src - OpenBSD base system

diff options


context:
space:
mode:

author	Theo de Raadt <deraadt@cvs.openbsd.org>	2005-04-08 17:15:02 +0000
committer	Theo de Raadt <deraadt@cvs.openbsd.org>	2005-04-08 17:15:02 +0000
commit	279fdb6b313cbaa9614199eff4369a838ea60403 (patch)
tree	da7fa3e019d18b71a75b3a02bbc72d0a76b291c0 /sbin/isakmpd
parent	b023c387d825596bb473a8b891ff5d2fc703bef8 (diff)

keynote and policy always compiled in

Diffstat (limited to 'sbin/isakmpd')

-rw-r--r--

sbin/isakmpd/Makefile

-rw-r--r--

sbin/isakmpd/cert.c

-rw-r--r--

sbin/isakmpd/conf.c

-rw-r--r--

sbin/isakmpd/features/policy

-rw-r--r--

sbin/isakmpd/ike_auth.c

-rw-r--r--

sbin/isakmpd/ike_quick_mode.c

-rw-r--r--

sbin/isakmpd/init.c

-rw-r--r--

sbin/isakmpd/isakmpd.c

-rw-r--r--

sbin/isakmpd/libcrypto.c

-rw-r--r--

sbin/isakmpd/monitor.c

-rw-r--r--

sbin/isakmpd/pf_key_v2.c

-rw-r--r--

sbin/isakmpd/sa.c

-rw-r--r--

sbin/isakmpd/x509.c

13 files changed, 15 insertions, 137 deletions

diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile
index b99649bb781..2d1af2be5a9 100644
--- a/sbin/isakmpd/Makefile
+++ b/sbin/isakmpd/Makefile

@@ -1,4 +1,4 @@

-# $OpenBSD: Makefile,v 1.67 2005/04/08 17:03:04 deraadt Exp $

+# $OpenBSD: Makefile,v 1.68 2005/04/08 17:15:01 deraadt Exp $

# $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $

@@ -113,38 +113,17 @@ DPADD+= ${LIBGMP}

CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL

.endif

-.ifdef USE_KEYNOTE

-USE_LIBCRYPTO= yes

-USE_LIBDES= yes

-LDADD+= -lkeynote -lm

-DPADD+= ${LIBKEYNOTE} ${LIBM}

-CFLAGS+= -DUSE_KEYNOTE

-.endif

.ifdef USE_RAWKEY

-USE_LIBCRYPTO= yes

CFLAGS+= -DUSE_RAWKEY

.endif

-.ifdef USE_LIBCRYPTO

-CFLAGS+= -DUSE_LIBCRYPTO

-LDADD+= -lcrypto

-DPADD+= ${LIBCRYPTO}

-.endif

-.ifdef USE_LIBDES

-CFLAGS+= -DUSE_LIBDES

-LDADD+= -ldes

-DPADD+= ${LIBDES}

-.endif

-SRCS+= ${IPSEC_SRCS} ${POLICY} math_ec2n.c ${DNSSEC} \

+SRCS+= ${IPSEC_SRCS} ${DNSSEC} policy.c math_ec2n.c \

ike_aggressive.c isakmp_cfg.c dpd.c monitor.c monitor_fdpass.c \

nat_traversal.c udp_encap.c

CFLAGS+= ${IPSEC_CFLAGS} ${DNSSEC_CFLAGS}

-LDADD+= ${DESLIB} ${LWRESLIB}

-DPADD+= ${DESLIBDEP} ${LWRESLIB}

+LDADD+= ${LWRESLIB} -lkeynote -lcrypto -ldes -lm

+DPADD+= ${LWRESLIB} ${LIBKEYNOTE} ${LIBCRYPTO} ${LIBDES} ${LIBM}

exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst

/bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/exchange_num

diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c
index 28cd848605f..28ea639bfca 100644
--- a/sbin/isakmpd/cert.c
+++ b/sbin/isakmpd/cert.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: cert.c,v 1.29 2005/04/05 20:46:20 cloder Exp $ */

+/* $OpenBSD: cert.c,v 1.30 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */

@@ -42,9 +42,7 @@

#include "cert.h"

#include "x509.h"

-#ifdef USE_KEYNOTE

#include "policy.h"

