Bug 192292 - eay_cmp_asn1dn() in libcrypto.so.6 is broken after update to openssl 0.9.8za
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 8.4-STABLE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Reported: 2014-07-31 14:33 UTC by longwitz
Modified: 2018-02-12 09:51 UTC

Description longwitz 2014-07-31 14:33:58 UTC
After updating 8.4-STABLE from r256119 with openssl 0.9.8y to r268802 with openssl 0.9.8za, racoon from the ipsec-tools package can't verify identifiers anymore. This can be demonstrated with the program eaytest:


--> eaytest (from ipsec-tools package) with old libcrypto.so.6
....
**Test for Certificate.**
check to convert the string into subjectName.
C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane
exact match: succeed.
wildcard 1 match: succeed.
wildcard 2 match: succeed.


--> eaytest with new libcrypto.so.6
....
**Test for Certificate.**
check to convert the string into subjectName.
C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane
eaytest: asn1dn mismatched.

From eaytest.c:
   if (eay_cmp_asn1dn(&asn1dn0,  asn1dn))
      errx(1, "asn1dn mismatched.\n");
Comment 1 longwitz 2014-08-02 18:52:32 UTC
In the meantime I found openssl #3469 and see that the racoon problem arises after the commit "global_mask needs to be more liberal" in the openssl source /usr/src/crypto/openssl/crypto/asn1/a_strnid.c. Reverting the last change in this source solves the problem for me. The commit for openssl 0.9.8za breaks compatibility, but probably the use of eay_cmp_asn1dn() in racoon must be changed.