-rw-r--r-- | sbin/isakmpd/monitor.c | 474 | ||||
-rw-r--r-- | sbin/isakmpd/monitor.h | 16 |
2 files changed, 2 insertions, 488 deletions
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index 8d26e1101ad..7792b0753fc 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.10 2003/09/25 22:28:48 aaron Exp $ */
+/* $OpenBSD: monitor.c,v 1.11 2004/03/15 16:29:00 hshoexer Exp $ */
 
 /*
  * Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -48,9 +48,6 @@
 #include "monitor.h"
 #include "policy.h"
 #include "util.h"
-#if defined (USE_X509)
-#include "x509.h"
-#endif
 
 struct monitor_state
 {
@@ -76,17 +73,6 @@ void m_priv_bind (int);
 void m_priv_mkfifo (int);
 void m_priv_local_sanitize_path (char *, size_t, int);
 
-#if defined (USE_X509)
-void m_priv_rsa_getkey (int);
-void m_priv_rsa_freekey (int);
-void m_priv_rsa_uploadkey (int);
-void m_priv_rsa_encrypt (int);
-
-int32_t m_priv_local_addkey (RSA *);
-RSA *m_priv_local_getkey (int32_t);
-void m_priv_local_deletekey (int32_t);
-#endif /* USE_X509 */
-
 /*
  * Public functions, unprivileged.
  */
@@ -360,134 +346,6 @@ monitor_mkfifo (const char *path, mode_t mode) return -1; } -#if defined (USE_X509) -/* Called by rsa_sig_encode_hash, the code that gets a key from ACQUIRE. */ -char * -monitor_RSA_upload_key (char *k_raw) -{ - RSA *rsa = (RSA *)k_raw; - int32_t v; - - if (m_write_int32 (m_state.s, MONITOR_RSA_UPLOADKEY)) - goto errout; - - /* XXX - incomplete */ - if (m_write_raw (m_state.s, k_raw, 0)) - goto errout; - - RSA_free (rsa); - - if (m_read_int32 (m_state.s, &v)) - goto errout; - - return (char *)v; - - errout: - log_print ("monitor_RSA_upload_key: read/write error"); - return 0; -} - -char * -monitor_RSA_get_private_key (char *id, char *local_id) -{ - char *confval; - int32_t v; - - if (m_write_int32 (m_state.s, MONITOR_RSA_GETKEY)) - goto errout; - - /* - * The privileged process will call ike_auth_get_key, so we need to - * to collect some current configuration data for it. - */ - confval = conf_get_str ("KeyNote", "Credential-directory"); - if (!confval) - m_write_int32 (m_state.s, 0); - else - m_write_raw (m_state.s, confval, strlen (confval) + 1); - - confval = conf_get_str ("X509-certificates", "Private-key"); - if (!confval) - m_write_int32 (m_state.s, 0); - else - m_write_raw (m_state.s, confval, strlen (confval) + 1); - - /* Next, the required arguments. */ - if (m_write_raw (m_state.s, id, strlen (id) + 1)) - goto errout; - if (m_write_raw (m_state.s, local_id, strlen (local_id) + 1)) - goto errout; - - /* Now, read the results. 
*/ - if (m_read_int32 (m_state.s, &v)) - goto errout; - - return (char *)v; - - errout: - log_print ("monitor_RSA_upload_key: read/write error"); - return 0; -} - -int -monitor_RSA_private_encrypt (int hashsize, unsigned char *hash, - unsigned char **sigdata, void *rkey, int padtype) -{ - int32_t v; - char *data = 0; - int datalen; - - *sigdata = 0; - - if (m_write_int32 (m_state.s, MONITOR_RSA_ENCRYPT)) - goto errout; - - if (m_write_int32 (m_state.s, (int32_t)hashsize)) - goto errout; - - if (m_write_raw (m_state.s, hash, hashsize)) - goto errout; - - if (m_write_int32 (m_state.s, (int32_t)rkey)) - goto errout; - - if (m_write_int32 (m_state.s, (int32_t)padtype)) - goto errout; - - /* Read results. */ - if (m_read_int32 (m_state.s, &v)) - goto errout; - datalen = (int)v; - - if (datalen == -1) - goto errout; - - data = (char *)malloc (datalen); - if (!data) - goto errout; - - if (m_read_raw (m_state.s, data, datalen)) - goto errout; - - *sigdata = data; - return datalen; - - errout: - if (data) - free (data); - return -1; -} - -void -monitor_RSA_free (void *key) -{ - if (m_write_int32 (m_state.s, MONITOR_RSA_FREEKEY) == 0) - m_write_int32 (m_state.s, (int32_t)key); - - return; -} -#endif /* USE_X509 */ - /* * Start of code running with privileges (the monitor process). */ @@ -581,25 +439,6 @@ monitor_loop (int debugging) shutdown++; break; -#if defined (USE_X509) - case MONITOR_RSA_UPLOADKEY: - /* XXX Not implemented yet. */ - /* m_priv_rsa_uploadkey (m_state.s); */ - break; - - case MONITOR_RSA_GETKEY: - m_priv_rsa_getkey (m_state.s); - break; - - case MONITOR_RSA_ENCRYPT: - m_priv_rsa_encrypt (m_state.s); - break; - - case MONITOR_RSA_FREEKEY: - m_priv_rsa_freekey (m_state.s); - break; -#endif - default: log_print ("monitor_loop: got unknown code %d", msgcode); } 