-#endif

struct cert_handler cert_handler[] = {

{

@@ -55,7 +53,6 @@ struct cert_handler cert_handler[] = {

x509_cert_obtain, x509_cert_get_key, x509_cert_get_subjects,

x509_cert_dup, x509_serialize, x509_printable, x509_from_printable

-#ifdef USE_KEYNOTE

{

ISAKMP_CERTENC_KEYNOTE,

keynote_cert_init, NULL, keynote_cert_get, keynote_cert_validate,

@@ -65,7 +62,6 @@ struct cert_handler cert_handler[] = {

keynote_cert_dup, keynote_serialize, keynote_printable,

keynote_from_printable

-#endif

};

/* Initialize all certificate handlers */

diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 2168eea451c..515e396f19c 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: conf.c,v 1.80 2005/04/08 16:04:17 deraadt Exp $ */

+/* $OpenBSD: conf.c,v 1.81 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */

@@ -484,10 +484,8 @@ conf_load_defaults(int tr)

conf_set(tr, "X509-certificates", "CRL-directory",

CONF_DFLT_X509_CRL_DIR, 0, 1);

-#ifdef USE_KEYNOTE

conf_set(tr, "KeyNote", "Credential-directory",

CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);

-#endif

/* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */

dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");

diff --git a/sbin/isakmpd/features/policy b/sbin/isakmpd/features/policy
deleted file mode 100644
index 680cc3753e8..00000000000
--- a/sbin/isakmpd/features/policy
+++ /dev/null

@@ -1,33 +0,0 @@

-# $OpenBSD: policy,v 1.6 2003/06/03 14:29:41 ho Exp $

-# $EOM: policy,v 1.4 2000/02/20 16:38:15 niklas Exp $

-# Redistribution and use in source and binary forms, with or without

-# modification, are permitted provided that the following conditions

-# are met:

-# 1. Redistributions of source code must retain the above copyright

-# notice, this list of conditions and the following disclaimer.

-# 2. Redistributions in binary form must reproduce the above copyright

-# notice, this list of conditions and the following disclaimer in the

-# documentation and/or other materials provided with the distribution.

-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-# This code was written under funding by Wireless Networks Inc.

-# NOTE: KeyNote policy support requires the keynote library

-POLICY= policy.c

diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 19fe75e710d..599a24ca3ad 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ike_auth.c,v 1.98 2005/04/05 20:46:20 cloder Exp $ */

+/* $OpenBSD: ike_auth.c,v 1.99 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */

@@ -43,9 +43,7 @@

#include <string.h>

#include <unistd.h>

#include <regex.h>

-#if defined (USE_KEYNOTE)

#include <keynote.h>

-#endif

#include <policy.h>

#include "sysdep.h"

@@ -188,7 +186,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)

break;

case IKE_AUTH_RSA_SIG:

-#if defined (USE_KEYNOTE)

if (local_id && (keyfile = conf_get_str("KeyNote",

"Credential-directory")) != 0) {

struct stat sb;

@@ -269,7 +266,6 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)

return dc.dec_key;

}

ignorekeynote:

-#endif /* USE_KEYNOTE */

/* Otherwise, try X.509 */

keyfile = conf_get_str("X509-certificates", "Private-key");

@@ -577,7 +573,6 @@ rsa_sig_decode_hash(struct message *msg)

p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1);

return -1;

}

-#if defined (USE_POLICY) || defined (USE_KEYNOTE)

* We need the policy session initialized now, so we can add

* credentials etc.

@@ -588,7 +583,6 @@ rsa_sig_decode_hash(struct message *msg)

"session");

return -1;

}

-#endif /* USE_POLICY || USE_KEYNOTE */

/* Obtain a certificate from our certificate storage. */

if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) {

@@ -609,10 +603,8 @@ rsa_sig_decode_hash(struct message *msg)

"of type %d", handler->id));

exchange->recv_cert = cert;

exchange->recv_certtype = handler->id;

-#if defined (USE_POLICY)

x509_generate_kn(exchange->policy_id,

cert);

-#endif /* USE_POLICY */

}

} else if (handler->id == ISAKMP_CERTENC_KEYNOTE)

@@ -695,7 +687,6 @@ rsa_sig_decode_hash(struct message *msg)

exchange->recv_cert = cert;

exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p);

-#if defined (USE_POLICY) || defined (USE_KEYNOTE)

if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) {

struct keynote_deckey dc;

char *pp;

@@ -725,8 +716,6 @@ rsa_sig_decode_hash(struct message *msg)

pp);

free(pp);

}

-#endif

found++;

}

diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 09ce2fab9c8..b8e3d640f27 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ike_quick_mode.c,v 1.93 2005/04/06 16:00:20 deraadt Exp $ */

+/* $OpenBSD: ike_quick_mode.c,v 1.94 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */

