author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-08-26 22:30:47 +0000 |
---|---|---|
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-08-26 22:30:47 +0000 |
commit | ae165cea910737d35809f45b764d68aa0c929b0e (patch) | |
tree | 42df1c2473f84798712db5acbaa988c1bcf194af | |
parent | 9577c566ef4b3999ee85edfd741d7bb43790fe46 (diff) |
regress/rsakeygen/rsakeygen.c: Merge with EOM 1.9
regress/x509/x509test.c: Merge with EOM 1.7
DESIGN-NOTES: Merge with EOM 1.48
README.PKI: Merge with EOM 1.6
TO-DO: Merge with EOM 1.44
cert.c: Merge with EOM 1.12
author: niklas
Add support for dynamic loading of optional facilities, libcrypto first.
-rw-r--r-- | sbin/isakmpd/DESIGN-NOTES | 22 | ||||
-rw-r--r-- | sbin/isakmpd/README.PKI | 15 | ||||
-rw-r--r-- | sbin/isakmpd/TO-DO | 6 | ||||
-rw-r--r-- | sbin/isakmpd/cert.c | 9 | ||||
-rw-r--r-- | sbin/isakmpd/regress/rsakeygen/rsakeygen.c | 91 | ||||
-rw-r--r-- | sbin/isakmpd/regress/x509/x509test.c | 45 |
6 files changed, 115 insertions, 73 deletions
diff --git a/sbin/isakmpd/DESIGN-NOTES b/sbin/isakmpd/DESIGN-NOTES index ecdfafbb24c..43a1e953f7d 100644 --- a/sbin/isakmpd/DESIGN-NOTES +++ b/sbin/isakmpd/DESIGN-NOTES @@ -1,5 +1,5 @@ -$OpenBSD: DESIGN-NOTES,v 1.14 1999/08/05 22:41:08 niklas Exp $ -$EOM: DESIGN-NOTES,v 1.47 1999/08/05 14:57:59 niklas Exp $ +$OpenBSD: DESIGN-NOTES,v 1.15 1999/08/26 22:30:46 niklas Exp $ +$EOM: DESIGN-NOTES,v 1.48 1999/08/12 22:34:25 niklas Exp $ General coding conventions -------------------------- @@ -41,6 +41,7 @@ cookie.c Cookie generation. crypto.c Generic cryptography. dh.c Diffie-Hellman exchange logic. doi.c Generic handling of different DOIs. +dyn.c Support for dynamic loading of executable code. exchange.c Exchange state machinery. exchange_num.cst Some constants used for exhange scripts. @@ -67,6 +68,7 @@ isakmp_doi.c The ISAKMP pseudo-DOI. isakmp_fld.fld Generic packet layout. isakmp_num.cst ISAKMP constants. isakmpd.c Main loop. +libcrypto.c Deal with both statically and dynamically loaded libcrypto. log.c Logging of exceptional or informational messages. math_2n.c Polynomial math. math_ec2n.c Elliptic curve math. @@ -381,6 +383,22 @@ with the provided private Key. The resulting certificate then needs to be stored in the directory pointed to by "Certs-directory" in section "X509-certificates". +Dynamic loading +--------------- + +There is some rudimentary support to dynamically load executable code. +What you need to do in order to load code, is to make sure that your +system supports dlopen(3) and then you write scripts like this: + +static struct dynload_script my_script[] = { + { LOAD, "libmine.so", &libmine }, + { SYM, "MySymbol", &MySymbol } +}; + +and then call dyn_load (my_script). Then libmine.so will be loaded, and +external references resolved, and then the specified symbols will be looked +up and their value put in the given pointer. + License to use -------------- /* 
diff --git a/sbin/isakmpd/README.PKI b/sbin/isakmpd/README.PKI index 8c815443e9a..11e4385b6ef 100644 --- a/sbin/isakmpd/README.PKI +++ b/sbin/isakmpd/README.PKI @@ -1,7 +1,12 @@ -$OpenBSD: README.PKI,v 1.5 1999/08/05 22:41:47 niklas Exp $ -$EOM: README.PKI,v 1.5 1999/07/18 21:46:07 niklas Exp $ +$OpenBSD: README.PKI,v 1.6 1999/08/26 22:30:46 niklas Exp $ +$EOM: README.PKI,v 1.6 1999/08/12 22:34:26 niklas Exp $ -1 Create your own CA as root. +1 Make sure you have an RSA-enabled isakmpd. An easy way to do this + is to find a dynamically linkable version of libcrypto from SSLeay + or perhaps OpenSSL (not tested by me) and install it where the + run-time linker can find it. + +2 Create your own CA as root. ssleay genrsa -out /etc/ssl/private/ca.key 1024 ssleay req -new -key /etc/ssl/private/ca.key \ @@ -17,7 +22,7 @@ $EOM: README.PKI,v 1.5 1999/07/18 21:46:07 niklas Exp $ -signkey /etc/ssl/private/ca.key \ -out /etc/ssl/ca.crt -2 Create keys and certificates for your isakmpd peers. This step as well +3 Create keys and certificates for your isakmpd peers. This step as well as the next one, needs to be done for every peer. Furthermore the last step will need to be done once for each ID you want the peer to have. The 10.0.0.1 below symbolizes that ID, and should be @@ -45,7 +50,7 @@ $EOM: README.PKI,v 1.5 1999/07/18 21:46:07 niklas Exp $ on your local system. Also carry over the CA cert /etc/ssl/ca.crt and put it in /etc/isakmpd/ca/. -3 See to that your config files will point out the directories where +4 See to that your config files will point out the directories where you keep certificates. I.e. add something like this to /etc/isakmpd/isakmpd.conf: diff --git a/sbin/isakmpd/TO-DO b/sbin/isakmpd/TO-DO index 91d0474932f..a96297738c8 100644 --- a/sbin/isakmpd/TO-DO +++ b/sbin/isakmpd/TO-DO 
@@ -1,5 +1,5 @@ -$OpenBSD: TO-DO,v 1.17 1999/08/05 22:41:53 niklas Exp $ -$EOM: TO-DO,v 1.43 1999/08/05 14:58:14 niklas Exp $ +$OpenBSD: TO-DO,v 1.18 1999/08/26 22:30:46 niklas Exp $ +$EOM: TO-DO,v 1.44 1999/08/12 22:34:26 niklas Exp $ This file mixes small nitpicks with large projects to be done. @@ -119,8 +119,6 @@ This file mixes small nitpicks with large projects to be done. * See to the commit bit will never be used in phase 1. Give INVALID-FLAGS if seeing it. -* Can we do the X.509 stuff optional for systems without libcrypto? - * Base mode. * IKECFG diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c index c5e88c8155d..4f0c5b041a4 100644 --- a/sbin/isakmpd/cert.c +++ b/sbin/isakmpd/cert.c @@ -1,5 +1,5 @@ -/* $OpenBSD: cert.c,v 1.10 1999/07/17 21:54:39 niklas Exp $ */ -/* $EOM: cert.c,v 1.11 1999/07/17 20:44:09 niklas Exp $ */ +/* $OpenBSD: cert.c,v 1.11 1999/08/26 22:30:46 niklas Exp $ */ +/* $EOM: cert.c,v 1.12 1999/08/12 22:34:26 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. @@ -50,6 +50,7 @@ #include "x509.h" struct cert_handler cert_handler[] = { +#if defined (USE_LIBCRYPTO) || defined (USE_DLOPEN) { ISAKMP_CERTENC_X509_SIG, x509_cert_init, x509_cert_get, x509_cert_validate, @@ -57,6 +58,7 @@ struct cert_handler cert_handler[] = { x509_certreq_validate, x509_certreq_decode, x509_free_aca, x509_cert_obtain, x509_cert_get_key, x509_cert_get_subject } +#endif }; /* Initialize all certificate handlers */ @@ -66,9 +68,6 @@ cert_init (void) { int i, err = 1; - /* Add all algorithms know by SSL */ - SSLeay_add_all_algorithms (); - for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) if (cert_handler[i].cert_init && !(*cert_handler[i].cert_init) ()) err = 0; diff --git a/sbin/isakmpd/regress/rsakeygen/rsakeygen.c b/sbin/isakmpd/regress/rsakeygen/rsakeygen.c index 684896c3297..c566548bcfa 100644 --- a/sbin/isakmpd/regress/rsakeygen/rsakeygen.c +++ b/sbin/isakmpd/regress/rsakeygen/rsakeygen.c 
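Review bot: With neither USE_LIBCRYPTO nor USE_DLOPEN defined, the new `#if`/`#endif` pair leaves `cert_handler[]` with an empty initializer list, which ISO C does not allow (it compiles only as a compiler extension), and cert_init then loops zero times and still returns 1 as if every handler had initialized. If a build without X.509 is intended, a comment on the array saying so, plus a log message in cert_init when no handler is compiled in, would make that silent degradation visible. The dropped `SSLeay_add_all_algorithms ()` is not replaced in this file; presumably libcrypto_init () (which both regress tests in this commit now call) takes it over, and a one-line comment in cert_init stating that would save the next reader a search. The loop also compares `int i` against a size_t expression, the usual -Wsign-compare nit that `size_t i` fixes. cert_init's body continues outside the hunk.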
@@ -1,5 +1,5 @@ -/* $OpenBSD: rsakeygen.c,v 1.8 1999/07/17 21:54:38 niklas Exp $ */ -/* $EOM: rsakeygen.c,v 1.8 1999/07/17 20:44:13 niklas Exp $ */ +/* $OpenBSD: rsakeygen.c,v 1.9 1999/08/26 22:30:46 niklas Exp $ */ +/* $EOM: rsakeygen.c,v 1.9 1999/08/12 22:34:30 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. @@ -42,13 +42,12 @@ #include <string.h> #include <gmp.h> -#include <ssl/rsa.h> - +#include "libcrypto.h" #include "log.h" -#define nibble2bin(y) (tolower((y)) < 'a' ? (y) - '0': tolower((y)) - 'a' + 10) -#define hexchar2bin(x) ((nibble2bin((x)[0]) << 4) + nibble2bin((x)[1])) -#define nibble2c(x) ((x) >= 10 ? ('a'-10+(x)) : ('0' + (x))) +#define nibble2bin(y) (tolower (y) < 'a' ? (y) - '0' : tolower (y) - 'a' + 10) +#define hexchar2bin(x) ((nibble2bin ((x)[0]) << 4) + nibble2bin ((x)[1])) +#define nibble2c(x) ((x) >= 10 ? ('a' - 10 + (x)) : ('0' + (x))) #define TEST_STRING "!Dies ist ein Test" @@ -57,9 +56,7 @@ void asc2bin (u_int8_t *bin, u_int8_t *asc, u_int16_t len) int i; for (i = 0; i < len; i += 2, asc += 2) - { - *bin++ = hexchar2bin(asc); - } + *bin++ = hexchar2bin (asc); } int 
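Review bot: The re-emitted `nibble2bin`/`hexchar2bin` macros still evaluate their argument several times and accept any byte, so a non-hex character in the input yields a silently wrong nibble rather than an error. Since the file already uses `tolower` from ctype, a `static int nibble2bin (int c)` returning -1 for anything outside [0-9a-fA-F], with asc2bin (the next hunk) checking the result and aborting on bad input, would be both type-checked and robust. Passing `u_int8_t` values to tolower is fine as they are never negative.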
@@ -69,63 +66,83 @@ main (void) int len; FILE *fd; int erg = 0; - RSA *key; - log_debug_cmd ((enum log_classes)LOG_CRYPTO, 99); - strcpy(dec, TEST_STRING); + libcrypto_init (); - key = RSA_generate_key(1024, RSA_F4, NULL, NULL); +#ifndef USE_LIBCRYPTO + if (!libcrypto) + { + fprintf (stderr, "I did not find the RSA support, giving up..."); + exit (1); + } +#endif + + log_debug_cmd (LOG_CRYPTO, 99); + memset (dec, '\0', sizeof dec); + strcpy (dec, TEST_STRING); + + key = LC (RSA_generate_key, (1024, RSA_F4, NULL, NULL)); if (key == NULL) { printf("Failed to generate key\n"); return 0; } - printf ("n: 0x"); BN_print_fp(stdout, key->n); - printf ("\ne: 0x"); BN_print_fp (stdout, key->e); + printf ("n: 0x"); + LC (BN_print_fp, (stdout, key->n)); + printf ("\ne: 0x"); + LC (BN_print_fp, (stdout, key->e)); printf ("\n"); - printf ("n: 0x"); BN_print_fp (stdout, key->n); - printf ("\ne: 0x"); BN_print_fp (stdout, key->e); - printf ("\nd: 0x"); BN_print_fp (stdout, key->d); - printf ("\np: 0x"); BN_print_fp (stdout, key->p); - printf ("\nq: 0x"); BN_print_fp (stdout, key->q); + printf ("n: 0x"); + LC (BN_print_fp, (stdout, key->n)); + printf ("\ne: 0x"); + LC (BN_print_fp, (stdout, key->e)); + printf ("\nd: 0x"); + LC (BN_print_fp, (stdout, key->d)); + printf ("\np: 0x"); + LC (BN_print_fp, (stdout, key->p)); + printf ("\nq: 0x"); + LC (BN_print_fp, (stdout, key->q)); printf ("\n"); printf ("Testing Signing/Verifying: "); /* Sign with Private Key */ - if ((len = RSA_private_encrypt (strlen(dec)+1, dec, enc, key, - RSA_PKCS1_PADDING)) == -1) - printf ("FAILED "); + len = LC (RSA_private_encrypt, (strlen (dec) + 1, dec, enc, key, + RSA_PKCS1_PADDING)); + if (len == -1) + printf ("SIGN FAILED "); else - /* Decrypt/Verify with Public Key */ - erg = RSA_public_decrypt (len, enc, dec, key, RSA_PKCS1_PADDING); + { + /* Decrypt/Verify with Public Key */ + erg = LC (RSA_public_decrypt, (len, enc, dec, key, RSA_PKCS1_PADDING)); - if (erg == -1 || strcmp(dec, TEST_STRING)) - printf 
("FAILED "); - else - printf ("OKAY "); + if (erg == -1 || strcmp (dec, TEST_STRING)) + printf ("VERIFY FAILED"); + else + printf ("OKAY"); + } printf ("\n"); - len = i2d_RSAPublicKey(key, NULL); - foo = asn = malloc(len); - len = i2d_RSAPublicKey(key, &foo); + len = LC (i2d_RSAPublicKey, (key, NULL)); + foo = asn = malloc (len); + len = LC (i2d_RSAPublicKey, (key, &foo)); fd = fopen ("isakmpd_key.pub", "w"); fwrite (asn, len, 1, fd); fclose (fd); free (asn); - len = i2d_RSAPrivateKey(key, NULL); - foo = asn = malloc(len); - len = i2d_RSAPrivateKey(key, &foo); + len = LC (i2d_RSAPrivateKey, (key, NULL)); + foo = asn = malloc (len); + len = LC (i2d_RSAPrivateKey, (key, &foo)); fd = fopen ("isakmpd_key", "w"); fwrite (asn, len, 1, fd); fclose (fd); free (asn); - RSA_free(key); + LC (RSA_free, (key)); return 1; } diff --git a/sbin/isakmpd/regress/x509/x509test.c b/sbin/isakmpd/regress/x509/x509test.c index 2c070dc6788..a16500a2697 100644 --- a/sbin/isakmpd/regress/x509/x509test.c +++ b/sbin/isakmpd/regress/x509/x509test.c @@ -1,5 +1,5 @@ -/* $OpenBSD: x509test.c,v 1.8 1999/07/17 21:54:38 niklas Exp $ */ -/* $EOM: x509test.c,v 1.6 1999/07/17 20:44:14 niklas Exp $ */ +/* $OpenBSD: x509test.c,v 1.9 1999/08/26 22:30:46 niklas Exp $ */ +/* $EOM: x509test.c,v 1.7 1999/08/12 22:34:31 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. @@ -60,11 +60,8 @@ #include <netinet/in.h> #include <arpa/inet.h> -#include <ssl/rsa.h> -#include <ssl/x509.h> -#include <ssl/pem.h> - #include "conf.h" +#include "libcrypto.h" #include "log.h" #include "ipsec_num.h" #include "x509.h" 
@@ -118,17 +115,25 @@ main (int argc, char *argv[]) * EVP_get_digest_byname. */ - SSLeay_add_all_algorithms (); + libcrypto_init (); + +#ifndef USE_LIBCRYPTO + if (!libcrypto) + { + fprintf (stderr, "I did not find the X.509 support, giving up..."); + exit (1); + } +#endif printf ("Reading private key %s\n", argv[1]); - keyfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (keyfile, argv[1]) == -1) + keyfile = LC (BIO_new, (LC (BIO_s_file, ()))); + if (LC (BIO_read_filename, (keyfile, argv[1])) == -1) { perror ("read"); exit (1); } - priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL); - BIO_free (keyfile); + priv_key = LC (PEM_read_bio_RSAPrivateKey, (keyfile, NULL, NULL)); + LC (BIO_free, (keyfile)); if (priv_key == NULL) { printf("PEM_read_bio_RSAPrivateKey () failed\n"); @@ -137,21 +142,21 @@ main (int argc, char *argv[]) /* Use a certificate created by ssleay. */ printf ("Reading ssleay created certificate %s\n", argv[2]); - certfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (certfile, argv[2]) == -1) + certfile = LC (BIO_new, (LC (BIO_s_file, ()))); + if (LC (BIO_read_filename, (certfile, argv[2])) == -1) { perror ("read"); exit (1); } - cert = PEM_read_bio_X509 (certfile, NULL, NULL); - BIO_free (certfile); + cert = LC (PEM_read_bio_X509, (certfile, NULL, NULL)); + LC (BIO_free, (certfile)); if (cert == NULL) { printf("PEM_read_bio_X509 () failed\n"); exit (1); } - pkey_pub = X509_get_pubkey (cert); + pkey_pub = LC (X509_get_pubkey, (cert)); /* XXX Violation of the interface? */ pub_key = pkey_pub->pkey.rsa; if (pub_key == NULL) 
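Review bot: `keyfile = LC (BIO_new, (LC (BIO_s_file, ())));` is handed to `BIO_read_filename` on the next line without a NULL check, so an allocation failure is dereferenced inside libcrypto instead of being reported; `if (keyfile == NULL) { fprintf (stderr, "BIO_new () failed\n"); exit (1); }` between the two lines closes that, and the certfile sequence in the next hunk needs the same guard. main () starts before the hunk.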
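Review bot: `pub_key = pkey_pub->pkey.rsa;` dereferences the result of the new `LC (X509_get_pubkey, (cert))` call before anything checks it, and X509_get_pubkey returns NULL when the certificate's public key cannot be decoded, so the `if (pub_key == NULL)` test two lines later comes too late. Insert `if (pkey_pub == NULL) { printf ("X509_get_pubkey () failed\n"); exit (1); }` between the two lines. The existing `XXX Violation of the interface?` comment still applies as well: reading `pkey.rsa` without checking `pkey_pub->type == EVP_PKEY_RSA` hands a non-RSA key straight to RSA_public_decrypt in the next hunk. main () continues past the hunk.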
@@ -163,12 +168,12 @@ main (int argc, char *argv[]) err = 0; strcpy (dec, "Eine kleine Testmeldung"); - if ((len = RSA_private_encrypt (strlen (dec), dec, enc, priv_key, - RSA_PKCS1_PADDING)) == -1) + if ((len = LC (RSA_private_encrypt, (strlen (dec), dec, enc, priv_key, + RSA_PKCS1_PADDING))) == -1) printf ("SIGN FAILED "); else - err = RSA_public_decrypt (len, enc, dec, pub_key, RSA_PKCS1_PADDING); + err = LC (RSA_public_decrypt, (len, enc, dec, pub_key, RSA_PKCS1_PADDING)); if (err == -1 || strcmp (dec, "Eine kleine Testmeldung")) printf ("SIGN/VERIFY FAILED"); @@ -178,7 +183,7 @@ main (int argc, char *argv[]) printf ("Validate SIGNED: "); - err = X509_verify (cert, pkey_pub); + err = LC (X509_verify, (cert, pkey_pub)); printf ("X509 verify: %d ", err); if (err == -1) printf ("FAILED "); |
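Review bot: `if (err == -1)` only reports X509_verify's error return; in the SSLeay/OpenSSL API the function returns 1 when the certificate signature verifies and 0 when it does not, so a certificate with a bad signature prints `X509 verify: 0` and then falls through to whatever success branch follows the hunk. `if (err != 1)` (or `err <= 0`) is the check that matches that return contract. The enclosing main () continues past the hunk.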