diff options
Diffstat (limited to 'sbin/isakmpd/regress/x509')
-rw-r--r-- | sbin/isakmpd/regress/x509/.cvsignore | 2 | ||||
-rw-r--r-- | sbin/isakmpd/regress/x509/Makefile | 75 | ||||
-rw-r--r-- | sbin/isakmpd/regress/x509/x509test.c | 291 |
3 files changed, 0 insertions, 368 deletions
diff --git a/sbin/isakmpd/regress/x509/.cvsignore b/sbin/isakmpd/regress/x509/.cvsignore deleted file mode 100644 index 9863c982ac4..00000000000 --- a/sbin/isakmpd/regress/x509/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -x509test -obj diff --git a/sbin/isakmpd/regress/x509/Makefile b/sbin/isakmpd/regress/x509/Makefile deleted file mode 100644 index d03762f02da..00000000000 --- a/sbin/isakmpd/regress/x509/Makefile +++ /dev/null @@ -1,75 +0,0 @@ -# $OpenBSD: Makefile,v 1.15 2005/04/05 22:53:50 cloder Exp $ -# $EOM: Makefile,v 1.16 2000/09/28 12:53:27 niklas Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Test X509 - -# Enable this if you have a DNSSEC enabled OpenSSL -#LIBLWRES= /usr/local/lib/liblwres.a - -PROG= x509test -SRCS= x509test.c conf.c log.c libcrypto.c sysdep.c field.c util.c \ - isakmp_fld.c ipsec_fld.c ipsec_num.c isakmp_num.c constants.c \ - cert.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -NOMAN= -DEBUG= -g - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep" - -POLICY= policy.c -LDADD+= -lkeynote -lm -DPADD+= ${LIBKEYNOTE} ${LIBM} -CFLAGS+= -DUSE_KEYNOTE - -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto ${LIBLWRES} -DPADD+= ${LIBCRYPTO} - -SRCS+= x509.c ${POLICY} - -LDADD+= ${DESLIB} -DPADD+= ${DESLIBDEP} - -.include <bsd.prog.mk> diff --git a/sbin/isakmpd/regress/x509/x509test.c b/sbin/isakmpd/regress/x509/x509test.c deleted file mode 100644 index 25b8babe614..00000000000 --- a/sbin/isakmpd/regress/x509/x509test.c +++ /dev/null @@ -1,291 +0,0 @@ -/* $OpenBSD: x509test.c,v 1.22 2003/06/03 14:39:51 ho Exp $ */ -/* $EOM: x509test.c,v 1.9 2000/12/21 15:24:25 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * This program takes a certificate generated by ssleay and a key pair - * from rsakeygen. It reads the IP address from certificate.txt and - * includes this as subject alt name extension into the certifcate. - * The result gets written as new certificate that can be used by - * isakmpd. - */ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <ctype.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> - -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> - -#include "conf.h" -#include "ipsec_num.h" -#include "isakmp_fld.h" -#include "libcrypto.h" -#include "log.h" -#include "math_mp.h" -#include "x509.h" - -static int x509_check_subjectaltname (u_char *, u_int, X509 *); - -u_int32_t file_sz; - -#if 0 -/* XXX Currently unused. */ -static u_int8_t * -open_file (char *name) -{ - int fd; - struct stat st; - u_int8_t *addr; - - if (stat (name, &st) == -1) - log_fatal ("stat (\"%s\", &st)", name); - file_sz = st.st_size; - fd = open (name, O_RDONLY); - if (fd == -1) - log_fatal ("open (\"%s\", O_RDONLY)", name); - addr = mmap (0, file_sz, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE, - fd, 0); - if (addr == MAP_FAILED) - log_fatal ("mmap (0, %d, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE," - "%d, 0)", file_sz, fd); - close (fd); - - return addr; -} -#endif - -/* - * Check that a certificate has a subjectAltName and that it matches our ID. - */ -static int -x509_check_subjectaltname (u_char *id, u_int id_len, X509 *scert) -{ - u_int8_t *altname; - u_int32_t altlen; - int type, idtype, ret; - - type = x509_cert_subjectaltname (scert, &altname, &altlen); - if (!type) - { - log_print ("x509_check_subjectaltname: can't access subjectAltName"); - return 0; - } - - /* - * Now that we have the X509 certicate in native