@@ -34,11 +34,9 @@

#include <stdlib.h>

#include <string.h>

-#if defined (USE_POLICY) || defined (USE_KEYNOTE)

#include <sys/types.h>

#include <regex.h>

#include <keynote.h>

-#endif

#include "sysdep.h"

@@ -71,9 +69,7 @@ static int responder_recv_HASH_SA_NONCE(struct message *);

static int responder_send_HASH_SA_NONCE(struct message *);

static int responder_recv_HASH(struct message *);

-#ifdef USE_POLICY

static int check_policy(struct exchange *, struct sa *, struct sa *);

-#endif

int (*ike_quick_mode_initiator[])(struct message *) = {

initiator_send_HASH_SA_NONCE,

@@ -87,8 +83,6 @@ int (*ike_quick_mode_responder[])(struct message *) = {

responder_recv_HASH

};

-#ifdef USE_POLICY

/* How many return values will policy handle -- true/false for now */

#define RETVALUES_NUM 2

@@ -217,7 +211,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)

break;

case ISAKMP_CERTENC_KEYNOTE:

-#ifdef USE_KEYNOTE

nprinc = 1;

principal = calloc(nprinc, sizeof *principal);

@@ -234,7 +227,6 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)

(unsigned long)sizeof(char));

goto policydone;

}

-#endif

break;

case ISAKMP_CERTENC_X509_SIG:

@@ -395,7 +387,6 @@ policydone:

return result;

}

-#endif /* USE_POLICY */

* Offer several sets of transforms to the responder.

@@ -1230,13 +1221,11 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)

proto_free(proto);

}

-#ifdef USE_POLICY

if (!check_policy(exchange, sa, msg->isakmp_sa)) {

message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);

log_print("initiator_recv_HASH_SA_NONCE: policy check failed");

return -1;

}

-#endif

/* Mark the SA as handled. */

sa_p->flags |= PL_MARK;

@@ -1625,18 +1614,8 @@ responder_recv_HASH_SA_NONCE(struct message *msg)

sockaddr_addrlen(dst));

}

-#ifdef USE_POLICY

-#ifdef USE_KEYNOTE

if (message_negotiate_sa(msg, check_policy))

goto cleanup;

-#else

- if (message_negotiate_sa(msg, 0))

- goto cleanup;

-#endif

-#else

- if (message_negotiate_sa(msg, 0))

- goto cleanup;

-#endif /* USE_POLICY */

for (sa = TAILQ_FIRST(&exchange->sa_list); sa;

sa = TAILQ_NEXT(sa, next)) {

diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index d301155b5ae..07e6e21550b 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: init.c,v 1.34 2005/04/08 16:37:14 deraadt Exp $ */

+/* $OpenBSD: init.c,v 1.35 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */

@@ -58,9 +58,7 @@

#include "ui.h"

#include "util.h"

-#if defined (USE_POLICY)

#include "policy.h"

-#endif

#include "nat_traversal.h"

#include "udp_encap.h"

@@ -86,10 +84,8 @@ init(void)

/* This depends on conf_init, thus check as soon as possible. */

log_reinit();

-#if defined (USE_POLICY)

/* policy_init depends on conf_init having run. */

policy_init();

-#endif

/* Depends on conf_init and policy_init having run */

cert_init();

@@ -127,10 +123,8 @@ reinit(void)

log_reinit();

-#if defined (USE_POLICY)

/* Reread the policies. */

policy_init();

-#endif

/* Reinitialize certificates */

cert_init();

diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index c409c2cfd0b..bae5e549546 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: isakmpd.c,v 1.81 2005/04/08 16:37:14 deraadt Exp $ */

+/* $OpenBSD: isakmpd.c,v 1.82 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */

@@ -64,9 +64,7 @@

#include "util.h"

#include "cert.h"

-#ifdef USE_POLICY

#include "policy.h"

-#endif

static void usage(void);

@@ -185,11 +183,9 @@ parse_args(int argc, char *argv[])

pid_file = optarg;

break;

-#ifdef USE_POLICY

case 'K':

ignore_policy++;

break;

-#endif

case 'n':

app_none++;

diff --git a/sbin/isakmpd/libcrypto.c b/sbin/isakmpd/libcrypto.c
index 00d4345ef3b..5191750abbd 100644
--- a/sbin/isakmpd/libcrypto.c
+++ b/sbin/isakmpd/libcrypto.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: libcrypto.c,v 1.17 2005/04/05 20:46:20 cloder Exp $ */

