:F0:97:84:6A:CB:EF:DF
+ DirName:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
+ serial:3A:B6:50:8B
+
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha1WithRSAEncryption
+ 8a:d4:14:b5:fe:f4:9a:92:a7:19:d4:a4:7e:72:18:8f:d9:68:
+ 7c:52:24:dd:67:6f:39:7a:c4:aa:5e:3d:e2:58:b0:4d:70:98:
+ 84:61:e8:1b:e3:69:18:0e:ce:fb:47:50:a0:4e:ff:f0:24:1f:
+ bd:b2:ce:f5:27:fc:ec:2f:53:aa:73:7b:03:3d:74:6e:e6:16:
+ 9e:eb:a5:2e:c4:bf:56:27:50:2b:62:ba:be:4b:1c:3c:55:5c:
+ 41:1d:24:be:82:20:47:5d:d5:44:7e:7a:16:68:df:7d:4d:51:
+ 70:78:57:1d:33:1e:fd:02:99:9c:0c:cd:0a:05:4f:c7:bb:8e:
+ a4:75:fa:4a:6d:b1:80:8e:09:56:b9:9c:1a:60:fe:5d:c1:d7:
+ 7a:dc:11:78:d0:d6:5d:c1:b7:d5:ad:32:99:03:3a:8a:cc:54:
+ 25:39:31:81:7b:13:22:51:ba:46:6c:a1:bb:9e:fa:04:6c:49:
+ 26:74:8f:d2:73:eb:cc:30:a2:e6:ea:59:22:87:f8:97:f5:0e:
+ fd:ea:cc:92:a4:16:c4:52:18:ea:21:ce:b1:f1:e6:84:81:e5:
+ ba:a9:86:28:f2:43:5a:5d:12:9d:ac:1e:d9:a8:e5:0a:6a:a7:
+ 7f:a0:87:29:cf:f2:89:4d:d4:ec:c5:e2:e6:7a:d0:36:23:8a:
+ 4a:74:36:f9
+SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
+-----BEGIN CERTIFICATE-----
+MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz
+MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw
+IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR
+dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp
+li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D
+rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ
+WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug
+F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU
+xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC
+Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv
+dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw
+ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl
+IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh
+c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy
+ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh
+Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI
+KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T
+KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq
+y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p
+dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD
+VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk
+fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8
+7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R
+cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y
+mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW
+xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK
+SnQ2+Q==
+-----END CERTIFICATE-----
+
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1289 (0x509)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
+ Validity
+ Not Before: Nov 24 18:27:00 2006 GMT
+ Not After : Nov 24 18:23:33 2031 GMT
+ Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (4096 bit)
+ Modulus (4096 bit):
+ 00:9a:18:ca:4b:94:0d:00:2d:af:03:29:8a:f0:0f:
+ 81:c8:ae:4c:19:85:1d:08:9f:ab:29:44:85:f3:2f:
+ 81:ad:32:1e:90:46:bf:a3:86:26:1a:1e:fe:7e:1c:
+ 18:3a:5c:9c:60:17:2a:3a:74:83:33:30:7d:61:54:
+ 11:cb:ed:ab:e0:e6:d2:a2:7e:f5:6b:6f:18:b7:0a:
+ 0b:2d:fd:e9:3e:ef:0a:c6:b3:10:e9:dc:c2:46:17:
+ f8:5d:fd:a4:da:ff:9e:49:5a:9c:e6:33:e6:24:96:
+ f7:3f:ba:5b:2b:1c:7a:35:c2:d6:67:fe:ab:66:50:
+ 8b:6d:28:60:2b:ef:d7:60:c3:c7:93:bc:8d:36:91:
+ f3:7f:f8:db:11:13:c4:9c:77:76:c1:ae:b7:02:6a:
+ 81:7a:a9:45:83:e2:05:e6:b9:56:c1:94:37:8f:48:
+ 71:63:22:ec:17:65:07:95:8a:4b:df:8f:c6:5a:0a:
+ e5:b0:e3:5f:5e:6b:11:ab:0c:f9:85:eb:44:e9:f8:
+ 04:73:f2:e9:fe:5c:98:8c:f5:73:af:6b:b4:7e:cd:
+ d4:5c:02:2b:4c:39:e1:b2:95:95:2d:42:87:d7:d5:
+ b3:90:43:b7:6c:13:f1:de:dd:f6:c4:f8:89:3f:d1:
+ 75:f5:92:c3:91:d5:8a:88:d0:90:ec:dc:6d:de:89:
+ c2:65:71:96:8b:0d:03:fd:9c:bf:5b:16:ac:92:db:
+ ea:fe:79:7c:ad:eb:af:f7:16:cb:db:cd:25:2b:e5:
+ 1f:fb:9a:9f:e2:51:cc:3a:53:0c:48:e6:0e:bd:c9:
+ b4:76:06:52:e6:11:13:85:72:63:03:04:e0:04:36:
+ 2b:20:19:02:e8:74:a7:1f:b6:c9:56:66:f0:75:25:
+ dc:67:c1:0e:61:60:88:b3:3e:d1:a8:fc:a3:da:1d:
+ b0:d1:b1:23:54:df:44:76:6d:ed:41:d8:c1:b2:22:
+ b6:53:1c:df:35:1d:dc:a1:77:2a:31:e4:2d:f5:e5:
+ e5:db:c8:e0:ff:e5:80:d7:0b:63:a0:ff:33:a1:0f:
+ ba:2c:15:15:ea:97:b3:d2:a2:b5:be:f2:8c:96:1e:
+ 1a:8f:1d:6c:a4:61:37:b9:86:73:33:d7:97:96:9e:
+ 23:7d:82:a4:4c:81:e2:a1:d1:ba:67:5f:95:07:a3:
+ 27:11:ee:16:10:7b:bc:45:4a:4c:b2:04:d2:ab:ef:
+ d5:fd:0c:51:ce:50:6a:08:31:f9:91:da:0c:8f:64:
+ 5c:03:c3:3a:8b:20:3f:6e:8d:67:3d:3a:d6:fe:7d:
+ 5b:88:c9:5e:fb:cc:61:dc:8b:33:77:d3:44:32:35:
+ 09:62:04:92:16:10:d8:9e:27:47:fb:3b:21:e3:f8:
+ eb:1d:5b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B
+ X509v3 Authority Key Identifier:
+ keyid:1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B
+ DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
+ serial:05:09
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 3e:0a:16:4d:9f:06:5b:a8:ae:71:5d:2f:05:2f:67:e6:13:45:
