authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-02-19 16:58:06 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-02-19 16:58:06 +0000
commit78da71e4d37127b0b9d252d2148a4dbf07b55ccb (patch)
tree400b8f06c334fc0994fd7147f112a5c59e8d604c
parent821ed54711256a8737e7cb1d118b95a7526682e2 (diff)
passphrase-md5-hex: and passphrase-sha1-hex: formats for passphrases.
-rw-r--r--sbin/isakmpd/ike_quick_mode.c73
-rw-r--r--sbin/isakmpd/isakmpd.policy.526
2 files changed, 70 insertions, 29 deletions
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 3ac23a32772..2b3f87263ba 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.44 2001/02/08 22:37:34 angelos Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.45 2001/02/19 16:58:04 angelos Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -109,6 +109,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
char **principal = NULL;
int i, result = 0, nprinc = 0;
int *x509_ids = NULL, *keynote_ids = NULL;
+ unsigned char hashbuf[20]; /* Set to the largest digest result */
#ifdef USE_X509
struct keynote_deckey dc;
X509_NAME *subject;
@@ -194,7 +195,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
* For shared keys, just duplicate the passphrase with the
* appropriate prefix tag.
*/
- nprinc = 1;
+ nprinc = 3;
principal = calloc (nprinc, sizeof(*principal));
if (principal == NULL)
{
@@ -209,13 +210,42 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
{
log_print ("check_policy: failed to allocate %d bytes",
isakmp_sa->recv_certlen + 1 + strlen ("passphrase:"));
- free (principal);
goto policydone;
}
strcpy (principal[0], "passphrase:");
memcpy (principal[0] + strlen ("passphrase:"), isakmp_sa->recv_cert,
isakmp_sa->recv_certlen);
+
+ principal[1] = calloc (strlen ("passphrase-md5-hex:") +
+ 32 + 1, sizeof (char));
+ if (principal[1] == NULL)
+ {
+ log_print ("check_policy: failed to allocate %d bytes",
+ strlen ("passphrase-md5-hex:") + 33);
+ goto policydone;
+ }
+
+ strcpy (principal[1], "passphrase-md5-hex:");
+ MD5 (isakmp_sa->recv_cert, isakmp_sa->recv_certlen, hashbuf);
+ for (i = 0; i < 16; i++)
+ sprintf (principal[1] + (2 * i) + strlen ("passphrase-md5-hex:"),
+ "%02x", hashbuf[i]);
+
+ principal[2] = calloc (strlen ("passphrase-sha1-hex:") +
+ 32 + 1, sizeof (char));
+ if (principal[2] == NULL)
+ {
+ log_print ("check_policy: failed to allocate %d bytes",
+ strlen ("passphrase-sha1-hex:") + 33);
+ goto policydone;
+ }
+
+ strcpy (principal[2], "passphrase-sha1-hex:");
+ SHA1 (isakmp_sa->recv_cert, isakmp_sa->recv_certlen, hashbuf);
+ for (i = 0; i < 20; i++)
+ sprintf (principal[2] + (2 * i) + strlen ("passphrase-sha1-hex:"),
+ "%02x", hashbuf[i]);
break;
case ISAKMP_CERTENC_KEYNOTE:
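Review bot: The `principal[2]` allocation, `calloc (strlen ("passphrase-sha1-hex:") + 32 + 1, sizeof (char))`, is eight bytes too small for what the loop under it writes: SHA1 yields 20 digest bytes, which the `%02x` loop expands to 40 hex characters plus a terminating NUL, so the last four `sprintf` calls run past the end of a heap buffer that was sized for a 32-character MD5 string (the `+ 33` in the log message copies the same mistake). The overflow happens on every pass through this branch, independent of the content of `isakmp_sa->recv_cert`, so it is deterministic heap corruption rather than an input-dependent one. Change the allocation to `calloc (strlen ("passphrase-sha1-hex:") + 40 + 1, sizeof (char))` and the log argument to `+ 41`; the `hashbuf[20]` declared earlier in the function is the figure these constants should follow (2 * digest length). Replacing both `sprintf` loops with `snprintf` against the remaining buffer size would make a repeat of this harder, but the size fix alone closes the overflow. check_policy continues beyond the end of this hunk.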
@@ -236,7 +266,6 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
{
log_print ("check_policy: failed to allocate %d bytes",
strlen (isakmp_sa->recv_key));
- free (principal);
goto policydone;
}
#endif
@@ -267,7 +296,6 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
{
log_print ("check_policy: failed to get memory for public key");
LC (RSA_free, (key));
- free (principal);
goto policydone;
}
@@ -275,7 +303,6 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
{
log_print ("check_policy: failed to allocate memory for principal");
LC (RSA_free, (key));
- free (principal);
goto policydone;
}
@@ -284,8 +311,6 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
if (principal[1] == NULL)
{
log_print ("check_policy: failed to allocate memory for principal");
- free (principal[0]);
- free (principal);
LC (RSA_free, (key));
goto policydone;
}
@@ -305,8 +330,6 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
if (principal[1] == NULL)
{
log_print ("check_policy: failed to allocate memory for principal[1]");
- free (principal[0]);
- free (principal);
LC (RSA_free, (key));
goto policydone;
}
@@ -343,28 +366,21 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
*/
for (i = 0; i < nprinc; i++)
{
- LOG_DBG ((LOG_MISC, 40, "check_policy: adding authorizer [%s]", principal[i]));
+ LOG_DBG ((LOG_MISC, 40, "check_policy: adding authorizer [%s]",
+ principal[i]));
+
if (LK (kn_add_authorizer, (isakmp_sa->policy_id, principal[i])) == -1)
{
int j;
for (j = 0; j < i; j++)
- {
- LK (kn_remove_authorizer, (isakmp_sa->policy_id,
- principal[j]));
- free (principal[j]);
- }
-
- for (; j < nprinc; j++)
- free (principal[j]);
-
- free (principal);
+ LK (kn_remove_authorizer, (isakmp_sa->policy_id, principal[j]));
log_print ("check_policy: kn_add_authorizer failed");
goto policydone;
}
}
- /* Ask policy. */
+ /* Ask policy */
result = LK (kn_do_query, (isakmp_sa->policy_id, return_values,
RETVALUES_NUM));
LOG_DBG ((LOG_MISC, 40, "check_policy: kn_do_query returned %d", result));
@@ -372,7 +388,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
/* Cleanup environment */
LK (kn_cleanup_action_environment, (isakmp_sa->policy_id));
- /* Remove authorizers from the session. */
+ /* Remove authorizers from the session */
for (i = 0; i < nprinc; i++)
{
LK (kn_remove_authorizer, (isakmp_sa->policy_id, principal[i]));
@@ -380,16 +396,25 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
}
free (principal);
+ principal = NULL;
+ nprinc = 0;
/* Check what policy said. */
if (result < 0)
{
- LOG_DBG ((LOG_MISC, 40, "check_policy: proposal refused"));
+ LOG_DBG ((LOG_MISC, 40, "check_policy: proposal refused"));
result = 0;
goto policydone;
}
policydone:
+ for (i = 0; i < nprinc; i++)
+ if (principal && principal[i])
+ free (principal[i]);
+
+ if (principal)
+ free (principal);
+
/* Remove the policies */
for (i = 0; i < keynote_policy_asserts_num; i++)
{
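Review bot: The per-element guard in the new cleanup loop at `policydone:`, `if (principal && principal[i])`, re-tests `principal` on every iteration and guards a `free ()` that already accepts NULL; wrapping the loop and the trailing `free (principal)` in one `if (principal) { ... }` says the same thing more directly. The loop is correct only because every `goto policydone` that follows the `calloc (nprinc, ...)` reaches the label with `nprinc` already set and unused slots still NULL from `calloc`, which holds for the pre-shared-key branch in this commit; the success path resetting `principal = NULL; nprinc = 0;` is what keeps the label from double-freeing. A comment such as `/* Release principals left over from an error exit; the normal path has already freed them and reset nprinc to 0. */` would record that invariant for the next person adding an early exit. check_policy continues past the end of this hunk.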
diff --git a/sbin/isakmpd/isakmpd.policy.5 b/sbin/isakmpd/isakmpd.policy.5
index bc65e8b5d7c..b71092123c5 100644
--- a/sbin/isakmpd/isakmpd.policy.5
+++ b/sbin/isakmpd/isakmpd.policy.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.policy.5,v 1.15 2000/11/23 12:56:42 niklas Exp $
+.\" $OpenBSD: isakmpd.policy.5,v 1.16 2001/02/19 16:58:05 angelos Exp $
.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $
.\"
.\" Copyright (c) 1999, Angelos D. Keromytis. All rights reserved.
@@ -165,7 +165,9 @@ For an explanation of these fields and their semantics, see
For example, the following policy assertion:
.Bd -literal
Authorizer: "POLICY"
- Licensees: "passphrase:foobar" || "x509-base64:abcd=="
+ Licensees: "passphrase:foobar" || "x509-base64:abcd==" ||
+ "passphrase-md5-hex:3858f62230ac3c915f300c664312c63f" ||
+ "passphrase-sha1-hex:8843d7f92416211de9ebb963ff4ce28125932878"
Conditions: app_domain == "IPsec policy" && esp_present == "yes"
&& esp_enc_alg != "null" -> "true";
.Ed
@@ -175,6 +177,11 @@ passphrase "foobar" or the public key contained in the X509
certificate encoded as "abcd==" will be accepted, as long as it
contains ESP with a non-null algorithm (i.e., the packet will be
encrypted).
+The last two authorizers are the MD5 and SHA1 hashes respectively of
+the passphrase "foobar".
+This form may be used instead of the "passphrase:..." one to protect
+the passphrase as included in the policy file (or as distributed in a
+signed credential).
.Pp
The following policy assertion:
.Bd -literal
@@ -204,6 +211,14 @@ on how to specify what credentials to send in an IKE exchange.
Passphrases that appear in the Licensees field are encoded as the
string "passphrase:", followed by the passphrase itself
(case-sensitive).
+Alternately (and preferably), they may be encoded using the
+"passphrase-md5-hex:" or "passphrase-sha1-hex:" prefixes, followed
+by the
+.Xr md5 1
+or
+.Xr sha1 1
+hash of the passphrase itself, encoded as a hexadecimal string (using
+lower-case letters only).
.Pp
When X509-based authentication is performed in Main Mode, any X509
certificates received from the remote IKE daemon are converted to very
@@ -472,7 +487,7 @@ Set to the local date/time, in YYYYMMDDHHmmSS format.
Authorizer: "POLICY"
- Licensees: "passphrase:mekmitasisgoat"
+ Licensees: "passphrase-md5-hex:10838982612aff543e2e62a67c786550"
Comment: This policy accepts anyone using shared-secret
authentication using the password mekmitasisgoat,
and does ESP with some form of encryption (not null).
@@ -493,7 +508,7 @@ Set to the local date/time, in YYYYMMDDHHmmSS format.
KeyNote-Version: 2
- Licensees: "passphrase:somepassword"
+ Licensees: "passphrase-md5-hex:9c42a1346e333a770904b2a2b37fa7d3"
Conditions: esp_present == "yes" -> "true";
Authorizer: "subpolicy1"
@@ -505,7 +520,8 @@ Set to the local date/time, in YYYYMMDDHHmmSS format.
ah_auth_alg == "sha" &&
esp_present == "no" -> "true";
};
- Licensees: "passphrase:otherpassword" || "passphrase:thirdpassword"
+ Licensees: "passphrase:otherpassword" ||
+ "passphrase-sha1-hex:f5ed6e4abd30c36a89409b5da7ecb542c9fbf00f"
Authorizer: "subpolicy2"