diff options
| -rw-r--r-- | sbin/isakmpd/Makefile | 11 | ||||
| -rw-r--r-- | sbin/isakmpd/ike_auth.c | 108 | ||||
| -rw-r--r-- | sbin/isakmpd/isakmpd.8 | 36 | ||||
| -rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 9 |
4 files changed, 156 insertions, 8 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile index 73f535071e9..fb84be311ea 100644 --- a/sbin/isakmpd/Makefile +++ b/sbin/isakmpd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.41 2001/07/06 09:35:57 ho Exp $ +# $OpenBSD: Makefile,v 1.42 2001/08/15 09:16:29 ho Exp $ # $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $ # @@ -51,9 +51,9 @@ OS= openbsd # Compile-time configuration of otherwise optional features #FEATURES= tripledes des blowfish cast policy x509 ec aggressive debug gmp -#FEATURES+= isakmp_cfg dnssec +#FEATURES+= rawkey isakmp_cfg dnssec FEATURES= tripledes des blowfish cast policy x509 ec aggressive debug -#FEATURES= +FEATURES+= rawkey .PATH: ${.CURDIR}/sysdep/${OS} @@ -169,6 +169,11 @@ DPADD+= ${LIBKEYNOTE} ${LIBM} CFLAGS+= -DUSE_KEYNOTE .endif +.ifdef USE_RAWKEY +USE_LIBCRYPTO= yes +CFLAGS+= -DUSE_RAWKEY +.endif + .ifdef USE_LIBCRYPTO CFLAGS+= -DUSE_LIBCRYPTO LDADD+= -lcrypto diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index 3f8a45737e3..e9e6aa592a1 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.52 2001/07/01 19:48:43 niklas Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.53 2001/08/15 09:16:29 ho Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* @@ -90,6 +90,11 @@ static int rsa_sig_decode_hash (struct message *); static int rsa_sig_encode_hash (struct message *); #endif +#if defined (USE_RAWKEY) +#define PUBKEY_DIR_DEFAULT "/etc/isakmpd/pubkeys" +static int get_raw_key_from_file (int, u_int8_t *, size_t, RSA **); +#endif + static int ike_auth_hash (struct exchange *, u_int8_t *); static struct ike_auth ike_auth[] = { @@ -796,6 +801,13 @@ rsa_sig_decode_hash (struct message *msg) } #endif /* USE_DNSSEC */ +#if defined (USE_RAWKEY) + /* If we still have not found a key, try to read it from a file. */ + if (!found) + if (get_raw_key_from_file (IKE_AUTH_RSA_SIG, id, id_len, &key) != -1) + found++; +#endif + if (!found) { log_print ("rsa_sig_decode_hash: no public key found"); @@ -1172,3 +1184,97 @@ ike_auth_hash (struct exchange *exchange, u_int8_t *buf) return 0; } + +#if defined (USE_RAWKEY) +static int +get_raw_key_from_file (int type, u_int8_t *id, size_t id_len, RSA **rsa) +{ + char filename[FILENAME_MAX]; + char *rdir, *base, *addrstr = 0; + struct stat st; + FILE *fp; + + if (type != IKE_AUTH_RSA_SIG) /* XXX More types? */ + { + LOG_DBG ((LOG_NEGOTIATION, 20, "get_raw_key_from_file: " + "invalid auth type %d\n", type)); + return -1; + } + + *rsa = 0; + + rdir = conf_get_str ("General", "Pubkey-directory"); + if (!rdir) + rdir = PUBKEY_DIR_DEFAULT; + + strncpy (filename, rdir, FILENAME_MAX - 1); + filename[FILENAME_MAX - 1] = '\0'; + base = filename + strlen (filename) - 1; + + switch (GET_ISAKMP_ID_TYPE (id)) + { + case IPSEC_ID_IPV4_ADDR: + if (id_len < sizeof (struct in_addr)) + return -1; + util_ntoa (&addrstr, AF_INET, id + ISAKMP_ID_DATA_OFF); + if (!addrstr) + return -1; + strncat (filename, "/ipv4/", FILENAME_MAX - 1 - strlen (filename)); + strncat (filename, addrstr, FILENAME_MAX - 1 - strlen (filename)); + break; + + case IPSEC_ID_IPV6_ADDR: + if (id_len < sizeof (struct in6_addr)) + return -1; + util_ntoa (&addrstr, AF_INET6, id + ISAKMP_ID_DATA_OFF); + if (!addrstr) + return -1; + strncat (filename, "/ipv6/", FILENAME_MAX - 1 - strlen (filename)); + strncat (filename, addrstr, FILENAME_MAX - 1 - strlen (filename)); + break; + + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + if (GET_ISAKMP_ID_TYPE (id) == IPSEC_ID_FQDN) + addrstr = "/fqdn/"; + else + addrstr = "/ufqdn/"; + + strncat (filename, addrstr, FILENAME_MAX - 1 - strlen (filename)); + + /* Id is not NULL-terminated. */ + id_len -= ISAKMP_ID_DATA_OFF; + id_len = MIN (id_len, FILENAME_MAX - 1 - strlen (filename)); + memcpy (base + strlen (addrstr), id + ISAKMP_ID_DATA_OFF, id_len); + *(base + strlen (addrstr) + id_len) = '\0'; + addrstr = 0; + break; + + default: + /* Unknown type. */ + LOG_DBG ((LOG_NEGOTIATION, 10, "get_raw_key_from_file: " + "unknown identity type %d\n", GET_ISAKMP_ID_TYPE (id))); + return -1; + break; + } + + /* If the file does not exist, fail silently. */ + if (stat (filename, &st) == 0) + { + fp = fopen (filename, "r"); + if (!fp) + { + log_error ("get_raw_key_from_file: could not open \"%s\"", filename); + goto out; + } + *rsa = LC (PEM_read_RSAPublicKey, (fp, NULL, NULL, NULL)); + fclose (fp); + } + + out: + if (addrstr) + free (addrstr); + + return (*rsa ? 