diff options
author | Hakan Olsson <ho@cvs.openbsd.org> | 2005-05-22 20:35:49 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2005-05-22 20:35:49 +0000 |
commit | 1ab007e874cbeba337139155761f26c8f44c67c6 (patch) | |
tree | 6ef487ecb146e950798fd415b7f4ec02652f8b42 /usr.sbin/sasyncd | |
parent | 70630e70ff57f4e98691631edb8aea27a95cc743 (diff) |
No more SSL between peers, instead do shared key AES & SHA
Diffstat (limited to 'usr.sbin/sasyncd')
-rw-r--r-- | usr.sbin/sasyncd/Makefile | 7 | ||||
-rw-r--r-- | usr.sbin/sasyncd/conf.y | 26 | ||||
-rw-r--r-- | usr.sbin/sasyncd/net.c | 234 | ||||
-rw-r--r-- | usr.sbin/sasyncd/net.h | 12 | ||||
-rw-r--r-- | usr.sbin/sasyncd/net_ctl.c | 5 | ||||
-rw-r--r-- | usr.sbin/sasyncd/net_ssl.c | 239 | ||||
-rw-r--r-- | usr.sbin/sasyncd/pfkey.c | 22 | ||||
-rw-r--r-- | usr.sbin/sasyncd/sasyncd.c | 14 | ||||
-rw-r--r-- | usr.sbin/sasyncd/sasyncd.h | 15 |
9 files changed, 232 insertions, 342 deletions
diff --git a/usr.sbin/sasyncd/Makefile b/usr.sbin/sasyncd/Makefile index 5f7a8af1d14..33feeabf7dc 100644 --- a/usr.sbin/sasyncd/Makefile +++ b/usr.sbin/sasyncd/Makefile @@ -1,8 +1,7 @@ -# $Id: Makefile,v 1.2 2005/04/03 17:19:26 ho Exp $ +# $Id: Makefile,v 1.3 2005/05/22 20:35:48 ho Exp $ PROG= sasyncd -SRCS= sasyncd.c carp.c conf.y log.c net.c net_ctl.c net_ssl.c \ - pfkey.c timer.c +SRCS= sasyncd.c carp.c conf.y log.c net.c net_ctl.c pfkey.c timer.c MAN= sasyncd.8 sasyncd.conf.5 CFLAGS+= -I${.CURDIR} @@ -17,6 +16,6 @@ CLEANFILES= y.tab.h CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes \ -Wmissing-declarations -LDADD+= -lcrypto -lssl +LDADD+= -lcrypto .include <bsd.prog.mk> diff --git a/usr.sbin/sasyncd/conf.y b/usr.sbin/sasyncd/conf.y index 419e928c4af..b9ddc7a965d 100644 --- a/usr.sbin/sasyncd/conf.y +++ b/usr.sbin/sasyncd/conf.y @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.y,v 1.1 2005/04/03 17:19:26 ho Exp $ */ +/* $OpenBSD: conf.y,v 1.2 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -31,8 +31,10 @@ #include <sys/stat.h> #include <ctype.h> #include <fcntl.h> +#include <stdio.h> #include <string.h> #include <unistd.h> +#include <pwd.h> #include "sasyncd.h" #include "net.h" @@ -226,10 +228,19 @@ conf_parse_file(char *cfgfile) struct stat st; int fd, r; char *buf, *s, *d; + struct passwd *pw = getpwnam(SASYNCD_USER); if (stat(cfgfile, &st) != 0) goto bad; + /* Valid file? */ + if ((st.st_uid && st.st_uid != pw->pw_uid) || + ((st.st_mode & S_IFMT) != S_IFREG) || + ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)) { + log_msg(0, "configuration file has bad owner, type or mode"); + goto bad; + } + fd = open(cfgfile, O_RDONLY, 0); if (fd < 0) goto bad; @@ -277,7 +288,7 @@ conf_parse_file(char *cfgfile) return r; bad: - log_err("failed to open \"%s\"", cfgfile); + log_msg(0, "failed to open \"%s\"", cfgfile); return 1; } @@ -321,12 +332,11 @@ conf_init(int argc, char **argv) cfgfile = SASYNCD_CFGFILE; if (conf_parse_file(cfgfile) == 0) { - if (!cfgstate.certfile) - cfgstate.certfile = SASYNCD_CERTFILE; - if (!cfgstate.privkeyfile) - cfgstate.privkeyfile = SASYNCD_PRIVKEY; - if (!cfgstate.cafile) - cfgstate.cafile = SASYNCD_CAFILE; + if (!cfgstate.sharedkey) { + fprintf(stderr, "config: " + "no shared key specified, cannot continue"); + return 1; + } return 0; } diff --git a/usr.sbin/sasyncd/net.c b/usr.sbin/sasyncd/net.c index 8cb3dddc0e7..637f3f3258a 100644 --- a/usr.sbin/sasyncd/net.c +++ b/usr.sbin/sasyncd/net.c @@ -1,4 +1,4 @@ -/* $OpenBSD: net.