+/* $OpenBSD: libcrypto.c,v 1.18 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: libcrypto.c,v 1.14 2000/09/28 12:53:27 niklas Exp $ */

@@ -36,14 +36,10 @@

void

libcrypto_init(void)

{

-#if defined (USE_LIBCRYPTO)

/* Add all algorithms known by SSL */

#if OPENSSL_VERSION_NUMBER >= 0x00905100L

OpenSSL_add_all_algorithms();

#else

SSLeay_add_all_algorithms();

#endif

-#endif /* USE_LIBCRYPTO */

}

diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index ba14f16ba0e..33aa75392e8 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: monitor.c,v 1.37 2005/04/04 19:31:11 deraadt Exp $ */

+/* $OpenBSD: monitor.c,v 1.38 2005/04/08 17:15:01 deraadt Exp $ */

@@ -41,10 +41,8 @@

#include <string.h>

#include <unistd.h>

-#if defined (USE_POLICY)

#include <regex.h>

#include <keynote.h>

-#endif

#include "sysdep.h"

diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 6711106b39e..993c4121d60 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pf_key_v2.c,v 1.161 2005/04/08 16:37:14 deraadt Exp $ */

+/* $OpenBSD: pf_key_v2.c,v 1.162 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */

@@ -67,9 +67,7 @@

#include "transport.h"

#include "util.h"

-#if defined (USE_KEYNOTE)

#include "policy.h"

-#endif

#include "udp_encap.h"

@@ -1586,7 +1584,6 @@ nodid:

/* Nothing to be done here. */

break;

-#if defined (USE_KEYNOTE) && defined (SADB_X_EXT_REMOTE_CREDENTIALS)

case ISAKMP_CERTENC_KEYNOTE:

len = strlen(isakmp_sa->recv_cert);

cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,

@@ -1606,7 +1603,6 @@ nodid:

PF_KEY_V2_NODE_MALLOCED) == -1)

goto cleanup;

break;

-#endif /* USE_KEYNOTE */

#if defined (SADB_X_EXT_REMOTE_CREDENTIALS)

case ISAKMP_CERTENC_X509_SIG:

diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index a09ac8c07ec..bfefefe52c2 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sa.c,v 1.95 2005/04/08 16:52:41 deraadt Exp $ */

+/* $OpenBSD: sa.c,v 1.96 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */

@@ -35,10 +35,8 @@

#include <stdlib.h>

#include <string.h>

-#if defined (USE_KEYNOTE) || defined (USE_POLICY)

#include <regex.h>

#include <keynote.h>

-#endif /* USE_KEYNOTE || USE_POLICY */

#include "sysdep.h"

@@ -789,10 +787,8 @@ sa_release(struct sa *sa)

sa->recv_key);

if (sa->keynote_key)

free(sa->keynote_key); /* This is just a string */

-#if defined (USE_POLICY) || defined (USE_KEYNOTE)

if (sa->policy_id != -1)

kn_close(sa->policy_id);

-#endif

if (sa->name)

free(sa->name);

if (sa->keystate)

diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index d7a28ca5331..8442643039e 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: x509.c,v 1.99 2005/04/08 16:24:12 deraadt Exp $ */

+/* $OpenBSD: x509.c,v 1.100 2005/04/08 17:15:01 deraadt Exp $ */

/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */

@@ -43,10 +43,8 @@

#include <string.h>

#include <unistd.h>

-#ifdef USE_POLICY

#include <regex.h>

#include <keynote.h>

-#endif /* USE_POLICY */

#include "sysdep.h"

@@ -96,7 +94,6 @@ static LIST_HEAD(x509_list, x509_hash) *x509_tab = 0;

/* Works both as a maximum index and a mask. */

static int bucket_mask;

-#ifdef USE_POLICY

* Given an X509 certificate, create a KeyNote assertion where

* Issuer/Subject -> Authorizer/Licensees.

@@ -478,7 +475,6 @@ x509_generate_kn(int id, X509 *cert)

free(buf);

return 1;

}

-#endif /* USE_POLICY */

static u_int16_t

x509_hash(u_int8_t *id, size_t len)

@@ -961,14 +957,12 @@ x509_cert_insert(int id, void *scert)

log_print("x509_cert_insert: X509_dup failed");

return 0;

}

-#ifdef USE_POLICY

if (x509_generate_kn(id, cert) == 0) {

LOG_DBG((LOG_POLICY, 50,

"x509_cert_insert: x509_generate_kn failed"));

X509_free(cert);

return 0;

}

-#endif /* USE_POLICY */

res = x509_hash_enter(cert);

if (!res)