src - OpenBSD base system

diff options


context:
space:
mode:

author	Reyk Floeter <reyk@cvs.openbsd.org>	2010-10-07 12:23:15 +0000
committer	Reyk Floeter <reyk@cvs.openbsd.org>	2010-10-07 12:23:15 +0000
commit	6a36f6dbb48252c868a2ca2d3596e1fd4cf8fb5e (patch)
tree	cc23eff6fc4990352eac993e6d11b9379b07bdc0 /usr.sbin/ikectl
parent	14ffeff175a8de445d01cb7dc7e3ddd49b610b9b (diff)

- add a -q (quiet) command line option that will be used by ikeca to

set openssl batch mode: don't ask for x509 options, use the defaults. - allow to specify the initial ca password on the command line to also make it scriptable. - allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server). - cosmetics: move double declarations of ca_*() functions to parser.h. ok phessler@

Diffstat (limited to 'usr.sbin/ikectl')

-rw-r--r--

usr.sbin/ikectl/ikeca.c

106

-rw-r--r--

usr.sbin/ikectl/ikectl.8

-rw-r--r--

usr.sbin/ikectl/ikectl.c

-rw-r--r--

usr.sbin/ikectl/parser.c

-rw-r--r--

usr.sbin/ikectl/parser.h

5 files changed, 152 insertions, 73 deletions

diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 9acf82b2309..99db0c35914 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ikeca.c,v 1.11 2010/10/07 10:56:22 phessler Exp $ */

+/* $OpenBSD: ikeca.c,v 1.12 2010/10/07 12:23:14 reyk Exp $ */

/* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */

@@ -52,25 +52,13 @@ struct ca {

char passfile[PATH_MAX];

char sslcnf[PATH_MAX];

char extcnf[PATH_MAX];

+ char batch[PATH_MAX];

char *caname;

};

-struct ca *ca_setup(char *, int);

-int ca_create(struct ca *);

-int ca_delete(struct ca *);

-int ca_delkey(struct ca *, char *);

-int ca_sign(struct ca *, char *, int);

-int ca_request(char *, char *, char *);

-int ca_certificate(struct ca *, char *, int);

-int ca_cert_install(struct ca *, char *);

-int ca_key_install(struct ca *, char *);

-int ca_key_create(struct ca *, char *);

-int ca_key_delete(struct ca *, char *);

-int ca_key_import(struct ca *, char *, char *);

-int ca_newpass(char *);

-int ca_export(struct ca *, char *, char *);

-int ca_revoke(struct ca *, char *);

-int ca_install(struct ca *);

+int ca_sign(struct ca *, char *, int, char *);

+int ca_request(struct ca *, char *);

+int ca_newpass(char *, char *);

int ca_show_certs(struct ca *);

char * ca_readpass(char *, size_t *);

int fcopy(char *, char *, mode_t);

@@ -154,15 +142,17 @@ ca_delkey(struct ca *ca, char *keyname)

}

int

-ca_request(char *sslpath, char *sslcnf, char *keyname)

+ca_request(struct ca *ca, char *keyname)

{

char cmd[PATH_MAX * 2];

char path[PATH_MAX];

- snprintf(path, sizeof(path), "%s/private/%s.csr", sslpath, keyname);

- snprintf(cmd, sizeof(cmd), "env CERT_CN=%s %s req -new"

+ snprintf(path, sizeof(path), "%s/private/%s.csr", ca->sslpath, keyname);

+ snprintf(cmd, sizeof(cmd), "env CERT_CN=%s %s req %s-new"

" -key %s/private/%s.key -out %s -config %s",

- keyname, PATH_OPENSSL, sslpath, keyname, path, sslcnf);

+ keyname, PATH_OPENSSL, ca->batch, ca->sslpath, keyname,

+ path, ca->sslcnf);

system(cmd);

chmod(path, 0600);

@@ -170,7 +160,7 @@ ca_request(char *sslpath, char *sslcnf, char *keyname)

}

int

-ca_sign(struct ca *ca, char *keyname, int type)

+ca_sign(struct ca *ca, char *keyname, int type, char *envargs)

{

char cmd[PATH_MAX * 2];

char hostname[MAXHOSTNAMELEN];

@@ -178,27 +168,30 @@ ca_sign(struct ca *ca, char *keyname, int type)

strlcpy(name, keyname, sizeof(name));

+ if (envargs == NULL)

+ envargs = "";

if (type == HOST_IPADDR) {

- snprintf(cmd, sizeof(cmd), "env CERTIP=%s %s x509 -req"