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */ +/* $OpenBSD: net.c,v 1.2 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -36,7 +36,12 @@ #include <netinet/in.h> #include <arpa/inet.h> +#include <openssl/aes.h> +#include <openssl/sha.h> + #include <errno.h> +#include <stdio.h> +#include <stdlib.h> #include <string.h> #include <unistd.h> @@ -45,9 +50,7 @@ struct msg { u_int8_t *buf; - u_int8_t *obuf; /* Original buf w/o offset. */ u_int32_t len; - u_int32_t type; int refcnt; }; @@ -57,12 +60,31 @@ struct qmsg { }; int listen_socket; +AES_KEY aes_key[2]; +#define AES_IV_LEN AES_BLOCK_SIZE /* Local prototypes. */ static u_int8_t *net_read(struct syncpeer *, u_int32_t *, u_int32_t *); static int net_set_sa(struct sockaddr *, char *, in_port_t); static void net_check_peers(void *); +static void +dump_buf(int lvl, u_int8_t *b, u_int32_t len, char *title) +{ + u_int32_t i, off, blen = len*2 + 3 + strlen(title); + u_int8_t *buf = calloc(1, blen); + + if (!buf || cfgstate.verboselevel < lvl) + return; + + snprintf(buf, blen, "%s:\n", title); + off = strlen(buf); + for (i = 0; i < len; i++, off+=2) + snprintf(buf + off, blen - off, "%02x", b[i]); + log_msg(lvl, "%s", buf); + free(buf); +} + int net_init(void) { @@ -71,8 +93,19 @@ net_init(void) struct syncpeer *p; int r; - if (net_SSL_init()) + /* The shared key needs to be 128, 192 or 256 bits */ + r = (strlen(cfgstate.sharedkey) - 1) << 3; + if (r != 128 && r != 192 && r != 256) { + fprintf(stderr, "Bad shared key length (%d bits), " + "should be 128, 192 or 256\n", r); return -1; + } + + if (AES_set_encrypt_key(cfgstate.sharedkey, r, &aes_key[0]) || + AES_set_decrypt_key(cfgstate.sharedkey, r, &aes_key[1])) { + fprintf(stderr, "Bad AES shared key\n"); + return -1; + } /* Setup listening socket. */ memset(&sa_storage, 0, sizeof sa_storage); @@ -124,10 +157,6 @@ net_enqueue(struct syncpeer *p, struct msg *m) if (p->socket < 0) return; - if (!p->ssl) - if (net_SSL_connect(p)) - return; - qm = (struct qmsg *)malloc(sizeof *qm); if (!qm) { log_err("malloc()"); @@ -147,23 +176,87 @@ net_enqueue(struct syncpeer *p, struct msg *m) * or to all peers if no peer is specified. */ int -net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf, - u_int32_t offset, u_int32_t len) +net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf, u_int32_t len) { struct syncpeer *p = p0; struct msg *m; + SHA_CTX ctx; + u_int8_t hash[SHA_DIGEST_LENGTH]; + u_int8_t iv[AES_IV_LEN], tmp_iv[AES_IV_LEN]; + u_int32_t v, padlen = 0; + int i, offset; - m = (struct msg *)malloc(sizeof *m); + m = (struct msg *)calloc(1, sizeof *m); if (!m) { - log_err("malloc()"); + log_err("calloc()"); free(buf); return -1; } - memset(m, 0, sizeof *m); - m->obuf = buf; - m->buf = buf + offset; - m->len = len; - m->type = msgtype; + + /* Generate hash */ + SHA1_Init(&ctx); + SHA1_Update(&ctx, buf, len); + SHA1_Final(hash, &ctx); + dump_buf(5, hash, sizeof