author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-04-08 17:15:02 +0000 |
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-04-08 17:15:02 +0000 |
commit | 279fdb6b313cbaa9614199eff4369a838ea60403 (patch) | |
tree | da7fa3e019d18b71a75b3a02bbc72d0a76b291c0 | |
parent | b023c387d825596bb473a8b891ff5d2fc703bef8 (diff) |
keynote and policy always compiled in
-rw-r--r-- | sbin/isakmpd/Makefile | 29 | ||||
-rw-r--r-- | sbin/isakmpd/cert.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/conf.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/features/policy | 33 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 13 | ||||
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 23 | ||||
-rw-r--r-- | sbin/isakmpd/init.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/libcrypto.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/monitor.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/sa.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 8 |
13 files changed, 15 insertions, 137 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile index b99649bb781..2d1af2be5a9 100644 --- a/sbin/isakmpd/Makefile +++ b/sbin/isakmpd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.67 2005/04/08 17:03:04 deraadt Exp $ +# $OpenBSD: Makefile,v 1.68 2005/04/08 17:15:01 deraadt Exp $ # $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $ # @@ -113,38 +113,17 @@ DPADD+= ${LIBGMP} CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL .endif -.ifdef USE_KEYNOTE -USE_LIBCRYPTO= yes -USE_LIBDES= yes -LDADD+= -lkeynote -lm -DPADD+= ${LIBKEYNOTE} ${LIBM} -CFLAGS+= -DUSE_KEYNOTE -.endif - .ifdef USE_RAWKEY -USE_LIBCRYPTO= yes CFLAGS+= -DUSE_RAWKEY .endif -.ifdef USE_LIBCRYPTO -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -.endif - -.ifdef USE_LIBDES -CFLAGS+= -DUSE_LIBDES -LDADD+= -ldes -DPADD+= ${LIBDES} -.endif - -SRCS+= ${IPSEC_SRCS} ${POLICY} math_ec2n.c ${DNSSEC} \ +SRCS+= ${IPSEC_SRCS} ${DNSSEC} policy.c math_ec2n.c \ ike_aggressive.c isakmp_cfg.c dpd.c monitor.c monitor_fdpass.c \ nat_traversal.c udp_encap.c CFLAGS+= ${IPSEC_CFLAGS} ${DNSSEC_CFLAGS} -LDADD+= ${DESLIB} ${LWRESLIB} -DPADD+= ${DESLIBDEP} ${LWRESLIB} +LDADD+= ${LWRESLIB} -lkeynote -lcrypto -ldes -lm +DPADD+= ${LWRESLIB} ${LIBKEYNOTE} ${LIBCRYPTO} ${LIBDES} ${LIBM} exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/exchange_num diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c index 28cd848605f..28ea639bfca 100644 --- a/sbin/isakmpd/cert.c +++ b/sbin/isakmpd/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.29 2005/04/05 20:46:20 cloder Exp $ */ +/* $OpenBSD: cert.c,v 1.30 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */ /* @@ -42,9 +42,7 @@ #include "cert.h" #include "x509.h" -#ifdef USE_KEYNOTE #include "policy.h" -#endif struct cert_handler cert_handler[] = { { 
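Review bot: Dropping `-DUSE_KEYNOTE`, `-DUSE_LIBCRYPTO` and `-DUSE_LIBDES` from CFLAGS turns any `#ifdef`/`#if defined` guard on those macros that survives in a file this commit does not touch into silently dead code, which is harder to notice than the link failure the old conditional layout produced. The source hunks remove the guards in the twelve files listed, but a grep for `USE_KEYNOTE`, `USE_POLICY`, `USE_LIBCRYPTO` and `USE_LIBDES` across the remaining isakmpd headers and sources before merging would confirm none are left. `${DESLIB}` and `${DESLIBDEP}` are no longer referenced in LDADD/DPADD; if they are still assigned earlier in this Makefile (outside the hunk) those assignments are now dead and can go as well.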
@@ -55,7 +53,6 @@ struct cert_handler cert_handler[] = { x509_cert_obtain, x509_cert_get_key, x509_cert_get_subjects, x509_cert_dup, x509_serialize, x509_printable, x509_from_printable }, -#ifdef USE_KEYNOTE { ISAKMP_CERTENC_KEYNOTE, keynote_cert_init, NULL, keynote_cert_get, keynote_cert_validate, @@ -65,7 +62,6 @@ struct cert_handler cert_handler[] = { keynote_cert_dup, keynote_serialize, keynote_printable, keynote_from_printable }, -#endif }; /* Initialize all certificate handlers */ diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c index 2168eea451c..515e396f19c 100644 --- a/sbin/isakmpd/conf.c +++ b/sbin/isakmpd/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.80 2005/04/08 16:04:17 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.81 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ /* @@ -484,10 +484,8 @@ conf_load_defaults(int tr) conf_set(tr, "X509-certificates", "CRL-directory", CONF_DFLT_X509_CRL_DIR, 0, 1); -#ifdef USE_KEYNOTE conf_set(tr, "KeyNote", "Credential-directory", CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1); -#endif /* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */ dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime"); diff --git a/sbin/isakmpd/features/policy b/sbin/isakmpd/features/policy deleted file mode 100644 index 680cc3753e8..00000000000 --- a/sbin/isakmpd/features/policy +++ /dev/null 
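Review bot: The KeyNote entry in `cert_handler[]` is now present on every build and carries a `NULL` in its second callback slot (between `keynote_cert_init` and `keynote_cert_get`), whereas the X.509 entry fills every slot. Any loop over `cert_handler[]` that invokes that slot must therefore null-check it unconditionally rather than only on former USE_KEYNOTE builds; the callers are outside this hunk, so this is worth confirming. A short comment on the entry, `/* second callback intentionally NULL; callers must test it before calling */`, would make the contract visible at the table.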
@@ -1,33 +0,0 @@ -# $OpenBSD: policy,v 1.6 2003/06/03 14:29:41 ho Exp $ -# $EOM: policy,v 1.4 2000/02/20 16:38:15 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Wireless Networks Inc. -# - -# NOTE: KeyNote policy support requires the keynote library -POLICY= policy.c diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index 19fe75e710d..599a24ca3ad 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.98 2005/04/05 20:46:20 cloder Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.99 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* 
@@ -43,9 +43,7 @@ #include <string.h> #include <unistd.h> #include <regex.h> -#if defined (USE_KEYNOTE) #include <keynote.h> -#endif #include <policy.h> #include "sysdep.h" @@ -188,7 +186,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) break; case IKE_AUTH_RSA_SIG: -#if defined (USE_KEYNOTE) if (local_id && (keyfile = conf_get_str("KeyNote", "Credential-directory")) != 0) { struct stat sb; @@ -269,7 +266,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) return dc.dec_key; } ignorekeynote: -#endif /* USE_KEYNOTE */ /* Otherwise, try X.509 */ keyfile = conf_get_str("X509-certificates", "Private-key"); @@ -577,7 +573,6 @@ rsa_sig_decode_hash(struct message *msg) p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1); return -1; } -#if defined (USE_POLICY) || defined (USE_KEYNOTE) /* * We need the policy session initialized now, so we can add * credentials etc. @@ -588,7 +583,6 @@ rsa_sig_decode_hash(struct message *msg) "session"); return -1; } -#endif /* USE_POLICY || USE_KEYNOTE */ /* Obtain a certificate from our certificate storage. */ if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) { @@ -609,10 +603,8 @@ rsa_sig_decode_hash(struct message *msg) "of type %d", handler->id)); exchange->recv_cert = cert; exchange->recv_certtype = handler->id; -#if defined (USE_POLICY) x509_generate_kn(exchange->policy_id, cert); -#endif /* USE_POLICY */ } } } else if (handler->id == ISAKMP_CERTENC_KEYNOTE) @@ -695,7 +687,6 @@ rsa_sig_decode_hash(struct message *msg) exchange->recv_cert = cert; exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p); -#if defined (USE_POLICY) || defined (USE_KEYNOTE) if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) { struct keynote_deckey dc; char *pp; @@ -725,8 +716,6 @@ rsa_sig_decode_hash(struct message *msg) pp); free(pp); } -#endif - found++; } diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c index 09ce2fab9c8..b8e3d640f27 100644 
--- a/sbin/isakmpd/ike_quick_mode.c +++ b/sbin/isakmpd/ike_quick_mode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_quick_mode.c,v 1.93 2005/04/06 16:00:20 deraadt Exp $ */ +/* $OpenBSD: ike_quick_mode.c,v 1.94 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */ /* @@ -34,11 +34,9 @@ #include <stdlib.h> #include <string.h> -#if defined (USE_POLICY) || defined (USE_KEYNOTE) #include <sys/types.h> #include <regex.h> #include <keynote.h> -#endif #include "sysdep.h" @@ -71,9 +69,7 @@ static int responder_recv_HASH_SA_NONCE(struct message *); static int responder_send_HASH_SA_NONCE(struct message *); static int responder_recv_HASH(struct message *); -#ifdef USE_POLICY static int check_policy(struct exchange *, struct sa *, struct sa *); -#endif int (*ike_quick_mode_initiator[])(struct message *) = { initiator_send_HASH_SA_NONCE, @@ -87,8 +83,6 @@ int (*ike_quick_mode_responder[])(struct message *) = { responder_recv_HASH }; -#ifdef USE_POLICY - /* How many return values will policy handle -- true/false for now */ #define RETVALUES_NUM 2 @@ -217,7 +211,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) break; case ISAKMP_CERTENC_KEYNOTE: -#ifdef USE_KEYNOTE nprinc = 1; principal = calloc(nprinc, sizeof *principal); @@ -234,7 +227,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) (unsigned long)sizeof(char)); goto policydone; } -#endif break; case ISAKMP_CERTENC_X509_SIG: @@ -395,7 +387,6 @@ policydone: */ return result; } -#endif /* USE_POLICY */ /* * Offer several sets of transforms to the responder. @@ -1230,13 +1221,11 @@ initiator_recv_HASH_SA_NONCE(struct message *msg) proto_free(proto); } -#ifdef USE_POLICY if (!check_policy(exchange, sa, msg->isakmp_sa)) { message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); log_print("initiator_recv_HASH_SA_NONCE: policy check failed"); return -1; } -#endif /* Mark the SA as handled. */ sa_p->flags |= PL_MARK; 
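Review bot: `check_policy` is now run on every `initiator_recv_HASH_SA_NONCE`, and in the responder hunk that follows it is passed to every `message_negotiate_sa`, so an installation previously built without USE_POLICY and running with no policy file will have its proposals answered with `ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN` unless `check_policy` accepts an empty policy set or the daemon is started with `-K` (`ignore_policy`, see the isakmpd.c hunk). The body of `check_policy` starts outside this hunk, so I cannot tell which of those holds. Whichever it is, it should be stated on the now-unconditional `static int check_policy(...)` declaration, e.g. `/* Returns non-zero if the SA is permitted by the loaded KeyNote policy; with -K (ignore_policy) or no policy the outcome is ... */` with the blank filled in from the implementation. Both enclosing functions continue outside their hunks.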
@@ -1625,18 +1614,8 @@ responder_recv_HASH_SA_NONCE(struct message *msg) sockaddr_addrlen(dst)); } -#ifdef USE_POLICY -#ifdef USE_KEYNOTE if (message_negotiate_sa(msg, check_policy)) goto cleanup; -#else - if (message_negotiate_sa(msg, 0)) - goto cleanup; -#endif -#else - if (message_negotiate_sa(msg, 0)) - goto cleanup; -#endif /* USE_POLICY */ for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = TAILQ_NEXT(sa, next)) { diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c index d301155b5ae..07e6e21550b 100644 --- a/sbin/isakmpd/init.c +++ b/sbin/isakmpd/init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: init.c,v 1.34 2005/04/08 16:37:14 deraadt Exp $ */ +/* $OpenBSD: init.c,v 1.35 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */ /* @@ -58,9 +58,7 @@ #include "ui.h" #include "util.h" -#if defined (USE_POLICY) #include "policy.h" -#endif #include "nat_traversal.h" #include "udp_encap.h" @@ -86,10 +84,8 @@ init(void) /* This depends on conf_init, thus check as soon as possible. */ log_reinit(); -#if defined (USE_POLICY) /* policy_init depends on conf_init having run. */ policy_init(); -#endif /* Depends on conf_init and policy_init having run */ cert_init(); @@ -127,10 +123,8 @@ reinit(void) log_reinit(); -#if defined (USE_POLICY) /* Reread the policies. */ policy_init(); -#endif /* Reinitialize certificates */ cert_init(); diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c index c409c2cfd0b..bae5e549546 100644 --- a/sbin/isakmpd/isakmpd.c +++ b/sbin/isakmpd/isakmpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmpd.c,v 1.81 2005/04/08 16:37:14 deraadt Exp $ */ +/* $OpenBSD: isakmpd.c,v 1.82 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ /* @@ -64,9 +64,7 @@ #include "util.h" #include "cert.h" -#ifdef USE_POLICY #include "policy.h" -#endif static void usage(void); 
@@ -185,11 +183,9 @@ parse_args(int argc, char *argv[]) pid_file = optarg; break; -#ifdef USE_POLICY case 'K': ignore_policy++; break; -#endif case 'n': app_none++; diff --git a/sbin/isakmpd/libcrypto.c b/sbin/isakmpd/libcrypto.c index 00d4345ef3b..5191750abbd 100644 --- a/sbin/isakmpd/libcrypto.c +++ b/sbin/isakmpd/libcrypto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: libcrypto.c,v 1.17 2005/04/05 20:46:20 cloder Exp $ */ +/* $OpenBSD: libcrypto.c,v 1.18 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: libcrypto.c,v 1.14 2000/09/28 12:53:27 niklas Exp $ */ /* @@ -36,14 +36,10 @@ void libcrypto_init(void) { -#if defined (USE_LIBCRYPTO) - /* Add all algorithms known by SSL */ #if OPENSSL_VERSION_NUMBER >= 0x00905100L OpenSSL_add_all_algorithms(); #else SSLeay_add_all_algorithms(); #endif - -#endif /* USE_LIBCRYPTO */ } diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c index ba14f16ba0e..33aa75392e8 100644 --- a/sbin/isakmpd/monitor.c +++ b/sbin/isakmpd/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.37 2005/04/04 19:31:11 deraadt Exp $ */ +/* $OpenBSD: monitor.c,v 1.38 2005/04/08 17:15:01 deraadt Exp $ */ /* * Copyright (c) 2003 Håkan Olsson. All rights reserved. @@ -41,10 +41,8 @@ #include <string.h> #include <unistd.h> -#if defined (USE_POLICY) #include <regex.h> #include <keynote.h> -#endif #include "sysdep.h" diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index 6711106b39e..993c4121d60 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.161 2005/04/08 16:37:14 deraadt Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.162 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* @@ -67,9 +67,7 @@ #include "transport.h" #include "util.h" -#if defined (USE_KEYNOTE) #include "policy.h" -#endif #include "udp_encap.h" 
@@ -1586,7 +1584,6 @@ nodid: /* Nothing to be done here. */ break; -#if defined (USE_KEYNOTE) && defined (SADB_X_EXT_REMOTE_CREDENTIALS) case ISAKMP_CERTENC_KEYNOTE: len = strlen(isakmp_sa->recv_cert); cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, @@ -1606,7 +1603,6 @@ nodid: PF_KEY_V2_NODE_MALLOCED) == -1) goto cleanup; break; -#endif /* USE_KEYNOTE */ #if defined (SADB_X_EXT_REMOTE_CREDENTIALS) case ISAKMP_CERTENC_X509_SIG: diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c index a09ac8c07ec..bfefefe52c2 100644 --- a/sbin/isakmpd/sa.c +++ b/sbin/isakmpd/sa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.c,v 1.95 2005/04/08 16:52:41 deraadt Exp $ */ +/* $OpenBSD: sa.c,v 1.96 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ /* @@ -35,10 +35,8 @@ #include <stdlib.h> #include <string.h> -#if defined (USE_KEYNOTE) || defined (USE_POLICY) #include <regex.h> #include <keynote.h> -#endif /* USE_KEYNOTE || USE_POLICY */ #include "sysdep.h" @@ -789,10 +787,8 @@ sa_release(struct sa *sa) sa->recv_key); if (sa->keynote_key) free(sa->keynote_key); /* This is just a string */ -#if defined (USE_POLICY) || defined (USE_KEYNOTE) if (sa->policy_id != -1) kn_close(sa->policy_id); -#endif if (sa->name) free(sa->name); if (sa->keystate) diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index d7a28ca5331..8442643039e 100644 --- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.99 2005/04/08 16:24:12 deraadt Exp $ */ +/* $OpenBSD: x509.c,v 1.100 2005/04/08 17:15:01 deraadt Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -43,10 +43,8 @@ #include <string.h> #include <unistd.h> -#ifdef USE_POLICY #include <regex.h> #include <keynote.h> -#endif /* USE_POLICY */ #include "sysdep.h" 
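Review bot: The guard removed from the `ISAKMP_CERTENC_KEYNOTE` case was `defined (USE_KEYNOTE) && defined (SADB_X_EXT_REMOTE_CREDENTIALS)`, but the replacement drops both halves, while the `ISAKMP_CERTENC_X509_SIG` case immediately below keeps its `#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)`. On a kernel/header set without that PF_KEY extension the KeyNote case is now compiled although the credential node it builds (`cred`, handed over with `PF_KEY_V2_NODE_MALLOCED`) only exists for the extension; if `cred`'s type or the node constant comes from the same `SADB_X_EXT_REMOTE_CREDENTIALS` block, this is a build break on those platforms. Keep the platform half of the condition by placing `#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)` before `case ISAKMP_CERTENC_KEYNOTE:` and `#endif /* SADB_X_EXT_REMOTE_CREDENTIALS */` after its `break;`, or fold the KeyNote case into the existing X.509 `#if` block. The enclosing switch and the function containing `nodid:` start outside the hunk.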
@@ -96,7 +94,6 @@ static LIST_HEAD(x509_list, x509_hash) *x509_tab = 0; /* Works both as a maximum index and a mask. */ static int bucket_mask; -#ifdef USE_POLICY /* * Given an X509 certificate, create a KeyNote assertion where * Issuer/Subject -> Authorizer/Licensees. @@ -478,7 +475,6 @@ x509_generate_kn(int id, X509 *cert) free(buf); return 1; } -#endif /* USE_POLICY */ static u_int16_t x509_hash(u_int8_t *id, size_t len) @@ -961,14 +957,12 @@ x509_cert_insert(int id, void *scert) log_print("x509_cert_insert: X509_dup failed"); return 0; } -#ifdef USE_POLICY if (x509_generate_kn(id, cert) == 0) { LOG_DBG((LOG_POLICY, 50, "x509_cert_insert: x509_generate_kn failed")); X509_free(cert); return 0; } -#endif /* USE_POLICY */ res = x509_hash_enter(cert); if (!res) |
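Review bot: `x509_cert_insert` now frees the duplicated certificate and returns 0 whenever `x509_generate_kn` returns 0 on every build, not only USE_POLICY ones, so a certificate that a non-policy build previously accepted into the hash table is now refused, and the only trace is a `LOG_DBG` at level 50 under `LOG_POLICY`. Because a failed KeyNote conversion has become a rejected peer certificate, consider reporting it with `log_print` (as the `X509_dup` failure just above already does) so an operator can see why a peer's cert was dropped, and extend the comment above `x509_generate_kn` in the first hunk to say that certificate insertion depends on it succeeding. `x509_cert_insert`'s body continues outside the hunk.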