Enable to send either the DN or SubjectAltName of the certificate.

Compared ID payload and the name of certificate if it needed.

kame/kame/racoon/cfparse.y

@@ -774,6 +774,12 @@ sainfo_id
 		{
 			struct ipsecdoi_id_b *id_b;
 
+			if ($1 == LC_IDENTTYPE_CERTNAME
+			 || $1 == LC_IDENTTYPE_CERTALTNAME) {
+				yyerror("forbidden using such id type: %d", $1);
+				return -1;
+			}
+
 			$2->l--;
 
 			$$ = vmalloc(sizeof(*id_b) + $2->l);
@@ -784,6 +790,7 @@ sainfo_id
 
 			id_b = (struct ipsecdoi_id_b *)$$->v;
 			id_b->type = idtype2doi($1);
+
 			id_b->proto_id = 0;
 			id_b->port = 0;
 
@@ -826,7 +833,13 @@ sainfo_spec
 		algorithms EOS
 	|	IDENTIFIER IDENTIFIERTYPE
 		{
-			cur_sainfo->myidenttype = idtype2doi($2);
+			if ($2 == LC_IDENTTYPE_CERTNAME
+			 || $2 == LC_IDENTTYPE_CERTALTNAME) {
+				yyerror("forbidden using such id type: %d", $2);
+				return -1;
+			}
+
+			cur_sainfo->myidenttype = $2;
 		}
 		EOS
 	;
@@ -919,6 +932,14 @@ remote_statement
 		}
 		BOC remote_specs EOC
 		{
+			if ((cur_rmconf->identtype == LC_IDENTTYPE_CERTNAME
+			  || cur_rmconf->identtype == LC_IDENTTYPE_CERTALTNAME)
+			 && cur_rmconf->mycertfile == NULL) {
+				yyerror("id type mismatched due to "
+					"no CERT defined.\n");
+				return -1;
+			}
+
 			if (set_isakmp_proposal(cur_rmconf, prhead) != 0)
 				return -1;
 
@@ -990,10 +1011,7 @@ remote_spec
 			vfree($2);
 		}
 		EOS
-	|	IDENTIFIER IDENTIFIERTYPE EOS
-		{
-			cur_rmconf->identtype = idtype2doi($2);
-		}
+	|	IDENTIFIER IDENTIFIERTYPE EOS { cur_rmconf->identtype = $2; }
 	|	NONCE_SIZE NUMBER EOS { cur_rmconf->nonce_size = $2; }
 	|	DH_GROUP
 		{

kame/kame/racoon/cftoken.l

@@ -391,7 +391,8 @@ user_fqdn	{ YYD; yylval.num = LC_IDENTTYPE_USERFQDN; return(IDENTIFIERTYPE); }
 fqdn		{ YYD; yylval.num = LC_IDENTTYPE_FQDN; return(IDENTIFIERTYPE); }
 keyid		{ YYD; yylval.num = LC_IDENTTYPE_KEYID; return(IDENTIFIERTYPE); }
 address		{ YYD; yylval.num = LC_IDENTTYPE_ADDRESS; return(IDENTIFIERTYPE); }
-asn1dn		{ YYD; yylval.num = LC_IDENTTYPE_ASN1DN; return(IDENTIFIERTYPE); }
+certname	{ YYD; yylval.num = LC_IDENTTYPE_CERTNAME; return(IDENTIFIERTYPE); }
+certaltname	{ YYD; yylval.num = LC_IDENTTYPE_CERTALTNAME; return(IDENTIFIERTYPE); }
 
 	/* units */
 B|byte|bytes		{ YYD; yylval.num = CF_UNITTYPE_B; return(UNITTYPE); }

kame/kame/racoon/ipsec_doi.c

@@ -26,7 +26,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
-/* YIPS @(#)$Id: ipsec_doi.c,v 1.96 2000/08/28 17:50:59 itojun Exp $ */
+/* YIPS @(#)$Id: ipsec_doi.c,v 1.97 2000/08/31 14:39:06 sakane Exp $ */
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -76,6 +76,7 @@
 #include "algorithm.h"
 #include "sainfo.h"
 #include "proposal.h"
+#include "crypto_openssl.h"
 #include "strnames.h"
 
 static vchar_t *get_ph1approval __P((struct ph1handle *, struct prop_pair **));
@@ -2894,6 +2895,23 @@ ipsecdoi_checkid1(iph1)
 	return -1;
 }
 
+static int
+genid2doi(genid)
+	int genid;
+{
+	switch (genid) {
+	case GENT_IPADD:
+		return 0;
+	case GENT_DNS:
+		return IPSECDOI_ID_FQDN;
+	case GENT_EMAIL:
+		return IPSECDOI_ID_USER_FQDN;
+	default:
+		return -1;
+	}
+	/*NOTREACHED*/
+}
+
 /*
  * create ID payload for phase 1 and set into iph1->id.
  * NOT INCLUDING isakmp general header.
@@ -2905,32 +2923,48 @@ ipsecdoi_setid1(iph1)
 {
 	vchar_t *ret = NULL;
 	struct ipsecdoi_id_b id_b;
-	int lctype;
-	vchar_t *ident = NULL, idtmp;
-
-	lctype = doi2idtype(iph1->rmconf->identtype);
+	vchar_t *ident, idtmp;
+	char idbuf[128]; /* XXX */
+	char *altname;
+	int len, type;
 
