-rw-r--r-- | sbin/isakmpd/conf.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/conf.h | 3 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 62 | ||||
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 6 |
5 files changed, 63 insertions, 16 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 31c7991e0e7..35066bd9772 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.89 2006/06/10 21:07:10 hshoexer Exp $ */
+/* $OpenBSD: conf.c,v 1.90 2006/06/10 21:09:45 msf Exp $ */
 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
 /*
@@ -478,6 +478,8 @@ conf_load_defaults(int tr)
 CONF_DFLT_X509_CERT_DIR, 0, 1);
 conf_set(tr, "X509-certificates", "Private-key",
 CONF_DFLT_X509_PRIVATE_KEY, 0, 1);
+ conf_set(tr, "X509-certificates", "Private-key-directory",
+ CONF_DFLT_X509_PRIVATE_KEY_DIR, 0, 1);
 conf_set(tr, "X509-certificates", "CRL-directory",
 CONF_DFLT_X509_CRL_DIR, 0, 1);
diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index d7c7ddbd9e3..bb77660e933 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.31 2005/12/28 10:57:35 hshoexer Exp $ */
+/* $OpenBSD: conf.h,v 1.32 2006/06/10 21:09:45 msf Exp $ */
 /* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */
 /*
@@ -63,6 +63,7 @@
 #define CONF_DFLT_X509_CA_DIR ISAKMPD_ROOT "ca/"
 #define CONF_DFLT_X509_CERT_DIR ISAKMPD_ROOT "certs/"
 #define CONF_DFLT_X509_PRIVATE_KEY ISAKMPD_ROOT "private/local.key"
+#define CONF_DFLT_X509_PRIVATE_KEY_DIR ISAKMPD_ROOT "private/"
 #define CONF_DFLT_X509_CRL_DIR ISAKMPD_ROOT "crls/"
 #define CONF_DFLT_PUBKEY_DIR ISAKMPD_ROOT "pubkeys/"
 #define CONF_DFLT_KEYNOTE_CRED_DIR ISAKMPD_ROOT "keynote/"
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index b1d323b9fa4..2de26d45f7d 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.106 2005/11/17 13:44:11 moritz Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.107 2006/06/10 21:09:45 msf Exp $ */
 /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
 /*
@@ -134,11 +134,11 @@ static void *
 ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
 {
 char *key, *buf;
- int fd;
- char *keyfile;
+ char *keyfile, *privkeyfile;
 FILE *keyfp;
 RSA *rsakey;
- size_t fsize;
+ size_t fsize, pkflen;
+ int fd;
 switch (type) {
 case IKE_AUTH_PRE_SHARED:
@@ -200,6 +200,7 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
 free(keyfile);
 goto ignorekeynote;
 }
+ size = (size_t)sb.st_size;
 if (fstat(fd, &sb) < 0) {
 log_print("ike_auth_get_key: fstat failed");
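Review bot: The added `size = (size_t)sb.st_size;` sits on the line before the `fstat(fd, &sb)` that fills `sb`, so unless `sb` was populated by an earlier stat outside this hunk it copies an uninitialized or stale size. The assignment belongs after the fstat error check, i.e. after the closing brace of `if (fstat(fd, &sb) < 0) { ... }`, and should be dropped entirely if the code there already assigns `size` from `sb.st_size`. `size` is also not among the declarations changed in the preceding hunk, so it presumably lives in the enclosing block; `ike_auth_get_key` continues outside the hunk.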
@@ -256,23 +257,57 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
 }
 ignorekeynote:
 /* Otherwise, try X.509 */
- keyfile = conf_get_str("X509-certificates", "Private-key");
- fd = monitor_open(keyfile, O_RDONLY, 0);
+ privkeyfile = keyfile = NULL;
+ fd = -1;
+
+ if (local_id) {
+ /* Look in Private-key-directory. */
+ keyfile = conf_get_str("X509-certificates",
+ "Private-key-directory");
+ pkflen = strlen(keyfile) + strlen(local_id) + sizeof "/";
+ privkeyfile = calloc(pkflen, sizeof(char));
+ if (!privkeyfile) {
+ log_print("ike_auth_get_key: failed to "
+ "allocate %lu bytes", (unsigned long)pkflen);
+ return 0;
+ }
+
+ snprintf(privkeyfile, pkflen, "%s/%s", keyfile,
+ local_id);
+ keyfile = privkeyfile;
+
+ fd = monitor_open(keyfile, O_RDONLY, 0);
+ if (fd < 0 && errno != ENOENT) {
+ log_print("ike_auth_get_key: failed opening "
+ "\"%s\"", keyfile);
+ free(privkeyfile);
+ }
+ }
+
 if (fd < 0) {
- log_print("ike_auth_get_key: failed opening \"%s\"",
- keyfile);
- return 0;
+ /* No key found, try default key. */
+ keyfile = conf_get_str("X509-certificates",
+ "Private-key");
+
+ fd = monitor_open(keyfile, O_RDONLY, 0);
+ if (fd < 0) {
+ log_print("ike_auth_get_key: failed opening "
+ "\"%s\"", keyfile);
+ return 0;
+ }
 }
- if (check_file_secrecy_fd(fd, keyfile, &fsize) < 0) {
- close(fd);
+ if (check_file_secrecy_fd(fd, keyfile, &fsize)) {
+ if (privkeyfile)
+ free(privkeyfile);
 return 0;
 }
 if ((keyfp = fdopen(fd, "r")) == NULL) {
 log_print("ike_auth_get_key: fdopen failed");
- close(fd);
+ if (privkeyfile)
+ free(privkeyfile);
 return 0;
 }
 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
@@ -282,6 +317,9 @@ ignorekeynote:
 #endif
 fclose(keyfp);
+ if (privkeyfile)
+ free(privkeyfile);
+
 if (!rsakey) {
 log_print("ike_auth_get_key: "
 "PEM_read_bio_RSAPrivateKey failed");
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index f72eb598964..0fe61694afb 100644
--- a/sbin/isakmpd/ike_quick_mode.c
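Review bot: In the `if (fd < 0 && errno != ENOENT)` branch `privkeyfile` is freed but not cleared, yet execution then falls through to open the default `Private-key`, and every later `if (privkeyfile) free(privkeyfile);` frees the same buffer again — a double free on both error exits here and on the success path after `fclose(keyfp)`; add `privkeyfile = NULL;` right after that `free(privkeyfile);`. The rewritten exits after `check_file_secrecy_fd` and `fdopen` also dropped the original `close(fd);`, so the opened key descriptor now leaks on those paths; restore `close(fd);` before each `return 0;`. The fallback further relies on `errno` surviving `monitor_open`, which is only sound if the privsep wrapper propagates the child's open(2) errno — worth confirming. `ike_auth_get_key` ends outside this hunk.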
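Review bot: The new `if (privkeyfile) free(privkeyfile);` after `fclose(keyfp)` guards a call that is already a no-op on NULL, so the plain `free(privkeyfile);` reads cleaner; the same guarded form appears at the two error exits in the preceding hunk. Releasing the path before the `if (!rsakey)` check is fine since the `PEM_read_bio_RSAPrivateKey failed` message that follows does not reference it. The function continues outside the hunk.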
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.98 2006/06/02 19:35:55 hshoexer Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.99 2006/06/10 21:09:45 msf Exp $ */
 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
 /*
@@ -150,6 +150,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
 return_values[1] = "true";
 /* Create a principal (authorizer) for the SA/ID request. */
+ fprintf(stderr, "ISAKMP_SA RECV_CERTTYPE: %i\n",
+ isakmp_sa->recv_certtype);
 switch (isakmp_sa->recv_certtype) {
 case ISAKMP_CERTENC_NONE:
 /*
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 9c6d26ff7d1..2e7dc0119f2 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.112 2006/05/27 21:09:11 hshoexer Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.113 2006/06/10 21:09:45 msf Exp $
 .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -399,6 +399,10 @@ holder identity; usually IP address, FQDN, or User FQDN.
 .It Em Private-key
 The private key matching the public key of our certificate (which should be in the "Cert-directory", and have an appropriate subjectAltName field).
+.It Em Private-key-directory
+A directory containing private keys named after an ID (IP addresses,
+.Dq user@domain ,
+or hostnames)
 .El
 .El
 .Sh REFERRED-TO SECTIONS |
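Review bot: The added `fprintf(stderr, "ISAKMP_SA RECV_CERTTYPE: %i\n", ...)` in `check_policy` is an unconditional write to stderr from a daemon that otherwise reports through its log facility (the `ike_auth.c` hunks in this same commit use `log_print`), so it will either vanish once stderr is detached or print on every quick-mode policy check; it reads like leftover debugging. Route it through the debug logger at a suitable level (isakmpd's `LOG_DBG((LOG_POLICY, ...))` macro, if that is what the surrounding code uses) or drop it before committing. `check_policy` continues outside the hunk.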