Remove security/ikeman

This port remains unmaintained since import in 2011, only on life support by
tb and his LibreSSL efforts.

Previous changes saw no response from the maintainer, and this port is already a
maintenance burden for porters.

maintainer timeout (again)
OK tb
This commit is contained in:
kn 2022-11-23 19:48:28 +00:00
parent 411413bfa9
commit 354b16bcd6
12 changed files with 4 additions and 433 deletions


@ -3,7 +3,7 @@ CATEGORIES = devel databases
DISTFILES =
# API.rev
PKGNAME = quirks-6.67
PKGNAME = quirks-6.68
PKG_ARCH = *
MAINTAINER = Marc Espie <espie@openbsd.org>


@ -1,7 +1,7 @@
#! /usr/bin/perl
# ex:ts=8 sw=4:
# $OpenBSD: Quirks.pm,v 1.1462 2022/11/18 21:26:56 kn Exp $
# $OpenBSD: Quirks.pm,v 1.1463 2022/11/23 19:48:28 kn Exp $
#
# Copyright (c) 2009 Marc Espie <espie@openbsd.org>
#
@ -1749,6 +1749,7 @@ setup_obsolete_reason(
1 => 'samdump2',
1 => 'smbsniff',
0 => 'fragroute',
52 => 'ikeman',
);
# though it's not yet used, these should be pkgnames, so that eventually
@ -1813,6 +1814,7 @@ my $obsolete_message = {
49 => "has no license, unmaintained since too long, crashes at runtime",
50 => "abandoned ten years ago, broken by default due to missing runtime dependencies, use security/sslscan",
51 => "dead upstream, consider using socat or SSH",
52 => "unmaintained since import, already on LibreSSL life support for too long",
};
# ->is_base_system($handle, $state):
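Review bot: The new obsolete_message entry 52 names no replacement, while the neighbouring entries 50 and 51 point users at sslscan and socat/SSH; the text is presumably what pkg_add shows when it drops the package, so a user who managed their isakmpd/iked CA with ikeman is left with no hint where to go. If ikectl(8)'s ca subcommands cover that use case (not stated on this page, please confirm), I would extend the string: `52 => "unmaintained since import, already on LibreSSL life support for too long, consider ikectl(8) ca or openssl(1)"`. The %$obsolete_message hash begins before this hunk.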


@ -74,7 +74,6 @@
SUBDIR += heimdal
SUBDIR += hlfl
SUBDIR += hydra
SUBDIR += ikeman
SUBDIR += integrit
SUBDIR += ipguard
SUBDIR += isic


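--- a/security/ikeman/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-COMMENT = interactive PKI manager for isakmpd(8) or iked(8)
-DISTNAME = ikeman-0.2
-REVISION = 7
-CATEGORIES = security
-HOMEPAGE = http://storkhole.cz/software/ikeman/
-MAINTAINER = Martin Pelikan <martin.pelikan@gmail.com>
-# ISC
-PERMIT_PACKAGE = Yes
-MASTER_SITES = ${HOMEPAGE}
-WANTLIB += c crypto curses
-NO_TEST = Yes
-FAKE_FLAGS = MANDIR=${PREFIX}/man/man
-# XXX seven duplicate symbols
-CFLAGS += -fcommon
-.include <bsd.port.mk>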


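--- a/security/ikeman/distinfo
+++ /dev/null
@@ -1,2 +0,0 @@
-SHA256 (ikeman-0.2.tar.gz) = V80MDnZVqbTaGqnNyeNTQm1whAv1xS6EDne/q/beOo4=
-SIZE (ikeman-0.2.tar.gz) = 23135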


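--- a/security/ikeman/patches/patch-asn1_time_t_c
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: asn1_time_t.c
---- asn1_time_t.c.orig
-+++ asn1_time_t.c
-@@ -14,6 +14,7 @@
-* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
-+#include <string.h>
-#include <time.h>
-#include <openssl/ssl.h>
-@@ -22,7 +23,7 @@
-/* Returns the wall time in the specified time zone. */
-time_t
--asn1_time_to_timestamp(ASN1_TIME *as)
-+asn1_time_to_timestamp(const ASN1_TIME *as)
-{
-#define B2I(byte) ((byte) - '0')
-/* offset from GMT has to be in seconds - format +HHMM */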


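--- a/security/ikeman/patches/patch-certificates_c
+++ /dev/null
@@ -1,267 +0,0 @@
-Index: certificates.c
---- certificates.c.orig
-+++ certificates.c
-@@ -59,13 +59,19 @@ add_v3_extension(X509 *cert, int nid, char *val)
-static int
-assign_random_number(int bits, ASN1_INTEGER *aint)
-{
-- BIGNUM bn;
-+ BIGNUM *bn;
-- memset(&bn, 0, sizeof bn);
-- if (BN_rand(&bn, bits, 0, 0) == 0)
-+ if ((bn = BN_new()) == NULL)
-return (0);
-- if (BN_to_ASN1_INTEGER(&bn, aint) == 0)
-+ if (BN_rand(bn, bits, 0, 0) == 0) {
-+ BN_free(bn);
-return (0);
-+ }
-+ if (BN_to_ASN1_INTEGER(bn, aint) == 0) {
-+ BN_free(bn);
-+ return (0);
-+ }
-+ BN_free(bn);
-return (1);
-}
-@@ -141,10 +147,11 @@ fail:
-static int
-ca_x509_subjectaltname(X509 *cert, unsigned char **altname, size_t *len)
-{
-- X509_EXTENSION *san;
-- u_int8_t *data;
-- int ext, santype;
-- size_t sanlen;
-+ X509_EXTENSION *san;
-+ u_int8_t *data;
-+ ASN1_OCTET_STRING *ostr;
-+ int ext, santype;
-+ size_t sanlen;
-if ((ext = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) == -1
-|| (san = X509_get_ext(cert, ext)) == NULL) {
-@@ -152,21 +159,21 @@ ca_x509_subjectaltname(X509 *cert, unsigned char **alt
-__func__);
-return (ALTNAME_FAIL);
-}
-+ ostr = X509_EXTENSION_get_data(san);
-- if (san->value == NULL || san->value->data == NULL ||
-- san->value->length < 4) {
-+ if (ostr == NULL || ostr->data == NULL || ostr->length < 4) {
-log_debug("%s: invalid subjectAltName in certificate",
-__func__);
-return (ALTNAME_FAIL);
-}
-- data = san->value->data;
-+ data = ostr->data;
-santype = data[2] & 0x3f;
-sanlen = data[3];
-/* skip over header */
-data += 4;
-- if ((sanlen + 4) > (size_t)san->value->length) {
-+ if ((sanlen + 4) > (size_t)ostr->length) {
-log_debug("%s: invalid subjectAltName length", __func__);
-return (ALTNAME_FAIL);
-}
-@@ -263,8 +270,8 @@ fill_crl_attributes(X509_CRL *crl, struct ikeman_crl_a
-/* LINTED BAD_BAD_OPENSSL */
-r = sk_X509_REVOKED_value(rev, i);
-rc[i].revocation_date =
-- asn1_time_to_timestamp(r->revocationDate);
-- rc[i].serial_number = i2s_ASN1_INTEGER(NULL, r->serialNumber);
-+ asn1_time_to_timestamp(X509_REVOKED_get0_revocationDate(r));
-+ rc[i].serial_number = i2s_ASN1_INTEGER(NULL, X509_REVOKED_get0_serialNumber(r));
-}
-at->revoked_certs = rc;
-@@ -327,7 +334,7 @@ ca_sign_csr(char *csrpath, char *certpath, struct ikem
-if (X509_set_issuer_name(cert, X509_get_subject_name(ca->x509)) == 0)
-ERROR("couldn't set issuer's name");
-- if (X509_set_subject_name(cert, req->req_info->subject) == 0)
-+ if (X509_set_subject_name(cert, X509_REQ_get_subject_name(req)) == 0)
-ERROR("couldn't set subject's name");
-if (ca_new_serial_number(ca, X509_get_serialNumber(cert)) == 0)
-@@ -481,22 +488,24 @@ ca_create_selfsigned_cert(X509 **cert, EVP_PKEY *pk, i
-}
-int
--ca_create_rsa_private_key(RSA **rsa, EVP_PKEY *pk, int bits)
-+ca_create_rsa_private_key(RSA **rsa, EVP_PKEY **pk, int bits)
-{
-- BIGNUM bn;
-+ BIGNUM *bn;
-if ((*rsa = RSA_new()) == NULL)
-ERROR("allocating RSA key");
-- memset(&bn, 0, sizeof bn);
-- if (BN_set_word(&bn, 0x10001) == 0)
-+ if ((bn = BN_new()) == NULL)
-+ ERROR("allocating BN");
-+ if (BN_set_word(bn, 0x10001) == 0)
-ERROR("setting exponent");
-- if (RSA_generate_key_ex(*rsa, bits, &bn, NULL) == 0)
-+ if (RSA_generate_key_ex(*rsa, bits, bn, NULL) == 0)
-ERROR("generating RSA key");
--
-- memset(pk, 0, sizeof(EVP_PKEY));
-- if (EVP_PKEY_assign_RSA(pk, *rsa) == 0)
-+ if ((*pk = EVP_PKEY_new()) == NULL)
-+ ERROR("allocating EVP_PKEY");
-+ if (EVP_PKEY_assign_RSA(*pk, *rsa) == 0)
-ERROR("assigning key");
-+ BN_free(bn);
-return (EXIT_SUCCESS);
-}
-@@ -768,9 +777,9 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-{
-DIR *dir;
-struct dirent *entry;
-- char file[PATH_MAX], *subjname;
-+ char file[PATH_MAX], *certname, *subjname;
-STACK_OF(X509_OBJECT) *h;
-- X509_STORE_CTX csc;
-+ X509_STORE_CTX *csc;
-X509_STORE *st;
-X509_OBJECT *xo;
-X509 *x509;
-@@ -805,15 +814,15 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-}
-/* retreive which one was it and store it in own SLIST */
-- h = store.ca_cas->objs;
-+ h = X509_STORE_get0_objects(store.ca_cas);
-/* LINTED BAD_BAD_OPENSSL */
-xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1);
-- if (fill_ca(&ca, xo->data.x509, entry->d_name) != EXIT_SUCCESS)
-+ if (fill_ca(&ca, X509_OBJECT_get0_X509(xo), entry->d_name) != EXIT_SUCCESS)
-ERROR("fill_ca");
-log_debug("%s: loaded ca %s from file %s", __func__,
-- ca->x509->name, entry->d_name);
-+ X509_get_subject_name(ca->x509), entry->d_name);
-}
-if (closedir(dir) == -1)
-ERROR(strerror(errno));
-@@ -845,22 +854,28 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-X509_STORE_set_flags(store.ca_cas, X509_V_FLAG_CRL_CHECK);
-/* Find out which CA does this CRL belong to */
-- h = store.ca_cas->objs;
-+ h = X509_STORE_get0_objects(store.ca_cas);
-/* LINTED BAD_BAD_OPENSSL */
-xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1);
-SLIST_FOREACH(ca, &cas, cas) {
-- subjname = X509_NAME_oneline(xo->data.crl->crl->issuer,
-+ certname = X509_NAME_oneline(X509_get_subject_name(ca->x509), NULL, 0);
-+ subjname = X509_NAME_oneline(X509_CRL_get_issuer(X509_OBJECT_get0_X509_CRL(xo)),
-NULL, 0);
-+ if (certname == NULL || subjname == NULL) {
-+ OPENSSL_free(certname);
-+ OPENSSL_free(subjname);
-+ continue;
-+ }
-/* Try matching by issuer's name, then make sure */
-- if (!strcmp(ca->x509->name, subjname) &&
-- crl_matching_ca(xo->data.crl, ca->x509) > 0) {
-+ if (!strcmp(certname, subjname) &&
-+ crl_matching_ca(X509_OBJECT_get0_X509_CRL(xo), ca->x509) > 0) {
-ca->num_crls_ok++;
-if ((crl = calloc(1, sizeof(*crl))) == NULL)
-ERROR("calloc ikeman_crl");
-- crl->x509 = xo->data.crl;
-+ crl->x509 = X509_OBJECT_get0_X509_CRL(xo);
-crl->filename = strdup(entry->d_name);
-if (crl->filename == NULL)
-ERROR("strdup crl filename");
-@@ -873,9 +888,11 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-fill_crl_attributes(crl->x509, crl->attrs);
-/* got it, go after next CRL */
-+ OPENSSL_free(certname);
-OPENSSL_free(subjname);
-break;
-}
-+ OPENSSL_free(certname);
-OPENSSL_free(subjname);
-}
-if (ca)
-@@ -908,10 +925,10 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-continue;
-}
-- h = store.ca_certs->objs;
-+ h = X509_STORE_get0_objects(store.ca_certs);
-/* LINTED BAD_BAD_OPENSSL */
-xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1);
-- x509 = xo->data.x509;
-+ x509 = X509_OBJECT_get0_X509(xo);
-/* Certificate needs a valid subjectName */
-if (X509_get_subject_name(x509) == NULL) {
-@@ -958,21 +975,22 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-}
-#endif
-- memset(&csc, 0, sizeof csc);
-- X509_STORE_CTX_init(&csc, st, x509, NULL);
-+ if ((csc = X509_STORE_CTX_new()) == NULL)
-+ ERROR("X509_STORE_CTX_new");
-+ X509_STORE_CTX_init(csc, st, x509, NULL);
-if (! SLIST_EMPTY(&(ca->crls))) {
-- X509_STORE_CTX_set_flags(&csc,
-+ X509_STORE_CTX_set_flags(csc,
-X509_V_FLAG_CRL_CHECK);
-- X509_STORE_CTX_set_flags(&csc,
-+ X509_STORE_CTX_set_flags(csc,
-X509_V_FLAG_CRL_CHECK_ALL);
-}
-- X509_verify_cert(&csc);
-- X509_STORE_CTX_cleanup(&csc);
-+ X509_verify_cert(csc);
-+ X509_STORE_CTX_cleanup(csc);
-X509_STORE_free(st);
-- switch (csc.error) {
-+ switch (X509_STORE_CTX_get_error(csc)) {
-case X509_V_ERR_CERT_HAS_EXPIRED:
-ca->num_certs_expired++;
-matches_at_least_a_bit++;
-@@ -1000,7 +1018,7 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-cert->x509 = x509;
-cert->ca = ca;
-- cert->state = csc.error;
-+ cert->state = X509_STORE_CTX_get_error(csc);
-cert->filename = strdup(entry->d_name);
-if (cert->filename == NULL)
-ERROR("strdup cert filename");
-@@ -1017,13 +1035,14 @@ ca_load(const char *ca_dir, const char *crl_dir, const
-* Don't forget revoked certs - find the
-* appropriate CRL and fill in the info.
-*/
-- if (csc.error == X509_V_ERR_CERT_REVOKED)
-+ if (X509_STORE_CTX_get_error(csc) == X509_V_ERR_CERT_REVOKED)
-add_cert_to_crls(cert, ca);
-log_debug("cert %s has CA in file %s",
-cert->attrs->subject, ca->filename);
-break;
-}
-+ X509_STORE_CTX_free(csc);
-}
-log_debug("%s: loaded cert file %s", __func__, entry->d_name);
-}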


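--- a/security/ikeman/patches/patch-ikeman_h
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: ikeman.h
---- ikeman.h.orig
-+++ ikeman.h
-@@ -174,7 +174,7 @@ struct ikeman_ncurses_window {
-/* asn1_time_t.c */
--time_t asn1_time_to_timestamp(ASN1_TIME *);
-+time_t asn1_time_to_timestamp(const ASN1_TIME *);
-/* certificates.c */
-int altname_guess_and_fill(struct ikeman_x509v3_altname *, char *);
-@@ -185,7 +185,7 @@ int ca_create_selfsigned_cert(X509 **, EVP_PKEY *, int
-u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *);
-void ca_free_private_key(struct ikeman_ca *);
-int ca_load_private_key(struct ikeman_ca *, char *, char *);
--int ca_create_rsa_private_key(RSA **, EVP_PKEY *, int);
-+int ca_create_rsa_private_key(RSA **, EVP_PKEY **, int);
-int ca_write_private_key(EVP_PKEY *, char *, char *);
-int ca_create_write_cert(X509 *, char *);
-int ca_generate_crl(struct ikeman_ca *, EVP_PKEY *, int, int, char *);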


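--- a/security/ikeman/patches/patch-log_c
+++ /dev/null
@@ -1,27 +0,0 @@
-Index: log.c
---- log.c.orig
-+++ log.c
-@@ -17,13 +17,9 @@
-* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-*/
--#include <sys/param.h>
--#include <sys/queue.h>
-#include <sys/socket.h>
--#include <sys/tree.h>
--
-+#include <sys/types.h>
-#include <netinet/in.h>
--
-#include <errno.h>
-#include <netdb.h>
-#include <stdarg.h>
-@@ -31,7 +27,7 @@
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
--#include <event.h>
-+#include <time.h>
-#include "ikeman.h"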


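--- a/security/ikeman/patches/patch-ncurses_c
+++ /dev/null
@@ -1,58 +0,0 @@
-Index: ncurses.c
---- ncurses.c.orig
-+++ ncurses.c
-@@ -25,6 +25,7 @@
-#include <signal.h>
-#include <stdint.h>
-#include <stdlib.h>
-+#include <string.h>
-#include <unistd.h>
-#include "ikeman.h"
-@@ -653,7 +654,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w)
-char cc[3], st[64], l[64], o[64], ou[64], cn[64], email[64];
-int keysize = 1024, tries = 3, days = 365, i, error = 0;
-RSA *rsa = NULL;
-- EVP_PKEY pk;
-+ EVP_PKEY *pk = NULL;
-X509 *cert = NULL;
-struct ikeman_ca *ca = NULL;
-@@ -734,8 +735,8 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w)
-separator(w, i, ' ');
-/* XXX BAD_BAD_OPENSSL just don't let it free() */
-- pk.references++;
-- error = ca_create_selfsigned_cert(&cert, &pk, days * 60 * 60 * 24,
-+ EVP_PKEY_up_ref(pk);
-+ error = ca_create_selfsigned_cert(&cert, pk, days * 60 * 60 * 24,
-(u_int8_t *) cc, (u_int8_t *) st, (u_int8_t *) l,
-(u_int8_t *) o, (u_int8_t *) ou, (u_int8_t *) cn,
-(u_int8_t *) email);
-@@ -773,7 +774,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w)
-strlcat(tmpdest, "ca.key", sizeof(tmpdest)) >= sizeof tmpdest)
-ERROR2FAIL("key path too long");
-- if ((error = ca_write_private_key(&pk, pwd1, tmpdest)) != 0)
-+ if ((error = ca_write_private_key(pk, pwd1, tmpdest)) != 0)
-goto fail;
-memset(pwd1, 0, sizeof(pwd1));
-@@ -828,7 +829,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w)
-/* generate empty crl for 10 years - not necessary, but good practice */
-if (strlcat(cadest, "ca.crl", sizeof(cadest)) >= sizeof cadest)
-ERROR2FAIL("crl path too long");
-- if ((error = ca_generate_crl(ca, &pk, 3653, 0, cadest)) != 0)
-+ if ((error = ca_generate_crl(ca, pk, 3653, 0, cadest)) != 0)
-goto fail;
-mvwprintw(w->win, 8, 1, "generated CRL to %s", cadest);
-@@ -841,7 +842,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w)
-"directory and restart ikeman. ");
-fail:
-- pk.references--;
-+ EVP_PKEY_free(pk);
-if (ca)
-ca_free_private_key(ca);
-#if 0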


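--- a/security/ikeman/pkg/DESCR
+++ /dev/null
@@ -1,8 +0,0 @@
-ikeman is a tool designed to simplify management of X.509 public key
-infrastructure used to create IPsec flows by isakmpd(8) or iked(8).
-It displays all PKI data in a hierarchical view and can also create
-new certificate authorities, sign new certificate requests and revoke
-or un-revoke currently loaded certificates.
-All this in a user-friendly ncurses GUI, which also warns user about
-errors like already expired, revoked or not yet valid certificates.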


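--- a/security/ikeman/pkg/PLIST
+++ /dev/null
@@ -1,2 +0,0 @@
-@bin bin/ikeman
-@man man/man1/ikeman.1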