0 : -1); +} +#endif /* USE_RAWKEY */ diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8 index e18b40e1700..b6424c8f770 100644 --- a/sbin/isakmpd/isakmpd.8 +++ b/sbin/isakmpd/isakmpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.8,v 1.29 2001/07/20 18:07:11 mpech Exp $ +.\" $OpenBSD: isakmpd.8,v 1.30 2001/08/15 09:16:29 ho Exp $ .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ .\" .\" Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. @@ -217,7 +217,7 @@ should take part in, or there will be a need to setup one. In the former case, what is needed to be done varies depending on the actual Certificate Authority used, and is therefore not covered here, more than mentioning that -.Xr openssl 8 +.Xr openssl 1 needs to be used to create a certificate signing request that the CA understands. The latter case however is described here: .Pp @@ -306,10 +306,36 @@ on your local system. Also carry over the CA cert and put it in .Pa /etc/isakmpd/ca/. .El +.Pp +It is also possible to store trusted public keys to make them directly +usable by +.Nm isakmpd . +The keys should be saved in PEM format (see +.Xr openssl 1 ) +and named and stored after this easy formula: +.Bl -tag -width for_ufqdn_identities +.It For IPv4 identities +/etc/isakmpd/pubkeys/ipv4/A.B.C.D +.It For IPv6 identities +/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc +.It For FQDN identities +/etc/isakmpd/pubkeys/fqdn/foo.bar.org +.It For UFQDN identities +/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org +.El .Sh BUGS The .Fl P flag does not do what we document, rather it does nothing. +.Sh CAVEATS +When storing a trusted public key for an IPv6 identity, the +.Em most efficient +form of address representation, i.e "::" instead of ":0:0:0:", +must be used or the matching will fail. +.Nm +uses the output from +.Xr getnameinfo 3 +for the address-to-name translation. .Sh FILES .Bl -tag -width /etc/isakmpd/private/local. .It Pa /etc/isakmpd/ca/ @@ -331,6 +357,9 @@ A local private key for certificate based authentication. There has to be a certificate for this key in the certificate directory mentioned above. The same mode requirements as .Nm isakmpd.conf . +.It Pa /etc/isakmpd/pubkeys/ +Directory in which trusted public keys can be kept. The keys must be +named after a fashion described above. .It Pa /var/run/isakmpd.pid The PID of the current daemon. .It Pa /var/run/isakmpd.fifo @@ -351,7 +380,8 @@ and keynote policy configuration files. .Xr ipsec 4 , .Xr isakmpd.conf 5 , .Xr isakmpd.policy 5 , -.Xr openssl 8 , +.Xr getnameinfo 3 , +.Xr openssl 1 , .Xr pcap 3 , .Xr photurisd 8 , .Xr ssl 8 , diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5 index 5bd50264558..f490dae5596 100644 --- a/sbin/isakmpd/isakmpd.conf.5 +++ b/sbin/isakmpd/isakmpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.56 2001/08/02 09:55:38 ho Exp $ +.\" $OpenBSD: isakmpd.conf.5,v 1.57 2001/08/15 09:16:30 ho Exp $ .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ .\" .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. @@ -180,6 +180,13 @@ and setup SAs with eachother. Specifically this means replay protection will not be asked for, and errors that can occur when updating an SA with its parameters a 2nd time will be ignored. +.It Em Pubkey-directory +The directory in which +.Nm +looks for explicitly trusted public keys. The default is +"/etc/isakmpd/pubkeys". Read +.Xr isakmpd 8 +for the required naming convention of the files in here. .El .It Em Phase 1 ISAKMP SA negotiation parameter root |