From 61d00dc4b322beea260b6700de730edddefe7f1c Mon Sep 17 00:00:00 2001
From: Jonathan Gray
Date: Fri, 8 Oct 2010 10:13:48 +0000
Subject: allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.

---
 usr.sbin/ikectl/ikeca.c | 108 +++++++++++++++++++++++++++++++++--------------
 usr.sbin/ikectl/ikectl.8 | 17 +++++---
 usr.sbin/ikectl/ikectl.c | 12 +++---
 usr.sbin/ikectl/parser.c | 31 ++++++++------
 usr.sbin/ikectl/parser.h | 10 ++---
 5 files changed, 116 insertions(+), 62 deletions(-)
(limited to 'usr.sbin')

diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 9ac58005d04..2824490415c 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.15 2010/10/08 07:45:06 reyk Exp $ */
+/* $OpenBSD: ikeca.c,v 1.16 2010/10/08 10:13:47 jsg Exp $ */
 /* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
 
 /*
@@ -56,12 +56,24 @@ struct ca {
 char *caname;
 };
 
+struct {
+ char *dir;
+ mode_t mode;
+} exdirs[] = {
+ { "/ca", 0755 },
+ { "/certs", 0755 },
+ { "/crls", 0755 },
+ { "/export", 0755 },
+ { "/private", 0700 }
+};
+
 int ca_sign(struct ca *, char *, int, char *);
 int ca_request(struct ca *, char *);
 int ca_newpass(char *, char *);
 char * ca_readpass(char *, size_t *);
 int fcopy(char *, char *, mode_t);
 int rm_dir(char *);
+int ca_hier(char *);
 
 int
 ca_delete(struct ca *ca)
@@ -223,12 +235,13 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
 }
 
 int
-ca_key_install(struct ca *ca, char *keyname)
+ca_key_install(struct ca *ca, char *keyname, char *dir)
 {
- struct stat st;
- char cmd[PATH_MAX * 2];
- char src[PATH_MAX];
- char dst[PATH_MAX];
+ struct stat st;
+ char cmd[PATH_MAX * 2];
+ char src[PATH_MAX];
+ char dst[PATH_MAX];
+ char *p = NULL;
 
 snprintf(src, sizeof(src), "%s/private/%s.key", ca->sslpath, keyname);
 if (stat(src, &st) == -1) {
@@ -239,32 +252,47 @@ ca_key_install(struct ca *ca, char *keyname)
 return (1);
 }
 
- snprintf(dst, sizeof(dst), "%s/private/local.key", KEYBASE);
+ if (dir == NULL)
+ p = dir = strdup(KEYBASE);
+
+ ca_hier(dir);
+
+ snprintf(dst, sizeof(dst), "%s/private/local.key", dir);
 fcopy(src, dst, 0600);
 
 snprintf(cmd, sizeof(cmd), "%s rsa -out %s/local.pub"
- " -in %s/private/local.key -pubout", PATH_OPENSSL, KEYBASE,
- KEYBASE);
+ " -in %s/private/local.key -pubout", PATH_OPENSSL, dir, dir);
 system(cmd);
 
+ free(p);
 return (0);
 }
 
 int
-ca_cert_install(struct ca *ca, char *keyname)
+ca_cert_install(struct ca *ca, char *keyname, char *dir)
 {
- char src[PATH_MAX];
- char dst[PATH_MAX];
- int r;
+ char src[PATH_MAX];
+ char dst[PATH_MAX];
+ int r;
+ char *p = NULL;
+
+ if (dir == NULL)
+ p = dir = strdup(KEYBASE);
+
+ ca_hier(dir);
 
- if ((r = ca_key_install(ca, keyname)) != 0)
+ if ((r = ca_key_install(ca, keyname, dir)) != 0) {
+ free(dir);
 return (r);
+ }
 
 snprintf(src, sizeof(src), "%s/%s.crt", ca->sslpath, keyname);
- snprintf(dst, sizeof(dst), "%s/certs/%s.crt", KEYBASE, keyname);
+ snprintf(dst, sizeof(dst), "%s/certs/%s.crt", dir, keyname);
 fcopy(src, dst, 0644);
 
+ free(p);
+
 return (0);
 }
 
@@ -336,11 +364,12 @@ ca_create(struct ca *ca)
 }
 
 int
-ca_install(struct ca *ca)
+ca_install(struct ca *ca, char *dir)
 {
- struct stat st;
- char src[PATH_MAX];
- char dst[PATH_MAX];
+ struct stat st;
+ char src[PATH_MAX];
+ char dst[PATH_MAX];
+ char *p = NULL;
 
 snprintf(src, sizeof(src), "%s/ca.crt", ca->sslpath);
 if (stat(src, &st) == -1) {
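Review bot: In ca_cert_install the error branch after the ca_key_install call frees `dir`, but `dir` is only owned here when it was strdup'd a few lines above (then `p == dir`); when the caller passed res->path, that free releases a string the caller still holds, while the success path of the same function correctly frees `p`. The branch should read `free(p);`. The `strdup(KEYBASE)` result is never checked, here and in the same pattern in ca_install in the next hunk, so an allocation failure reaches snprintf with a NULL `dir`; an `if (dir == NULL) err(1, "strdup");` after the assignment would match the err(1, ...) style the file already uses. Separately, `dir` is now a command-line value pasted unquoted into the `system(cmd)` string, so a path containing whitespace or shell metacharacters no longer produces the intended openssl invocation; running openssl through fork/execl with an explicit argv would make the install path robust whatever it contains.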
@@ -348,19 +377,26 @@ ca_install(struct ca *ca)
 return (1);
 }
 
- snprintf(dst, sizeof(dst), "%s/ca/ca.crt", KEYBASE);
+ if (dir == NULL)
+ p = dir = strdup(KEYBASE);
+
+ ca_hier(dir);
+
+ snprintf(dst, sizeof(dst), "%s/ca/ca.crt", dir);
 if (fcopy(src, dst, 0644) == 0)
 printf("certificate for CA '%s' installed into %s\n",
 ca->caname, dst);
 
 snprintf(src, sizeof(src), "%s/ca.crl", ca->sslpath);
 if (stat(src, &st) == 0) {
- snprintf(dst, sizeof(dst), "%s/crls/ca.crl", KEYBASE);
+ snprintf(dst, sizeof(dst), "%s/crls/ca.crl", dir);
 if (fcopy(src, dst, 0644) == 0)
 printf("CRL for CA '%s' installed to %s\n",
 ca->caname, dst);
 }
 
+ free(p);
+
 return (0);
 }
 
@@ -469,6 +505,25 @@ rm_dir(char *path)
 return (0);
 }
 
+
+int
+ca_hier(char *path)
+{
+ struct stat st;
+ char dst[PATH_MAX];
+ u_int i;
+
+ for (i = 0; i < nitems(exdirs); i++) {
+ strlcpy(dst, path, sizeof(dst));
+ strlcat(dst, exdirs[i].dir, sizeof(dst));
+ if (stat(dst, &st) != 0 && errno == ENOENT &&
+ mkdir(dst, exdirs[i].mode) != 0)
+ err(1, "failed to create dir %s", dst);
+ }
+
+ return (0);
+}
+
 int
 ca_export(struct ca *ca, char *keyname, char *myname, char *password)
 {
@@ -486,17 +541,6 @@ ca_export(struct ca *ca, char *keyname, char *myname, char *password)
 u_int i;
 int fd;
 
- struct {
- char *dir;
- mode_t mode;
- } exdirs[] = {
- { "/ca", 0755 },
- { "/certs", 0755 },
- { "/crls", 0755 },
- { "/export", 0755 },
- { "/private", 0700 }
- };
-
 if (keyname != NULL) {
 if (strlcpy(oname, keyname, sizeof(oname)) >= sizeof(oname))
 err(1, "name too long");
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 305fd930c01..33305a4ae99 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.13 2010/10/08 07:45:06 reyk Exp $
+.\" $OpenBSD: ikectl.8,v 1.14 2010/10/08 10:13:47 jsg Exp $
 .\" $vantronix: ikectl.8,v 1.11 2010/06/03 15:55:51 reyk Exp $
 .\"
 .\" Copyright (c) 2007, 2008, 2009, 2010 Reyk Floeter
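Review bot: ca_hier builds each subdirectory name with strlcpy/strlcat and never checks the returned lengths, so a user-supplied `path` close to PATH_MAX is silently truncated and the loop creates, or accepts, a directory other than the one requested; ca_export in the hunk below already handles the same situation with `err(1, "name too long")`. The stat condition also reacts only to ENOENT: any other stat failure and an existing non-directory entry at `dst` pass through without a diagnostic, and the fcopy calls in the callers then fail later with a less specific message. The loop body rewritten to report both cases is below; errx and S_ISDIR come from the err.h and sys/stat.h the file presumably already includes for err() and stat().
```c
	for (i = 0; i < nitems(exdirs); i++) {
		if (strlcpy(dst, path, sizeof(dst)) >= sizeof(dst) ||
		    strlcat(dst, exdirs[i].dir, sizeof(dst)) >= sizeof(dst))
			errx(1, "path too long: %s%s", path, exdirs[i].dir);
		if (stat(dst, &st) == -1) {
			if (errno != ENOENT ||
			    mkdir(dst, exdirs[i].mode) == -1)
				err(1, "failed to create dir %s", dst);
		} else if (!S_ISDIR(st.st_mode))
			errx(1, "%s is not a directory", dst);
	}
	/* … unchanged: return (0) … */
```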
@@ -139,10 +139,11 @@ argument can be used to specify the address or FQDN of the local gateway
 which will be written into a text file
 .Pa peer.txt
 and included in the archives.
-.It Cm ca Ar name Cm install
+.It Cm ca Ar name Cm install Op Ar path
 Install the certificate and Certificate Revocation List (CRL) for CA
 .Ar name
-as the currently active CA.
+as the currently active CA or into the specified
+.Ar path .
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
 .Cm create
@@ -192,11 +193,12 @@ which will be written into a text file
 and included in the archives.
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
-.Cm install
+.Cm install Op Ar path
 .Xc
 Install the private and public key for
 .Ar host
-into the active configuration.
+into the active configuration or specified
+.Ar path .
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
 .Cm revoke
@@ -222,11 +224,12 @@ Create a private key for
 if one does not already exist.
 .It Xo
 .Cm ca Ar name Cm key Ar host
-.Cm install
+.Cm install Op Ar path
 .Xc
 Install the private and public keys for
 .Ar host
-into the active configuration.
+into the active configuration or specified
+.Ar path .
 .It Xo
 .Cm ca Ar name Cm key Ar host
 .Cm delete
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index 7a7e7d105ec..21626187dad 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.9 2010/10/08 07:45:06 reyk Exp $ */
+/* $OpenBSD: ikectl.c,v 1.10 2010/10/08 10:13:47 jsg Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter
@@ -94,7 +94,7 @@ ca_opt(struct parse_result *res)
 ca_delete(ca);
 break;
 case CA_INSTALL:
- ca_install(ca);
+ ca_install(ca, res->path);
 break;
 case CA_EXPORT:
 ca_export(ca, NULL, res->peer, res->pass);
@@ -108,7 +108,7 @@ ca_opt(struct parse_result *res)
 ca_delkey(ca, res->host);
 break;
 case CA_CERT_INSTALL:
- ca_cert_install(ca, res->host);
+ ca_cert_install(ca, res->host, res->path);
 break;
 case CA_CERT_EXPORT:
 ca_export(ca, res->host, res->peer, res->pass);
@@ -126,10 +126,10 @@ ca_opt(struct parse_result *res)
 ca_key_delete(ca, res->host);
 break;
 case CA_KEY_INSTALL:
- ca_key_install(ca, res->host);
+ ca_key_install(ca, res->host, res->path);
 break;
 case CA_KEY_IMPORT:
- ca_key_import(ca, res->host, res->filename);
+ ca_key_import(ca, res->host, res->path);
 break;
 default:
 break;
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
 break;
 case LOAD:
 imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1,
- res->filename, strlen(res->filename));
+ res->path, strlen(res->path));
 break;
 case RELOAD:
 imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1, NULL, 0);
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 133fba12261..19e721dec99 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.8 2010/10/08 07:45:06 reyk Exp $ */
+/* $OpenBSD: parser.c,v 1.9 2010/10/08 10:13:47 jsg Exp $ */
 
 /*
  * Copyright (c) 2010 Reyk Floeter
@@ -40,7 +40,7 @@ enum token_type {
 NOTOKEN,
 ENDTOKEN,
 KEYWORD,
- FILENAME,
+ PATH,
 CANAME,
 PEER,
 ADDRESS,
@@ -77,6 +77,7 @@ static const struct token t_show[];
 static const struct token t_show_ca[];
 static const struct token t_show_ca_modifiers[];
 static const struct token t_show_ca_cert[];
+static const struct token t_opt_path[];
 
 static const struct token t_main[] = {
 { KEYWORD, "active", ACTIVE, NULL },
@@ -109,7 +110,7 @@ static const struct token t_reset[] = {
 };
 
 static const struct token t_load[] = {
- { FILENAME, "", NONE, NULL },
+ { PATH, "", NONE, NULL },
 { ENDTOKEN, "", NONE, NULL }
 };
 
@@ -121,7 +122,7 @@ static const struct token t_ca[] = {
 static const struct token t_ca_modifiers[] = {
 { KEYWORD, "create", CA_CREATE, t_ca_pass },
 { KEYWORD, "delete", CA_DELETE, NULL },
- { KEYWORD, "install", CA_INSTALL, NULL },
+ { KEYWORD, "install", CA_INSTALL, t_opt_path },
 { KEYWORD, "certificate", CA_CERTIFICATE, t_ca_cert },
 { KEYWORD, "key", NONE, t_ca_key },
 { KEYWORD, "export", CA_EXPORT, t_ca_export },
@@ -156,6 +157,12 @@ static const struct token t_ca_ex_pass[] = {
 { ENDTOKEN, "", NONE, NULL }
 };
 
+static const struct token t_opt_path[] = {
+ { NOTOKEN, "", NONE, NULL },
+ { PATH, "", NONE, NULL },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
 static const struct token t_ca_cert[] = {
 { ADDRESS, "", NONE, t_ca_cert_modifiers },
 { FQDN, "", NONE, t_ca_cert_modifiers },
@@ -165,7 +172,7 @@ static const struct token t_ca_cert[] = {
 static const struct token t_ca_cert_modifiers[] = {
 { KEYWORD, "create", CA_CERT_CREATE, t_ca_cert_extusage },
 { KEYWORD, "delete", CA_CERT_DELETE, NULL },
- { KEYWORD, "install", CA_CERT_INSTALL, NULL },
+ { KEYWORD, "install", CA_CERT_INSTALL, t_opt_path },
 { KEYWORD, "export", CA_CERT_EXPORT, t_ca_export },
 { KEYWORD, "revoke", CA_CERT_REVOKE, NULL },
 { ENDTOKEN, "", NONE, NULL }
@@ -187,14 +194,14 @@ static const struct token t_ca_key[] = {
 static const struct token t_ca_key_modifiers[] = {
 { KEYWORD, "create", CA_KEY_CREATE, NULL },
 { KEYWORD, "delete", CA_KEY_DELETE, NULL },
- { KEYWORD, "install", CA_KEY_INSTALL, NULL },
+ { KEYWORD, "install", CA_KEY_INSTALL, t_opt_path },
 { KEYWORD, "import", CA_KEY_IMPORT, t_ca_key_path },
 { ENDTOKEN, "", NONE, NULL }
 };
 
 static const struct token t_ca_key_path[] = {
- { FILENAME, "", NONE, NULL },
- { ENDTOKEN, "", NONE, NULL }
+ { PATH, "", NONE, NULL },
+ { PATH, "", NONE, NULL }
 };
 
 static const struct token t_show[] = {
@@ -297,9 +304,9 @@ match_token(char *word, const struct token table[])
 res.action = t->value;
 }
 break;
- case FILENAME:
+ case PATH:
 if (!match && word != NULL && strlen(word) > 0) {
- res.filename = strdup(word);
+ res.path = strdup(word);
 match++;
 t = &table[i];
 }
@@ -369,8 +376,8 @@ show_valid_args(const struct token table[])
 case KEYWORD:
 fprintf(stderr, " %s\n", table[i].keyword);
 break;
- case FILENAME:
- fprintf(stderr, " \n");
+ case PATH:
+ fprintf(stderr, " \n");
 break;
 case CANAME:
 fprintf(stderr, " \n");
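Review bot: The rewritten t_ca_key_path table in the @@ -187 hunk now holds two PATH entries and no `{ ENDTOKEN, "", NONE, NULL }`, although the table it replaces and every other table in this hunk end with ENDTOKEN; if match_token and show_valid_args stop on ENDTOKEN (their loops begin outside the hunks shown), `ca <name> key <host> import <file>` now walks past the end of the array into whatever the linker placed after it. The second entry should be the terminator, i.e. `{ PATH, "", NONE, NULL }, { ENDTOKEN, "", NONE, NULL }`.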
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index 13787679505..1c40381a2b3 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.8 2010/10/08 07:45:06 reyk Exp $ */
+/* $OpenBSD: parser.h,v 1.9 2010/10/08 10:13:47 jsg Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter
@@ -59,7 +59,7 @@ enum actions {
 struct parse_result {
 enum actions action;
 struct imsgbuf *ibuf;
- char *filename;
+ char *path;
 char *caname;
 char *pass;
 char *host;
@@ -80,12 +80,12 @@ int ca_export(struct ca *, char *, char *, char *);
 int ca_revoke(struct ca *, char *);
 int ca_delete(struct ca *);
 int ca_delkey(struct ca *, char *);
-int ca_install(struct ca *);
-int ca_cert_install(struct ca *, char *);
+int ca_install(struct ca *, char *);
+int ca_cert_install(struct ca *, char *, char *);
 int ca_show_certs(struct ca *, char *);
 int ca_key_create(struct ca *, char *);
 int ca_key_delete(struct ca *, char *);
-int ca_key_install(struct ca *, char *);
+int ca_key_install(struct ca *, char *, char *);
 int ca_key_import(struct ca *, char *, char *);
 
 #endif /* _IKECTL_PARSER_H */
-- 
cgit v1.2.3
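Review bot: The new trailing `char *` on the ca_install, ca_cert_install and ca_key_install prototypes carries the install prefix, but nothing in the header says that NULL selects the KEYBASE default or that the callee must not free the string; a comment above the three declarations such as `/* last arg: install prefix, NULL means the KEYBASE default; the string stays owned by the caller */` would spare readers a trip into ikeca.c. The parse_result member renamed to `path` in the hunk above is what those callers pass, and judging by the NOTOKEN entry in t_opt_path it is presumably NULL when the optional argument is omitted, which is worth stating next to the field as well.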