diff options
Diffstat (limited to 'sbin/isakmpd/ike_auth.c')
| -rw-r--r-- | sbin/isakmpd/ike_auth.c | 64 |
1 files changed, 41 insertions, 23 deletions
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index bbd5453e381..05e0c2245c9 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.82 2004/03/17 11:10:06 ho Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.83 2004/03/19 14:04:43 hshoexer Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* @@ -143,7 +143,11 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) #if defined (USE_X509) || defined (USE_KEYNOTE) char *keyfile; #if defined (USE_X509) +#if defined (USE_PRIVSEP) + FILE *keyfp; +#else BIO *keyh; +#endif RSA *rsakey; size_t fsize; #endif @@ -223,14 +227,14 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) PRIVATE_KEY_FILE); keyfile = privkeyfile; - if (stat (keyfile, &sb) < 0) + if (monitor_stat (keyfile, &sb) < 0) { free (keyfile); goto ignorekeynote; } size = (size_t)sb.st_size; - fd = open (keyfile, O_RDONLY, 0); + fd = monitor_open (keyfile, O_RDONLY, 0); if (fd < 0) { log_print ("ike_auth_get_key: failed opening \"%s\"", keyfile); @@ -296,6 +300,20 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) if (check_file_secrecy (keyfile, &fsize)) return 0; +#if defined (USE_PRIVSEP) + keyfp = monitor_fopen (keyfile, "r"); + if (!keyfp) + { + log_print ("ike_auth_get_key: failed opening \"%s\"", keyfile); + return 0; + } +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + rsakey = PEM_read_RSAPrivateKey (keyfp, NULL, NULL, NULL); +#else + rsakey = PEM_read_RSAPrivateKey (keyfp, NULL, NULL); +#endif + fclose (keyfp); +#else keyh = BIO_new (BIO_s_file ()); if (keyh == NULL) { @@ -318,6 +336,8 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) rsakey = PEM_read_bio_RSAPrivateKey (keyh, NULL, NULL); #endif BIO_free (keyh); +#endif /* USE_PRIVSEP */ + if (!rsakey) { log_print ("ike_auth_get_key: PEM_read_bio_RSAPrivateKey failed"); @@ -1052,13 +1072,6 @@ rsa_sig_encode_hash (struct message *msg) "SA acquisition subsystem"); return 0; } -#if defined (USE_PRIVSEP) - { - /* With USE_PRIVSEP, the sent_key should be a key number. */ - void *key = sent_key; - sent_key = monitor_RSA_upload_key (key); - } -#endif } else /* Try through the regular means. */ { @@ -1094,12 +1107,8 @@ rsa_sig_encode_hash (struct message *msg) return 0; } -#if defined (USE_PRIVSEP) - sent_key = monitor_RSA_get_private_key (exchange->name, (char *)buf2); -#else sent_key = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name, (char *)buf2, 0); -#endif free (buf2); /* Did we find a key? */ @@ -1110,14 +1119,12 @@ rsa_sig_encode_hash (struct message *msg) } } -#if !defined (USE_PRIVSEP) /* Enable RSA blinding. */ if (RSA_blinding_on (sent_key, NULL) != 1) { log_error ("rsa_sig_encode_hash: RSA_blinding_on () failed."); return -1; } -#endif /* XXX hashsize is not necessarily prf->blocksize. */ buf = malloc (hashsize); @@ -1138,7 +1145,6 @@ rsa_sig_encode_hash (struct message *msg) initiator ? 'I' : 'R'); LOG_DBG_BUF ((LOG_MISC, 80, header, buf, hashsize)); -#if !defined (USE_PRIVSEP) data = malloc (RSA_size (sent_key)); if (!data) { @@ -1149,17 +1155,13 @@ rsa_sig_encode_hash (struct message *msg) datalen = RSA_private_encrypt (hashsize, buf, data, sent_key, RSA_PKCS1_PADDING); -#else - datalen = monitor_RSA_private_encrypt (hashsize, buf, &data, sent_key, - RSA_PKCS1_PADDING); -#endif /* USE_PRIVSEP */ if (datalen == -1) { log_print ("rsa_sig_encode_hash: RSA_private_encrypt () failed"); if (data) free (data); free (buf); - monitor_RSA_free (sent_key); + RSA_free (sent_key); return -1; } @@ -1233,7 +1235,11 @@ get_raw_key_from_file (int type, u_int8_t *id, size_t id_len, RSA **rsa) char filename[FILENAME_MAX]; char *fstr; struct stat st; +#if defined (USE_PRIVSEP) + FILE *keyfp; +#else BIO *bio; +#endif if (type != IKE_AUTH_RSA_SIG) /* XXX More types? */ { @@ -1262,8 +1268,19 @@ get_raw_key_from_file (int type, u_int8_t *id, size_t id_len, RSA **rsa) free (fstr); /* If the file does not exist, fail silently. */ - if (stat (filename, &st) == 0) + if (monitor_stat (filename, &st) == 0) { +#if defined (USE_PRIVSEP) + keyfp = monitor_fopen (filename, "r"); + if (!keyfp) + { + log_error ("get_raw_key_from_file: monitor_fopen (\"%s\", \"r\") " + "failed", filename); + return -1; + } + *rsa = PEM_read_RSA_PUBKEY (keyfp, NULL, NULL, NULL); + fclose (keyfp); +#else bio = BIO_new (BIO_s_file ()); if (!bio) { @@ -1281,6 +1298,7 @@ get_raw_key_from_file (int type, u_int8_t *id, size_t id_len, RSA **rsa) filename)); *rsa = PEM_read_bio_RSA_PUBKEY (bio, NULL, NULL, NULL); BIO_free (bio); +#endif /* USE_PRIVSEP */ } else LOG_DBG ((LOG_NEGOTIATION, 50, "get_raw_key_from_file: file %s not found", |