From 7ab4d2e1ce634f2c292c286ad7cbf39c6cc9ba7d Mon Sep 17 00:00:00 2001
From: Hakan Olsson
Date: Thu, 15 May 2003 02:28:57 +0000
Subject: Cleanup. Do not store the private key in either the exchange or sa structs.
---
 sbin/isakmpd/exchange.c | 8 +-------
 sbin/isakmpd/ike_auth.c | 29 +++++++++++++++--------------
 sbin/isakmpd/sa.c | 4 +---
 sbin/isakmpd/sa.h | 6 ++----
 4 files changed, 19 insertions(+), 28 deletions(-)
(limited to 'sbin/isakmpd')
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index cdbccc597c6..d48501b94e5 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.78 2003/03/06 13:32:42 ho Exp $ */
+/* $OpenBSD: exchange.c,v 1.79 2003/05/15 02:28:55 ho Exp $ */
 /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
 /*
@@ -1299,9 +1299,6 @@ exchange_free_aux (void *v_exch)
 if (exchange->recv_key)
 key_free (exchange->recv_keytype, ISAKMP_KEYTYPE_PUBLIC,
 exchange->recv_key);
- if (exchange->sent_key)
- key_free (exchange->sent_keytype, ISAKMP_KEYTYPE_PRIVATE,
- exchange->sent_key);
 if (exchange->keynote_key)
 free (exchange->keynote_key); /* This is just a string */
@@ -1471,13 +1468,10 @@ exchange_finalize (struct message *msg)
 msg->isakmp_sa->recv_certtype = exchange->recv_certtype;
 msg->isakmp_sa->sent_certtype = exchange->sent_certtype;
 msg->isakmp_sa->recv_keytype = exchange->recv_keytype;
- msg->isakmp_sa->sent_keytype = exchange->sent_keytype;
 msg->isakmp_sa->recv_key = exchange->recv_key;
- msg->isakmp_sa->sent_key = exchange->sent_key;
 msg->isakmp_sa->keynote_key = exchange->keynote_key;
 /* Reset. */
 exchange->recv_key = 0;
- exchange->sent_key = 0;
 exchange->keynote_key = 0;
 msg->isakmp_sa->policy_id = exchange->policy_id;
 exchange->policy_id = -1;
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 5ced46a612e..d0e182c3f2a 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
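Review bot: Both exchange.c hunks remove every read and write of `exchange->sent_key` and `exchange->sent_keytype`, yet the diffstat lists only exchange.c, ike_auth.c, sa.c and sa.h, so the members themselves appear to stay declared in `struct exchange` while the `key_free` that used to release them is gone. Dropping the two members from the struct, as this commit already does for `struct sa` in sa.h, would finish the cleanup and let the compiler reject any remaining code that still parks a private key pointer in the exchange. If `struct exchange` happens to be declared outside `sbin/isakmpd`, this does not apply. Both hunks are fragments of `exchange_free_aux` and `exchange_finalize`, whose bodies start and end outside the diff.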
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.71 2003/05/15 02:08:54 ho Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.72 2003/05/15 02:28:56 ho Exp $ */
 /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
 /*
@@ -964,6 +964,8 @@ rsa_sig_encode_hash (struct message *msg)
 u_int8_t *id;
 size_t id_len;
 int idtype;
+ int sent_keytype;
+ void *sent_key;
 id = initiator ? exchange->id_i : exchange->id_r;
 id_len = initiator ? exchange->id_i_len : exchange->id_r_len;
@@ -1117,11 +1119,10 @@ rsa_sig_encode_hash (struct message *msg)
 return 0;
 }
- exchange->sent_keytype = ISAKMP_KEY_RSA;
- exchange->sent_key = key_internalize (ISAKMP_KEY_RSA,
- ISAKMP_KEYTYPE_PRIVATE, data,
- datalen);
- if (!exchange->sent_key)
+ sent_keytype = ISAKMP_KEY_RSA;
+ sent_key = key_internalize (ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, data,
+ datalen);
+ if (!sent_key)
 {
 log_print ("rsa_sig_encode_hash: bad RSA private key from dynamic "
 "SA acquisition subsystem");
@@ -1130,22 +1131,22 @@ rsa_sig_encode_hash (struct message *msg)
 }
 else /* Try through the regular means. */
 {
- exchange->sent_key = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name,
- (char *)buf2, 0);
+ sent_key = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name,
+ (char *)buf2, 0);
 free (buf2);
 /* Did we find a key? */
- if (!exchange->sent_key)
+ if (!sent_key)
 {
 log_print ("rsa_sig_encode_hash: could not get private key");
 return -1;
 }
- exchange->sent_keytype = ISAKMP_KEY_RSA;
+ sent_keytype = ISAKMP_KEY_RSA;
 }
 /* Enable RSA blinding. */
- if (RSA_blinding_on (exchange->sent_key, NULL) != 1)
+ if (RSA_blinding_on (sent_key, NULL) != 1)
 {
 log_error ("rsa_sig_encode_hash: RSA_blinding_on () failed.");
 return -1;
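Review bot: Now that `rsa_sig_encode_hash` keeps the private key in the local `sent_key` instead of handing it to the exchange, nothing in this commit releases it: the owner-side `key_free (..., ISAKMP_KEYTYPE_PRIVATE, ...)` calls are removed from exchange.c and sa.c, and the ike_auth.c diffstat (+15/-14) is fully accounted for by the visible hunks, so no replacement release was added. Unless `ike_auth_get_key` hands back a shared object, every call therefore leaks one RSA private key — on the `return -1` after `RSA_blinding_on` in this hunk, on the malloc and `RSA_private_encrypt` failure returns in the `@@ -1169` hunk, and on the success path — which is a per-exchange memory leak and, worse, private key material that stays resident in the daemon's heap for its lifetime. Add `key_free (sent_keytype, ISAKMP_KEYTYPE_PRIVATE, sent_key);` before each of those returns and once the signature has been produced; as far as the diff shows, `sent_keytype` is assigned in two places but never read, and this gives it its intended use. `rsa_sig_encode_hash` starts before the first hunk and ends after the `@@ -1169` hunk.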
@@ -1169,15 +1170,15 @@ rsa_sig_encode_hash (struct message *msg)
 snprintf (header, 80, "rsa_sig_encode_hash: HASH_%c", initiator ? 'I' : 'R');
 LOG_DBG_BUF ((LOG_MISC, 80, header, buf, hashsize));
- data = malloc (RSA_size (exchange->sent_key));
+ data = malloc (RSA_size (sent_key));
 if (!data)
 {
 log_error ("rsa_sig_encode_hash: malloc (%d) failed",
- RSA_size (exchange->sent_key));
+ RSA_size (sent_key));
 return -1;
 }
- datalen = RSA_private_encrypt (hashsize, buf, data, exchange->sent_key,
+ datalen = RSA_private_encrypt (hashsize, buf, data, sent_key,
 RSA_PKCS1_PADDING);
 if (datalen == -1)
 {
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 76c9cb30ce0..330803d0bb2 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.67 2003/05/14 17:37:22 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.68 2003/05/15 02:28:56 ho Exp $ */
 /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
 /*
@@ -791,8 +791,6 @@ sa_release (struct sa *sa)
 }
 if (sa->recv_key)
 key_free (sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, sa->recv_key);
- if (sa->sent_key)
- key_free (sa->sent_keytype, ISAKMP_KEYTYPE_PRIVATE, sa->sent_key);
 if (sa->keynote_key)
 free (sa->keynote_key); /* This is just a string */
 #if defined (USE_POLICY) || defined (USE_KEYNOTE)
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 4b7fbb0b07c..683d5f47a64 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.29 2002/06/09 08:13:07 todd Exp $ */
+/* $OpenBSD: sa.h,v 1.30 2003/05/15 02:28:56 ho Exp $ */
 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
 /*
@@ -166,11 +166,9 @@ struct sa {
 * Certificates or other information we used to authenticate to the peer,
 * Phase 1.
 */
- int sent_certtype, sent_keytype;
+ int sent_certtype;
 /* Certificate (to be) sent to peer, native format. */
 void *sent_cert;
- /* Key we'll use to authenticate to peer, native format. */
- void *sent_key;
 /* DOI-specific opaque data. */
 void *data;
-- cgit v1.2.3