 	/* init */
-	id_b.type = iph1->rmconf->identtype;
 	id_b.proto_id = 0;
 	id_b.port = 0;
+	ident = NULL;
 
 	switch (iph1->rmconf->identtype) {
-	case IPSECDOI_ID_FQDN:
-		ident = lcconf->ident[lctype];
+	case LC_IDENTTYPE_FQDN:
+	case LC_IDENTTYPE_USERFQDN:
+	case LC_IDENTTYPE_KEYID:
+		id_b.type = idtype2doi(iph1->rmconf->identtype);
+		ident = lcconf->ident[iph1->rmconf->identtype];
 		break;
-	case IPSECDOI_ID_USER_FQDN:
-		ident = lcconf->ident[lctype];
+	case LC_IDENTTYPE_CERTNAME:
+		id_b.type = IPSECDOI_ID_DER_ASN1_DN;
+		if (oakley_getmycert(iph1) < 0)
+			goto err;
+		ident = eay_get_x509asn1subjectname(&iph1->cert->cert);
 		break;
-	case IPSECDOI_ID_KEY_ID:
-		ident = lcconf->ident[lctype];
+	case LC_IDENTTYPE_CERTALTNAME:
+		if (oakley_getmycert(iph1) < 0)
+			goto err;
+		if (eay_get_x509subjectaltname(&iph1->cert->cert,
+				&altname, &type) < 0)
+			goto err;
+		id_b.type = genid2doi(type);
+		if (id_b.type == 0) {
+			printf("XXXX");
+			goto err;
+		}
+		len = snprintf(idbuf, sizeof(idbuf), "%s", altname);
+		idtmp.l = strlen(altname);
+		idtmp.v = idbuf;
+		ident = &idtmp;
+		free(altname);
 		break;
+	case LC_IDENTTYPE_ADDRESS:
 	default:
-		ident = NULL;
-	}
-
-	/* use local IP address as identifier */
-	if (ident == NULL) {
 		/* use IP address */
 		switch (iph1->local->sa_family) {
 		case AF_INET:
@@ -2991,26 +3025,11 @@ int
 ipsecdoi_setid2(iph2)
 	struct ph2handle *iph2;
 {
-	int lctype;
 	vchar_t *ident = NULL;
 	struct secpolicy *sp;
 
-	/* local side */
-	lctype = doi2idtype(iph2->sainfo->myidenttype);
-
-	switch (iph2->sainfo->myidenttype) {
-	case IPSECDOI_ID_FQDN:
-		ident = lcconf->ident[lctype];
-		break;
-	case IPSECDOI_ID_USER_FQDN:
-		ident = lcconf->ident[lctype];
-		break;
-	case IPSECDOI_ID_KEY_ID:
-		ident = lcconf->ident[lctype];
-		break;
-	default:
-		ident = NULL;
-	}
+	/* init */
+	ident = lcconf->ident[iph2->sainfo->myidenttype];
 
 	/* check there is phase 2 handler ? */
 	sp = getspbyspid(iph2->spid);
@@ -3036,7 +3055,7 @@ ipsecdoi_setid2(iph2)
 	} else {
 		struct ipsecdoi_id_b id_b;
 
-		id_b.type = iph2->sainfo->myidenttype;
+		id_b.type = idtype2doi(iph2->sainfo->myidenttype);
 		id_b.proto_id = 0;
 		id_b.port = 0;
 

kame/kame/racoon/localconf.c

@@ -26,7 +26,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
-/* YIPS @(#)$Id: localconf.c,v 1.18 2000/08/30 17:26:51 sakane Exp $ */
+/* YIPS @(#)$Id: localconf.c,v 1.19 2000/08/31 14:39:06 sakane Exp $ */
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -274,7 +274,7 @@ static int lc_doi2idtype[] = {
 	-1,
 	-1,
 	-1,
-	-1,
+	LC_IDENTTYPE_CERTNAME,
 	-1,
 	LC_IDENTTYPE_KEYID,
 };
@@ -297,7 +297,9 @@ static int lc_idtype2doi[] = {
 	IPSECDOI_ID_FQDN,
 	IPSECDOI_ID_USER_FQDN,
 	IPSECDOI_ID_KEY_ID,
-	0,	/* When type is "address", then it's dealed with default. */
+	-1,	/* if type is "address", it expands to 4 types. */
+	IPSECDOI_ID_DER_ASN1_DN,
+	-1,	/* if type is "certaltname", it expands to a lot of type. */
 };
 
 /*

kame/kame/racoon/localconf.h

@@ -26,7 +26,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
-/* YIPS @(#)$Id: localconf.h,v 1.14 2000/08/22 11:30:46 sakane Exp $ */
+/* YIPS @(#)$Id: localconf.h,v 1.15 2000/08/31 14:39:06 sakane Exp $ */
 
 /* local configuration */
 
@@ -39,12 +39,13 @@
 #define LC_PATHTYPE_CERT	2
 #define LC_PATHTYPE_MAX		3
 
-#define LC_IDENTTYPE_FQDN	0
-#define LC_IDENTTYPE_USERFQDN	1
-#define LC_IDENTTYPE_KEYID	2
-#define LC_IDENTTYPE_ADDRESS	3
-#define LC_IDENTTYPE_ASN1DN	4
-#define LC_IDENTTYPE_MAX	5
+#define LC_IDENTTYPE_FQDN		0
+#define LC_IDENTTYPE_USERFQDN		1
+#define LC_IDENTTYPE_KEYID		2
+#define LC_IDENTTYPE_ADDRESS		3
+#define LC_IDENTTYPE_CERTNAME		4
+#define LC_IDENTTYPE_CERTALTNAME	5
+#define LC_IDENTTYPE_MAX		6
 
 #define LC_DEFAULT_PAD_MAXSIZE		20
 #define LC_DEFAULT_PAD_RANDOM		TRUE