@@ -812,242 +651,6 @@ m_priv_mkfifo (int s) return; } -#if defined (USE_X509) -void -m_priv_rsa_getkey (int s) -{ - char cred_dir[MAXPATHLEN], pkey_path[MAXPATHLEN], pbuf[MAXPATHLEN]; - char id[MAXPATHLEN],local_id[MAXPATHLEN]; /* XXX MAXPATHLEN? */ - size_t fsize; - int32_t keyno; - RSA *rsakey = 0; - BIO *keyh; - - cred_dir[0] = pkey_path[0] = id[0] = local_id[0] = 0; - if (m_read_raw (s, pbuf, sizeof pbuf)) - goto errout; - if (pbuf[0] == '/') - strlcpy (cred_dir, pbuf, sizeof cred_dir); - else - snprintf (cred_dir, sizeof cred_dir, "%s/%s", m_state.root, pbuf); - - if (m_read_raw (s, pbuf, sizeof pbuf)) - goto errout; - if (pbuf[0] == '/') - strlcpy (pkey_path, pbuf, sizeof pkey_path); - else - snprintf (pkey_path, sizeof pkey_path, "%s/%s", m_state.root, pbuf); - - if (m_read_raw (s, id, sizeof id)) - goto errout; - if (m_read_raw (s, local_id, sizeof local_id)) - goto errout; - - /* This is basically a copy of ike_auth_get_key (). */ -#if defined (USE_KEYNOTE) - if (local_id[0] && cred_dir[0]) - { - struct stat sb; - struct keynote_deckey dc; - char *privkeyfile, *buf2, *buf; - int fd, pkflen; - size_t size; - - pkflen = strlen (cred_dir) + strlen (local_id) + - sizeof PRIVATE_KEY_FILE + sizeof "//" - 1; - privkeyfile = calloc (pkflen, sizeof (char)); - if (!privkeyfile) - { - log_print ("m_priv_rsa_getkey: failed to allocate %d bytes", pkflen); - goto errout; - } - - snprintf (privkeyfile, pkflen, "%s/%s/%s", cred_dir, local_id, - PRIVATE_KEY_FILE); - - if (stat (privkeyfile, &sb) < 0) - { - free (privkeyfile); - goto ignorekeynote; - } - size = (size_t)sb.st_size; - - fd = open (privkeyfile, O_RDONLY, 0); - if (fd < 0) - { - log_print ("m_priv_rsa_getkey: failed opening \"%s\"", privkeyfile); - free (privkeyfile); - goto errout; - } - - buf = calloc (size + 1, sizeof (char)); - if (!buf) - { - log_print ("m_priv_rsa_getkey: failed allocating %lu bytes", - (unsigned long)size + 1); - free (privkeyfile); - goto errout; - } - - if (read (fd, buf, size) != 
size) - { - free (buf); - log_print ("m_priv_rsa_getkey: " - "failed reading %lu bytes from \"%s\"", - (unsigned long)size, privkeyfile); - free (privkeyfile); - goto errout; - } - - close (fd); - - /* Parse private key string */ - buf2 = kn_get_string (buf); - free (buf); - - if (kn_decode_key (&dc, buf2, KEYNOTE_PRIVATE_KEY) == -1) - { - free (buf2); - log_print ("m_priv_rsa_getkey: failed decoding key in \"%s\"", - privkeyfile); - free (privkeyfile); - goto errout; - } - - free (buf2); - - if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) - { - log_print ("m_priv_rsa_getkey: wrong algorithm type %d in \"%s\"", - dc.dec_algorithm, privkeyfile); - free (privkeyfile); - kn_free_key (&dc); - goto errout; - } - - free (privkeyfile); - rsakey = dc.dec_key; - } - ignorekeynote: -#endif /* USE_KEYNOTE */ - - /* XXX I do not really like to call this from here. */ - if (check_file_secrecy (pkey_path, &fsize)) - goto errout; - - keyh = BIO_new (BIO_s_file ()); - if (keyh == NULL) - { - log_print ("m_priv_rsa_getkey: " - "BIO_new (BIO_s_file ()) failed"); - goto errout; - } - if (BIO_read_filename (keyh, pkey_path) == -1) - { - log_print ("m_priv_rsa_getkey: " - "BIO_read_filename (keyh, \"%s\") failed", - pkey_path); - BIO_free (keyh); - goto errout; - } - -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - rsakey = PEM_read_bio_RSAPrivateKey (keyh, NULL, NULL, NULL); -#else - rsakey = PEM_read_bio_RSAPrivateKey (keyh, NULL, NULL); -#endif - BIO_free (keyh); - if (!rsakey) - { - log_print ("m_priv_rsa_getkey: PEM_read_bio_RSAPrivateKey failed"); - goto errout; - } - - /* Enable RSA blinding. 
