author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-14 13:53:32 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-06-14 13:53:32 +0000 |
commit | c16191c9a13fe874af2df610136c41bb0d467edc (patch) | |
tree | e5a329a054979755188ae2225fb8f2179087bc32 /sbin/isakmpd | |
parent | 8624517f70ffee7664516072d2bb9cf56f406c73 (diff) |
avoid stat before open
ok ho@
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/conf.c | 26 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 39 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 75 |
3 files changed, 81 insertions, 59 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c index 27b4a1e5325..b7d7b6113a2 100644 --- a/sbin/isakmpd/conf.c +++ b/sbin/isakmpd/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.69 2004/06/14 09:55:41 ho Exp $ */ +/* $OpenBSD: conf.c,v 1.70 2004/06/14 13:53:31 hshoexer Exp $ */ /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ /* @@ -374,7 +374,7 @@ conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg, snprintf(sect, sizeof sect, "%s-%s%s%s", mme_p, mmh, dhg_p, mma_p); - LOG_DBG((LOG_MISC, 90, "conf_load_defaults : main mode %s", sect)); + LOG_DBG((LOG_MISC, 90, "conf_load_defaults_mm: main mode %s", sect)); conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1); if (strcmp(mme, "BLOWFISH_CBC") == 0) @@ -411,7 +411,7 @@ conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p, strlcpy(sect, tmp, CONF_SECT_MAX); strlcat(sect, "-SUITE", CONF_SECT_MAX); - LOG_DBG((LOG_MISC, 90, "conf_load_defaults : quick mode %s", sect)); + LOG_DBG((LOG_MISC, 90, "conf_load_defaults_qm: quick mode %s", sect)); conf_set(tr, sect, "Protocols", tmp, 0, 1); snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto)); @@ -567,18 +567,11 @@ conf_reinit(void) unsigned int i; size_t sz; char *new_conf_addr = 0; - struct stat sb; - if ((monitor_stat(conf_path, &sb) == 0) || (errno != ENOENT)) { - if (check_file_secrecy(conf_path, &sz)) - return; + if ((fd = monitor_open(conf_path, O_RDONLY, 0)) != -1) { + if (check_file_secrecy_fd(fd, conf_path, &sz)) + goto fail; - fd = monitor_open(conf_path, O_RDONLY, 0); - if (fd == -1) { - log_error("conf_reinit: " - "open (\"%s\", O_RDONLY) failed", conf_path); - return; - } new_conf_addr = malloc(sz); if (!new_conf_addr) { log_error("conf_reinit: malloc (%lu) failed", 
@@ -597,8 +590,13 @@ conf_reinit(void) /* XXX Should we not care about errors and rollback? */ conf_parse(trans, new_conf_addr, sz); - } else + } else { + if (errno != ENOENT) + log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) " + "failed", conf_path); + trans = conf_begin(); + } /* Load default configuration values. */ conf_load_defaults(trans); diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index 0615c16b60c..0947e1814fa 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.90 2004/06/14 09:55:41 ho Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.91 2004/06/14 13:53:31 hshoexer Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* @@ -34,12 +34,14 @@ #include <sys/types.h> #include <sys/stat.h> -#include <unistd.h> -#include <fcntl.h> #include <netinet/in.h> #include <arpa/inet.h> + +#include <errno.h> +#include <fcntl.h> #include <stdlib.h> #include <string.h> +#include <unistd.h> #include <regex.h> #if defined (USE_KEYNOTE) #include <keynote.h> @@ -173,7 +175,7 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) buf = malloc(*keylen); if (!buf) { log_error("ike_auth_get_key: malloc (%lu) " - "failed", (unsigned long) *keylen); + "failed", (unsigned long)*keylen); return 0; } if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) { 
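Review bot: In the second conf_reinit hunk, the new `else` branch logs a non-ENOENT open failure but then still runs `trans = conf_begin();` and loads the defaults. The removed code entered the first branch for such errors and, presumably, left through the `return` after `check_file_secrecy` failed, so the running configuration stayed in place. If the rest of the function (outside the hunk) commits `trans`, a config file that is temporarily unreadable at reinit now replaces the live policy with defaults. Bracing the check and returning after the log keeps the old behaviour: `if (errno != ENOENT) { log_error(...); return; }`. This relies on monitor_open leaving errno as the failed open set it, which is not visible here.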
@@ -217,19 +219,20 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) local_id, PRIVATE_KEY_FILE); keyfile = privkeyfile; - if (monitor_stat(keyfile, &sb) < 0) { + fd = monitor_open(keyfile, O_RDONLY, 0); + if (fd < 0) { free(keyfile); goto ignorekeynote; } - size = (size_t) sb.st_size; - fd = monitor_open(keyfile, O_RDONLY, 0); - if (fd < 0) { - log_print("ike_auth_get_key: failed opening " - "\"%s\"", keyfile); + if (fstat(fd, &sb) < 0) { + log_print("ike_auth_get_key: fstat failed"); free(keyfile); + close(fd); return 0; } + size = (size_t)sb.st_size; + buf = calloc(size + 1, sizeof(char)); if (!buf) { log_print("ike_auth_get_key: failed allocating" @@ -238,7 +241,7 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) close(fd); return 0; } - if (read(fd, buf, size) != (ssize_t) size) { + if (read(fd, buf, size) != (ssize_t)size) { free(buf); log_print("ike_auth_get_key: " "failed reading %lu bytes from \"%s\"", @@ -1110,7 +1113,6 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) { char filename[FILENAME_MAX]; char *fstr; - struct stat st; FILE *keyfp; if (type != IKE_AUTH_RSA_SIG) { /* XXX More types? */ @@ -1138,15 +1140,14 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) free(fstr); /* If the file does not exist, fail silently. */ - if (monitor_stat(filename, &st) == 0) { - keyfp = monitor_fopen(filename, "r"); - if (!keyfp) { - log_error("get_raw_key_from_file: monitor_fopen " - "(\"%s\", \"r\") failed", filename); - return -1; - } + keyfp = monitor_fopen(filename, "r"); + if (keyfp) { *rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL); fclose(keyfp); + } else if (errno != ENOENT) { + log_error("get_raw_key_from_file: monitor_fopen " + "(\"%s\", \"r\") failed", filename); + return -1; } else LOG_DBG((LOG_NEGOTIATION, 50, "get_raw_key_from_file: file %s not found", filename)); diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index 1fab3a52a8c..02d75172594 100644 
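Review bot: In the ike_auth_get_key hunk, a failed `monitor_open` now jumps to `ignorekeynote` for every errno, so a private key file that exists but cannot be opened is skipped without a log line; the removed code logged that case and returned 0. The other call sites changed in this commit (conf_reinit, get_raw_key_from_file) stay quiet only for ENOENT, and the same split fits here, placed before `free(keyfile)`: `if (errno != ENOENT) log_print("ike_auth_get_key: failed opening \"%s\"", keyfile);`. The new `fstat failed` message also omits the file name, which makes the error harder to trace. The function body starts and ends outside the hunk.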
--- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.91 2004/06/14 09:55:42 ho Exp $ */ +/* $OpenBSD: x509.c,v 1.92 2004/06/14 13:53:31 hshoexer Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -620,8 +620,9 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) #endif FILE *certfp; X509 *cert; + struct stat sb; char fullname[PATH_MAX]; - int off, size; + int fd, off, size; if (strlen(name) >= sizeof fullname - 1) { log_print("x509_read_from_dir: directory name too long"); @@ -647,25 +648,35 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) if (file->d_type != DT_UNKNOWN) { if (file->d_type != DT_REG && file->d_type != DT_LNK) continue; - } else { - struct stat sb; - - if (monitor_stat(fullname, &sb) == -1 || - !(sb.st_mode & S_IFREG)) - continue; } LOG_DBG((LOG_CRYPTO, 60, "x509_read_from_dir: reading certificate %s", file->d_name)); - certfp = monitor_fopen(fullname, "r"); - if (!certfp) { - log_error("x509_read_from_dir: monitor_fopen " - "(\"%s\", \"r\") failed", - fullname); + if ((fd = monitor_open(fullname, O_RDONLY, 0)) == -1) { + log_error("x509_read_from_dir: monitor_open" + "(\"%s\", O_RDONLY, 0) failed", fullname); + continue; + } + + if (fstat(fd, &sb) == -1) { + log_error("x509_read_from_dir: fstat failed"); + close(fd); + continue; + } + + if (!(sb.st_mode & S_IFREG)) { + close(fd); continue; } + + if ((certfp = fdopen(fd, "r")) == NULL) { + log_error("x509_read_from_dir: fdopen failed"); + close(fd); + continue; + } + #if SSLEAY_VERSION_NUMBER >= 0x00904100L cert = PEM_read_X509(certfp, NULL, NULL, NULL); #else @@ -714,8 +725,9 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) #endif FILE *crlfp; X509_CRL *crl; + struct stat sb; char fullname[PATH_MAX]; - int off, size; + int fd, off, size; if (strlen(name) >= sizeof fullname - 1) { log_print("x509_read_crls_from_dir: directory name too long"); 
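Review bot: In the x509_read_from_dir hunk, the type check after `fstat` is `!(sb.st_mode & S_IFREG)`, a bit test rather than a file-type comparison; `if (!S_ISREG(sb.st_mode)) {` states the intent and does not depend on which other types share that bit. Because the open now comes before the type check, a FIFO behind a DT_UNKNOWN entry would block inside `monitor_open`, where the removed `monitor_stat` branch skipped it. Passing `O_RDONLY | O_NONBLOCK` would avoid the stall, provided monitor_open accepts that flag. The `fstat failed` and `fdopen failed` messages would be easier to act on with `fullname` included. All of this applies equally to the x509_read_crls_from_dir hunk that follows.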
@@ -740,30 +752,41 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) if (file->d_type != DT_UNKNOWN) { if (file->d_type != DT_REG && file->d_type != DT_LNK) continue; - } else { - struct stat sb; - - if (monitor_stat(fullname, &sb) == -1 || - !(sb.st_mode & S_IFREG)) - continue; - } + } LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading " "CRL %s", file->d_name)); - crlfp = monitor_fopen(fullname, "r"); - if (!crlfp) { - log_error("x509_read_crls_from_dir: monitor_fopen " - "(\"%s\", \"r\") failed", fullname); + if ((fd = monitor_open(fullname, O_RDONLY, 0)) == -1) { + log_error("x509_read_crls_from_dir: monitor_open" + "(\"%s\", O_RDONLY, 0) failed", fullname); continue; } + + if (fstat(fd, &sb) == -1) { + log_error("x509_read_crls_from_dir: fstat failed"); + close(fd); + continue; + } + + if (!(sb.st_mode & S_IFREG)) { + close(fd); + continue; + } + + if ((crlfp = fdopen(fd, "r")) == NULL) { + log_error("x509_read_crls_from_dir: fdopen failed"); + close(fd); + continue; + } + crl = PEM_read_X509_CRL(crlfp, NULL, NULL, NULL); fclose(crlfp); if (crl == NULL) { log_print("x509_read_crls_from_dir: " - "PEM_read_bio_X509_CRL failed for %s", + "PEM_read_X509_CRL failed for %s", file->d_name); continue; } |