+ 83:c4:36:f6:f3:c0:26:0c:0d:b5:47:64:5d:f8:b4:72:c9:46:
+ a5:03:18:27:55:89:78:7d:76:ea:96:34:80:17:20:dc:e7:83:
+ f8:8d:fc:07:b8:da:5f:4d:2e:67:b2:84:fd:d9:44:fc:77:50:
+ 81:e6:7c:b4:c9:0d:0b:72:53:f8:76:07:07:41:47:96:0c:fb:
+ e0:82:26:93:55:8c:fe:22:1f:60:65:7c:5f:e7:26:b3:f7:32:
+ 90:98:50:d4:37:71:55:f6:92:21:78:f7:95:79:fa:f8:2d:26:
+ 87:66:56:30:77:a6:37:78:33:52:10:58:ae:3f:61:8e:f2:6a:
+ b1:ef:18:7e:4a:59:63:ca:8d:a2:56:d5:a7:2f:bc:56:1f:cf:
+ 39:c1:e2:fb:0a:a8:15:2c:7d:4d:7a:63:c6:6c:97:44:3c:d2:
+ 6f:c3:4a:17:0a:f8:90:d2:57:a2:19:51:a5:2d:97:41:da:07:
+ 4f:a9:50:da:90:8d:94:46:e1:3e:f0:94:fd:10:00:38:f5:3b:
+ e8:40:e1:b4:6e:56:1a:20:cc:6f:58:8d:ed:2e:45:8f:d6:e9:
+ 93:3f:e7:b1:2c:df:3a:d6:22:8c:dc:84:bb:22:6f:d0:f8:e4:
+ c6:39:e9:04:88:3c:c3:ba:eb:55:7a:6d:80:99:24:f5:6c:01:
+ fb:f8:97:b0:94:5b:eb:fd:d2:6f:f1:77:68:0d:35:64:23:ac:
+ b8:55:a1:03:d1:4d:42:19:dc:f8:75:59:56:a3:f9:a8:49:79:
+ f8:af:0e:b9:11:a0:7c:b7:6a:ed:34:d0:b6:26:62:38:1a:87:
+ 0c:f8:e8:fd:2e:d3:90:7f:07:91:2a:1d:d6:7e:5c:85:83:99:
+ b0:38:08:3f:e9:5e:f9:35:07:e4:c9:62:6e:57:7f:a7:50:95:
+ f7:ba:c8:9b:e6:8e:a2:01:c5:d6:66:bf:79:61:f3:3c:1c:e1:
+ b9:82:5c:5d:a0:c3:e9:d8:48:bd:19:a2:11:14:19:6e:b2:86:
+ 1b:68:3e:48:37:1a:88:b7:5d:96:5e:9c:c7:ef:27:62:08:e2:
+ 91:19:5c:d2:f1:21:dd:ba:17:42:82:97:71:81:53:31:a9:9f:
+ f6:7d:62:bf:72:e1:a3:93:1d:cc:8a:26:5a:09:38:d0:ce:d7:
+ 0d:80:16:b4:78:a5:3a:87:4c:8d:8a:a5:d5:46:97:f2:2c:10:
+ b9:bc:54:22:c0:01:50:69:43:9e:f4:b2:ef:6d:f8:ec:da:f1:
+ e3:b1:ef:df:91:8f:54:2a:0b:25:c1:26:19:c4:52:10:05:65:
+ d5:82:10:ea:c2:31:cd:2e
+SHA1 Fingerprint=CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
+-----BEGIN CERTIFICATE-----
+MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
+b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
+BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
+YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
+GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
+Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
+WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
+rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
++ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
+ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
+Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
+PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
+/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
+oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
+yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
+EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
+A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
+MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
+ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
+BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
+g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
+fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
+WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
+B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
+hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
+TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
+mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
+ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
+4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
+8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
+-----END CERTIFICATE-----
+
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1478 (0x5c6)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
+ Validity
+ Not Before: Nov 24 19:11:23 2006 GMT
+ Not After : Nov 24 19:06:44 2031 GMT
+ Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (4096 bit)
+ Modulus (4096 bit):
+ 00:cc:57:42:16:54:9c:e6:98:d3:d3:4d:ee:fe:ed:
+ c7:9f:43:39:4a:65:b3:e8:16:88:34:db:0d:59:91:
+ 74:cf:92:b8:04:40:ad:02:4b:31:ab:bc:8d:91:68:
+ d8:20:0e:1a:01:e2:1a:7b:4e:17:5d:e2:8a:b7:3f:
+ 99:1a:cd:eb:61:ab:c2:65:a6:1f:b7:b7:bd:b7:8f:
+ fc:fd:70:8f:0b:a0:67:be:01:a2:59:cf:71:e6:0f:
+ 29:76:ff:b1:56:79:45:2b:1f:9e:7a:54:e8:a3:29:
+ 35:68:a4:01:4f:0f:a4:2e:37:ef:1b:bf:e3:8f:10:
+ a8:72:ab:58:57:e7:54:86:c8:c9:f3:5b:da:2c:da:
+ 5d:8e:6e:3c:a3:3e:da:fb:82:e5:dd:f2:5c:b2:05:
+ 33:6f:8a:36:ce:d0:13:4e:ff:bf:4a:0c:34:4c:a6:
+ c3:21:bd:50:04:55:eb:b1:bb:9d:fb:45:1e:64:15:
+ de:55:01:8c:02:76:b5:cb:a1:3f:42:69:bc:2f:bd:
+ 68:43:16:56:89:2a:37:61:91:fd:a6:ae:4e:c0:cb:
+ 14:65:94:37:4b:92:06:ef:04:d0:c8:9c:88:db:0b:
+ 7b:81:af:b1:3d:2a:c4:65:3a:78:b6:ee:dc:80:b1:
+ d2:d3:99:9c:3a:ee:6b:5a:6b:b3:8d:b7:d5:ce:9c:
+ c2:be:a5:4b:2f:16:b1:9e:68:3b:06:6f:ae:7d:9f:
+ f8:de:ec:cc:29:a7:98:a3:25:43:2f:ef:f1:5f:26:
+ e1:88:4d:f8:5e:6e:d7:d9:14:6e:19:33:69:a7:3b:
+ 84:89:93:c4:53:55:13:a1:51:78:40:f8:b8:c9:a2:
+ ee:7b:ba:52:42:83:9e:14:ed:05:52:5a:59:56:a7:
+ 97:fc:9d:3f:0a:29:d8:dc:4f:91:0e:13:bc:de:95:
+ a4:df:8b:99:be:ac:9b:33:88:ef:b5:81:af:1b:c6:
+ 22:53:c8:f6:c7:ee:97:14:b0:c5:7c:78:52:c8:f0:
+ ce:6e:77:60:84:a6:e9:2a:76:20:ed:58:01:17:30:
