authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-25 20:25:35 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-25 20:25:35 +0000
commit4213c1dc4ca113a27c547ad390fd05f78e947cc4 (patch)
treebbe8dfdec7c60f9f5fa03764990e132020c69dd2 /sbin
parent7f25b2c327254506ea1c8ca59862ea2c5c8cfdbe (diff)
Keynote policy checking can now be disabled by "-K" switch and config tag
"Use-Keynote". Default is to use keynote. ok henning@ ho@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/conf.c3
-rw-r--r--sbin/isakmpd/conf.h3
-rw-r--r--sbin/isakmpd/ike_quick_mode.c7
-rw-r--r--sbin/isakmpd/isakmpd.c12
-rw-r--r--sbin/isakmpd/policy.c8
-rw-r--r--sbin/isakmpd/policy.h3
6 files changed, 28 insertions, 8 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index b7d7b6113a2..32af77c05e7 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.70 2004/06/14 13:53:31 hshoexer Exp $ */
+/* $OpenBSD: conf.c,v 1.71 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -471,6 +471,7 @@ conf_load_defaults(int tr)
conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,
0, 1);
+ conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1);
conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);
conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,
1);
diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index 96447d6c9a7..7c66620d4b6 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.29 2004/05/14 08:42:56 hshoexer Exp $ */
+/* $OpenBSD: conf.h,v 1.30 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */
/*
@@ -57,6 +57,7 @@
#define CONF_DFLT_RETRANSMITS "3"
#define CONF_DFLT_EXCH_MAX_TIME "120"
+#define CONF_DFLT_USE_KEYNOTE "yes"
#define CONF_DFLT_POLICY_FILE ISAKMPD_ROOT "isakmpd.policy"
#define CONF_DFLT_X509_CA_DIR ISAKMPD_ROOT "ca/"
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 547dc23d04f..4d5e3ca1d80 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.83 2004/06/20 17:17:35 ho Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.84 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -112,6 +112,11 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
X509_NAME *subject;
#endif
+ /* Do we want to use keynote policies? */
+ if (ignore_policy ||
+ strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
+ return 1;
+
/* Initialize if necessary -- e.g., if pre-shared key auth was used */
if (isakmp_sa->policy_id < 0) {
if ((isakmp_sa->policy_id = kn_init()) == -1) {
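Review bot: The new guard hands the result of `conf_get_str("General", "Use-Keynote")` straight to strncmp, but conf_get_str can return NULL when a tag is unset (policy_init checks its return for exactly that right after its own hunk), and strncmp on a NULL argument is undefined behaviour; it works today only because conf_load_defaults pre-sets the tag, which this check should not silently depend on. Since returning 1 here means the proposal is accepted without any KeyNote evaluation, the guard is a security decision and deserves an explicit NULL check and an exact match rather than a prefix match that also accepts "yesterday": `const char *use_kn = conf_get_str("General", "Use-Keynote");` / `if (ignore_policy || !use_kn || strcmp(use_kn, "yes") != 0)` / `return 1;`. The same pattern is added to policy_init in the policy.c hunk and should get the same treatment; the comment there could also say that skipping policy_init leaves the policy file unread, so every later check_policy call takes this early-accept path. check_policy's body continues outside the hunk.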
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index bb871fe9da9..4df958b3b6c 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.66 2004/06/23 00:55:59 hshoexer Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.67 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -118,7 +118,7 @@ usage(void)
{
fprintf(stderr,
"usage: %s [-4] [-6] [-a] [-c config-file] [-d] [-D class=level]\n"
- " [-f fifo] [-i pid-file] [-n] [-p listen-port]\n"
+ " [-f fifo] [-i pid-file] [-K] [-n] [-p listen-port]\n"
" [-P local-port] [-L] [-l packetlog-file] [-r seed]\n"
" [-R report-file] [-v]\n",
sysdep_progname());
@@ -135,7 +135,7 @@ parse_args(int argc, char *argv[])
int do_packetlog = 0;
#endif
- while ((ch = getopt(argc, argv, "46ac:dD:f:i:np:P:Ll:r:R:v")) != -1) {
+ while ((ch = getopt(argc, argv, "46ac:dD:f:i:Knp:P:Ll:r:R:v")) != -1) {
switch (ch) {
case '4':
bind_family |= BIND_FAMILY_INET4;
@@ -180,6 +180,12 @@ parse_args(int argc, char *argv[])
pid_file = optarg;
break;
+#ifdef USE_POLICY
+ case 'K':
+ ignore_policy++;
+ break;
+#endif
+
case 'n':
app_none++;
break;
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index b20c9841e5c..d1ab5558df7 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.76 2004/06/24 15:58:58 hshoexer Exp $ */
+/* $OpenBSD: policy.c,v 1.77 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -67,6 +67,7 @@
#include "x509.h"
char **policy_asserts = NULL;
+int ignore_policy = 0;
int policy_asserts_num = 0;
struct exchange *policy_exchange = 0;
struct sa *policy_sa = 0;
@@ -1938,6 +1939,11 @@ policy_init(void)
LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
+ /* Do we want to use the policy modules? */
+ if (ignore_policy ||
+ strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
+ return;
+
/* Get policy file from configuration. */
policy_file = conf_get_str("General", "Policy-file");
if (!policy_file)
diff --git a/sbin/isakmpd/policy.h b/sbin/isakmpd/policy.h
index 4b39c78f24c..e4b5e9a016c 100644
--- a/sbin/isakmpd/policy.h
+++ b/sbin/isakmpd/policy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.h,v 1.14 2004/04/28 20:20:32 hshoexer Exp $ */
+/* $OpenBSD: policy.h,v 1.15 2004/06/25 20:25:34 hshoexer Exp $ */
/* $EOM: policy.h,v 1.12 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -38,6 +38,7 @@
#define PRIVATE_KEY_FILE "private_key"
#endif
+extern int ignore_policy;
extern int policy_asserts_num;
extern int x509_policy_asserts_num;
extern int x509_policy_asserts_num_alloc;