*/ - if (RSA_blinding_on (rsakey, NULL) != 1) - { - log_error ("m_priv_rsa_getkey: RSA_blinding_on () failed"); - goto errout; - } - - keyno = m_priv_local_addkey (rsakey); - m_write_int32 (s, keyno); - return; - - errout: - m_write_int32 (s, -1); - if (rsakey) - RSA_free (rsakey); - return; -} - -void -m_priv_rsa_encrypt (int s) -{ - int32_t hashsize, padtype, datalen; - char *hash = 0, *data = 0; - RSA *key; - int32_t v; - - if (m_read_int32 (s, &hashsize)) - goto errout; - - hash = (char *)malloc (hashsize); - if (!hash) - goto errout; - - if (m_read_raw (s, hash, hashsize)) - goto errout; - - if (m_read_int32 (s, &v)) - goto errout; - - if (m_read_int32 (s, &padtype)) - goto errout; - - key = m_priv_local_getkey (v); - if (!key) - goto errout; - - data = (char *)malloc (RSA_size (key)); - if (!data) - goto errout; - - datalen = RSA_private_encrypt (hashsize, hash, data, key, padtype); - if (datalen == -1) - { - log_print ("m_priv_rsa_encrypt: RSA_private_encrypt () failed"); - goto errout; - } - - if (m_write_int32 (s, datalen)) - goto errout; - - if (m_write_raw (s, data, datalen)) - goto errout; - - free (hash); - free (data); - return; - - errout: - m_write_int32 (s, -1); - if (data) - free (data); - if (hash) - free (hash); - return; -} - -void -m_priv_rsa_freekey (int s) -{ - int32_t keyno; - if (m_read_int32 (s, &keyno) == 0) - m_priv_local_deletekey (keyno); -} -#endif /* USE_X509 */ - /* * Help functions, used by both privileged and unprivileged code */ 
@@ -1106,81 +709,6 @@ m_flush (int s) ioctl (s, FIONBIO, 0); /* Blocking */ } -#if defined (USE_X509) -/* Privileged process RSA key storage help functions. */ -struct m_key_storage -{ - RSA *key; - int32_t keyno; - struct m_key_storage *next; -} *keylist = 0; - -int32_t -m_priv_local_addkey (RSA *key) -{ - struct m_key_storage *n, *k; - - n = (struct m_key_storage *)calloc (1, sizeof (struct m_key_storage)); - if (!n) - return 0; - - if (!keylist) - { - keylist = n; - n->keyno = 1; - } - else - { - for (k = keylist; k->next; k = k->next) ; - k->next = n; - n->keyno = k->keyno + 1; /* XXX 2^31 keys? */ - } - - n->key = key; - return n->keyno; -} - -RSA * -m_priv_local_getkey (int32_t keyno) -{ - struct m_key_storage *k; - - for (k = keylist; k; k = k->next) - if (k->keyno == keyno) - return k->key; - return 0; -} - -void -m_priv_local_deletekey (int32_t keyno) -{ - struct m_key_storage *k; - - if (keylist->keyno == keyno) - { - k = keylist; - keylist = keylist->next; - } - else - for (k = keylist; k->next; k = k->next) - if (k->next->keyno == keyno) - { - struct m_key_storage *s = k->next; - k->next = k->next->next; - k = s; - break; - } - - if (k) - { - RSA_free (k->key); - free (k); - } - - return; -} -#endif /* USE_X509 */ - /* Check that path/mode is permitted. */ void m_priv_local_sanitize_path (char *path, size_t pmax, int flags) diff --git a/sbin/isakmpd/monitor.h b/sbin/isakmpd/monitor.h index 1d29183a250..106cc78ecb5 100644 --- a/sbin/isakmpd/monitor.h +++ b/sbin/isakmpd/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.5 2003/06/10 16:41:29 deraadt Exp $ */ +/* $OpenBSD: monitor.h,v 1.6 2004/03/15 16:29:00 hshoexer Exp $ */ /* * Copyright (c) 2003 Håkan Olsson. All rights reserved. @@ -37,12 +37,6 @@ enum monitor_reqtypes MONITOR_BIND, MONITOR_MKFIFO, MONITOR_SHUTDOWN, -#if defined (USE_X509) - MONITOR_RSA_UPLOADKEY, - MONITOR_RSA_GETKEY, - MONITOR_RSA_ENCRYPT, - MONITOR_RSA_FREEKEY, -#endif }; pid_t monitor_init (void); 
@@ -60,14 +54,6 @@ int monitor_setsockopt (int, int, int, const void *, socklen_t); int monitor_bind (int, const struct sockaddr *, socklen_t); int monitor_mkfifo (const char *, mode_t); -#if defined (USE_X509) -char *monitor_RSA_upload_key (char *); -char *monitor_RSA_get_private_key (char *, char *); -int monitor_RSA_private_encrypt (int, unsigned char *, unsigned char **, - void *, int); -void monitor_RSA_free (void *); -#endif - #else /* !USE_PRIVSEP */ #define monitor_fopen fopen |