+ 93:e9:1a:8b:e0:73:63:d9:6a:92:94:49:4e:b4:ad:
+ 4a:85:c4:a3:22:30:fc:09:ed:68:22:73:a6:88:0c:
+ 55:21:58:c5:e1:3a:9f:2a:dd:ca:e1:90:e0:d9:73:
+ ab:6c:80:b8:e8:0b:64:93:a0:9c:8c:19:ff:b3:d2:
+ 0c:ec:91:26:87:8a:b3:a2:e1:70:8f:2c:0a:e5:cd:
+ 6d:68:51:eb:da:3f:05:7f:8b:32:e6:13:5c:6b:fe:
+ 5f:40:e2:22:c8:b4:b4:64:4f:d6:ba:7d:48:3e:a8:
+ 69:0c:d7:bb:86:71:c9:73:b8:3f:3b:9d:25:4b:da:
+ ff:40:eb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Certificate Policies:
+ Policy: 1.3.6.1.4.1.8024.0.3
+ User Notice:
+ Explicit Text: Any use of this Certificate constitutes acceptance of the QuoVadis Root CA 3 Certificate Policy / Certification Practice Statement.
+ CPS: http://www.quovadisglobal.com/cps
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ F2:C0:13:E0:82:43:3E:FB:EE:2F:67:32:96:35:5C:DB:B8:CB:02:D0
+ X509v3 Authority Key Identifier:
+ keyid:F2:C0:13:E0:82:43:3E:FB:EE:2F:67:32:96:35:5C:DB:B8:CB:02:D0
+ DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
+ serial:05:C6
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 4f:ad:a0:2c:4c:fa:c0:f2:6f:f7:66:55:ab:23:34:ee:e7:29:
+ da:c3:5b:b6:b0:83:d9:d0:d0:e2:21:fb:f3:60:a7:3b:5d:60:
+ 53:27:a2:9b:f6:08:22:2a:e7:bf:a0:72:e5:9c:24:6a:31:b1:
+ 90:7a:27:db:84:11:89:27:a6:77:5a:38:d7:bf:ac:86:fc:ee:
+ 5d:83:bc:06:c6:d1:77:6b:0f:6d:24:2f:4b:7a:6c:a7:07:96:
+ ca:e3:84:9f:ad:88:8b:1d:ab:16:8d:5b:66:17:d9:16:f4:8b:
+ 80:d2:dd:f8:b2:76:c3:fc:38:13:aa:0c:de:42:69:2b:6e:f3:
+ 3c:eb:80:27:db:f5:a6:44:0d:9f:5a:55:59:0b:d5:0d:52:48:
+ c5:ae:9f:f2:2f:80:c5:ea:32:50:35:12:97:2e:c1:e1:ff:f1:
+ 23:88:51:38:9f:f2:66:56:76:e7:0f:51:97:a5:52:0c:4d:49:
+ 51:95:36:3d:bf:a2:4b:0c:10:1d:86:99:4c:aa:f3:72:11:93:
+ e4:ea:f6:9b:da:a8:5d:a7:4d:b7:9e:02:ae:73:00:c8:da:23:
+ 03:e8:f9:ea:19:74:62:00:94:cb:22:20:be:94:a7:59:b5:82:
+ 6a:be:99:79:7a:a9:f2:4a:24:52:f7:74:fd:ba:4e:e6:a8:1d:
+ 02:6e:b1:0d:80:44:c1:ae:d3:23:37:5f:bb:85:7c:2b:92:2e:
+ e8:7e:a5:8b:dd:99:e1:bf:27:6f:2d:5d:aa:7b:87:fe:0a:dd:
+ 4b:fc:8e:f5:26:e4:6e:70:42:6e:33:ec:31:9e:7b:93:c1:e4:
+ c9:69:1a:3d:c0:6b:4e:22:6d:ee:ab:58:4d:c6:d0:41:c1:2b:
+ ea:4f:12:87:5e:eb:45:d8:6c:f5:98:02:d3:a0:d8:55:8a:06:
+ 99:19:a2:a0:77:d1:30:9e:ac:cc:75:ee:83:f5:b0:62:39:cf:
+ 6c:57:e2:4c:d2:91:0b:0e:75:28:1b:9a:bf:fd:1a:43:f1:ca:
+ 77:fb:3b:8f:61:b8:69:28:16:42:04:5e:70:2a:1c:21:d8:8f:
+ e1:bd:23:5b:2d:74:40:92:d9:63:19:0d:73:dd:69:bc:62:47:
+ bc:e0:74:2b:b2:eb:7d:be:41:1b:b5:c0:46:c5:a1:22:cb:5f:
+ 4e:c1:28:92:de:18:ba:d5:2a:28:bb:11:8b:17:93:98:99:60:
+ 94:5c:23:cf:5a:27:97:5e:0b:05:06:93:37:1e:3b:69:36:eb:
+ a9:9e:61:1d:8f:32:da:8e:0c:d6:74:3e:7b:09:24:da:01:77:
+ 47:c4:3b:cd:34:8c:99:f5:ca:e1:25:61:33:b2:59:1b:e2:6e:
+ d7:37:57:b6:0d:a9:12:da
+SHA1 Fingerprint=1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
+-----BEGIN CERTIFICATE-----
+MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
+b3QgQ0EgMzAeFw0wNjExMjQxOTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNV
+BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
+YWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM
+V0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNggDhoB
+4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUr
+H556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd
+8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9Cabwv
+vWhDFlaJKjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLT
+mZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhe
+btfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjc
+T5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDt
+WAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZ
+c6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A
+4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYD
+VR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG
+CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0
+aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0
+aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVu
+dC4wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2Nw
+czALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4G
+A1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQoUmkRzBFMQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UEAxMSUXVvVmFkaXMg
+Um9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZVqyM0
+7ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem
+d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd
++LJ2w/w4E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B
+4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadN
+t54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6x
+DYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBCbjPsMZ57
+k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6s
+zHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0j
+Wy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeT
+mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
+4SVhM7JZG+Ju1zdXtg2pEto=
+-----END CERTIFICATE-----