hash, "Hash"); + + /* Padding required? */ + i = len % AES_IV_LEN; + if (i) { + u_int8_t *pbuf; + i = AES_IV_LEN - i; + pbuf = realloc(buf, len + i); + if (!pbuf) { + log_err("net_queue: realloc()"); + free(buf); + free(m); + return -1; + } + padlen = i; + while (i > 0) + pbuf[len++] = (u_int8_t)i--; + buf = pbuf; + } + + /* Get random IV */ + for (i = 0; i <= sizeof iv - sizeof v; i += sizeof v) { + v = arc4random(); + memcpy(&iv[i], &v, sizeof v); + } + dump_buf(5, iv, sizeof iv, "IV"); + memcpy(tmp_iv, iv, sizeof tmp_iv); + + /* Encrypt */ + dump_buf(5, buf, len, "Pre-enc"); + AES_cbc_encrypt(buf, buf, len, &aes_key[0], tmp_iv, AES_ENCRYPT); + dump_buf(5, buf, len, "Post-enc"); + + /* Allocate send buffer */ + m->len = len + sizeof iv + sizeof hash + 3 * sizeof(u_int32_t); + m->buf = (u_int8_t *)malloc(m->len); + if (!m->buf) { + free(m); + free(buf); + log_err("net_queue: calloc()"); + return -1; + } + offset = 0; + + /* Fill it (order must match parsing code in net_read()) */ + v = htonl(m->len - sizeof(u_int32_t)); + memcpy(m->buf + offset, &v, sizeof v); + offset += sizeof v; + v = htonl(msgtype); + memcpy(m->buf + offset, &v, sizeof v); + offset += sizeof v; + v = htonl(padlen); + memcpy(m->buf + offset, &v, sizeof v); + offset += sizeof v; + memcpy(m->buf + offset, hash, sizeof hash); + offset += sizeof hash; + memcpy(m->buf + offset, iv, sizeof iv); + offset += sizeof iv; + memcpy(m->buf + offset, buf, len); + free(buf); if (p) net_enqueue(p, m); @@ -173,7 +266,7 @@ net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf, net_enqueue(p, m); if (!m->refcnt) { - free(m->obuf); + free(m->buf); free(m); } @@ -265,7 +358,6 @@ net_handle_messages(fd_set *fds) /* Match! */ found++; p->socket = newsock; - p->ssl = NULL; log_msg(1, "peer \"%s\" connected", p->name); } if (!found) { @@ -324,7 +416,7 @@ net_send_messages(fd_set *fds) struct syncpeer *p; struct qmsg *qm; struct msg *m; - u_int32_t v; + ssize_t r; for (p = LIST_FIRST(&cfgstate.peerlist); p; p = LIST_NEXT(p, link)) { if (p->socket < 0 || !FD_ISSET(p->socket, fds)) @@ -337,27 +429,25 @@ net_send_messages(fd_set *fds) } m = qm->msg; - log_msg(4, "sending msg %p (qm %p ref %d) to peer %s", m, qm, - m->refcnt, p->name); + log_msg(4, "sending msg %p len %d ref %d to peer %s", m, + m->len, m->refcnt, p->name); - /* Send the message. */ - v = htonl(m->type); - if (net_SSL_write(p, &v, sizeof v)) + /* write message */ + r = write(p->socket, m->buf, m->len); + if (r == -1) + log_err("net_send_messages: write()"); + else if (r < (ssize_t)m->len) { + /* XXX retransmit? */ continue; + } - v = htonl(m->len); - if (net_SSL_write(p, &v, sizeof v)) - continue; - - (void)net_SSL_write(p, m->buf, m->len); - - /* Cleanup. */ + /* cleanup */ SIMPLEQ_REMOVE_HEAD(&p->msgs, next); free(qm); if (--m->refcnt < 1) { log_msg(4, "freeing msg %p", m); - free(m->obuf); + free(m->buf); free(m); } } @@ -367,7 +457,6 @@ net_send_messages(fd_set *fds) void net_disconnect_peer(struct syncpeer *p) { - net_SSL_disconnect(p); if (p->socket > -1) close(p->socket); p->socket = -1; @@ -385,7 +474,7 @@ net_shutdown(void) SIMPLEQ_REMOVE_HEAD(&p->msgs, next); m = qm->msg; if (--m->refcnt < 1) { - free(m->obuf); + free(m->buf); free(m); } free(qm); @@ -399,7 +488,6 @@ net_shutdown(void) if (listen_socket > -1) close(listen_socket); - net_SSL_shutdown(); } /* @@ -409,29 +497,77 @@ net_shutdown(void) static u_int8_t * net_read(struct syncpeer *p, u_int32_t *msgtype, u_int32_t *msglen) { - u_int8_t *msg; - u_int32_t v; + u_int8_t *msg, *blob, *rhash, *iv, hash[SHA_DIGEST_LENGTH]; + u_int32_t v, blob_len; + int padlen = 0, offset = 0, r; + SHA_CTX ctx; - if (net_SSL_read(p, &v, sizeof v)) + /* Read blob length */ + if (read(p->socket, &v, sizeof v) != (ssize_t)sizeof v) return NULL; - *msgtype = ntohl(v); + blob_len = ntohl(v); + if (blob_len < sizeof hash + AES_IV_LEN + 2 * sizeof(u_int32_t)) + return NULL; + *msglen = blob_len - sizeof hash - AES_IV_LEN - 2 * sizeof(u_int32_t); - if (*msgtype > MSG_MAXTYPE) + /* Read message blob */ + blob = (u_int8_t *)malloc(blob_len); + if (!blob) { + log_err("net_read: malloc()"); + return NULL; + } + r = read(p->socket, blob, blob_len); + if (r == -1) { + free(blob); + return NULL; + } else if (r < (ssize_t)blob_len) { + /* XXX wait and read more? */ + fprintf(stderr, "net_read: wanted %d, got %d\n", blob_len, r); + free(blob); return NULL; + } + + offset = 0; + memcpy(&v, blob + offset, sizeof v); + *msgtype = ntohl(v); + offset += sizeof v; - if (net_SSL_read(p, &v, sizeof v)) + if (*msgtype > MSG_MAXTYPE) { + free(blob); return NULL; - *msglen = ntohl(v); + } - /* XXX msglen sanity */ + memcpy(&v, blob + offset, sizeof v); + padlen = ntohl(v); + offset += sizeof v; + rhash = blob + offset; + iv = rhash + sizeof hash; msg = (u_int8_t *)malloc(*msglen); - memset(msg, 0, *msglen); - if (net_SSL_read(p, msg, *msglen)) { - free(msg); + if (!msg) { + free(blob); return NULL; } - + memcpy(msg, iv + AES_IV_LEN, *msglen); + + dump_buf(5, rhash, sizeof hash, "Recv hash"); + dump_buf(5, iv, sizeof iv, "Recv IV"); + dump_buf(5, msg, *msglen, "Pre-decrypt"); + AES_cbc_encrypt(msg, msg, *msglen, &aes_key[1], iv, AES_DECRYPT); + dump_buf(5, msg, *msglen, "Post-decrypt"); + *msglen -= padlen; + + SHA1_Init(&ctx); + SHA1_Update(&ctx, msg, *msglen); + SHA1_Final(hash, &ctx); + dump_buf(5, hash, sizeof hash, "Local hash"); + + if (memcmp(hash, rhash, sizeof hash) != 0) { + free(blob); + log_msg(0, "net_read: bad msg hash (shared key typo?)"); + return NULL; + } + free(blob); return msg; } @@ -487,7 +623,7 @@ net_connect_peers(void) setitimer(ITIMER_REAL, &iv, NULL); for (p = LIST_FIRST(&cfgstate.peerlist); p; p = LIST_NEXT(p, link)) { - if (p->ssl || p->socket > -1) + if (p->socket > -1) continue; memset(sa, 0, sizeof sa_storage); diff --git a/usr.sbin/sasyncd/net.h b/usr.sbin/sasyncd/net.h index b3a5569a187..901ea1b35f9 100644 --- a/usr.sbin/sasyncd/net.h +++ b/usr.sbin/sasyncd/net.h @@ -1,4 +1,4 @@ -/* $OpenBSD: net.h,v 1.1 2005/03/30 18:44:49 ho Exp $ */ +/* $OpenBSD: net.h,v 1.2 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -30,14 +30,11 @@ */ -#include <openssl/ssl.h> - struct qmsg; struct syncpeer { LIST_ENTRY(syncpeer) link; char *name; /* FQDN or an IP, from conf */ - SSL *ssl; int socket; enum RUNSTATE runstate; @@ -60,10 +57,3 @@ int