authorHakan Olsson <ho@cvs.openbsd.org>2005-05-22 20:35:49 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2005-05-22 20:35:49 +0000
commit1ab007e874cbeba337139155761f26c8f44c67c6 (patch)
tree6ef487ecb146e950798fd415b7f4ec02652f8b42 /usr.sbin/sasyncd
parent70630e70ff57f4e98691631edb8aea27a95cc743 (diff)
No more SSL between peers, instead do shared key AES & SHA
Diffstat (limited to 'usr.sbin/sasyncd')
-rw-r--r--usr.sbin/sasyncd/Makefile7
-rw-r--r--usr.sbin/sasyncd/conf.y26
-rw-r--r--usr.sbin/sasyncd/net.c234
-rw-r--r--usr.sbin/sasyncd/net.h12
-rw-r--r--usr.sbin/sasyncd/net_ctl.c5
-rw-r--r--usr.sbin/sasyncd/net_ssl.c239
-rw-r--r--usr.sbin/sasyncd/pfkey.c22
-rw-r--r--usr.sbin/sasyncd/sasyncd.c14
-rw-r--r--usr.sbin/sasyncd/sasyncd.h15
9 files changed, 232 insertions, 342 deletions
diff --git a/usr.sbin/sasyncd/Makefile b/usr.sbin/sasyncd/Makefile
index 5f7a8af1d14..33feeabf7dc 100644
--- a/usr.sbin/sasyncd/Makefile
+++ b/usr.sbin/sasyncd/Makefile
@@ -1,8 +1,7 @@
-# $Id: Makefile,v 1.2 2005/04/03 17:19:26 ho Exp $
+# $Id: Makefile,v 1.3 2005/05/22 20:35:48 ho Exp $
PROG= sasyncd
-SRCS= sasyncd.c carp.c conf.y log.c net.c net_ctl.c net_ssl.c \
- pfkey.c timer.c
+SRCS= sasyncd.c carp.c conf.y log.c net.c net_ctl.c pfkey.c timer.c
MAN= sasyncd.8 sasyncd.conf.5
CFLAGS+= -I${.CURDIR}
@@ -17,6 +16,6 @@ CLEANFILES= y.tab.h
CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes \
-Wmissing-declarations
-LDADD+= -lcrypto -lssl
+LDADD+= -lcrypto
.include <bsd.prog.mk>
diff --git a/usr.sbin/sasyncd/conf.y b/usr.sbin/sasyncd/conf.y
index 419e928c4af..b9ddc7a965d 100644
--- a/usr.sbin/sasyncd/conf.y
+++ b/usr.sbin/sasyncd/conf.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.y,v 1.1 2005/04/03 17:19:26 ho Exp $ */
+/* $OpenBSD: conf.y,v 1.2 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -31,8 +31,10 @@
#include <sys/stat.h>
#include <ctype.h>
#include <fcntl.h>
+#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <pwd.h>
#include "sasyncd.h"
#include "net.h"
@@ -226,10 +228,19 @@ conf_parse_file(char *cfgfile)
struct stat st;
int fd, r;
char *buf, *s, *d;
+ struct passwd *pw = getpwnam(SASYNCD_USER);
if (stat(cfgfile, &st) != 0)
goto bad;
+ /* Valid file? */
+ if ((st.st_uid && st.st_uid != pw->pw_uid) ||
+ ((st.st_mode & S_IFMT) != S_IFREG) ||
+ ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)) {
+ log_msg(0, "configuration file has bad owner, type or mode");
+ goto bad;
+ }
+
fd = open(cfgfile, O_RDONLY, 0);
if (fd < 0)
goto bad;
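Review bot: `pw->pw_uid` in the new ownership test is dereferenced without checking that `getpwnam(SASYNCD_USER)` returned anything, so a host without the `SASYNCD_USER` account now crashes in conf_parse_file instead of reporting the problem. Add `if (pw == NULL) { log_msg(0, "no such user \"%s\"", SASYNCD_USER); goto bad; }` before the `stat()` call. Since the file now carries the shared key, the owner/type/mode test would also be stronger on the descriptor — `fstat(fd, &st)` after the `open()` — than on the path, which closes the stat-then-open window. conf_parse_file begins and ends outside this hunk.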
@@ -277,7 +288,7 @@ conf_parse_file(char *cfgfile)
return r;
bad:
- log_err("failed to open \"%s\"", cfgfile);
+ log_msg(0, "failed to open \"%s\"", cfgfile);
return 1;
}
@@ -321,12 +332,11 @@ conf_init(int argc, char **argv)
cfgfile = SASYNCD_CFGFILE;
if (conf_parse_file(cfgfile) == 0) {
- if (!cfgstate.certfile)
- cfgstate.certfile = SASYNCD_CERTFILE;
- if (!cfgstate.privkeyfile)
- cfgstate.privkeyfile = SASYNCD_PRIVKEY;
- if (!cfgstate.cafile)
- cfgstate.cafile = SASYNCD_CAFILE;
+ if (!cfgstate.sharedkey) {
+ fprintf(stderr, "config: "
+ "no shared key specified, cannot continue");
+ return 1;
+ }
return 0;
}
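Review bot: The new `fprintf(stderr, "config: " "no shared key specified, cannot continue");` has no trailing newline, so the message runs into whatever stderr prints next; the other new diagnostics in this commit (`net_init`, `net_read`) do terminate their lines. Write it as `fprintf(stderr, "config: no shared key specified, cannot continue\n");`. conf_init begins above this hunk.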
diff --git a/usr.sbin/sasyncd/net.c b/usr.sbin/sasyncd/net.c
index 8cb3dddc0e7..637f3f3258a 100644
--- a/usr.sbin/sasyncd/net.c
+++ b/usr.sbin/sasyncd/net.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: net.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */
+/* $OpenBSD: net.c,v 1.2 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -36,7 +36,12 @@
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <openssl/aes.h>
+#include <openssl/sha.h>
+
#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -45,9 +50,7 @@
struct msg {
u_int8_t *buf;
- u_int8_t *obuf; /* Original buf w/o offset. */
u_int32_t len;
- u_int32_t type;
int refcnt;
};
@@ -57,12 +60,31 @@ struct qmsg {
};
int listen_socket;
+AES_KEY aes_key[2];
+#define AES_IV_LEN AES_BLOCK_SIZE
/* Local prototypes. */
static u_int8_t *net_read(struct syncpeer *, u_int32_t *, u_int32_t *);
static int net_set_sa(struct sockaddr *, char *, in_port_t);
static void net_check_peers(void *);
+static void
+dump_buf(int lvl, u_int8_t *b, u_int32_t len, char *title)
+{
+ u_int32_t i, off, blen = len*2 + 3 + strlen(title);
+ u_int8_t *buf = calloc(1, blen);
+
+ if (!buf || cfgstate.verboselevel < lvl)
+ return;
+
+ snprintf(buf, blen, "%s:\n", title);
+ off = strlen(buf);
+ for (i = 0; i < len; i++, off+=2)
+ snprintf(buf + off, blen - off, "%02x", b[i]);
+ log_msg(lvl, "%s", buf);
+ free(buf);
+}
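Review bot: `dump_buf` calls `calloc()` before it tests `cfgstate.verboselevel < lvl`, so at every verbosity below 5 — the normal case — the early return leaks `blen` bytes, and net_queue and net_read call it several times per message. Test verbosity first: `if (cfgstate.verboselevel < lvl) return;` and only then `buf = calloc(1, blen); if (!buf) return;`. The function also deserves a warning comment, because at level 5 it writes the "Pre-enc" payload — presumably the PF_KEY SA material being synchronised — and the IV into the log: `/* Level 5 dumps plaintext SA material to the log; never enable on a production node. */`. `snprintf()` takes `char *`, so `buf` should be declared `char *` rather than `u_int8_t *`.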
+
int
net_init(void)
{
@@ -71,8 +93,19 @@ net_init(void)
struct syncpeer *p;
int r;
- if (net_SSL_init())
+ /* The shared key needs to be 128, 192 or 256 bits */
+ r = (strlen(cfgstate.sharedkey) - 1) << 3;
+ if (r != 128 && r != 192 && r != 256) {
+ fprintf(stderr, "Bad shared key length (%d bits), "
+ "should be 128, 192 or 256\n", r);
return -1;
+ }
+
+ if (AES_set_encrypt_key(cfgstate.sharedkey, r, &aes_key[0]) ||
+ AES_set_decrypt_key(cfgstate.sharedkey, r, &aes_key[1])) {
+ fprintf(stderr, "Bad AES shared key\n");
+ return -1;
+ }
/* Setup listening socket. */
memset(&sa_storage, 0, sizeof sa_storage);
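Review bot: The configuration string is used byte-for-byte as the AES key in `AES_set_encrypt_key(cfgstate.sharedkey, r, …)`, so a 16-character printable passphrase yields far less than 128 bits of key entropy, and the `- 1` in `(strlen(cfgstate.sharedkey) - 1) << 3` is unexplained — if the parser leaves a trailing byte on the string, that byte is counted out of the length but is still at the start of the key bytes, and an empty string makes `r` negative (`int` from a `size_t` expression), printing "-8 bits". Consider deriving the key material from the passphrase with a hash-based derivation step, which also removes the exact-length requirement, and document the subtraction once its reason is confirmed, e.g. `/* strlen() includes the trailing byte left by the parser; verify */`. `aes_key[]` is file-scope but not `static`. net_init continues below this hunk.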
@@ -124,10 +157,6 @@ net_enqueue(struct syncpeer *p, struct msg *m)
if (p->socket < 0)
return;
- if (!p->ssl)
- if (net_SSL_connect(p))
- return;
-
qm = (struct qmsg *)malloc(sizeof *qm);
if (!qm) {
log_err("malloc()");
@@ -147,23 +176,87 @@ net_enqueue(struct syncpeer *p, struct msg *m)
* or to all peers if no peer is specified.
*/
int
-net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf,
- u_int32_t offset, u_int32_t len)
+net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf, u_int32_t len)
{
struct syncpeer *p = p0;
struct msg *m;
+ SHA_CTX ctx;
+ u_int8_t hash[SHA_DIGEST_LENGTH];
+ u_int8_t iv[AES_IV_LEN], tmp_iv[AES_IV_LEN];
+ u_int32_t v, padlen = 0;
+ int i, offset;
- m = (struct msg *)malloc(sizeof *m);
+ m = (struct msg *)calloc(1, sizeof *m);
if (!m) {
- log_err("malloc()");
+ log_err("calloc()");
free(buf);
return -1;
}
- memset(m, 0, sizeof *m);
- m->obuf = buf;
- m->buf = buf + offset;
- m->len = len;
- m->type = msgtype;
+
+ /* Generate hash */
+ SHA1_Init(&ctx);
+ SHA1_Update(&ctx, buf, len);
+ SHA1_Final(hash, &ctx);
+ dump_buf(5, hash, sizeof hash, "Hash");
+
+ /* Padding required? */
+ i = len % AES_IV_LEN;
+ if (i) {
+ u_int8_t *pbuf;
+ i = AES_IV_LEN - i;
+ pbuf = realloc(buf, len + i);
+ if (!pbuf) {
+ log_err("net_queue: realloc()");
+ free(buf);
+ free(m);
+ return -1;
+ }
+ padlen = i;
+ while (i > 0)
+ pbuf[len++] = (u_int8_t)i--;
+ buf = pbuf;
+ }
+
+ /* Get random IV */
+ for (i = 0; i <= sizeof iv - sizeof v; i += sizeof v) {
+ v = arc4random();
+ memcpy(&iv[i], &v, sizeof v);
+ }
+ dump_buf(5, iv, sizeof iv, "IV");
+ memcpy(tmp_iv, iv, sizeof tmp_iv);
+
+ /* Encrypt */
+ dump_buf(5, buf, len, "Pre-enc");
+ AES_cbc_encrypt(buf, buf, len, &aes_key[0], tmp_iv, AES_ENCRYPT);
+ dump_buf(5, buf, len, "Post-enc");
+
+ /* Allocate send buffer */
+ m->len = len + sizeof iv + sizeof hash + 3 * sizeof(u_int32_t);
+ m->buf = (u_int8_t *)malloc(m->len);
+ if (!m->buf) {
+ free(m);
+ free(buf);
+ log_err("net_queue: calloc()");
+ return -1;
+ }
+ offset = 0;
+
+ /* Fill it (order must match parsing code in net_read()) */
+ v = htonl(m->len - sizeof(u_int32_t));
+ memcpy(m->buf + offset, &v, sizeof v);
+ offset += sizeof v;
+ v = htonl(msgtype);
+ memcpy(m->buf + offset, &v, sizeof v);
+ offset += sizeof v;
+ v = htonl(padlen);
+ memcpy(m->buf + offset, &v, sizeof v);
+ offset += sizeof v;
+ memcpy(m->buf + offset, hash, sizeof hash);
+ offset += sizeof hash;
+ memcpy(m->buf + offset, iv, sizeof iv);
+ offset += sizeof iv;
+ memcpy(m->buf + offset, buf, len);
+ free(buf);
if (p)
net_enqueue(p, m);
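Review bot: The integrity value stored at `memcpy(m->buf + offset, hash, sizeof hash)` is an unkeyed SHA-1 of the plaintext, transmitted in the clear, so it neither authenticates the sender nor hides the content: anyone on the path can test a guessed plaintext against it, and a MSG_SYNCCTL body (which appears to be three 32-bit words, one AES block) is small enough to enumerate, after which flipping bits in the cleartext IV and recomputing SHA-1 over the chosen plaintext yields a control message the peer accepts. Replace it with a keyed MAC computed after the buffer is filled, over the length/type/padlen header, IV and ciphertext (encrypt-then-MAC), keyed by a value derived from the shared secret independently of `aes_key`; net_read must then verify it before decrypting. Nothing in the framing prevents replay of a captured message either, so a per-peer sequence number inside the authenticated header is also needed. The rewritten tail is below (`hash_off` is a new local, `hctx` an `HMAC_CTX`, `<openssl/hmac.h>` is required, and the `SHA1_*` block near the top of the function is dropped).
```c
	/* … unchanged: padding, IV generation, AES_cbc_encrypt, send-buffer allocation … */
	offset = 0;

	/* Fill it (order must match parsing code in net_read()) */
	/* … unchanged: length, msgtype and padlen fields … */
	hash_off = offset;	/* MAC slot; written once the rest is in place */
	offset += SHA_DIGEST_LENGTH;
	memcpy(m->buf + offset, iv, sizeof iv);
	offset += sizeof iv;
	memcpy(m->buf + offset, buf, len);
	free(buf);

	/*
	 * Encrypt-then-MAC over everything except the MAC slot itself.
	 * mac_key must be derived from the shared secret separately from
	 * aes_key so the same bytes never serve as both cipher and MAC key.
	 */
	HMAC_Init(&hctx, mac_key, sizeof mac_key, EVP_sha1());
	HMAC_Update(&hctx, m->buf, hash_off);
	HMAC_Update(&hctx, m->buf + hash_off + SHA_DIGEST_LENGTH,
	    m->len - hash_off - SHA_DIGEST_LENGTH);
	HMAC_Final(&hctx, m->buf + hash_off, NULL);
	HMAC_cleanup(&hctx);
```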
@@ -173,7 +266,7 @@ net_queue(struct syncpeer *p0, u_int32_t msgtype, u_int8_t *buf,
net_enqueue(p, m);
if (!m->refcnt) {
- free(m->obuf);
+ free(m->buf);
free(m);
}
@@ -265,7 +358,6 @@ net_handle_messages(fd_set *fds)
/* Match! */
found++;
p->socket = newsock;
- p->ssl = NULL;
log_msg(1, "peer \"%s\" connected", p->name);
}
if (!found) {
@@ -324,7 +416,7 @@ net_send_messages(fd_set *fds)
struct syncpeer *p;
struct qmsg *qm;
struct msg *m;
- u_int32_t v;
+ ssize_t r;
for (p = LIST_FIRST(&cfgstate.peerlist); p; p = LIST_NEXT(p, link)) {
if (p->socket < 0 || !FD_ISSET(p->socket, fds))
@@ -337,27 +429,25 @@ net_send_messages(fd_set *fds)
}
m = qm->msg;
- log_msg(4, "sending msg %p (qm %p ref %d) to peer %s", m, qm,
- m->refcnt, p->name);
+ log_msg(4, "sending msg %p len %d ref %d to peer %s", m,
+ m->len, m->refcnt, p->name);
- /* Send the message. */
- v = htonl(m->type);
- if (net_SSL_write(p, &v, sizeof v))
+ /* write message */
+ r = write(p->socket, m->buf, m->len);
+ if (r == -1)
+ log_err("net_send_messages: write()");
+ else if (r < (ssize_t)m->len) {
+ /* XXX retransmit? */
continue;
+ }
- v = htonl(m->len);
- if (net_SSL_write(p, &v, sizeof v))
- continue;
-
- (void)net_SSL_write(p, m->buf, m->len);
-
- /* Cleanup. */
+ /* cleanup */
SIMPLEQ_REMOVE_HEAD(&p->msgs, next);
free(qm);
if (--m->refcnt < 1) {
log_msg(4, "freeing msg %p", m);
- free(m->obuf);
+ free(m->buf);
free(m);
}
}
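Review bot: The `else if (r < (ssize_t)m->len) continue;` branch leaves the partially written message at the head of `p->msgs`, so the next pass resends it from byte 0 while the peer has already consumed the first `r` bytes as the start of a frame — the length-prefixed stream is then permanently out of sync, and net_read has no way to resynchronise; the `r == -1` branch meanwhile drops the message but keeps the connection. The safe minimum for both cases is to tear the connection down so the queue is replayed whole on reconnect, assuming net_disconnect_peer leaves `p->msgs` intact as its visible part suggests: `log_msg(1, "peer \"%s\" write failed, disconnecting", p->name); net_disconnect_peer(p); continue;` in place of the bare `continue` and the `log_err` fall-through. A per-peer send offset would be the full fix if dropping the peer is too disruptive. net_send_messages begins above this hunk.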
@@ -367,7 +457,6 @@ net_send_messages(fd_set *fds)
void
net_disconnect_peer(struct syncpeer *p)
{
- net_SSL_disconnect(p);
if (p->socket > -1)
close(p->socket);
p->socket = -1;
@@ -385,7 +474,7 @@ net_shutdown(void)
SIMPLEQ_REMOVE_HEAD(&p->msgs, next);
m = qm->msg;
if (--m->refcnt < 1) {
- free(m->obuf);
+ free(m->buf);
free(m);
}
free(qm);
@@ -399,7 +488,6 @@ net_shutdown(void)
if (listen_socket > -1)
close(listen_socket);
- net_SSL_shutdown();
}
/*
@@ -409,29 +497,77 @@ net_shutdown(void)
static u_int8_t *
net_read(struct syncpeer *p, u_int32_t *msgtype, u_int32_t *msglen)
{
- u_int8_t *msg;
- u_int32_t v;
+ u_int8_t *msg, *blob, *rhash, *iv, hash[SHA_DIGEST_LENGTH];
+ u_int32_t v, blob_len;
+ int padlen = 0, offset = 0, r;
+ SHA_CTX ctx;
- if (net_SSL_read(p, &v, sizeof v))
+ /* Read blob length */
+ if (read(p->socket, &v, sizeof v) != (ssize_t)sizeof v)
return NULL;
- *msgtype = ntohl(v);
+ blob_len = ntohl(v);
+ if (blob_len < sizeof hash + AES_IV_LEN + 2 * sizeof(u_int32_t))
+ return NULL;
+ *msglen = blob_len - sizeof hash - AES_IV_LEN - 2 * sizeof(u_int32_t);
- if (*msgtype > MSG_MAXTYPE)
+ /* Read message blob */
+ blob = (u_int8_t *)malloc(blob_len);
+ if (!blob) {
+ log_err("net_read: malloc()");
+ return NULL;
+ }
+ r = read(p->socket, blob, blob_len);
+ if (r == -1) {
+ free(blob);
+ return NULL;
+ } else if (r < (ssize_t)blob_len) {
+ /* XXX wait and read more? */
+ fprintf(stderr, "net_read: wanted %d, got %d\n", blob_len, r);
+ free(blob);
return NULL;
+ }
+
+ offset = 0;
+ memcpy(&v, blob + offset, sizeof v);
+ *msgtype = ntohl(v);
+ offset += sizeof v;
- if (net_SSL_read(p, &v, sizeof v))
+ if (*msgtype > MSG_MAXTYPE) {
+ free(blob);
return NULL;
- *msglen = ntohl(v);
+ }
- /* XXX msglen sanity */
+ memcpy(&v, blob + offset, sizeof v);
+ padlen = ntohl(v);
+ offset += sizeof v;
+ rhash = blob + offset;
+ iv = rhash + sizeof hash;
msg = (u_int8_t *)malloc(*msglen);
- memset(msg, 0, *msglen);
- if (net_SSL_read(p, msg, *msglen)) {
- free(msg);
+ if (!msg) {
+ free(blob);
return NULL;
}
-
+ memcpy(msg, iv + AES_IV_LEN, *msglen);
+
+ dump_buf(5, rhash, sizeof hash, "Recv hash");
+ dump_buf(5, iv, sizeof iv, "Recv IV");
+ dump_buf(5, msg, *msglen, "Pre-decrypt");
+ AES_cbc_encrypt(msg, msg, *msglen, &aes_key[1], iv, AES_DECRYPT);
+ dump_buf(5, msg, *msglen, "Post-decrypt");
+ *msglen -= padlen;
+
+ SHA1_Init(&ctx);
+ SHA1_Update(&ctx, msg, *msglen);
+ SHA1_Final(hash, &ctx);
+ dump_buf(5, hash, sizeof hash, "Local hash");
+
+ if (memcmp(hash, rhash, sizeof hash) != 0) {
+ free(blob);
+ log_msg(0, "net_read: bad msg hash (shared key typo?)");
+ return NULL;
+ }
+ free(blob);
return msg;
}
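Review bot: `padlen` is taken from the wire at `padlen = ntohl(v)` and applied unchecked at `*msglen -= padlen`, so a sender (nothing before this point authenticates who connected) can supply a value larger than `*msglen`, or one that is negative in the `int`, making `*msglen` wrap and the following `SHA1_Update` and the caller read far beyond the `msg` allocation; `*msglen` is likewise never checked to be a whole number of AES blocks. `blob_len` is also unbounded, so `malloc(blob_len)` accepts anything up to 4 GB from one 4-byte header — cap it at the largest message the PF_KEY side can produce. Two smaller defects: on hash mismatch `msg` is leaked (only `blob` is freed), and `dump_buf(5, iv, sizeof iv, "Recv IV")` dumps `sizeof(u_int8_t *)` bytes because `iv` is a pointer in this function, so it should pass `AES_IV_LEN`. The validation and cleanup changes are below.
```c
	u_int32_t v, blob_len, padlen = 0;	/* padlen unsigned: validated below */
	int offset = 0, r;
	/* … unchanged: read blob length, bound and allocate blob, read blob, msgtype … */
	memcpy(&v, blob + offset, sizeof v);
	padlen = ntohl(v);
	offset += sizeof v;
	/* Padding is 0..AES_IV_LEN-1 bytes and the payload must be whole blocks. */
	if (padlen >= AES_IV_LEN || padlen > *msglen ||
	    *msglen % AES_IV_LEN != 0) {
		log_msg(0, "net_read: bad length/padding from peer \"%s\"",
		    p->name);
		free(blob);
		return NULL;
	}
	/* … unchanged: rhash/iv pointers, msg allocation, decrypt, local hash … */
	if (memcmp(hash, rhash, sizeof hash) != 0) {
		free(msg);
		free(blob);
		log_msg(0, "net_read: bad msg hash (shared key typo?)");
		return NULL;
	}
```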
@@ -487,7 +623,7 @@ net_connect_peers(void)
setitimer(ITIMER_REAL, &iv, NULL);
for (p = LIST_FIRST(&cfgstate.peerlist); p; p = LIST_NEXT(p, link)) {
- if (p->ssl || p->socket > -1)
+ if (p->socket > -1)
continue;
memset(sa, 0, sizeof sa_storage);
diff --git a/usr.sbin/sasyncd/net.h b/usr.sbin/sasyncd/net.h
index b3a5569a187..901ea1b35f9 100644
--- a/usr.sbin/sasyncd/net.h
+++ b/usr.sbin/sasyncd/net.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: net.h,v 1.1 2005/03/30 18:44:49 ho Exp $ */
+/* $OpenBSD: net.h,v 1.2 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -30,14 +30,11 @@
*/
-#include <openssl/ssl.h>
-
struct qmsg;
struct syncpeer {
LIST_ENTRY(syncpeer) link;
char *name; /* FQDN or an IP, from conf */
- SSL *ssl;
int socket;
enum RUNSTATE runstate;
@@ -60,10 +57,3 @@ int net_ctl_send_ack(struct syncpeer *, enum CTLTYPE, u_int32_t);
int net_ctl_send_error(struct syncpeer *, enum CTLTYPE);
int net_ctl_send_state(struct syncpeer *);
-/* net_ssl.c */
-int net_SSL_init(void);
-int net_SSL_connect(struct syncpeer *);
-void net_SSL_disconnect(struct syncpeer *);
-int net_SSL_read(struct syncpeer *, void *, u_int32_t);
-int net_SSL_write(struct syncpeer *, void *, u_int32_t);
-void net_SSL_shutdown(void);
diff --git a/usr.sbin/sasyncd/net_ctl.c b/usr.sbin/sasyncd/net_ctl.c
index f58668363d3..4ffcf92e7b6 100644
--- a/usr.sbin/sasyncd/net_ctl.c
+++ b/usr.sbin/sasyncd/net_ctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: net_ctl.c,v 1.2 2005/05/22 12:14:16 ho Exp $ */
+/* $OpenBSD: net_ctl.c,v 1.3 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -37,6 +37,7 @@
#include <arpa/inet.h>
#include <errno.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -155,7 +156,7 @@ net_ctl_send(struct syncpeer *p, u_int32_t type, u_int32_t d, u_int32_t d2)
m->data = htonl(d);
m->data2 = htonl(d2);
- return net_queue(p, MSG_SYNCCTL, (u_int8_t *)m, 0, sizeof *m);
+ return net_queue(p, MSG_SYNCCTL, (u_int8_t *)m, sizeof *m);
}
int
diff --git a/usr.sbin/sasyncd/net_ssl.c b/usr.sbin/sasyncd/net_ssl.c
deleted file mode 100644
index 7cef23bf112..00000000000
--- a/usr.sbin/sasyncd/net_ssl.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/* $OpenBSD: net_ssl.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */
-
-/*
- * Copyright (c) 2005 Håkan Olsson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This code was written under funding by Multicom Security AB.
- */
-
-
-#include <sys/types.h>
-
-#include <openssl/ssl.h>
-#include <openssl/tls1.h>
-#include <openssl/err.h>
-
-#include <string.h>
-
-#include "sasyncd.h"
-#include "net.h"
-
-/* Global SSL context. */
-SSL_CTX *ctx;
-
-static void net_SSL_dump_stack(int);
-static void net_SSL_print_error(int, int);
-
-int
-net_SSL_init(void)
-{
- SSL_library_init();
- SSL_load_error_strings();
-
- ctx = SSL_CTX_new(TLSv1_method());
- if (!ctx)
- return -1;
-
- (void)SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
-
- /* Load CA cert. */
- if (!SSL_CTX_load_verify_locations(ctx, cfgstate.cafile, NULL)) {
- net_SSL_dump_stack(0);
- fprintf(stderr, "cannot read \"%s\": %s\n", cfgstate.cafile,
- strerror(errno));
- return -1;
- }
-
- /* Load our certificate. */
- if (!SSL_CTX_use_certificate_chain_file(ctx, cfgstate.certfile)) {
- net_SSL_dump_stack(0);
- fprintf(stderr, "cannot read \"%s\": %s\n", cfgstate.certfile,
- strerror(errno));
- return -1;
- }
-
- /* Load and check private key. */
- if (!SSL_CTX_use_PrivateKey_file(ctx, cfgstate.privkeyfile,
- SSL_FILETYPE_PEM)) {
- net_SSL_dump_stack(0);
- if (ERR_GET_REASON(ERR_peek_error() == EVP_R_BAD_DECRYPT)) {
- fprintf(stderr, "bad pass phrase\n");
- return -1;
- } else {
- fprintf(stderr, "cannot read \"%s\": %s\n",
- cfgstate.privkeyfile, strerror(errno));
- return -1;
- }
- }
- if (!SSL_CTX_check_private_key(ctx)) {
- net_SSL_dump_stack(0);
- fprintf(stderr, "Private key does not match certificate\n");
- return -1;
- }
- return 0;
-}
-
-int
-net_SSL_connect(struct syncpeer *p)
-{
- int r, err;
-
- p->ssl = SSL_new(ctx);
- if (!p->ssl)
- return -1;
- SSL_set_fd(p->ssl, p->socket);
- r = SSL_connect(p->ssl);
- if (r != 1) {
- err = SSL_get_error(p->ssl, r);
- net_SSL_print_error(err, r);
- return -1;
- }
- log_msg(2, "TLS connection established with peer "
- "\"%s\"", p->name);
- return 0;
-}
-
-void
-net_SSL_disconnect(struct syncpeer *p)
-{
- if (p->ssl) {
- SSL_shutdown(p->ssl);
- SSL_free(p->ssl);
- }
- p->ssl = NULL;
-}
-
-static void
-net_SSL_dump_stack(int level)
-{
- int err;
-
- while ((err = ERR_get_error()) != 0)
- log_msg(level, "%s", ERR_error_string(err, NULL));
-}
-
-static void
-net_SSL_print_error(int r, int prev)
-{
- char *msg;
-
- switch (r) {
- case SSL_ERROR_NONE:
- msg = "SSL_ERROR_NONE";
- break;
- case SSL_ERROR_ZERO_RETURN:
- msg = "SSL_ERROR_ZERO_RETURN";
- break;
- case SSL_ERROR_WANT_READ:
- msg = "SSL_ERROR_WANT_READ";
- break;
- case SSL_ERROR_WANT_WRITE:
- msg = "SSL_ERROR_WANT_WRITE";
- break;
- case SSL_ERROR_WANT_CONNECT:
- msg = "SSL_ERROR_WANT_CONNECT";
- break;
- case SSL_ERROR_WANT_ACCEPT:
- msg = "SSL_ERROR_WANT_ACCEPT";
- break;
- case SSL_ERROR_WANT_X509_LOOKUP:
- msg = "SSL_ERROR_WANT_X509_LOOKUP";
- break;
- case SSL_ERROR_SYSCALL:
- msg = "SSL_ERROR_SYSCALL";
- break;
- case SSL_ERROR_SSL:
- msg = "SSL_ERROR_SSL";
- break;
- default:
- msg = "<unknown error>";
- break;
- }
-
- log_msg(3, "SSL: \"%s\" original code = %d", msg, prev);
-
- net_SSL_dump_stack(3);
-}
-
-static int
-net_SSL_io(struct syncpeer *p, void *buf, u_int32_t len, int writeflag)
-{
- int ret, e;
-
- retry:
- if (writeflag)
- ret = SSL_write(p->ssl, buf, len);
- else
- ret = SSL_read(p->ssl, buf, len);
- if (ret == (int)len)
- return 0;
-
- e = SSL_get_error(p->ssl, ret);
- net_SSL_print_error(e, ret);
-
- if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE)
- goto retry; /* Enough to just retry here? XXX */
-
- log_msg(1, "peer \"%s\" disconnected", p->name);
- net_disconnect_peer(p);
- return 1;
-}
-
-int
-net_SSL_read(struct syncpeer *p, void *buf, u_int32_t len)
-{
- int r, err;
-
- if (!p->ssl) {
- p->ssl = SSL_new(ctx);
- if (!p->ssl) {
- log_msg(0, "SSL_new() failed");
- return NULL;
- }
- SSL_set_fd(p->ssl, p->socket);
- r = SSL_accept(p->ssl);
- if (r != 1) {
- err = SSL_get_error(p->ssl, r);
- net_SSL_print_error(err, r);
- return NULL;
- }
- }
-
- return net_SSL_io(p, buf, len, 0);
-}
-
-int
-net_SSL_write(struct syncpeer *p, void *buf, u_int32_t len)
-{
- return net_SSL_io(p, buf, len, 1);
-}
-
-void
-net_SSL_shutdown(void)
-{
- ERR_free_strings();
- SSL_CTX_free(ctx);
-}
diff --git a/usr.sbin/sasyncd/pfkey.c b/usr.sbin/sasyncd/pfkey.c
index 6ec09d5c327..e5892863297 100644
--- a/usr.sbin/sasyncd/pfkey.c
+++ b/usr.sbin/sasyncd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.1 2005/03/30 18:44:49 ho Exp $ */
+/* $OpenBSD: pfkey.c,v 1.2 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -112,7 +112,7 @@ pfkey_print_type(struct sadb_msg *msg)
static int
pfkey_handle_message(struct sadb_msg *m)
{
- struct sadb_msg *msg = m;
+ struct sadb_msg *msg = m;
/*
* Report errors, but ignore for DELETE (both isakmpd and kernel will
@@ -125,10 +125,11 @@ pfkey_handle_message(struct sadb_msg *m)
/* We only want promiscuous messages here, skip all others. */
if (msg->sadb_msg_type != SADB_X_PROMISC ||
- (msg->sadb_msg_len * CHUNK) <= 2 * sizeof *msg) {
+ (msg->sadb_msg_len * CHUNK) < 2 * sizeof *msg) {
free(m);
return 0;
}
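Review bot: The added comment `/* Move next msg to start of the buffer. */` sits above `msg++`, which only advances the pointer past the outer promisc header; the actual move to the start of the buffer is the `memmove` in the later hunk. A reader will look for a copy here, so word it for what this line does: `/* Skip the outer (promisc) header; the inner msg is moved down later. */`. pfkey_handle_message begins above this hunk.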
+ /* Move next msg to start of the buffer. */
msg++;
/*
@@ -162,9 +163,10 @@ pfkey_handle_message(struct sadb_msg *m)
/* FALLTHROUGH */
default:
- /* The rest should just be passed along to our peers. */
- return net_queue(NULL, MSG_PFKEYDATA, (u_int8_t *)m, sizeof *m,
- msg->sadb_msg_len * CHUNK);
+ /* Pass the the rest along to our peers. */
+ memmove(m, msg, msg->sadb_msg_len * CHUNK); /* for realloc */
+ return net_queue(NULL, MSG_PFKEYDATA, (u_int8_t *)m,
+ m->sadb_msg_len * CHUNK);
}
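Review bot: `memmove(m, msg, msg->sadb_msg_len * CHUNK)` copies the inner message's self-declared length, but the only size check (`< 2 * sizeof *msg`, in the earlier hunk) guarantees just two headers, so an inner `sadb_msg_len` larger than what the outer promisc message carries reads past the end of `m`. The data comes from the kernel's PF_KEY socket, so this is defence in depth rather than an exposed hole, but it is one comparison before the memmove, while `m` still points at the outer header: `if (msg->sadb_msg_len * CHUNK > m->sadb_msg_len * CHUNK - sizeof *m) { free(m); return 0; }`. The comment also reads "Pass the the rest". pfkey_handle_message ends below this hunk.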
return 0;
@@ -211,11 +213,11 @@ pfkey_init(int reinit)
}
cfgstate.pfkey_socket = fd;
- if (reinit) {
- if (cfgstate.runstate == MASTER)
- pfkey_set_promisc();
+ if (cfgstate.runstate == MASTER)
+ pfkey_set_promisc();
+
+ if (reinit)
return (fd > -1 ? 0 : -1);
- }
SIMPLEQ_INIT(&pfkey_msglist);
return 0;
diff --git a/usr.sbin/sasyncd/sasyncd.c b/usr.sbin/sasyncd/sasyncd.c
index b859cb3ed69..c9923279737 100644
--- a/usr.sbin/sasyncd/sasyncd.c
+++ b/usr.sbin/sasyncd/sasyncd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sasyncd.c,v 1.6 2005/05/22 12:14:16 ho Exp $ */
+/* $OpenBSD: sasyncd.c,v 1.7 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -145,6 +145,12 @@ main(int argc, char **argv)
extern char *__progname;
int r;
+ if (geteuid() != 0) {
+ /* No point in continuing. */
+ fprintf(stderr, "This daemon needs to be run as root.\n");
+ return 1;
+ }
+
/* Init. */
closefrom(STDERR_FILENO + 1);
for (r = 0; r <= 2; r++)
@@ -167,12 +173,6 @@ main(int argc, char **argv)
if (r)
return 1;
- if (geteuid() != 0) {
- /* No point in continuing. */
- fprintf(stderr, "This daemon needs to be run as root.\n");
- return 1;
- }
-
if (carp_init())
return 1;
if (pfkey_init(0))
diff --git a/usr.sbin/sasyncd/sasyncd.h b/usr.sbin/sasyncd/sasyncd.h
index 57648575482..3eb107e33c8 100644
--- a/usr.sbin/sasyncd/sasyncd.h
+++ b/usr.sbin/sasyncd/sasyncd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sasyncd.h,v 1.3 2005/05/22 12:14:16 ho Exp $ */
+/* $OpenBSD: sasyncd.h,v 1.4 2005/05/22 20:35:48 ho Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@@ -47,10 +47,6 @@ struct cfgstate {
char *carp_ifname;
int carp_check_interval;
- char *cafile;
- char *certfile;
- char *privkeyfile;
-
char *sharedkey;
int pfkey_socket;
@@ -67,11 +63,7 @@ extern struct cfgstate cfgstate;
#define SASYNCD_CFGFILE "/etc/sasyncd.conf"
#define CARP_DEFAULT_INTERVAL 10
-
-#define SASYNCD_DEFAULT_PORT 501
-#define SASYNCD_CAFILE "/etc/ssl/ca.crt"
-#define SASYNCD_CERTFILE "/etc/ssl/sasyncd.crt"
-#define SASYNCD_PRIVKEY "/etc/ssl/private/sasyncd.key"
+#define SASYNCD_DEFAULT_PORT 500
/*
* sasyncd "protocol" definition
@@ -103,8 +95,7 @@ void log_err(const char *, ...);
void net_ctl_update_state(void);
int net_init(void);
void net_handle_messages(fd_set *);
-int net_queue(struct syncpeer *, u_int32_t, u_int8_t *, u_int32_t,
- u_int32_t);
+int net_queue(struct syncpeer *, u_int32_t, u_int8_t *, u_int32_t);
void net_send_messages(fd_set *);
int net_set_rfds(fd_set *);
int net_set_pending_wfds(fd_set *);