Load RFC 7217 key material and generate if it does not already exist.

Add soii.key to changelist (pointed out by semarie) and mtree/special (suggest by Craig Skinner). OK naddy, sthen, rpe, tb
6 years ago · f95d9f00de
--- a/src/etc/changelist
+++ b/src/etc/changelist
@ -1,4 +1,4 @@
 #	$OpenBSD: changelist,v 1.118 2018/01/19 00:19:58 gsoares Exp $
 #	$OpenBSD: changelist,v 1.119 2018/02/10 05:56:47 florian Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
@ -115,6 +115,7 @@
 /etc/services
 /etc/shells
 +/etc/snmpd.conf
 +/etc/soii.key
 +/etc/spwd.db
 /etc/ssh/ssh_config
 +/etc/ssh/ssh_host_dsa_key
--- a/src/etc/mtree/special
+++ b/src/etc/mtree/special
@ -1,4 +1,4 @@
 #	$OpenBSD: special,v 1.124 2017/05/03 11:55:36 gsoares Exp $
 #	$OpenBSD: special,v 1.125 2018/02/10 05:56:47 florian Exp $
 #
 # Hand-crafted mtree specification for the dangerous files.
 #
@ -94,6 +94,7 @@ shells		type=file mode=0644 uname=root gname=wheel
 skey		type=dir mode=01730 uname=root gname=auth optional
 ..	#skey
 snmpd.conf	type=file mode=0600 uname=root gname=wheel optional
 soii.key	type=file mode=0600 uname=root gname=wheel optional
 spwd.db		type=file mode=0640 uname=root gname=_shadow
 ssh		type=dir mode=0755 uname=root gname=wheel optional
 ssh_config	type=file mode=0644 uname=root gname=wheel
--- a/src/etc/netstart
+++ b/src/etc/netstart
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
 #	$OpenBSD: netstart,v 1.188 2018/02/06 19:53:50 tb Exp $
 #	$OpenBSD: netstart,v 1.189 2018/02/10 05:56:47 florian Exp $

 # Turn off Strict Bourne shell mode.
 set +o sh
@ -194,6 +194,9 @@ if $PRINT_ONLY && (($# == 0)); then
 	exit 1
 fi

 $PRINT_ONLY || [[ ! -f /etc/soii.key ]] ||
 	sysctl -q "net.inet6.ip6.soiikey=$(</etc/soii.key)"

 # If we were invoked with a list of interface names, just reconfigure these
 # interfaces (or bridges), add default routes and return.
 if (($# > 0)); then
--- a/src/etc/rc
+++ b/src/etc/rc
@ -1,4 +1,4 @@
 #	$OpenBSD: rc,v 1.523 2017/11/09 11:02:10 tb Exp $
 #	$OpenBSD: rc,v 1.524 2018/02/10 05:56:47 florian Exp $

 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@ -158,6 +158,12 @@ make_keys() {
 	fi

 	ssh-keygen -A

 	if [[ ! -f /etc/soii.key ]]; then
 		openssl rand -hex 16 > /etc/soii.key && \
 		    chmod 600 /etc/soii.key && sysctl -q \
 		    "net.inet6.ip6.soiikey=$(</etc/soii.key)"
 	fi
 }

 # Re-link libraries, placing the objects in a random order.