net_ctl_send_ack(struct syncpeer *, enum CTLTYPE, u_int32_t); int net_ctl_send_error(struct syncpeer *, enum CTLTYPE); int net_ctl_send_state(struct syncpeer *); -/* net_ssl.c */ -int net_SSL_init(void); -int net_SSL_connect(struct syncpeer *); -void net_SSL_disconnect(struct syncpeer *); -int net_SSL_read(struct syncpeer *, void *, u_int32_t); -int net_SSL_write(struct syncpeer *, void *, u_int32_t); -void net_SSL_shutdown(void); diff --git a/usr.sbin/sasyncd/net_ctl.c b/usr.sbin/sasyncd/net_ctl.c index f58668363d3..4ffcf92e7b6 100644 --- a/usr.sbin/sasyncd/net_ctl.c +++ b/usr.sbin/sasyncd/net_ctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: net_ctl.c,v 1.2 2005/05/22 12:14:16 ho Exp $ */ +/* $OpenBSD: net_ctl.c,v 1.3 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -37,6 +37,7 @@ #include <arpa/inet.h> #include <errno.h> +#include <stdlib.h> #include <string.h> #include <unistd.h> @@ -155,7 +156,7 @@ net_ctl_send(struct syncpeer *p, u_int32_t type, u_int32_t d, u_int32_t d2) m->data = htonl(d); m->data2 = htonl(d2); - return net_queue(p, MSG_SYNCCTL, (u_int8_t *)m, 0, sizeof *m); + return net_queue(p, MSG_SYNCCTL, (u_int8_t *)m, sizeof *m); } int diff --git a/usr.sbin/sasyncd/net_ssl.c b/usr.sbin/sasyncd/net_ssl.c deleted file mode 100644 index 7cef23bf112..00000000000 --- a/usr.sbin/sasyncd/net_ssl.c +++ /dev/null @@ -1,239 +0,0 @@ -/* $OpenBSD: net_ssl.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */ - -/* - * Copyright (c) 2005 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Multicom Security AB. - */ - - -#include <sys/types.h> - -#include <openssl/ssl.h> -#include <openssl/tls1.h> -#include <openssl/err.h> - -#include <string.h> - -#include "sasyncd.h" -#include "net.h" - -/* Global SSL context. */ -SSL_CTX *ctx; - -static void net_SSL_dump_stack(int); -static void net_SSL_print_error(int, int); - -int -net_SSL_init(void) -{ - SSL_library_init(); - SSL_load_error_strings(); - - ctx = SSL_CTX_new(TLSv1_method()); - if (!ctx) - return -1; - - (void)SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); - - /* Load CA cert. */ - if (!SSL_CTX_load_verify_locations(ctx, cfgstate.cafile, NULL)) { - net_SSL_dump_stack(0); - fprintf(stderr, "cannot read \"%s\": %s\n", cfgstate.cafile, - strerror(errno)); - return -1; - } - - /* Load our certificate. */ - if (!SSL_CTX_use_certificate_chain_file(ctx, cfgstate.certfile)) { - net_SSL_dump_stack(0); - fprintf(stderr, "cannot read \"%s\": %s\n", cfgstate.certfile, - strerror(errno)); - return -1; - } - - /* Load and check private key. */ - if (!SSL_CTX_use_PrivateKey_file(ctx, cfgstate.privkeyfile, - SSL_FILETYPE_PEM)) { - net_SSL_dump_stack(0); - if (ERR_GET_REASON(ERR_peek_error() == EVP_R_BAD_DECRYPT)) { - fprintf(stderr, "bad pass phrase\n"); - return -1; - } else { - fprintf(stderr, "cannot read \"%s\": %s\n", - cfgstate.privkeyfile, strerror(errno)); - return -1; - } - } - if (!SSL_CTX_check_private_key(ctx)) { - net_SSL_dump_stack(0); - fprintf(stderr, "Private key does not match certificate\n"); - return -1; - } - return 0; -} - -int -net_SSL_connect(struct syncpeer *p) -{ - int r, err; - - p->ssl = SSL_new(ctx); - if (!p->ssl) - return -1; - SSL_set_fd(p->ssl, p->socket); - r = SSL_connect(p->ssl); - if (r != 1) { - err = SSL_get_error(p->ssl, r); - net_SSL_print_error(err, r); - return -1; - } - log_msg(2, "TLS connection established with peer " - "\"%s\"", p->name); - return 0; -} - -void -net_SSL_disconnect(struct syncpeer *p) -{ - if (p->ssl) { - SSL_shutdown(p->ssl); - SSL_free(p->ssl); - } - p->ssl = NULL; -} - -static void -net_SSL_dump_stack(int level) -{ - int err; - - while ((err = ERR_get_error()) != 0) - log_msg(level, "%s", ERR_error_string(err, NULL)); -} - -static void -net_SSL_print_error(int r, int prev) -{ - char *msg; - - switch (r) { - case SSL_ERROR_NONE: - msg = "SSL_ERROR_NONE"; - break; - case SSL_ERROR_ZERO_RETURN: - msg = "SSL_ERROR_ZERO_RETURN"; - break; - case SSL_ERROR_WANT_READ: - msg = "SSL_ERROR_WANT_READ"; - break; - case SSL_ERROR_WANT_WRITE: - msg = "SSL_ERROR_WANT_WRITE"; - break; - case SSL_ERROR_WANT_CONNECT: - msg = "SSL_ERROR_WANT_CONNECT"; - break; - case SSL_ERROR_WANT_ACCEPT: - msg = "SSL_ERROR_WANT_ACCEPT"; - break; - case SSL_ERROR_WANT_X509_LOOKUP: - msg = "SSL_ERROR_WANT_X509_LOOKUP"; - break; - case SSL_ERROR_SYSCALL: - msg = "SSL_ERROR_SYSCALL"; - break; - case SSL_ERROR_SSL: - msg = "SSL_ERROR_SSL"; - break; - default: - msg = "<unknown error>"; - break; - } - - log_msg(3, "SSL: \"%s\" original code = %d", msg, prev); - - net_SSL_dump_stack(3); -} - -static int -net_SSL_io(struct syncpeer *p, void *buf, u_int32_t len, int writeflag) -{ - int ret, e; - - retry: - if (writeflag) - ret = SSL_write(p->ssl, buf, len); - else - ret = SSL_read(p->ssl, buf, len); - if (ret == (int)len) - return 0; - - e = SSL_get_error(p->ssl, ret); - net_SSL_print_error(e, ret); - - if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE) - goto retry; /* Enough to just retry here? XXX */ - - log_msg(1, "peer \"%s\" disconnected", p->name); - net_disconnect_peer(p); - return 1; -} - -int -net_SSL_read(struct syncpeer *p, void *buf, u_int32_t len) -{ - int r, err; - - if (!p->ssl) { - p->ssl = SSL_new(ctx); - if (!p->ssl) { - log_msg(0, "SSL_new() failed"); - return NULL; - } - SSL_set_fd(p->ssl, p->socket); - r = SSL_accept(p->ssl); - if (r != 1) { - err = SSL_get_error(p->ssl, r); - net_SSL_print_error(err, r); - return NULL; - } - } - - return net_SSL_io(p, buf, len, 0); -} - -int -net_SSL_write(struct syncpeer *p, void *buf, u_int32_t len) -{ - return net_SSL_io(p, buf, len, 1); -} - -void -net_SSL_shutdown(void) -{ - ERR_free_strings(); - SSL_CTX_free(ctx); -} diff --git a/usr.sbin/sasyncd/pfkey.c b/usr.sbin/sasyncd/pfkey.c index 6ec09d5c327..e5892863297 100644 --- a/usr.sbin/sasyncd/pfkey.c +++ b/usr.sbin/sasyncd/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */ +/* $OpenBSD: pfkey.c,v 1.2 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -112,7 +112,7 @@ pfkey_print_type(struct sadb_msg *msg) static int pfkey_handle_message(struct sadb_msg *m) { - struct sadb_msg *msg = m; + struct sadb_msg *msg = m; /* * Report errors, but ignore for DELETE (both isakmpd and kernel will @@ -125,10 +125,11 @@ pfkey_handle_message(struct sadb_msg *m) /* We only want promiscuous messages here, skip all others. */ if (msg->sadb_msg_type != SADB_X_PROMISC || - (msg->sadb_msg_len * CHUNK) <= 2 * sizeof *msg) { + (msg->sadb_msg_len * CHUNK) < 2 * sizeof *msg) { free(m); return 0; } + /* Move next msg to start of the buffer. */ msg++; /* @@ -162,9 +163,10 @@ pfkey_handle_message(struct sadb_msg *m) /* FALLTHROUGH */ default: - /* The rest should just be passed along to our peers. */ - return net_queue(NULL, MSG_PFKEYDATA, (u_int8_t *)m, sizeof *m, - msg->sadb_msg_len * CHUNK); + /* Pass the the rest along to our peers. */ + memmove(m, msg, msg->sadb_msg_len * CHUNK); /* for realloc */ + return net_queue(NULL, MSG_PFKEYDATA, (u_int8_t *)m, + m->sadb_msg_len * CHUNK); } return 0; @@ -211,11 +213,11 @@ pfkey_init(int reinit) } cfgstate.pfkey_socket = fd; - if (reinit) { - if (cfgstate.runstate == MASTER) - pfkey_set_promisc(); + if (cfgstate.runstate == MASTER) + pfkey_set_promisc(); + + if (reinit) return (fd > -1 ? 0 : -1); - } SIMPLEQ_INIT(&pfkey_msglist); return 0; diff --git a/usr.sbin/sasyncd/sasyncd.c b/usr.sbin/sasyncd/sasyncd.c index b859cb3ed69..c9923279737 100644 --- a/usr.sbin/sasyncd/sasyncd.c +++ b/usr.sbin/sasyncd/sasyncd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sasyncd.c,v 1.6 2005/05/22 12:14:16 ho Exp $ */ +/* $OpenBSD: sasyncd.c,v 1.7 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -145,6 +145,12 @@ main(int argc, char **argv) extern char *__progname; int r; + if (geteuid() != 0) { + /* No point in continuing. */ + fprintf(stderr, "This daemon needs to be run as root.\n"); + return 1; + } + /* Init. */ closefrom(STDERR_FILENO + 1); for (r = 0; r <= 2; r++) @@ -167,12 +173,6 @@ main(int argc, char **argv) if (r) return 1; - if (geteuid() != 0) { - /* No point in continuing. */ - fprintf(stderr, "This daemon needs to be run as root.\n"); - return 1; - } - if (carp_init()) return 1; if (pfkey_init(0)) diff --git a/usr.sbin/sasyncd/sasyncd.h b/usr.sbin/sasyncd/sasyncd.h index 57648575482..3eb107e33c8 100644 --- a/usr.sbin/sasyncd/sasyncd.h +++ b/usr.sbin/sasyncd/sasyncd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sasyncd.h,v 1.3 2005/05/22 12:14:16 ho Exp $ */ +/* $OpenBSD: sasyncd.h,v 1.4 2005/05/22 20:35:48 ho Exp $ */ /* * Copyright (c) 2005 Håkan Olsson. All rights reserved. @@ -47,10 +47,6 @@ struct cfgstate { char *carp_ifname; int carp_check_interval; - char *cafile; - char *certfile; - char *privkeyfile; - char *sharedkey; int pfkey_socket; @@ -67,11 +63,7 @@ extern struct cfgstate cfgstate; #define SASYNCD_CFGFILE "/etc/sasyncd.conf" #define CARP_DEFAULT_INTERVAL 10 - -#define SASYNCD_DEFAULT_PORT 501 -#define SASYNCD_CAFILE "/etc/ssl/ca.crt" -#define SASYNCD_CERTFILE "/etc/ssl/sasyncd.crt" -#define SASYNCD_PRIVKEY "/etc/ssl/private/sasyncd.key" +#define SASYNCD_DEFAULT_PORT 500 /* * sasyncd "protocol" definition @@ -103,8 +95,7 @@ void log_err(const char *, ...); void net_ctl_update_state(void); int net_init(void); void net_handle_messages(fd_set *); -int net_queue(struct syncpeer *, u_int32_t, u_int8_t *, u_int32_t, - u_int32_t); +int net_queue(struct syncpeer *, u_int32_t, u_int8_t *, u_int32_t); void net_send_messages(fd_set *); int net_set_rfds(fd_set *); int net_set_pending_wfds(fd_set *); |