Added: branches/vpnc-nortel/test/cert0.pem
==============================================================================
--- branches/vpnc-nortel/test/cert0.pem (added)
+++ branches/vpnc-nortel/test/cert0.pem Sat Sep 12 19:10:32 2009
@@ -1,0 +1,36 @@
+ 0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/1.3.6.1.4.1.311.60.2.1.2=Bern/2.5.4.15=V1.0, Clause 5(b)/serialNumber=CH-035.7.001.278-9/C=CH/ST=Zuerich/L=Zuerich/O=SWITCH/CN=www.switch.ch
+ i:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
+-----BEGIN CERTIFICATE-----
+MIIFpjCCBI6gAwIBAgICD4YwDQYJKoZIhvcNAQEFBQAwazELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAdBgNVBAsTFnd3dy5xdW92YWRp
+c2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBMB4X
+DTA5MDExNTA5MjEzM1oXDTExMDExNTA5MjEzM1owgb8xEzARBgsrBgEEAYI3PAIB
+AxMCQ0gxFTATBgsrBgEEAYI3PAIBAhMEQmVybjEaMBgGA1UEDxMRVjEuMCwgQ2xh
+dXNlIDUoYikxGzAZBgNVBAUTEkNILTAzNS43LjAwMS4yNzgtOTELMAkGA1UEBhMC
+Q0gxEDAOBgNVBAgTB1p1ZXJpY2gxEDAOBgNVBAcTB1p1ZXJpY2gxDzANBgNVBAoT
+BlNXSVRDSDEWMBQGA1UEAxMNd3d3LnN3aXRjaC5jaDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKqwpnO5zcYxC829nQpHkFeZp9Hp4gzlyvHj0BHaLx9F
+pQxaFw7bsgbrMR+M+OjI+NXbWhPbc6ftY5VjqYwaVQAWmA3vvo5ELsy11lzyQusi
+ZT2wjx0Rx1SV7ocP20rDS0gkFqrej0ymdQKO/mcyht53a076goaUuacOElhNttlM
+baXiGwSMFURVUA/9dcOC8HhYPokzWnQD7BkFl3pg3BsmHz5mQ+rh79e+rKJylsXS
+qfSI1zD0QQTLd01JBzX4iOM37IlHBAJb/EWAuNJPjA9SHZlfILhphaAiEtKUlcyL
+4atAUUgbM2SI9yFfwALHliyBgoBcsZSd7ZlzhaFVA6UCAwEAAaOCAf0wggH5MHQG
+CCsGAQUFBwEBBGgwZjAqBggrBgEFBQcwAYYeaHR0cDovL29jc3AucXVvdmFkaXNn
+bG9iYWwuY29tMDgGCCsGAQUFBzAChixodHRwOi8vdHJ1c3QucXVvdmFkaXNnbG9i
+YWwuY29tL3F2c3NsaWNhLmNydDBRBgNVHSAESjBIMEYGDCsGAQQBvlgAAmQBAjA2
+MDQGCCsGAQUFBwIBFihodHRwOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBv
+c2l0b3J5MIGEBgNVHREEfTB7gg13d3cuc3dpdGNoLmNogglzd2l0Y2guY2iCEXd3
+dy1kYXYuc3dpdGNoLmNoggxjbXMuc21zY2cuY2iCEWNtcy53d3cuc3dpdGNoLmNo
+ggllZHVodWIuY2iCDXd3dy5lZHVodWIuY2iCEWNtcy53d3cuZWR1aHViLmNoMAsG
+A1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0j
+BBgwFoAUMk2hT+rwrpm27psHLIQIEVCL4n4wOwYDVR0fBDQwMjAwoC6gLIYqaHR0
+cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZzc2xpY2EuY3JsMB0GA1UdDgQW
+BBRj4EuKFVw3hT+IAecPzu1V+KBfRDANBgkqhkiG9w0BAQUFAAOCAQEAOGUv6vmY
+Bz1d8aewypeEpfGG6HEM59xXEnawhywiT7642y0ZCrAIYQASpKhI4sLPKOJpmQRg
+IzApWKaYvLhUsqvnaEvGS+zj+WGvPps7Ky23mwNmLr4qlMdlW6HuXacZvePAUp9v
+qCzQzcxD2QRncZ1vmG1uz/2gR34b/pgb2HnUS4tT6HbUQxTbQAEEbRubTMjFAD5w
+MXIFvNdOl+fhsehC9xxRnXy0dprXE2Wtk29fqnnXmpTSaOOuzc5BhXamdjebCeY/
+ACI+6A2o7ZbwRLN/J/lnBItJuWam78u0ypLOpWpDImt7eWMP+3JjJcegxVwp80dU
+2TumER72gt2EOA==
+-----END CERTIFICATE-----
+