+ snprintf(cmd, sizeof(cmd), "env CERTIP=%s%s %s x509 -req"

" -days 365 -in %s/private/%s.csr"

" -CA %s/ca.crt -CAkey %s/private/ca.key -CAcreateserial"

" -extfile %s -extensions x509v3_IPAddr -out %s/%s.crt"

- " -passin file:%s", name, PATH_OPENSSL, ca->sslpath,

- keyname, ca->sslpath, ca->sslpath, ca->extcnf, ca->sslpath,

- keyname, ca->passfile);

+ " -passin file:%s", name, envargs, PATH_OPENSSL,

+ ca->sslpath, keyname, ca->sslpath, ca->sslpath,

+ ca->extcnf, ca->sslpath, keyname, ca->passfile);

} else if (type == HOST_FQDN) {

if (!strcmp(keyname, "local")) {

if (gethostname(hostname, sizeof(hostname)))

err(1, "gethostname");

strlcpy(name, hostname, sizeof(name));

}

- snprintf(cmd, sizeof(cmd), "env CERTFQDN=%s %s x509 -req"

+ snprintf(cmd, sizeof(cmd), "env CERTFQDN=%s%s %s x509 -req"

" -days 365 -in %s/private/%s.csr"

" -CA %s/ca.crt -CAkey %s/private/ca.key -CAcreateserial"

" -extfile %s -extensions x509v3_FQDN -out %s/%s.crt"

- " -passin file:%s", name, PATH_OPENSSL, ca->sslpath,

- keyname, ca->sslpath, ca->sslpath, ca->extcnf, ca->sslpath,

- keyname, ca->passfile);

+ " -passin file:%s", name, envargs, PATH_OPENSSL,

+ ca->sslpath, keyname, ca->sslpath, ca->sslpath,

+ ca->extcnf, ca->sslpath, keyname, ca->passfile);

} else

err(1, "unknown host type %d", type);

@@ -208,11 +201,24 @@ ca_sign(struct ca *ca, char *keyname, int type)

}

int

-ca_certificate(struct ca *ca, char *keyname, int type)

+ca_certificate(struct ca *ca, char *keyname, int type, int action)

{

+ char *envargs = "";

+ switch (action) {

+ case CA_SERVER:

+ envargs = " EXTCERTUSAGE=serverAuth";

+ break;

+ case CA_CLIENT:

+ envargs = " EXTCERTUSAGE=clientAuth";

+ break;

+ default:

+ break;

+ }

ca_key_create(ca, keyname);

- ca_request(ca->sslpath, ca->sslcnf, keyname);

- ca_sign(ca, keyname, type);

+ ca_request(ca, keyname);

+ ca_sign(ca, keyname, type, envargs);

return (0);

}

@@ -264,12 +270,17 @@ ca_cert_install(struct ca *ca, char *keyname)

}

int

-ca_newpass(char *passfile)

+ca_newpass(char *passfile, char *password)

{

FILE *f;

char *pass;

char prev[_PASSWORD_LEN + 1];

+ if (password != NULL) {

+ pass = password;

+ goto done;

+ }

pass = getpass("CA passphrase:");

if (pass == NULL || *pass == '\0')

err(1, "password not set");

@@ -279,6 +290,7 @@ ca_newpass(char *passfile)

if (pass == NULL || strcmp(prev, pass) != 0)

errx(1, "passphrase does not match!");

+ done:

if ((f = fopen(passfile, "wb")) == NULL)

err(1, "could not open passfile %s", passfile);

chmod(passfile, 0600);

@@ -304,10 +316,10 @@ ca_create(struct ca *ca)

chmod(path, 0600);

snprintf(path, sizeof(path), "%s/private/ca.csr", ca->sslpath);

- snprintf(cmd, sizeof(cmd), "env CERT_CN='VPN CA' %s req -new"

+ snprintf(cmd, sizeof(cmd), "env CERT_CN='VPN CA' %s req %s-new"

" -key %s/private/ca.key"

- " -config %s -out %s -passin file:%s",

- PATH_OPENSSL, ca->sslpath, ca->sslcnf, path, ca->passfile);

+ " -config %s -out %s -passin file:%s", PATH_OPENSSL,

+ ca->batch, ca->sslpath, ca->sslcnf, path, ca->passfile);

system(cmd);

chmod(path, 0600);

@@ -682,26 +694,26 @@ ca_revoke(struct ca *ca, char *keyname)

if (keyname) {

snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "

- " %s ca -config %s -keyfile %s/private/ca.key"

