From Cyrus Rahman:

Accept RFC2253 compliant escaped special characters for asn1dn identifier.

crypto/dist/ipsec-tools/ChangeLog

@@ -1,3 +1,8 @@
+2009-01-10  Timo Teras  <timo.teras@iki.fi>
+	From Cyrus Rahman <crahman@gmail.com>:
+	* src/racoon/{crypto_openssl.c|racoon.conf.5}: accept RFC2253
+	  compliant escaped special characters for asn1dn identifier
+
 2009-01-09  Timo Teras  <timo.teras@iki.fi>
 	* configure.ac: fix a CPPLAGS typo
 

crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.15 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.16 2009/01/10 19:08:40 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -130,9 +130,9 @@ eay_str2asn1dn(str, len)
 	int len;
 {
 	X509_NAME *name;
-	char *buf;
+	char *buf, *dst;
 	char *field, *value;
-	int i, j;
+	int i;
 	vchar_t *ret = NULL;
 	caddr_t p;
 
@@ -148,15 +148,38 @@ eay_str2asn1dn(str, len)
 
 	name = X509_NAME_new();
 
-	field = &buf[0];
+	dst = field = &buf[0];
 	value = NULL;
 	for (i = 0; i < len; i++) {
+		if (buf[i] == '\\') {
+			/* Escape characters specified in RFC 2253 */
+			if (i < len - 1 &&
+			    strchr("\\,=+<>#;", buf[i+1]) != NULL) {
+				*dst++ = buf[++i];
+				continue;
+			} else if (i < len - 2) {
+				/* RFC 2253 hexpair character escape */
+				long u;
+				char esc_str[3];
+				char *endptr;
+
+				esc_str[0] = buf[++i];
+				esc_str[1] = buf[++i];
+				esc_str[2] = '\0';
+				u = strtol(esc_str, &endptr, 16);
+				if (*endptr != '\0' || u < 0 || u > 255)
+					goto err;
+				*dst++ = u;
+				continue;
+			} else
+				goto err;
+		}
 		if (!value && buf[i] == '=') {
-			buf[i] = '\0';
-			value = &buf[i + 1];
+			*dst = '\0';
+			dst = value = &buf[i + 1];
 			continue;
 		} else if (buf[i] == ',' || buf[i] == '/') {
-			buf[i] = '\0';
+			*dst = '\0';
 
 			plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
 			     field, value);
@@ -173,16 +196,16 @@ eay_str2asn1dn(str, len)
 				     "%s\n", eay_strerror());
 				goto err;
 			}
-			for (j = i + 1; j < len; j++) {
-				if (buf[j] != ' ')
-					break;
-			}
-			field = &buf[j];
+
+			while (i + 1 < len && buf[i + 1] == ' ') i++;
+			dst = field = &buf[i + 1];
 			value = NULL;
 			continue;
+		} else {
+			*dst++  = buf[i];
 		}
 	}
-	buf[len] = '\0';
+	*dst = '\0';
 
 	plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
 	     field, value);

crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.51 2009/01/05 06:03:58 tteras Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.52 2009/01/10 19:08:40 tteras Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd January 5, 2009
+.Dd January 10, 2009
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -491,6 +491,13 @@ except that the individual component values of an
 identifier may specified as
 .Ic *
 to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
+The format of the
+specification should correspond to RFC 2253; in particular, commas and certain
+other characters -
+.Ic ,=+<>#;
+- may be included in a name by preceeding them with a backslash "\\", and
+arbitrary characters may be inserted in a name with the "\\nn" escape, where
+nn is the hex representation of the ascii value of the desired character.
 Alternative acceptable peer identifiers may be specified by repeating the
 .Ic peers_identifier
 statement.
@@ -1010,6 +1017,7 @@ directive.
 Sainfos will only be used if their remoteid matches the ph1id of the
 remote section used for phase 1.
 Defaults to 0, which is also the default for ph1id.
+.El
 .\"
 .Pp
 .Xr racoon 8