Added: branches/vpnc-nortel/test/cert1.pem
==============================================================================
--- branches/vpnc-nortel/test/cert1.pem (added)
+++ branches/vpnc-nortel/test/cert1.pem Sat Sep 12 19:10:32 2009
@@ -1,0 +1,34 @@
+ 1 s:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
+ i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
+-----BEGIN CERTIFICATE-----
+MIIFTjCCAzagAwIBAgICBXowDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
+b3QgQ0EgMjAeFw0wNzAxMTIxNjEzMzNaFw0xNzAxMTIxNjEzMTFaMGsxCzAJBgNV
+BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR8wHQYDVQQLExZ3d3cu
+cXVvdmFkaXNnbG9iYWwuY29tMSAwHgYDVQQDExdRdW9WYWRpcyBHbG9iYWwgU1NM
+IElDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk1mD/CiG1+aGcM
+xI7LJL0x4qQpmljkCt1BFL1oaoyuFW4l0GKVTNPFsJ6w4a7pLejG1uQJgeRmKy8n
+xm12NXgIshfqBvTqVFAcuGViwCreo5S+oZWlLxTIYRVJZB3OujED5IyXVibMLR7g
+xWwcXS2BCSNDUnCAN2x+sGHSR9o4sGTbiYFMZPWZfOc0rIbWtms/cUSVfqneyRGN
+WgoIvKPdT2vGvf70RpszxqjEEBLT2A1F2QwM/BxgxylzyelGCN6qVDJrE2rP1KRq
+AN+qiV7kK9MphZ9RYRkjtHE3qNkIxTi4KLy/FBWCy9abwK7t8+AGP6y+N8Oxf7Ed
+9AU37VcCAwEAAaOCASAwggEcMA8GA1UdEwEB/wQFMAMBAf8wOgYIKwYBBQUHAQEE
+LjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20w
+QgYDVR0gBDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVv
+dmFkaXNnbG9iYWwuY29tL2NwczAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgwFoAU
+GoRivEhMMyUE1O7Q9gPEGUbRlGswOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2Ny
+bC5xdW92YWRpc2dsb2JhbC5jb20vcXZyY2EyLmNybDAdBgNVHQ4EFgQUMk2hT+rw
+rpm27psHLIQIEVCL4n4wDQYJKoZIhvcNAQEFBQADggIBAI5zWxH+LIAvrc/dYIWZ
+8zHozDuc1kbd7IaiSgjJCZwNo1vMSLbNfgPg7XIoTDJ903URzDUWh4l8/XncwRil
+rRafR23N/iFkM+NF+LoABd9qpF/oAmOGuJ6GwPUf/yhioc8nQ/WXuMVF4/OTdvGF
+0QRsk7rivttpGx2aQhGBwO39ft4cySvXToNsBjH4VWcduEooZDg6plIec8S2zrFA
+dXvxSgz/sV41QHwyUokTxEY1UoXF9aA5VeGLKIkC1NasTyy26bzuOYOKxgqRUXIu
+n6M+CdWiKKJWVi3rBpbnFQWSrsotp4jeQn9zBuovTR0OOijTBWHj9ThxrIG5pb4g
+Nmd03/NZDe5l3ja59+UtBUpfCbdqPCCZSUy7t6PLAoDo5JwQKCEOrmNpwD/207GP
+2WMo77wh5/mvJRJMFfEZ+CwQXk5LPXXU7EJr+7PYpJB67hryxts1I6FJI0AF3ET9
+3YZ4sgEK009h6bdeZbIOvcT4e0v33EAJggFtxU/5xRdtk/PmwxBjSxeg+jBK2xeH
+3TScxc6nNvtcw22Lds5GucMsoxmpblYV1adrowg3twQvSXQZ96jzyT3qfmk09M+e
+bBTqd3GFwZcJNaQigOw8EQHQtjJm9Zco7FtJ+SxEqcQYFJ+M7QZz+0wWCPwlflMo
+7aGlYILpWH4iR3ZhuH/3xMkx
+-----END CERTIFICATE-----
+