+ " %s ca %s-config %s -keyfile %s/private/ca.key"

" -key %s"

" -cert %s/ca.crt"

" -md sha1"

" -revoke %s/%s.crt",

- ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,

- ca->sslpath, ca->sslpath, keyname);

+ ca->sslpath, PATH_OPENSSL, ca->batch, ca->sslcnf,

+ ca->sslpath, pass, ca->sslpath, ca->sslpath, keyname);

system(cmd);

}

snprintf(cmd, sizeof(cmd), "env CADB='%s/index.txt' "

- " %s ca -config %s -keyfile %s/private/ca.key"

+ " %s ca %s-config %s -keyfile %s/private/ca.key"

" -key %s"

" -gencrl"

" -cert %s/ca.crt"

" -md sha1"

" -crldays 365"

" -out %s/ca.crl",

- ca->sslpath, PATH_OPENSSL, ca->sslcnf, ca->sslpath, pass,

- ca->sslpath, ca->sslpath);

+ ca->sslpath, PATH_OPENSSL, ca->batch, ca->sslcnf, ca->sslpath,

+ pass, ca->sslpath, ca->sslpath);

system(cmd);

bzero(pass, len);

@@ -711,7 +723,7 @@ ca_revoke(struct ca *ca, char *keyname)

}

struct ca *

-ca_setup(char *caname, int create)

+ca_setup(char *caname, int create, int quiet, char *pass)

{

struct stat st;

struct ca *ca;

@@ -727,10 +739,12 @@ ca_setup(char *caname, int create)

ca->caname = strdup(caname);

strlcpy(ca->sslpath, "/etc/ssl/", sizeof(ca->sslpath));

strlcat(ca->sslpath, caname, sizeof(ca->sslpath));

strlcpy(ca->passfile, ca->sslpath, sizeof(ca->passfile));

strlcat(ca->passfile, "/ikeca.passwd", sizeof(ca->passfile));

+ if (quiet)

+ strlcpy(ca->batch, "-batch ", sizeof(ca->batch));

if (stat(IKECA_CNF, &st) == 0) {

strlcpy(ca->extcnf, IKECA_CNF, sizeof(ca->extcnf));

strlcpy(ca->sslcnf, IKECA_CNF, sizeof(ca->sslcnf));

@@ -753,7 +767,7 @@ ca_setup(char *caname, int create)

err(1, "failed to create dir %s", path);

if (stat(ca->passfile, &st) == -1 && errno == ENOENT)

- ca_newpass(ca->passfile);

+ ca_newpass(ca->passfile, pass);

arc4random_buf(rnd, sizeof(rnd));

RAND_seed(rnd, sizeof(rnd));

diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 57d88121a2d..2bbe19c0c46 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8

@@ -1,4 +1,4 @@

-.\" $OpenBSD: ikectl.8,v 1.9 2010/10/01 07:08:25 jmc Exp $

+.\" $OpenBSD: ikectl.8,v 1.10 2010/10/07 12:23:14 reyk Exp $

.\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $

.\"

@@ -15,7 +15,7 @@

.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

.\"

-.Dd $Mdocdate: October 1 2010 $

+.Dd $Mdocdate: October 7 2010 $

.Dt IKECTL 8

.Os

.Sh NAME

@@ -23,6 +23,7 @@

.Nd control the IKEv2 daemon

.Sh SYNOPSIS

.Nm

+.Op Fl q

.Op Fl s Ar socket

.Ar command

.Op Ar arg ...

@@ -36,6 +37,8 @@ authority (CA) for IKEv2 peers.

.Pp

The options are as follows:

.Bl -tag -width Ds

+.It Fl q

+Don't ask for confirmation of any default options.

.It Fl s Ar socket

Use

.Ar socket

@@ -99,9 +102,16 @@ and its peers.

.Pp

The following commands are available to control the CA:

.Bl -tag -width Ds

-.It Cm ca Ar name Cm create

+.It Cm ca Ar name Cm create Op Ar password

Create a new certificate authority with the specified

.Ar name .

+The command will prompt for a CA password unless it is specified with

+the optional

+.Ar password

+argument.

+The password will be saved in a protected file

+.Pa ikeca.passwd

+in the CA directory and used for subsequent commands.

.It Cm ca Ar name Cm delete

Delete the certificate authority with the specified

.Ar name .

@@ -126,11 +136,19 @@ and included in the archives.

Install the certificate and Certificate Revocation List (CRL) for CA

.Ar name

as the currently active CA.