form, get the - * subjectAltName extension and verify that it matches our ID. - */ - - /* XXX Get type of ID. */ - idtype = id[0]; - id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - - ret = 0; - switch (idtype) - { - case IPSEC_ID_IPV4_ADDR: - if (type == X509v3_IP_ADDR) - ret = 1; - break; - case IPSEC_ID_FQDN: - if (type == X509v3_DNS_NAME) - ret = 1; - break; - case IPSEC_ID_USER_FQDN: - if (type == X509v3_RFC_NAME) - ret = 1; - break; - default: - ret = 0; - break; - } - - if (!ret) - { - LOG_DBG ((LOG_CRYPTO, 50, - "x509_check_subjectaltname: " - "our ID type (%d) does not match X509 cert ID type (%d)", - idtype, type)); - return 0; - } - - if (altlen != id_len || memcmp (altname, id, id_len) != 0) - { - LOG_DBG ((LOG_CRYPTO, 50, - "x509_check_subjectaltname: " - "our ID does not match X509 cert ID")); - return 0; - } - - return 1; -} - -int -main (int argc, char *argv[]) -{ - RSA *pub_key, *priv_key; - X509 *cert; - BIO *certfile, *keyfile; - EVP_PKEY *pkey_pub; - u_char ipaddr[6]; - struct in_addr saddr; - char enc[256], dec[256]; - u_int8_t idpayload[8]; - int err, len; - - if (argc < 3 || argc > 4) - { - fprintf (stderr, "usage: x509test private-key certificate ip-address\n"); - exit (1); - } - - /* - * X509_verify will fail, as will all other functions that call - * EVP_get_digest_byname. - */ - - libcrypto_init (); - - printf ("Reading private key %s\n", argv[1]); - keyfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (keyfile, argv[1]) == -1) - { - perror ("read"); - exit (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL, NULL); -#else - priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL); -#endif - BIO_free (keyfile); - if (priv_key == NULL) - { - printf("PEM_read_bio_RSAPrivateKey () failed\n"); - exit (1); - } - - /* Use a certificate created by ssleay. */ - printf ("Reading ssleay created certificate %s\n", argv[2]); - certfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (certfile, argv[2]) == -1) - { - perror ("read"); - exit (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - cert = PEM_read_bio_X509 (certfile, NULL, NULL, NULL); -#else - cert = PEM_read_bio_X509 (certfile, NULL, NULL); -#endif - BIO_free (certfile); - if (cert == NULL) - { - printf("PEM_read_bio_X509 () failed\n"); - exit (1); - } - - pkey_pub = X509_get_pubkey (cert); - /* XXX Violation of the interface? */ - pub_key = pkey_pub->pkey.rsa; - if (pub_key == NULL) - { - exit (1); - } - - printf ("Testing RSA keys: "); - - err = 0; - strlcpy (dec, "Eine kleine Testmeldung", 256); - if ((len = RSA_private_encrypt (strlen (dec), dec, enc, priv_key, - RSA_PKCS1_PADDING)) == -1) - - printf ("SIGN FAILED "); - else - err = RSA_public_decrypt (len, enc, dec, pub_key, RSA_PKCS1_PADDING); - - if (err == -1 || strcmp (dec, "Eine kleine Testmeldung")) - printf ("SIGN/VERIFY FAILED"); - else - printf ("OKAY"); - printf ("\n"); - - - printf ("Validate SIGNED: "); - err = X509_verify (cert, pkey_pub); - printf ("X509 verify: %d ", err); - if (err == -1) - printf ("FAILED "); - else - printf ("OKAY "); - printf ("\n"); - - if (argc == 4) - { - printf ("Verifying extension: "); - if (inet_aton (argv[3], &saddr) == 0) - { - printf ("inet_aton () failed\n"); - exit (1); - } - - saddr.s_addr = htonl (saddr.s_addr); - ipaddr[0] = 0x87; - ipaddr[1] = 0x04; - ipaddr[2] = saddr.s_addr >> 24; - ipaddr[3] = (saddr.s_addr >> 16) & 0xff; - ipaddr[4] = (saddr.s_addr >> 8) & 0xff; - ipaddr[5] = saddr.s_addr & 0xff; - bzero (idpayload, sizeof idpayload); - idpayload[0] = IPSEC_ID_IPV4_ADDR; - bcopy (ipaddr + 2, idpayload + 4, 4); - - if (!x509_check_subjectaltname (idpayload, sizeof idpayload, cert)) - printf("FAILED "); - else - printf("OKAY "); - printf ("\n"); - } - - return 1; -} |