Added: branches/vpnc-nortel/test/cert2.pem
==============================================================================
--- branches/vpnc-nortel/test/cert2.pem (added)
+++ branches/vpnc-nortel/test/cert2.pem Sat Sep 12 19:10:32 2009
@@ -1,0 +1,34 @@
+ 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
+ i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
+-----BEGIN CERTIFICATE-----
+MIIFQjCCBCqgAwIBAgIEQh/RwTANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3MTAxNDMyMjFaFw0xNzA3MTAxNDMx
+MDRaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRsw
+GQYDVQQDExJRdW9WYWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQCaGMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+j
+hiYaHv5+HBg6XJxgFyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp
+3MJGF/hd/aTa/55JWpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02
+kfN/+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw
+419eaxGrDPmF60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7ds
+E/He3fbE+Ik/0XX1ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3
+FsvbzSUr5R/7mp/iUcw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslW
+ZvB1JdxnwQ5hYIizPtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C31
+5eXbyOD/5YDXC2Og/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9
+gqRMgeKh0bpnX5UHoycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqL
+ID9ujWc9Otb+fVuIyV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQAB
+o4H/MIH8MA8GA1UdEwEB/wQFMAMBAf8wQgYDVR0gBDswOTA3BgRVHSAAMC8wLQYI
+KwYBBQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2NwczA6Bggr
+BgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xv
+YmFsLmNvbTAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgwFoAUi0tt7dMpuQYZ7Dk5
+qfCXhGrL798wOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5xdW92YWRpc2ds
+b2JhbC5jb20vcXZyY2EuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBMcgnQQhxa0o7B
+SMNVmyE8suH3nmg3+FC6sAWUsYEKZUZU+PdUrOYGTybAjdPSghSzyhWf/h+l1zwb
+/vxiaZET3ikOni1G1L9rmNPNd0o8Omr/sxTtNyCIEugoJtiBV324XD9wjYr4TjzH
+fn5pq33j+5iqCS0oaynouNevRB/Kcn36esUBg5eEL84cu7JxoOgyPxIccskf5Zp+
+4pqUlQod9cedCi2NaSJ6ZyNExTTtsWXRZM2DYfwMNilHBwPhgj472vQqxN3wb7f6
+ndMU7j2DXbO6G9V891AT1OM6J0JC1DYaA4bMr4m31lJs2sIn99IgrondrOsPSWuu
+TYzbyDZK
+-----END CERTIFICATE-----
+