-.It Cm ca Ar name Cm certificate Ar host Cm create

+.It Cm ca Ar name Cm certificate Ar host Cm create Op Ic server \*(Ba client

Create a private key and certificate for

.Ar host

and sign then with the key of certificate authority with the specified

.Ar name .

+.Pp

+The certificate will be valid for client and server authentication by

+default by setting both flags as the extended key usage in the certificate;

+this can be restricted using the optional

+.Ic server

+or

+.Ic client

+argument.

.It Cm ca Ar name Cm certificate Ar host Cm delete

Deletes the private key and and certificates associated with

.Ar host .

diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index c1a169ec08f..3e82584180e 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ikectl.c,v 1.5 2010/06/23 16:01:01 jsg Exp $ */

+/* $OpenBSD: ikectl.c,v 1.6 2010/10/07 12:23:14 reyk Exp $ */

@@ -50,20 +50,6 @@ void monitor_id(struct imsg *);

int monitor(struct imsg *);

int ca_opt(struct parse_result *);

-struct ca *ca_setup(char *, int);

-int ca_create(struct ca *);

-int ca_certificate(struct ca *, char *, int);

-int ca_export(struct ca *, char *, char *);

-int ca_revoke(struct ca *, char *);

-int ca_delete(struct ca *);

-int ca_delkey(struct ca *, char *);

-int ca_install(struct ca *);

-int ca_cert_install(struct ca *, char *);

-int ca_show_certs(struct ca *);

-int ca_key_create(struct ca *, char *);

-int ca_key_delete(struct ca *, char *);

-int ca_key_install(struct ca *, char *);

-int ca_key_import(struct ca *, char *, char *);

struct imsgname imsgs[] = {

{ IMSG_CTL_OK, "ok", NULL },

@@ -95,7 +81,8 @@ ca_opt(struct parse_result *res)

{

struct ca *ca;

- ca = ca_setup(res->caname, (res->action == CA_CREATE));

+ ca = ca_setup(res->caname, (res->action == CA_CREATE),

+ res->quiet, res->pass);

if (ca == NULL)

errx(1, "ca_setup failed");

@@ -113,7 +100,9 @@ ca_opt(struct parse_result *res)

ca_export(ca, NULL, res->peer);

break;

case CA_CERT_CREATE:

- ca_certificate(ca, res->host, res->htype);

+ case CA_SERVER:

+ case CA_CLIENT:

+ ca_certificate(ca, res->host, res->htype, res->action);

break;

case CA_CERT_DELETE:

ca_delkey(ca, res->host);

@@ -160,13 +149,17 @@ main(int argc, char *argv[])

int n;

int ch;

int v = 0;

+ int quiet = 0;

const char *sock = IKED_SOCKET;

if ((env = calloc(1, sizeof(struct snmpd *))) == NULL)

err(1, "calloc");

- while ((ch = getopt(argc, argv, "s:")) != -1) {

+ while ((ch = getopt(argc, argv, "qs:")) != -1) {

switch (ch) {

+ case 'q':

+ quiet = 1;

+ break;

case 's':

sock = optarg;

break;

@@ -182,12 +175,16 @@ main(int argc, char *argv[])

if ((res = parse(argc, argv)) == NULL)

exit(1);

+ res->quiet = quiet;

switch (res->action) {

case CA_CREATE:

case CA_DELETE:

case CA_INSTALL:

case CA_EXPORT:

case CA_CERT_CREATE:

+ case CA_CLIENT:

+ case CA_SERVER:

case CA_CERT_DELETE:

case CA_CERT_INSTALL:

case CA_CERT_EXPORT:

diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index c82e3d071b4..752c775c4d4 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: parser.c,v 1.5 2010/06/23 16:01:01 jsg Exp $ */

+/* $OpenBSD: parser.c,v 1.6 2010/10/07 12:23:14 reyk Exp $ */

@@ -44,7 +44,8 @@ enum token_type {

CANAME,

PEER,

ADDRESS,

- FQDN

+ FQDN,

+ PASSWORD

};

struct token {

@@ -59,9 +60,11 @@ static const struct token t_reset[];

static const struct token t_log[];

static const struct token t_load[];

static const struct token t_ca[];

+static const struct token t_ca_pass[];

static const struct token t_ca_ex_peer[];

static const struct token t_ca_modifiers[];

static const struct token t_ca_cert[];

+static const struct token t_ca_cert_extusage[];

static const struct token t_ca_cert_ex_peer[];

static const struct token t_ca_cert_modifiers[];

static const struct token t_ca_key[];

