Bug 192292

Summary: eay_cmp_asn1dn() in libcrypto.so.6 is broken after update to openssl 0.9.8za
Product: Base System Reporter: longwitz
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug
Severity: Affects Many People
CC: longwitz
Priority: ---
Version: 8.4-STABLE   
Hardware: Any   
OS: Any   

Description longwitz 2014-07-31 14:33:58 UTC
After updating 8.4-STABLE from r256119 (with openssl 0.9.8y) to r268802 (with openssl 0.9.8za), racoon from the ipsec-tools package can't verify identifiers anymore. This can be demonstrated with the program eaytest:


--> eaytest (from ipsec-tools package) with old libcrypto.so.6
....
**Test for Certificate.**
check to convert the string into subjectName.
C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane
exact match: succeed.
wildcard 1 match: succeed.
wildcard 2 match: succeed.


--> eaytest with new libcrypto.so.6
....
**Test for Certificate.**
check to convert the string into subjectName.
C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane
eaytest: asn1dn mismatched.

From eaytest.c:
   if (eay_cmp_asn1dn(&asn1dn0,  asn1dn))
      errx(1, "asn1dn mismatched.\n");
Comment 1 longwitz 2014-08-02 18:52:32 UTC
In the meantime I found openssl #3469 and see that the racoon problem arises after the commit "global_mask needs to be more liberal" in the openssl source /usr/src/crypto/openssl/crypto/asn1/a_strnid.c. Reverting the last change in this source solves the problem for me. The commit for openssl 0.9.8za breaks compatibility, but probably the use of eay_cmp_asn1dn() in racoon must be changed.
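The global_mask in a_strnid.c is the default string mask OpenSSL consults when it turns text into an X.509 name attribute (ASN1_STRING_set_by_NID via ASN1_STRING_get_default_mask), i.e. it decides whether "Kanagawa" becomes a PrintableString, a UTF8String or a BMPString. The added example below is not code from the bug report, ipsec-tools or OpenSSL; it uses a tiny hand-written DER encoder/decoder to show why two DNs built from the same text can have different DER bytes once the library picks a different string type, so that any comparison relying on the encoded bytes reports a mismatch, while a comparison that decodes each value to text first still succeeds. The "*" wildcard rule in cmp_decoded is an assumption modelled on the "wildcard match" lines of the eaytest output above, not a reproduction of racoon's eay_cmp_asn1dn().

```python
"""Added illustration: same DN text, different ASN.1 string types."""

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_PRINTABLESTRING, TAG_UTF8STRING, TAG_BMPSTRING = 0x13, 0x0C, 0x1E

# DER-encoded OIDs for the attribute types in the bug report's test DN
OID = {
    "C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
}
OID_TO_NAME = {v: k for k, v in OID.items()}
CODEC = {TAG_PRINTABLESTRING: "ascii", TAG_UTF8STRING: "utf-8",
         TAG_BMPSTRING: "utf-16-be"}  # content encoding per string tag


def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_name(entries, string_tag):
    """Encode [(attr, text), ...] as an X.501 Name, every value using string_tag.
    string_tag models a library-wide default such as OpenSSL's global_mask:
    the caller's text is unchanged, only the chosen ASN.1 string type differs."""
    rdns = []
    for attr, text in entries:
        value = tlv(string_tag, text.encode(CODEC[string_tag]))
        atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID[attr]) + value)
        rdns.append(tlv(TAG_SET, atv))
    return tlv(TAG_SEQUENCE, b"".join(rdns))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Parse a Name back into [(attr, text), ...]; each value is decoded by
    its own string tag, so the tag no longer influences the result."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == TAG_SEQUENCE
    entries, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = read_tlv(body, pos)
        assert set_tag == TAG_SET
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, after_oid = read_tlv(atv, 0)
        val_tag, val, _ = read_tlv(atv, after_oid)
        entries.append((OID_TO_NAME[oid], val.decode(CODEC[val_tag])))
    return entries


def cmp_bytes(dn_a, dn_b):
    """Byte-for-byte comparison of two DER names: 0 on match, 1 otherwise."""
    return 0 if dn_a == dn_b else 1


def cmp_decoded(dn_a, dn_b):
    """Compare attribute type and decoded text entry by entry; a value of "*"
    in dn_a matches any value (assumed wildcard rule, see lead-in)."""
    a, b = decode_name(dn_a), decode_name(dn_b)
    if len(a) != len(b):
        return 1
    for (attr_a, text_a), (attr_b, text_b) in zip(a, b):
        if attr_a != attr_b or (text_a != "*" and text_a != text_b):
            return 1
    return 0


TEST_DN = [("C", "JP"), ("ST", "Kanagawa"), ("L", "Fujisawa"), ("O", "WIDE Project"),
           ("OU", "KAME Project"), ("CN", "Shoichi Sakane")]
WILDCARD_DN = TEST_DN[:-1] + [("CN", "*")]

if __name__ == "__main__":
    cert_dn = encode_name(TEST_DN, TAG_PRINTABLESTRING)  # as stored in an existing cert
    new_lib = encode_name(TEST_DN, TAG_UTF8STRING)       # library now picks UTF8String
    verdict = lambda rc: "succeed" if rc == 0 else "asn1dn mismatched"
    print("byte compare, cert vs new library:", verdict(cmp_bytes(cert_dn, new_lib)))
    print("decoded compare, cert vs new library:", verdict(cmp_decoded(cert_dn, new_lib)))
    print("decoded wildcard:", verdict(cmp_decoded(encode_name(WILDCARD_DN, TAG_UTF8STRING), cert_dn)))
```

With only ASCII text, PrintableString and UTF8String bodies are identical and the two encodings differ in exactly one byte per attribute (the tag), which is enough for a byte-wise comparison to fail; BMPString changes the length as well. Either a DN comparison has to decode values before comparing, as cmp_decoded does, or both sides have to be produced under the same string mask.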