Added: branches/vpnc-nortel/test/root.pem
==============================================================================
--- branches/vpnc-nortel/test/root.pem (added)
+++ branches/vpnc-nortel/test/root.pem Sat Sep 12 19:10:32 2009
@@ -1,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz
+MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw
+IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR
+dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp
+li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D
+rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ
+WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug
+F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU
+xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC
+Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv
+dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw
+ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl
+IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh
+c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy
+ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh
+Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI
+KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T
+KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq
+y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p
+dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD
+VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk
+fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8
+7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R
+cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y
+mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW
+xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK
+SnQ2+Q==
+-----END CERTIFICATE-----
+

Modified: branches/vpnc-nortel/vpnc.c
==============================================================================
--- branches/vpnc-nortel/vpnc.c (original)
+++ branches/vpnc-nortel/vpnc.c Sat Sep 12 19:10:32 2009
@@ -41,12 +41,7 @@

#include <gcrypt.h>

-#ifdef OPENSSL_GPL_VIOLATION
-/* OpenSSL */
-#include <openssl/x509.h>
-#include <openssl/err.h>
-#endif /* OPENSSL_GPL_VIOLATION */
-
+#include "crypto.h"
#include "sysdep.h"
#include "config.h"
#include "isakmp-pkt.h"
@@ -1353,13 +1348,12 @@
DEBUGTOP(2, printf("S4.4 AM_packet2\n"));
/* Decode the recieved packet. */
{
- int reject;
+ int reject, ret;
struct isakmp_packet *r;
struct isakmp_payload *rp;
struct isakmp_payload *nonce = NULL;
struct isakmp_payload *ke = NULL;
struct isakmp_payload *hash = NULL;
- struct isakmp_payload *last_cert = NULL;
struct isakmp_payload *sig = NULL;
struct isakmp_payload *idp = NULL;
int seen_sa = 0, seen_xauth_vid = 0;
@@ -1369,12 +1363,12 @@
uint8_t *dh_shared_secret;
int seen_natt_vid = 0, seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0;
int natt_draft = -1;
-
-#ifdef OPENSSL_GPL_VIOLATION
- X509 *current_cert;
- /* structure to store the certificate chain */
- STACK_OF(X509) *cert_stack = sk_X509_new_null();
-#endif /* OPENSSL_GPL_VIOLATION */
+ crypto_ctx *cctx;
+ crypto_error *crerr = NULL;
+
+ cctx = crypto_ctx_new (&crerr);
+ if (crerr)
+ crypto_call_error(crerr);

reject = 0;
r = parse_isakmp_packet(r_packet, r_length, &reject);
@@ -1533,14 +1527,15 @@
hash = rp;
break;
case ISAKMP_PAYLOAD_CERT:
- last_cert = rp;
- if (last_cert->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
-#ifdef OPENSSL_GPL_VIOLATION
- /* convert the certificate to an openssl-X509 structure and push it onto the chain stack */
- current_cert = d2i_X509(NULL, (const unsigned char **)&last_cert->u.cert.data, last_cert->u.cert.length);
- sk_X509_push(cert_stack, current_cert);
- last_cert->u.cert.data -= last_cert->u.cert.length; /* 'rewind' the pointer */
-#endif /* OPENSSL_GPL_VIOLATION */
+ if (rp->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
+ hex_dump("cert", rp->u.cert.data, rp->u.cert.length, NULL);
+
+ ret = crypto_push_cert(cctx,
+ (const unsigned char *) rp->u.cert.data,
+ rp->u.cert.length,
+ &crerr);
+ if (ret)
+ crypto_call_error(crerr);
}
break;
case ISAKMP_PAYLOAD_SIG:
@@ -1752,9 +1747,10 @@
/* Verify the hash. */
{
gcry_md_hd_t hm;
- unsigned char *expected_hash;
+ unsigned char *expected_hash, *rec_hash;
uint8_t *idp_f;
size_t idp_size;
+ size_t decr_size = 0;

flatten_isakmp_payload(idp, &idp_f, &idp_size);