@@ -112,7 +115,7 @@ static const struct token t_ca[] = {

};

static const struct token t_ca_modifiers[] = {

- { KEYWORD, "create", CA_CREATE, NULL },

+ { KEYWORD, "create", CA_CREATE, t_ca_pass },

{ KEYWORD, "delete", CA_DELETE, NULL },

{ KEYWORD, "install", CA_INSTALL, NULL },

{ KEYWORD, "certificate", CA_CERTIFICATE, t_ca_cert },

@@ -121,6 +124,12 @@ static const struct token t_ca_modifiers[] = {

{ ENDTOKEN, "", NONE, NULL }

};

+static const struct token t_ca_pass[] = {

+ { NOTOKEN, "", NONE, NULL },

+ { PASSWORD, "", NONE, NULL },

+ { ENDTOKEN, "", NONE, NULL },

+};

static const struct token t_ca_ex_peer[] = {

{ NOTOKEN, "", NONE, NULL},

{ PEER, "", NONE, NULL },

@@ -134,7 +143,7 @@ static const struct token t_ca_cert[] = {

};

static const struct token t_ca_cert_modifiers[] = {

- { KEYWORD, "create", CA_CERT_CREATE, NULL },

+ { KEYWORD, "create", CA_CERT_CREATE, t_ca_cert_extusage },

{ KEYWORD, "delete", CA_CERT_DELETE, NULL },

{ KEYWORD, "install", CA_CERT_INSTALL, NULL },

{ KEYWORD, "export", CA_CERT_EXPORT, t_ca_cert_ex_peer },

@@ -148,6 +157,13 @@ static const struct token t_ca_cert_ex_peer[] = {

{ ENDTOKEN, "", NONE, NULL },

};

+static const struct token t_ca_cert_extusage[] = {

+ { NOTOKEN, "", NONE, NULL},

+ { KEYWORD, "server", CA_SERVER, NULL },

+ { KEYWORD, "client", CA_CLIENT, NULL },

+ { ENDTOKEN, "", NONE, NULL },

+};

static const struct token t_ca_key[] = {

{ ADDRESS, "", NONE, t_ca_key_modifiers },

{ FQDN, "", NONE, t_ca_key_modifiers },

@@ -294,6 +310,13 @@ match_token(char *word, const struct token table[])

t = &table[i];

}

break;

+ case PASSWORD:

+ if (!match && word != NULL && strlen(word) > 0) {

+ res.pass = strdup(word);

+ match++;

+ t = &table[i];

+ }

+ break;

case ENDTOKEN:

break;

}

@@ -331,6 +354,9 @@ show_valid_args(const struct token table[])

case CANAME:

fprintf(stderr, " <caname>\n");

break;

+ case PASSWORD:

+ fprintf(stderr, " <password>\n");

+ break;

case PEER:

fprintf(stderr, " <peer>\n");

break;

diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index e2e9eb6742a..f89a7b20929 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: parser.h,v 1.5 2010/06/23 16:01:01 jsg Exp $ */

+/* $OpenBSD: parser.h,v 1.6 2010/10/07 12:23:14 reyk Exp $ */

@@ -16,6 +16,9 @@

* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+#ifndef _IKECTL_PARSER_H

+#define _IKECTL_PARSER_H

enum actions {

NONE,

LOAD,

@@ -39,6 +42,8 @@ enum actions {

CA_EXPORT,

CA_CERTIFICATE,

CA_CERT_CREATE,

+ CA_SERVER,

+ CA_CLIENT,

CA_CERT_DELETE,

CA_CERT_INSTALL,

CA_CERT_EXPORT,

@@ -56,12 +61,31 @@ struct parse_result {

struct imsgbuf *ibuf;

char *filename;

char *caname;

+ char *pass;

char *host;

char *peer;

int htype;

+ int quiet;

};

#define HOST_IPADDR 1

#define HOST_FQDN 2

struct parse_result *parse(int, char *[]);

+struct ca *ca_setup(char *, int, int, char *);

+int ca_create(struct ca *);

+int ca_certificate(struct ca *, char *, int, int);

+int ca_export(struct ca *, char *, char *);

+int ca_revoke(struct ca *, char *);

+int ca_delete(struct ca *);

+int ca_delkey(struct ca *, char *);

+int ca_install(struct ca *);

+int ca_cert_install(struct ca *, char *);

+int ca_show_certs(struct ca *);

+int ca_key_create(struct ca *, char *);

+int ca_key_delete(struct ca *, char *);

+int ca_key_install(struct ca *, char *);

+int ca_key_import(struct ca *, char *, char *);

+#endif /* _IKECTL_PARSER_H */