authorTheo de Raadt <deraadt@cvs.openbsd.org>2005-04-08 17:15:02 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2005-04-08 17:15:02 +0000
commit279fdb6b313cbaa9614199eff4369a838ea60403 (patch)
treeda7fa3e019d18b71a75b3a02bbc72d0a76b291c0
parentb023c387d825596bb473a8b891ff5d2fc703bef8 (diff)
keynote and policy always compiled in
-rw-r--r--sbin/isakmpd/Makefile29
-rw-r--r--sbin/isakmpd/cert.c6
-rw-r--r--sbin/isakmpd/conf.c4
-rw-r--r--sbin/isakmpd/features/policy33
-rw-r--r--sbin/isakmpd/ike_auth.c13
-rw-r--r--sbin/isakmpd/ike_quick_mode.c23
-rw-r--r--sbin/isakmpd/init.c8
-rw-r--r--sbin/isakmpd/isakmpd.c6
-rw-r--r--sbin/isakmpd/libcrypto.c6
-rw-r--r--sbin/isakmpd/monitor.c4
-rw-r--r--sbin/isakmpd/pf_key_v2.c6
-rw-r--r--sbin/isakmpd/sa.c6
-rw-r--r--sbin/isakmpd/x509.c8
13 files changed, 15 insertions, 137 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile
index b99649bb781..2d1af2be5a9 100644
--- a/sbin/isakmpd/Makefile
+++ b/sbin/isakmpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.67 2005/04/08 17:03:04 deraadt Exp $
+# $OpenBSD: Makefile,v 1.68 2005/04/08 17:15:01 deraadt Exp $
# $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $
#
@@ -113,38 +113,17 @@ DPADD+= ${LIBGMP}
CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL
.endif
-.ifdef USE_KEYNOTE
-USE_LIBCRYPTO= yes
-USE_LIBDES= yes
-LDADD+= -lkeynote -lm
-DPADD+= ${LIBKEYNOTE} ${LIBM}
-CFLAGS+= -DUSE_KEYNOTE
-.endif
-
.ifdef USE_RAWKEY
-USE_LIBCRYPTO= yes
CFLAGS+= -DUSE_RAWKEY
.endif
-.ifdef USE_LIBCRYPTO
-CFLAGS+= -DUSE_LIBCRYPTO
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
-.endif
-
-.ifdef USE_LIBDES
-CFLAGS+= -DUSE_LIBDES
-LDADD+= -ldes
-DPADD+= ${LIBDES}
-.endif
-
-SRCS+= ${IPSEC_SRCS} ${POLICY} math_ec2n.c ${DNSSEC} \
+SRCS+= ${IPSEC_SRCS} ${DNSSEC} policy.c math_ec2n.c \
ike_aggressive.c isakmp_cfg.c dpd.c monitor.c monitor_fdpass.c \
nat_traversal.c udp_encap.c
CFLAGS+= ${IPSEC_CFLAGS} ${DNSSEC_CFLAGS}
-LDADD+= ${DESLIB} ${LWRESLIB}
-DPADD+= ${DESLIBDEP} ${LWRESLIB}
+LDADD+= ${LWRESLIB} -lkeynote -lcrypto -ldes -lm
+DPADD+= ${LWRESLIB} ${LIBKEYNOTE} ${LIBCRYPTO} ${LIBDES} ${LIBM}
exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst
/bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/exchange_num
diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c
index 28cd848605f..28ea639bfca 100644
--- a/sbin/isakmpd/cert.c
+++ b/sbin/isakmpd/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.29 2005/04/05 20:46:20 cloder Exp $ */
+/* $OpenBSD: cert.c,v 1.30 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -42,9 +42,7 @@
#include "cert.h"
#include "x509.h"
-#ifdef USE_KEYNOTE
#include "policy.h"
-#endif
struct cert_handler cert_handler[] = {
{
@@ -55,7 +53,6 @@ struct cert_handler cert_handler[] = {
x509_cert_obtain, x509_cert_get_key, x509_cert_get_subjects,
x509_cert_dup, x509_serialize, x509_printable, x509_from_printable
},
-#ifdef USE_KEYNOTE
{
ISAKMP_CERTENC_KEYNOTE,
keynote_cert_init, NULL, keynote_cert_get, keynote_cert_validate,
@@ -65,7 +62,6 @@ struct cert_handler cert_handler[] = {
keynote_cert_dup, keynote_serialize, keynote_printable,
keynote_from_printable
},
-#endif
};
/* Initialize all certificate handlers */
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 2168eea451c..515e396f19c 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.80 2005/04/08 16:04:17 deraadt Exp $ */
+/* $OpenBSD: conf.c,v 1.81 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -484,10 +484,8 @@ conf_load_defaults(int tr)
conf_set(tr, "X509-certificates", "CRL-directory",
CONF_DFLT_X509_CRL_DIR, 0, 1);
-#ifdef USE_KEYNOTE
conf_set(tr, "KeyNote", "Credential-directory",
CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);
-#endif
/* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */
dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");
diff --git a/sbin/isakmpd/features/policy b/sbin/isakmpd/features/policy
deleted file mode 100644
index 680cc3753e8..00000000000
--- a/sbin/isakmpd/features/policy
+++ /dev/null
@@ -1,33 +0,0 @@
-# $OpenBSD: policy,v 1.6 2003/06/03 14:29:41 ho Exp $
-# $EOM: policy,v 1.4 2000/02/20 16:38:15 niklas Exp $
-
-#
-# Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-
-#
-# This code was written under funding by Wireless Networks Inc.
-#
-
-# NOTE: KeyNote policy support requires the keynote library
-POLICY= policy.c
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 19fe75e710d..599a24ca3ad 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.98 2005/04/05 20:46:20 cloder Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.99 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
@@ -43,9 +43,7 @@
#include <string.h>
#include <unistd.h>
#include <regex.h>
-#if defined (USE_KEYNOTE)
#include <keynote.h>
-#endif
#include <policy.h>
#include "sysdep.h"
@@ -188,7 +186,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
break;
case IKE_AUTH_RSA_SIG:
-#if defined (USE_KEYNOTE)
if (local_id && (keyfile = conf_get_str("KeyNote",
"Credential-directory")) != 0) {
struct stat sb;
@@ -269,7 +266,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
return dc.dec_key;
}
ignorekeynote:
-#endif /* USE_KEYNOTE */
/* Otherwise, try X.509 */
keyfile = conf_get_str("X509-certificates", "Private-key");
@@ -577,7 +573,6 @@ rsa_sig_decode_hash(struct message *msg)
p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1);
return -1;
}
-#if defined (USE_POLICY) || defined (USE_KEYNOTE)
/*
* We need the policy session initialized now, so we can add
* credentials etc.
@@ -588,7 +583,6 @@ rsa_sig_decode_hash(struct message *msg)
"session");
return -1;
}
-#endif /* USE_POLICY || USE_KEYNOTE */
/* Obtain a certificate from our certificate storage. */
if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) {
@@ -609,10 +603,8 @@ rsa_sig_decode_hash(struct message *msg)
"of type %d", handler->id));
exchange->recv_cert = cert;
exchange->recv_certtype = handler->id;
-#if defined (USE_POLICY)
x509_generate_kn(exchange->policy_id,
cert);
-#endif /* USE_POLICY */
}
}
} else if (handler->id == ISAKMP_CERTENC_KEYNOTE)
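Review bot: The return value of the now-unconditional `x509_generate_kn(exchange->policy_id, cert)` is discarded, whereas x509_cert_insert() in this same commit treats a 0 return as failure, frees the certificate and returns 0. If assertion generation fails here the exchange continues without a KeyNote credential derived from the peer's certificate, and whether check_policy later rejects the SA or merely logs is not visible from this hunk. At minimum log the failure, e.g. `if (!x509_generate_kn(exchange->policy_id, cert)) LOG_DBG((LOG_POLICY, 50, "rsa_sig_decode_hash: x509_generate_kn failed"));`, or return -1 to match x509_cert_insert() if the policy check is meant to rely on that assertion. The enclosing if/else and rsa_sig_decode_hash() itself extend beyond the hunk.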
@@ -695,7 +687,6 @@ rsa_sig_decode_hash(struct message *msg)
exchange->recv_cert = cert;
exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p);
-#if defined (USE_POLICY) || defined (USE_KEYNOTE)
if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) {
struct keynote_deckey dc;
char *pp;
@@ -725,8 +716,6 @@ rsa_sig_decode_hash(struct message *msg)
pp);
free(pp);
}
-#endif
-
found++;
}
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 09ce2fab9c8..b8e3d640f27 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.93 2005/04/06 16:00:20 deraadt Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.94 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -34,11 +34,9 @@
#include <stdlib.h>
#include <string.h>
-#if defined (USE_POLICY) || defined (USE_KEYNOTE)
#include <sys/types.h>
#include <regex.h>
#include <keynote.h>
-#endif
#include "sysdep.h"
@@ -71,9 +69,7 @@ static int responder_recv_HASH_SA_NONCE(struct message *);
static int responder_send_HASH_SA_NONCE(struct message *);
static int responder_recv_HASH(struct message *);
-#ifdef USE_POLICY
static int check_policy(struct exchange *, struct sa *, struct sa *);
-#endif
int (*ike_quick_mode_initiator[])(struct message *) = {
initiator_send_HASH_SA_NONCE,
@@ -87,8 +83,6 @@ int (*ike_quick_mode_responder[])(struct message *) = {
responder_recv_HASH
};
-#ifdef USE_POLICY
-
/* How many return values will policy handle -- true/false for now */
#define RETVALUES_NUM 2
@@ -217,7 +211,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
break;
case ISAKMP_CERTENC_KEYNOTE:
-#ifdef USE_KEYNOTE
nprinc = 1;
principal = calloc(nprinc, sizeof *principal);
@@ -234,7 +227,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
(unsigned long)sizeof(char));
goto policydone;
}
-#endif
break;
case ISAKMP_CERTENC_X509_SIG:
@@ -395,7 +387,6 @@ policydone:
*/
return result;
}
-#endif /* USE_POLICY */
/*
* Offer several sets of transforms to the responder.
@@ -1230,13 +1221,11 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
proto_free(proto);
}
-#ifdef USE_POLICY
if (!check_policy(exchange, sa, msg->isakmp_sa)) {
message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
log_print("initiator_recv_HASH_SA_NONCE: policy check failed");
return -1;
}
-#endif
/* Mark the SA as handled. */
sa_p->flags |= PL_MARK;
@@ -1625,18 +1614,8 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
sockaddr_addrlen(dst));
}
-#ifdef USE_POLICY
-#ifdef USE_KEYNOTE
if (message_negotiate_sa(msg, check_policy))
goto cleanup;
-#else
- if (message_negotiate_sa(msg, 0))
- goto cleanup;
-#endif
-#else
- if (message_negotiate_sa(msg, 0))
- goto cleanup;
-#endif /* USE_POLICY */
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index d301155b5ae..07e6e21550b 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.34 2005/04/08 16:37:14 deraadt Exp $ */
+/* $OpenBSD: init.c,v 1.35 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
@@ -58,9 +58,7 @@
#include "ui.h"
#include "util.h"
-#if defined (USE_POLICY)
#include "policy.h"
-#endif
#include "nat_traversal.h"
#include "udp_encap.h"
@@ -86,10 +84,8 @@ init(void)
/* This depends on conf_init, thus check as soon as possible. */
log_reinit();
-#if defined (USE_POLICY)
/* policy_init depends on conf_init having run. */
policy_init();
-#endif
/* Depends on conf_init and policy_init having run */
cert_init();
@@ -127,10 +123,8 @@ reinit(void)
log_reinit();
-#if defined (USE_POLICY)
/* Reread the policies. */
policy_init();
-#endif
/* Reinitialize certificates */
cert_init();
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index c409c2cfd0b..bae5e549546 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.81 2005/04/08 16:37:14 deraadt Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.82 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -64,9 +64,7 @@
#include "util.h"
#include "cert.h"
-#ifdef USE_POLICY
#include "policy.h"
-#endif
static void usage(void);
@@ -185,11 +183,9 @@ parse_args(int argc, char *argv[])
pid_file = optarg;
break;
-#ifdef USE_POLICY
case 'K':
ignore_policy++;
break;
-#endif
case 'n':
app_none++;
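Review bot: `case 'K':` is now compiled unconditionally, but the getopt option string and usage() that must advertise it are outside this hunk; confirm neither is still wrapped in a USE_POLICY conditional, otherwise -K is parsed only when it happens to be listed there. Since -K increments `ignore_policy`, which by its name switches off the policy checks this commit makes mandatory in every build, a one-line comment on the case would help readers: `/* -K: do not enforce KeyNote policy on negotiated SAs (sets ignore_policy). */`. parse_args() starts and ends outside the hunk.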
diff --git a/sbin/isakmpd/libcrypto.c b/sbin/isakmpd/libcrypto.c
index 00d4345ef3b..5191750abbd 100644
--- a/sbin/isakmpd/libcrypto.c
+++ b/sbin/isakmpd/libcrypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: libcrypto.c,v 1.17 2005/04/05 20:46:20 cloder Exp $ */
+/* $OpenBSD: libcrypto.c,v 1.18 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: libcrypto.c,v 1.14 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -36,14 +36,10 @@
void
libcrypto_init(void)
{
-#if defined (USE_LIBCRYPTO)
-
/* Add all algorithms known by SSL */
#if OPENSSL_VERSION_NUMBER >= 0x00905100L
OpenSSL_add_all_algorithms();
#else
SSLeay_add_all_algorithms();
#endif
-
-#endif /* USE_LIBCRYPTO */
}
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index ba14f16ba0e..33aa75392e8 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.37 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: monitor.c,v 1.38 2005/04/08 17:15:01 deraadt Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -41,10 +41,8 @@
#include <string.h>
#include <unistd.h>
-#if defined (USE_POLICY)
#include <regex.h>
#include <keynote.h>
-#endif
#include "sysdep.h"
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 6711106b39e..993c4121d60 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.161 2005/04/08 16:37:14 deraadt Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.162 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -67,9 +67,7 @@
#include "transport.h"
#include "util.h"
-#if defined (USE_KEYNOTE)
#include "policy.h"
-#endif
#include "udp_encap.h"
@@ -1586,7 +1584,6 @@ nodid:
/* Nothing to be done here. */
break;
-#if defined (USE_KEYNOTE) && defined (SADB_X_EXT_REMOTE_CREDENTIALS)
case ISAKMP_CERTENC_KEYNOTE:
len = strlen(isakmp_sa->recv_cert);
cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
@@ -1606,7 +1603,6 @@ nodid:
PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
break;
-#endif /* USE_KEYNOTE */
#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)
case ISAKMP_CERTENC_X509_SIG:
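Review bot: The removed guard was `USE_KEYNOTE && defined (SADB_X_EXT_REMOTE_CREDENTIALS)`, and the second half is dropped along with the first, while the `case ISAKMP_CERTENC_X509_SIG:` directly below keeps `#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)`. If the KeyNote case fills in that extension type in the lines between the two hunks (not visible here), the two cases are now guarded inconsistently and the KeyNote one would fail to build against a PF_KEY without the extension. Either keep `#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)` around the KeyNote case as well or drop it from the X.509 case, whichever the supported kernels warrant. The enclosing switch starts and ends outside the hunk.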
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index a09ac8c07ec..bfefefe52c2 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.95 2005/04/08 16:52:41 deraadt Exp $ */
+/* $OpenBSD: sa.c,v 1.96 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -35,10 +35,8 @@
#include <stdlib.h>
#include <string.h>
-#if defined (USE_KEYNOTE) || defined (USE_POLICY)
#include <regex.h>
#include <keynote.h>
-#endif /* USE_KEYNOTE || USE_POLICY */
#include "sysdep.h"
@@ -789,10 +787,8 @@ sa_release(struct sa *sa)
sa->recv_key);
if (sa->keynote_key)
free(sa->keynote_key); /* This is just a string */
-#if defined (USE_POLICY) || defined (USE_KEYNOTE)
if (sa->policy_id != -1)
kn_close(sa->policy_id);
-#endif
if (sa->name)
free(sa->name);
if (sa->keystate)
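Review bot: `kn_close(sa->policy_id)` now runs in every build, guarded only by `policy_id != -1`, so every path that allocates a struct sa must set policy_id to -1 before the SA can reach sa_release(); a zero-initialised field from calloc() would be handed to kn_close() as session 0. Where struct sa is created is outside this hunk — confirm the initialisation there, and consider clearing the field once closed, `kn_close(sa->policy_id); sa->policy_id = -1;`, so a stale session id never survives in the structure. sa_release() starts outside the hunk.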
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index d7a28ca5331..8442643039e 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.99 2005/04/08 16:24:12 deraadt Exp $ */
+/* $OpenBSD: x509.c,v 1.100 2005/04/08 17:15:01 deraadt Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -43,10 +43,8 @@
#include <string.h>
#include <unistd.h>
-#ifdef USE_POLICY
#include <regex.h>
#include <keynote.h>
-#endif /* USE_POLICY */
#include "sysdep.h"
@@ -96,7 +94,6 @@ static LIST_HEAD(x509_list, x509_hash) *x509_tab = 0;
/* Works both as a maximum index and a mask. */
static int bucket_mask;
-#ifdef USE_POLICY
/*
* Given an X509 certificate, create a KeyNote assertion where
* Issuer/Subject -> Authorizer/Licensees.
@@ -478,7 +475,6 @@ x509_generate_kn(int id, X509 *cert)
free(buf);
return 1;
}
-#endif /* USE_POLICY */
static u_int16_t
x509_hash(u_int8_t *id, size_t len)
@@ -961,14 +957,12 @@ x509_cert_insert(int id, void *scert)
log_print("x509_cert_insert: X509_dup failed");
return 0;
}
-#ifdef USE_POLICY
if (x509_generate_kn(id, cert) == 0) {
LOG_DBG((LOG_POLICY, 50,
"x509_cert_insert: x509_generate_kn failed"));
X509_free(cert);
return 0;
}
-#endif /* USE_POLICY */
res = x509_hash_enter(cert);
if (!res)