@@ -1779,104 +1775,34 @@
hex_dump("received hash", hash->u.hash.data, hash->u.hash.length, NULL);
} else if (opt_auth_mode == AUTH_MODE_CERT ||
opt_auth_mode == AUTH_MODE_HYBRID) {
-#ifdef OPENSSL_GPL_VIOLATION
-
- /* BEGIN - check the signature using OpenSSL */
-
- X509 *x509;
- EVP_PKEY *pkey;
- RSA *rsa;
- X509_STORE *store;
- /* X509_LOOKUP *lookup; */
- X509_STORE_CTX *verify_ctx;
- unsigned char *rec_hash;
- int decr_size;
-
hex_dump("received signature", sig->u.sig.data, sig->u.sig.length, NULL);
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
- OpenSSL_add_all_algorithms();
-
- ERR_load_crypto_strings();
-
- hex_dump("last cert", last_cert->u.cert.data, last_cert->u.cert.length, NULL);
- x509 = d2i_X509(NULL, (const unsigned char **)&last_cert->u.cert.data, last_cert->u.cert.length);
- if (x509 == NULL) {
- ERR_print_errors_fp (stderr);
- error(1, 0, "x509 error\n");
- }
- DEBUG(3, printf("Subject name hash: %08lx\n",X509_subject_name_hash(x509)));
-
- /* BEGIN - verify certificate chain */
- /* create the cert store */
- if (!(store = X509_STORE_new())) {
- error(1, 0, "Error creating X509_STORE object\n");
- }
- /* load the CA certificates */
- if (X509_STORE_load_locations (store, config[CONFIG_CA_FILE], config[CONFIG_CA_DIR]) != 1) {
- error(1, 0, "Error loading the CA file or directory\n");
- }
- if (X509_STORE_set_default_paths (store) != 1) {
- error(1, 0, "Error loading the system-wide CA certificates\n");
- }
-
-#if 0
- /* check CRLs */
- /* add the corresponding CRL for each CA in the chain to the lookup */
-#define CRL_FILE "root-ca-crl.crl.pem"
-
- if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
- error(1, 0, "Error creating X509 lookup object.\n");
- }
- if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
- ERR_print_errors_fp(stderr);
- error(1, 0, "Error reading CRL file\n");
- }
- X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#endif /* 0 */
- /* create a verification context and initialize it */
- if (!(verify_ctx = X509_STORE_CTX_new ())) {
- error(1, 0, "Error creating X509_STORE_CTX object\n");
- }
- /* X509_STORE_CTX_init did not return an error condition
- in prior versions */
- if (X509_STORE_CTX_init (verify_ctx, store, x509, cert_stack) != 1)
- printf("Error intializing verification context\n");
-
- /* verify the certificate */
- if (X509_verify_cert(verify_ctx) != 1) {
- ERR_print_errors_fp(stderr);
- error(2, 0, "Error verifying the certificate-chain\n");
- } else
- DEBUG(3, printf("Certificate-chain verified correctly!\n"));
-
- /* END - verify certificate chain */
-
-
- /* BEGIN - Signature Verification */
- pkey = X509_get_pubkey(x509);
- if (pkey == NULL) {
- ERR_print_errors_fp (stderr);
- exit (1);
- }
-
- rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa == NULL) {
- ERR_print_errors_fp (stderr);
- exit (1);
- }
- rec_hash = xallocc(s->ike.md_len);
- decr_size = RSA_public_decrypt(sig->u.sig.length, sig->u.sig.data, rec_hash, rsa, RSA_PKCS1_PADDING);
-
- if (decr_size != (int) s->ike.md_len) {
- printf("Decrypted-Size: %d\n",decr_size);
+
+ ret = crypto_verify_chain(cctx,
+ config[CONFIG_CA_FILE],
+ config[CONFIG_CA_DIR],
+ &crerr);
+ if (ret)
+ crypto_call_error(crerr);
+
+ /* Verify signature */
+ rec_hash = crypto_decrypt_signature (cctx,
+ sig->u.sig.data,
+ sig->u.sig.length,
+ &decr_size,
+ CRYPTO_PAD_PKCS1,
+ &crerr);
+ if (!rec_hash)
+ crypto_call_error(crerr);
+
+ if (decr_size != s->ike.md_len) {
+ printf("Decrypted-Size: %zd\n",decr_size);
hex_dump(" decr_hash", rec_hash, decr_size, NULL);
hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);

error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ in size.\n");
} else {
if (memcmp(rec_hash, expected_hash, decr_size) != 0) {
- printf("Decrypted-Size: %d\n",decr_size);
+ printf("Decrypted-Size: %zd\n",decr_size);
hex_dump(" decr_hash", rec_hash, decr_size, NULL);
hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);

@@ -1887,11 +1813,7 @@
}
/* END - Signature Verification */

- EVP_PKEY_free(pkey);
free(rec_hash);
-
- /* END - check the signature using OpenSSL */
-#endif /* OPENSSL_GPL_VIOLATION */
}

gcry_md_close(hm);
@@ -2029,6 +1951,7 @@
}

gcry_md_close(skeyid_ctx);
+ crypto_ctx_free(cctx);
free(dh_shared_secret);

/* Determine presence of NAT */
@@ -2106,17 +2029,6 @@
uint8_t *p2kt;
size_t p2kt_len;
struct isakmp_payload *pl;
-#if 0 /* cert support */
-#ifdef OPENSSL_GPL_VIOLATION
- struct isakmp_payload *last_cert = NULL;
- struct isakmp_payload *sig = NULL;
-
-
- X509 *current_cert;
- /* structure to store the certificate chain */
- STACK_OF(X509) *cert_stack = sk_X509_new_null();
-#endif /* OPENSSL_GPL_VIOLATION */
-#endif /* 0 */

p2 = new_isakmp_packet();
memcpy(p2->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
@@ -3432,6 +3344,10 @@
close_tunnel(s);
error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
}
+#ifdef FD_CLOEXEC
+ /* do not pass socket to vpnc-script, etc. */
+ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
+#endif
#ifdef IP_HDRINCL
if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
close_tunnel(s);

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

vpnc devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.