From 354b16bcd6588629b316a0f7ec3ac8a289eccb11 Mon Sep 17 00:00:00 2001 From: kn Date: Wed, 23 Nov 2022 19:48:28 +0000 Subject: [PATCH] Remove security/ikeman This port remains unmaintained since import in 2011, only on life support by tb and his LibreSSL efforts. Previous changes saw no response from the maintainer and this port is already a maintenance burden for porters. maintainer timeout (again) OK tb --- devel/quirks/Makefile | 2 +- devel/quirks/files/Quirks.pm | 4 +- security/Makefile | 1 - security/ikeman/Makefile | 25 -- security/ikeman/distinfo | 2 - security/ikeman/patches/patch-asn1_time_t_c | 20 -- security/ikeman/patches/patch-certificates_c | 267 ------------------- security/ikeman/patches/patch-ikeman_h | 21 -- security/ikeman/patches/patch-log_c | 27 -- security/ikeman/patches/patch-ncurses_c | 58 ---- security/ikeman/pkg/DESCR | 8 - security/ikeman/pkg/PLIST | 2 - 12 files changed, 4 insertions(+), 433 deletions(-) delete mode 100644 security/ikeman/Makefile delete mode 100644 security/ikeman/distinfo delete mode 100644 security/ikeman/patches/patch-asn1_time_t_c delete mode 100644 security/ikeman/patches/patch-certificates_c delete mode 100644 security/ikeman/patches/patch-ikeman_h delete mode 100644 security/ikeman/patches/patch-log_c delete mode 100644 security/ikeman/patches/patch-ncurses_c delete mode 100644 security/ikeman/pkg/DESCR delete mode 100644 security/ikeman/pkg/PLIST diff --git a/devel/quirks/Makefile b/devel/quirks/Makefile index d09ab4068fd..5c8b0581b32 100644 --- a/devel/quirks/Makefile +++ b/devel/quirks/Makefile @@ -3,7 +3,7 @@ CATEGORIES = devel databases DISTFILES = # API.rev -PKGNAME = quirks-6.67 +PKGNAME = quirks-6.68 PKG_ARCH = * MAINTAINER = Marc Espie diff --git a/devel/quirks/files/Quirks.pm b/devel/quirks/files/Quirks.pm index 13d99115b7f..6818c8f7ccb 100644 --- a/devel/quirks/files/Quirks.pm +++ b/devel/quirks/files/Quirks.pm 
@@ -1,7 +1,7 @@ #! /usr/bin/perl # ex:ts=8 sw=4: -# $OpenBSD: Quirks.pm,v 1.1462 2022/11/18 21:26:56 kn Exp $ +# $OpenBSD: Quirks.pm,v 1.1463 2022/11/23 19:48:28 kn Exp $ # # Copyright (c) 2009 Marc Espie # @@ -1749,6 +1749,7 @@ setup_obsolete_reason( 1 => 'samdump2', 1 => 'smbsniff', 0 => 'fragroute', + 52 => 'ikeman', ); # though it's not yet used, these should be pkgnames, so that eventually @@ -1813,6 +1814,7 @@ my $obsolete_message = { 49 => "has no license, unmaintained since too long, crashes at runtime", 50 => "abandoned ten years ago, broken by default due to missing runtime dependencies, use security/sslscan", 51 => "dead upstream, consider using socat or SSH", + 52 => "unmaintained since import, already on LibreSSL life support for too long", }; # ->is_base_system($handle, $state): diff --git a/security/Makefile b/security/Makefile index 93e78b63eaf..b20da55c6a5 100644 --- a/security/Makefile +++ b/security/Makefile @@ -74,7 +74,6 @@ SUBDIR += heimdal SUBDIR += hlfl SUBDIR += hydra - SUBDIR += ikeman SUBDIR += integrit SUBDIR += ipguard SUBDIR += isic diff --git a/security/ikeman/Makefile b/security/ikeman/Makefile deleted file mode 100644 index 43aa9a8b004..00000000000 --- a/security/ikeman/Makefile +++ /dev/null @@ -1,25 +0,0 @@ -COMMENT = interactive PKI manager for isakmpd(8) or iked(8) -DISTNAME = ikeman-0.2 -REVISION = 7 - -CATEGORIES = security - -HOMEPAGE = http://storkhole.cz/software/ikeman/ - -MAINTAINER = Martin Pelikan - -# ISC -PERMIT_PACKAGE = Yes - -MASTER_SITES = ${HOMEPAGE} - -WANTLIB += c crypto curses - -NO_TEST = Yes - -FAKE_FLAGS = MANDIR=${PREFIX}/man/man - -# XXX seven duplicate symbols -CFLAGS += -fcommon - -.include diff --git a/security/ikeman/distinfo b/security/ikeman/distinfo deleted file mode 100644 index f6f99ab2b6e..00000000000 --- a/security/ikeman/distinfo +++ /dev/null @@ -1,2 +0,0 @@ -SHA256 (ikeman-0.2.tar.gz) = V80MDnZVqbTaGqnNyeNTQm1whAv1xS6EDne/q/beOo4= -SIZE (ikeman-0.2.tar.gz) = 23135 
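Review bot: The new entry 52 added to the `$obsolete_message` hash says only why security/ikeman was dropped, whereas the neighbouring messages 50 and 51 in the same hunk also tell the user what to use instead. Since the removed port's COMMENT describes it as the interactive PKI manager for isakmpd(8)/iked(8), pkg_add users losing it would benefit from a migration hint, e.g. `52 => "unmaintained since import, already on LibreSSL life support for too long; manage certificates with openssl(1) from base",` if that is the intended path. The paired `52 => 'ikeman',` entry in setup_obsolete_reason and the Quirks.pm RCS id bump are consistent with it.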
diff --git a/security/ikeman/patches/patch-asn1_time_t_c b/security/ikeman/patches/patch-asn1_time_t_c deleted file mode 100644 index cbdda762b6f..00000000000 --- a/security/ikeman/patches/patch-asn1_time_t_c +++ /dev/null @@ -1,20 +0,0 @@ -Index: asn1_time_t.c ---- asn1_time_t.c.orig -+++ asn1_time_t.c -@@ -14,6 +14,7 @@ - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -+#include - #include - - #include -@@ -22,7 +23,7 @@ - - /* Returns the wall time in the specified time zone. */ - time_t --asn1_time_to_timestamp(ASN1_TIME *as) -+asn1_time_to_timestamp(const ASN1_TIME *as) - { - #define B2I(byte) ((byte) - '0') - /* offset from GMT has to be in seconds - format +HHMM */ diff --git a/security/ikeman/patches/patch-certificates_c b/security/ikeman/patches/patch-certificates_c deleted file mode 100644 index 6c84c7f8a34..00000000000 --- a/security/ikeman/patches/patch-certificates_c +++ /dev/null 
@@ -1,267 +0,0 @@ -Index: certificates.c ---- certificates.c.orig -+++ certificates.c -@@ -59,13 +59,19 @@ add_v3_extension(X509 *cert, int nid, char *val) - static int - assign_random_number(int bits, ASN1_INTEGER *aint) - { -- BIGNUM bn; -+ BIGNUM *bn; - -- memset(&bn, 0, sizeof bn); -- if (BN_rand(&bn, bits, 0, 0) == 0) -+ if ((bn = BN_new()) == NULL) - return (0); -- if (BN_to_ASN1_INTEGER(&bn, aint) == 0) -+ if (BN_rand(bn, bits, 0, 0) == 0) { -+ BN_free(bn); - return (0); -+ } -+ if (BN_to_ASN1_INTEGER(bn, aint) == 0) { -+ BN_free(bn); -+ return (0); -+ } -+ BN_free(bn); - - return (1); - } -@@ -141,10 +147,11 @@ fail: - static int - ca_x509_subjectaltname(X509 *cert, unsigned char **altname, size_t *len) - { -- X509_EXTENSION *san; -- u_int8_t *data; -- int ext, santype; -- size_t sanlen; -+ X509_EXTENSION *san; -+ u_int8_t *data; -+ ASN1_OCTET_STRING *ostr; -+ int ext, santype; -+ size_t sanlen; - - if ((ext = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) == -1 - || (san = X509_get_ext(cert, ext)) == NULL) { -@@ -152,21 +159,21 @@ ca_x509_subjectaltname(X509 *cert, unsigned char **alt - __func__); - return (ALTNAME_FAIL); - } -+ ostr = X509_EXTENSION_get_data(san); - -- if (san->value == NULL || san->value->data == NULL || -- san->value->length < 4) { -+ if (ostr == NULL || ostr->data == NULL || ostr->length < 4) { - log_debug("%s: invalid subjectAltName in certificate", - __func__); - return (ALTNAME_FAIL); - } - -- data = san->value->data; -+ data = ostr->data; - santype = data[2] & 0x3f; - sanlen = data[3]; - /* skip over header */ - data += 4; - -- if ((sanlen + 4) > (size_t)san->value->length) { -+ if ((sanlen + 4) > (size_t)ostr->length) { - log_debug("%s: invalid subjectAltName length", __func__); - return (ALTNAME_FAIL); - } -@@ -263,8 +270,8 @@ fill_crl_attributes(X509_CRL *crl, struct ikeman_crl_a - /* LINTED BAD_BAD_OPENSSL */ - r = sk_X509_REVOKED_value(rev, i); - rc[i].revocation_date = -- asn1_time_to_timestamp(r->revocationDate); -- 
rc[i].serial_number = i2s_ASN1_INTEGER(NULL, r->serialNumber); -+ asn1_time_to_timestamp(X509_REVOKED_get0_revocationDate(r)); -+ rc[i].serial_number = i2s_ASN1_INTEGER(NULL, X509_REVOKED_get0_serialNumber(r)); - } - - at->revoked_certs = rc; -@@ -327,7 +334,7 @@ ca_sign_csr(char *csrpath, char *certpath, struct ikem - - if (X509_set_issuer_name(cert, X509_get_subject_name(ca->x509)) == 0) - ERROR("couldn't set issuer's name"); -- if (X509_set_subject_name(cert, req->req_info->subject) == 0) -+ if (X509_set_subject_name(cert, X509_REQ_get_subject_name(req)) == 0) - ERROR("couldn't set subject's name"); - - if (ca_new_serial_number(ca, X509_get_serialNumber(cert)) == 0) -@@ -481,22 +488,24 @@ ca_create_selfsigned_cert(X509 **cert, EVP_PKEY *pk, i - } - - int --ca_create_rsa_private_key(RSA **rsa, EVP_PKEY *pk, int bits) -+ca_create_rsa_private_key(RSA **rsa, EVP_PKEY **pk, int bits) - { -- BIGNUM bn; -+ BIGNUM *bn; - - if ((*rsa = RSA_new()) == NULL) - ERROR("allocating RSA key"); - -- memset(&bn, 0, sizeof bn); -- if (BN_set_word(&bn, 0x10001) == 0) -+ if ((bn = BN_new()) == NULL) -+ ERROR("allocating BN"); -+ if (BN_set_word(bn, 0x10001) == 0) - ERROR("setting exponent"); -- if (RSA_generate_key_ex(*rsa, bits, &bn, NULL) == 0) -+ if (RSA_generate_key_ex(*rsa, bits, bn, NULL) == 0) - ERROR("generating RSA key"); -- -- memset(pk, 0, sizeof(EVP_PKEY)); -- if (EVP_PKEY_assign_RSA(pk, *rsa) == 0) -+ if ((*pk = EVP_PKEY_new()) == NULL) -+ ERROR("allocating EVP_PKEY"); -+ if (EVP_PKEY_assign_RSA(*pk, *rsa) == 0) - ERROR("assigning key"); -+ BN_free(bn); - - return (EXIT_SUCCESS); - } -@@ -768,9 +777,9 @@ ca_load(const char *ca_dir, const char *crl_dir, const - { - DIR *dir; - struct dirent *entry; -- char file[PATH_MAX], *subjname; -+ char file[PATH_MAX], *certname, *subjname; - STACK_OF(X509_OBJECT) *h; -- X509_STORE_CTX csc; -+ X509_STORE_CTX *csc; - X509_STORE *st; - X509_OBJECT *xo; - X509 *x509; -@@ -805,15 +814,15 @@ ca_load(const char *ca_dir, const char *crl_dir, 
const - } - - /* retreive which one was it and store it in own SLIST */ -- h = store.ca_cas->objs; -+ h = X509_STORE_get0_objects(store.ca_cas); - /* LINTED BAD_BAD_OPENSSL */ - xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1); - -- if (fill_ca(&ca, xo->data.x509, entry->d_name) != EXIT_SUCCESS) -+ if (fill_ca(&ca, X509_OBJECT_get0_X509(xo), entry->d_name) != EXIT_SUCCESS) - ERROR("fill_ca"); - - log_debug("%s: loaded ca %s from file %s", __func__, -- ca->x509->name, entry->d_name); -+ X509_get_subject_name(ca->x509), entry->d_name); - } - if (closedir(dir) == -1) - ERROR(strerror(errno)); -@@ -845,22 +854,28 @@ ca_load(const char *ca_dir, const char *crl_dir, const - X509_STORE_set_flags(store.ca_cas, X509_V_FLAG_CRL_CHECK); - - /* Find out which CA does this CRL belong to */ -- h = store.ca_cas->objs; -+ h = X509_STORE_get0_objects(store.ca_cas); - /* LINTED BAD_BAD_OPENSSL */ - xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1); - SLIST_FOREACH(ca, &cas, cas) { -- subjname = X509_NAME_oneline(xo->data.crl->crl->issuer, -+ certname = X509_NAME_oneline(X509_get_subject_name(ca->x509), NULL, 0); -+ subjname = X509_NAME_oneline(X509_CRL_get_issuer(X509_OBJECT_get0_X509_CRL(xo)), - NULL, 0); - -+ if (certname == NULL || subjname == NULL) { -+ OPENSSL_free(certname); -+ OPENSSL_free(subjname); -+ continue; -+ } - /* Try matching by issuer's name, then make sure */ -- if (!strcmp(ca->x509->name, subjname) && -- crl_matching_ca(xo->data.crl, ca->x509) > 0) { -+ if (!strcmp(certname, subjname) && -+ crl_matching_ca(X509_OBJECT_get0_X509_CRL(xo), ca->x509) > 0) { - ca->num_crls_ok++; - - if ((crl = calloc(1, sizeof(*crl))) == NULL) - ERROR("calloc ikeman_crl"); - -- crl->x509 = xo->data.crl; -+ crl->x509 = X509_OBJECT_get0_X509_CRL(xo); - crl->filename = strdup(entry->d_name); - if (crl->filename == NULL) - ERROR("strdup crl filename"); -@@ -873,9 +888,11 @@ ca_load(const char *ca_dir, const char *crl_dir, const - fill_crl_attributes(crl->x509, crl->attrs); - 
- /* got it, go after next CRL */ -+ OPENSSL_free(certname); - OPENSSL_free(subjname); - break; - } -+ OPENSSL_free(certname); - OPENSSL_free(subjname); - } - if (ca) -@@ -908,10 +925,10 @@ ca_load(const char *ca_dir, const char *crl_dir, const - continue; - } - -- h = store.ca_certs->objs; -+ h = X509_STORE_get0_objects(store.ca_certs); - /* LINTED BAD_BAD_OPENSSL */ - xo = sk_X509_OBJECT_value(h, sk_X509_OBJECT_num(h) - 1); -- x509 = xo->data.x509; -+ x509 = X509_OBJECT_get0_X509(xo); - - /* Certificate needs a valid subjectName */ - if (X509_get_subject_name(x509) == NULL) { -@@ -958,21 +975,22 @@ ca_load(const char *ca_dir, const char *crl_dir, const - } - #endif - -- memset(&csc, 0, sizeof csc); -- X509_STORE_CTX_init(&csc, st, x509, NULL); -+ if ((csc = X509_STORE_CTX_new()) == NULL) -+ ERROR("X509_STORE_CTX_new"); -+ X509_STORE_CTX_init(csc, st, x509, NULL); - - if (! SLIST_EMPTY(&(ca->crls))) { -- X509_STORE_CTX_set_flags(&csc, -+ X509_STORE_CTX_set_flags(csc, - X509_V_FLAG_CRL_CHECK); -- X509_STORE_CTX_set_flags(&csc, -+ X509_STORE_CTX_set_flags(csc, - X509_V_FLAG_CRL_CHECK_ALL); - } - -- X509_verify_cert(&csc); -- X509_STORE_CTX_cleanup(&csc); -+ X509_verify_cert(csc); -+ X509_STORE_CTX_cleanup(csc); - X509_STORE_free(st); - -- switch (csc.error) { -+ switch (X509_STORE_CTX_get_error(csc)) { - case X509_V_ERR_CERT_HAS_EXPIRED: - ca->num_certs_expired++; - matches_at_least_a_bit++; -@@ -1000,7 +1018,7 @@ ca_load(const char *ca_dir, const char *crl_dir, const - - cert->x509 = x509; - cert->ca = ca; -- cert->state = csc.error; -+ cert->state = X509_STORE_CTX_get_error(csc); - cert->filename = strdup(entry->d_name); - if (cert->filename == NULL) - ERROR("strdup cert filename"); -@@ -1017,13 +1035,14 @@ ca_load(const char *ca_dir, const char *crl_dir, const - * Don't forget revoked certs - find the - * appropriate CRL and fill in the info. 
- */ -- if (csc.error == X509_V_ERR_CERT_REVOKED) -+ if (X509_STORE_CTX_get_error(csc) == X509_V_ERR_CERT_REVOKED) - add_cert_to_crls(cert, ca); - - log_debug("cert %s has CA in file %s", - cert->attrs->subject, ca->filename); - break; - } -+ X509_STORE_CTX_free(csc); - } - log_debug("%s: loaded cert file %s", __func__, entry->d_name); - } diff --git a/security/ikeman/patches/patch-ikeman_h b/security/ikeman/patches/patch-ikeman_h deleted file mode 100644 index 4e565c43c15..00000000000 --- a/security/ikeman/patches/patch-ikeman_h +++ /dev/null @@ -1,21 +0,0 @@ -Index: ikeman.h ---- ikeman.h.orig -+++ ikeman.h -@@ -174,7 +174,7 @@ struct ikeman_ncurses_window { - - - /* asn1_time_t.c */ --time_t asn1_time_to_timestamp(ASN1_TIME *); -+time_t asn1_time_to_timestamp(const ASN1_TIME *); - - /* certificates.c */ - int altname_guess_and_fill(struct ikeman_x509v3_altname *, char *); -@@ -185,7 +185,7 @@ int ca_create_selfsigned_cert(X509 **, EVP_PKEY *, int - u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *, u_int8_t *); - void ca_free_private_key(struct ikeman_ca *); - int ca_load_private_key(struct ikeman_ca *, char *, char *); --int ca_create_rsa_private_key(RSA **, EVP_PKEY *, int); -+int ca_create_rsa_private_key(RSA **, EVP_PKEY **, int); - int ca_write_private_key(EVP_PKEY *, char *, char *); - int ca_create_write_cert(X509 *, char *); - int ca_generate_crl(struct ikeman_ca *, EVP_PKEY *, int, int, char *); diff --git a/security/ikeman/patches/patch-log_c b/security/ikeman/patches/patch-log_c deleted file mode 100644 index 7ee3d87a5ea..00000000000 --- a/security/ikeman/patches/patch-log_c +++ /dev/null 
@@ -1,27 +0,0 @@ -Index: log.c ---- log.c.orig -+++ log.c -@@ -17,13 +17,9 @@ - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - --#include --#include - #include --#include -- -+#include - #include -- - #include - #include - #include -@@ -31,7 +27,7 @@ - #include - #include - #include --#include -+#include - - #include "ikeman.h" - diff --git a/security/ikeman/patches/patch-ncurses_c b/security/ikeman/patches/patch-ncurses_c deleted file mode 100644 index 7039fa331d9..00000000000 --- a/security/ikeman/patches/patch-ncurses_c +++ /dev/null 
@@ -1,58 +0,0 @@ -Index: ncurses.c ---- ncurses.c.orig -+++ ncurses.c -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - #include - - #include "ikeman.h" -@@ -653,7 +654,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w) - char cc[3], st[64], l[64], o[64], ou[64], cn[64], email[64]; - int keysize = 1024, tries = 3, days = 365, i, error = 0; - RSA *rsa = NULL; -- EVP_PKEY pk; -+ EVP_PKEY *pk = NULL; - X509 *cert = NULL; - struct ikeman_ca *ca = NULL; - -@@ -734,8 +735,8 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w) - separator(w, i, ' '); - - /* XXX BAD_BAD_OPENSSL just don't let it free() */ -- pk.references++; -- error = ca_create_selfsigned_cert(&cert, &pk, days * 60 * 60 * 24, -+ EVP_PKEY_up_ref(pk); -+ error = ca_create_selfsigned_cert(&cert, pk, days * 60 * 60 * 24, - (u_int8_t *) cc, (u_int8_t *) st, (u_int8_t *) l, - (u_int8_t *) o, (u_int8_t *) ou, (u_int8_t *) cn, - (u_int8_t *) email); -@@ -773,7 +774,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w) - strlcat(tmpdest, "ca.key", sizeof(tmpdest)) >= sizeof tmpdest) - ERROR2FAIL("key path too long"); - -- if ((error = ca_write_private_key(&pk, pwd1, tmpdest)) != 0) -+ if ((error = ca_write_private_key(pk, pwd1, tmpdest)) != 0) - goto fail; - memset(pwd1, 0, sizeof(pwd1)); - -@@ -828,7 +829,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w) - /* generate empty crl for 10 years - not necessary, but good practice */ - if (strlcat(cadest, "ca.crl", sizeof(cadest)) >= sizeof cadest) - ERROR2FAIL("crl path too long"); -- if ((error = ca_generate_crl(ca, &pk, 3653, 0, cadest)) != 0) -+ if ((error = ca_generate_crl(ca, pk, 3653, 0, cadest)) != 0) - goto fail; - - mvwprintw(w->win, 8, 1, "generated CRL to %s", cadest); -@@ -841,7 +842,7 @@ create_ca(void *arg1, struct ikeman_ncurses_window *w) - "directory and restart ikeman. "); - - fail: -- pk.references--; -+ EVP_PKEY_free(pk); - if (ca) - ca_free_private_key(ca); - #if 0 
diff --git a/security/ikeman/pkg/DESCR b/security/ikeman/pkg/DESCR deleted file mode 100644 index c9069cfb7c3..00000000000 --- a/security/ikeman/pkg/DESCR +++ /dev/null @@ -1,8 +0,0 @@ -ikeman is a tool designed to simplify management of X.509 public key -infrastructure used to create IPsec flows by isakmpd(8) or iked(8). -It displays all PKI data in a hierarchical view and can also create -new certificate authorities, sign new certificate requests and revoke -or un-revoke currently loaded certificates. - -All this in a user-friendly ncurses GUI, which also warns user about -errors like already expired, revoked or not yet valid certificates. diff --git a/security/ikeman/pkg/PLIST b/security/ikeman/pkg/PLIST deleted file mode 100644 index fb15b9c6652..00000000000 --- a/security/ikeman/pkg/PLIST +++ /dev/null @@ -1,2 +0,0 @@ -@bin bin/ikeman -@man man/man1/ikeman.1