authorHakan Olsson <ho@cvs.openbsd.org>2004-06-14 09:55:43 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2004-06-14 09:55:43 +0000
commita3de7d60356b91ad4fa41498aa0d21f54e6d6e42 (patch)
treeb29ac59d68e2c5c0913bb2c2154adf4a46ba6ef9
parent3c3a93ac7765dde3e397739f03b36a735ee304e0 (diff)
KNF, style, 80c, etc. hshoexer@ ok
-rw-r--r--sbin/isakmpd/cert.c5
-rw-r--r--sbin/isakmpd/conf.c19
-rw-r--r--sbin/isakmpd/connection.c9
-rw-r--r--sbin/isakmpd/crypto.c23
-rw-r--r--sbin/isakmpd/dnssec.c13
-rw-r--r--sbin/isakmpd/exchange.c5
-rw-r--r--sbin/isakmpd/field.c5
-rw-r--r--sbin/isakmpd/hash.c5
-rw-r--r--sbin/isakmpd/if.c5
-rw-r--r--sbin/isakmpd/ike_auth.c72
-rw-r--r--sbin/isakmpd/ike_main_mode.c6
-rw-r--r--sbin/isakmpd/ike_phase_1.c5
-rw-r--r--sbin/isakmpd/ike_quick_mode.c661
-rw-r--r--sbin/isakmpd/ipsec.c42
-rw-r--r--sbin/isakmpd/isakmp_cfg.c44
-rw-r--r--sbin/isakmpd/isakmp_doi.c15
-rw-r--r--sbin/isakmpd/isakmpd.c9
-rw-r--r--sbin/isakmpd/key.c6
-rw-r--r--sbin/isakmpd/log.c17
-rw-r--r--sbin/isakmpd/math_2n.c26
-rw-r--r--sbin/isakmpd/math_group.c4
-rw-r--r--sbin/isakmpd/message.c107
-rw-r--r--sbin/isakmpd/monitor.c42
-rw-r--r--sbin/isakmpd/pf_key_v2.c801
-rw-r--r--sbin/isakmpd/policy.c634
-rw-r--r--sbin/isakmpd/timer.c5
-rw-r--r--sbin/isakmpd/transport.c104
-rw-r--r--sbin/isakmpd/udp.c5
-rw-r--r--sbin/isakmpd/util.c8
-rw-r--r--sbin/isakmpd/x509.c50
30 files changed, 1650 insertions, 1102 deletions
diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c
index 044ed87758a..d04b9648d7f 100644
--- a/sbin/isakmpd/cert.c
+++ b/sbin/isakmpd/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.27 2004/05/14 08:42:56 hshoexer Exp $ */
+/* $OpenBSD: cert.c,v 1.28 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -81,7 +81,8 @@ cert_init(void)
int err = 1;
for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++)
- if (cert_handler[i].cert_init && !(*cert_handler[i].cert_init)())
+ if (cert_handler[i].cert_init &&
+ !(*cert_handler[i].cert_init)())
err = 0;
return err;
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index fe3b51eea01..27b4a1e5325 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.68 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: conf.c,v 1.69 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -238,7 +238,7 @@ conf_parse_line(int trans, char *line, size_t sz)
free(section);
if (i == sz) {
log_print("conf_parse_line: %d:"
- "non-matched ']', ignoring until next section", ln);
+ "unmatched ']', ignoring until next section", ln);
section = 0;
return;
}
@@ -299,7 +299,7 @@ conf_parse(int trans, char *buf, size_t sz)
cp++;
}
if (cp != line)
- log_print("conf_parse: last line non-terminated, ignored.");
+ log_print("conf_parse: last line unterminated, ignored.");
}
/*
@@ -356,7 +356,8 @@ conf_find_trans_xf(int phase, char *xf)
(phase == 2 && strcmp("Suites", node->tag) == 0)) {
p = node->value;
while ((p = strstr(p, xf)) != NULL)
- if (*(p + strlen(p)) && *(p + strlen(p)) != ',')
+ if (*(p + strlen(p)) &&
+ *(p + strlen(p)) != ',')
p += strlen(p);
else
return 1;
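Review bot: The terminator test on the rewrapped lines, `if (*(p + strlen(p)) && *(p + strlen(p)) != ',')`, can never be true, because `p + strlen(p)` always points at the NUL that ends `p`; the loop therefore returns 1 on the first strstr hit, so a transform name like `AES` also "matches" `AES-128` or `3DES` matches on `DES`. Presumably `strlen(xf)` was intended, i.e. `if (*(p + strlen(xf)) && *(p + strlen(xf)) != ',') p += strlen(xf); else return 1;`, which checks that the match is followed by end-of-string or a list separator. This is pre-existing and the commit only rewraps it, but since a wrong match here decides which transforms are considered configured it is worth fixing alongside the style change. conf_find_trans_xf begins and ends outside the hunk.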
@@ -574,8 +575,8 @@ conf_reinit(void)
fd = monitor_open(conf_path, O_RDONLY, 0);
if (fd == -1) {
- log_error("conf_reinit: open (\"%s\", O_RDONLY) failed",
- conf_path);
+ log_error("conf_reinit: "
+ "open (\"%s\", O_RDONLY) failed", conf_path);
return;
}
new_conf_addr = malloc(sz);
@@ -1074,14 +1075,16 @@ conf_report(void)
snprintf(dnode->s, len, "[%s]",
current_section);
dnode->next = (struct dumper *)
- calloc(1, sizeof(struct dumper));
+ calloc(1,
+ sizeof(struct dumper));
dnode = dnode->next;
if (!dnode)
goto mem_fail;
dnode->s = "";
dnode->next = (struct dumper *)
- calloc(1, sizeof(struct dumper));
+ calloc(1,
+ sizeof(struct dumper));
dnode = dnode->next;
if (!dnode)
goto mem_fail;
diff --git a/sbin/isakmpd/connection.c b/sbin/isakmpd/connection.c
index 624eff8223b..94373ad25bc 100644
--- a/sbin/isakmpd/connection.c
+++ b/sbin/isakmpd/connection.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: connection.c,v 1.28 2004/05/14 08:42:56 hshoexer Exp $ */
+/* $OpenBSD: connection.c,v 1.29 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */
/*
@@ -148,7 +148,8 @@ connection_checker(void *vconn)
struct connection *conn = vconn;
gettimeofday(&now, 0);
- now.tv_sec += conf_get_num("General", "check-interval", CHECK_INTERVAL);
+ now.tv_sec += conf_get_num("General", "check-interval",
+ CHECK_INTERVAL);
conn->ev = timer_add_event("connection_checker",
connection_checker, conn, &now);
if (!conn->ev)
@@ -225,8 +226,8 @@ connection_passive_lookup_by_ids(u_int8_t *id1, u_int8_t *id2)
(compare_ids(id1, conn->remote_id, conn->remote_sz) == 0 &&
compare_ids(id2, conn->local_id, conn->local_sz) == 0)) {
LOG_DBG((LOG_MISC, 60,
- "connection_passive_lookup_by_ids: returned \"%s\"",
- conn->name));
+ "connection_passive_lookup_by_ids: "
+ "returned \"%s\"", conn->name));
return conn->name;
}
}
diff --git a/sbin/isakmpd/crypto.c b/sbin/isakmpd/crypto.c
index 189bfa7d4ee..d74191ede90 100644
--- a/sbin/isakmpd/crypto.c
+++ b/sbin/isakmpd/crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.c,v 1.21 2004/05/14 08:42:56 hshoexer Exp $ */
+/* $OpenBSD: crypto.c,v 1.22 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */
/*
@@ -58,35 +58,40 @@ void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t);
struct crypto_xf transforms[] = {
#ifdef USE_DES
{
- DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0,
+ DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8,
+ BLOCKSIZE, 0,
des1_init,
des1_encrypt, des1_decrypt
},
#endif
#ifdef USE_TRIPLEDES
{
- TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0,
+ TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24,
+ BLOCKSIZE, 0,
des3_init,
des3_encrypt, des3_decrypt
},
#endif
#ifdef USE_BLOWFISH
{
- BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0,
+ BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56,
+ BLOCKSIZE, 0,
blf_init,
blf_encrypt, blf_decrypt
},
#endif
#ifdef USE_CAST
{
- CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0,
+ CAST_CBC, "CAST (CBC-Mode)", 12, 16,
+ BLOCKSIZE, 0,
cast_init,
cast1_encrypt, cast1_decrypt
},
#endif
#ifdef USE_AES
{
- AES_CBC, "AES (CBC-Mode)", 16, 32, AES_BLOCK_SIZE, 0,
+ AES_CBC, "AES (CBC-Mode)", 16, 32,
+ AES_BLOCK_SIZE, 0,
aes_init,
aes_encrypt, aes_decrypt
},
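Review bot: The transform table still advertises single DES (`DES_CBC`, 8-byte key, 56 effective bits) with no comment that it is kept for interoperability only; a reader of the KNF'd table cannot tell it apart from the current ciphers. Since it is already gated on `USE_DES`, a one-line note on the entry, `/* Single DES: 56-bit effective key, legacy interop only; prefer 3DES/AES. */`, would document that the build option is the policy knob. The min/max key sizes in each row are not explained either; a short comment naming the columns (id, name, min key, max key, block size, ...) at the top of the table would help, if the field order in struct crypto_xf (declared outside this hunk) is as it appears here.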
@@ -116,13 +121,15 @@ des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
void
des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
- des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT);
+ des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
+ DES_ENCRYPT);
}
void
des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
{
- des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT);
+ des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
+ DES_DECRYPT);
}
#ifdef USE_TRIPLEDES
diff --git a/sbin/isakmpd/dnssec.c b/sbin/isakmpd/dnssec.c
index aed01807af2..b7ee75f7860 100644
--- a/sbin/isakmpd/dnssec.c
+++ b/sbin/isakmpd/dnssec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dnssec.c,v 1.19 2004/05/14 08:42:56 hshoexer Exp $ */
+/* $OpenBSD: dnssec.c,v 1.20 2004/06/14 09:55:41 ho Exp $ */
/*
* Copyright (c) 2001 Håkan Olsson. All rights reserved.
@@ -126,7 +126,7 @@ dns_get_key(int type, struct message *msg, int *keylen)
case IPSEC_ID_FQDN:
if ((id_len + 1) >= sizeof name)
return 0;
- /* ID is not NULL-terminated. Add trailing dot and terminate. */
+ /* ID is not NULL-terminated. Add trailing dot and NULL. */
memcpy(name, id + ISAKMP_ID_DATA_OFF, id_len);
*(name + id_len) = '.';
*(name + id_len + 1) = '\0';
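Review bot: The reworded comment says "NULL" where a NUL byte is meant; `NULL` is the null pointer constant and the code writes `'\0'`. Suggest `/* ID is not NUL-terminated: append a trailing dot and a NUL. */`. The bound check above, `(id_len + 1) >= sizeof name`, does leave exactly the two bytes the dot and terminator need, so the copy itself is fine; a comment such as `/* need room for id_len bytes, '.', and '\0' */` on the check would make that explicit. dns_get_key begins and ends outside the hunk.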
@@ -176,7 +176,8 @@ dns_get_key(int type, struct message *msg, int *keylen)
/* We don't accept unvalidated data. */
if (!(rr->rri_flags & RRSET_VALIDATED)) {
- LOG_DBG((LOG_MISC, 10, "dns_get_key: got unvalidated response"));
+ LOG_DBG((LOG_MISC, 10, "dns_get_key: "
+ "got unvalidated response"));
freerrset(rr);
return 0;
}
@@ -210,7 +211,8 @@ dns_get_key(int type, struct message *msg, int *keylen)
}
key_rr.datalen = rr->rri_rdatas[i].rdi_length - 4;
if (key_rr.datalen <= 0) {
- LOG_DBG((LOG_MISC, 50, "dns_get_key: ignored bad key"));
+ LOG_DBG((LOG_MISC, 50, "dns_get_key: "
+ "ignored bad key"));
key_rr.datalen = 0;
continue;
}
@@ -247,7 +249,8 @@ dns_RSA_dns_to_x509(u_int8_t *key, int keylen, RSA **rsa_key)
}
rsa = RSA_new();
if (rsa == NULL) {
- log_error("dns_RSA_dns_to_x509: failed to allocate new RSA struct");
+ log_error("dns_RSA_dns_to_x509: "
+ "failed to allocate new RSA struct");
return -1;
}
e_len = *key;
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index c28c855448a..12f5080de82 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.95 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: exchange.c,v 1.96 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -1157,7 +1157,8 @@ exchange_dump_real(char *header, struct exchange *exchange, int class,
exchange->doi->id, exchange->type, exchange->step));
LOG_DBG((class, level, "%s: icookie %08x%08x rcookie %08x%08x", header,
decode_32(exchange->cookies), decode_32(exchange->cookies + 4),
- decode_32(exchange->cookies + 8), decode_32(exchange->cookies + 12)));
+ decode_32(exchange->cookies + 8),
+ decode_32(exchange->cookies + 12)));
/* Include phase 2 SA list for this exchange */
if (exchange->phase == 2) {
diff --git a/sbin/isakmpd/field.c b/sbin/isakmpd/field.c
index 1618ca690aa..0cc96d2748d 100644
--- a/sbin/isakmpd/field.c
+++ b/sbin/isakmpd/field.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: field.c,v 1.15 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: field.c,v 1.16 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: field.c,v 1.11 2000/02/20 19:58:37 niklas Exp $ */
/*
@@ -47,7 +47,8 @@ static char *field_debug_ign(u_int8_t *, size_t, struct constant_map **);
static char *field_debug_cst(u_int8_t *, size_t, struct constant_map **);
/* Contents must match the enum in struct field. */
-static char *(*decode_field[]) (u_int8_t *, size_t, struct constant_map **) = {
+static char *(*decode_field[]) (u_int8_t *, size_t,
+ struct constant_map **) = {
field_debug_raw,
field_debug_num,
field_debug_mask,
diff --git a/sbin/isakmpd/hash.c b/sbin/isakmpd/hash.c
index 517b8e12f0d..84773f875b0 100644
--- a/sbin/isakmpd/hash.c
+++ b/sbin/isakmpd/hash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hash.c,v 1.16 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: hash.c,v 1.17 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: hash.c,v 1.10 1999/04/17 23:20:34 niklas Exp $ */
/*
@@ -84,7 +84,8 @@ hash_get(enum hashes hashtype)
{
size_t i;
- LOG_DBG((LOG_CRYPTO, 60, "hash_get: requested algorithm %d", hashtype));
+ LOG_DBG((LOG_CRYPTO, 60, "hash_get: requested algorithm %d",
+ hashtype));
for (i = 0; i < sizeof hashes / sizeof hashes[0]; i++)
if (hashtype == hashes[i].type)
diff --git a/sbin/isakmpd/if.c b/sbin/isakmpd/if.c
index 697b90a4a4a..b9cf927478a 100644
--- a/sbin/isakmpd/if.c
+++ b/sbin/isakmpd/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.21 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: if.c,v 1.22 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: if.c,v 1.12 1999/10/01 13:45:20 niklas Exp $ */
/*
@@ -67,7 +67,8 @@ siocgifconf(struct ifconf *ifcp)
/* Get a socket to ask for the network interface configurations. */
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s == -1) {
- log_error("siocgifconf: socket (AF_INET, SOCK_DGRAM, 0) failed");
+ log_error("siocgifconf: "
+ "socket (AF_INET, SOCK_DGRAM, 0) failed");
return -1;
}
len = sizeof(struct ifreq) * INITIAL_IFREQ_COUNT;
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 6a380b0ecfb..0615c16b60c 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.89 2004/06/02 16:19:16 hshoexer Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.90 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
@@ -94,28 +94,33 @@ static int ike_auth_hash(struct exchange *, u_int8_t *);
static struct ike_auth ike_auth[] = {
{
- IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid, pre_shared_decode_hash,
+ IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid,
+ pre_shared_decode_hash,
pre_shared_encode_hash
},
#ifdef notdef
{
- IKE_AUTH_DSS, sig_gen_skeyid, pre_shared_decode_hash,
+ IKE_AUTH_DSS, sig_gen_skeyid,
+ pre_shared_decode_hash,
pre_shared_encode_hash
},
#endif
#if defined (USE_X509) || defined (USE_KEYNOTE)
{
- IKE_AUTH_RSA_SIG, sig_gen_skeyid, rsa_sig_decode_hash,
+ IKE_AUTH_RSA_SIG, sig_gen_skeyid,
+ rsa_sig_decode_hash,
rsa_sig_encode_hash
},
#endif
#ifdef notdef
{
- IKE_AUTH_RSA_ENC, enc_gen_skeyid, pre_shared_decode_hash,
+ IKE_AUTH_RSA_ENC, enc_gen_skeyid,
+ pre_shared_decode_hash,
pre_shared_encode_hash
},
{
- IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid, pre_shared_decode_hash,
+ IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid,
+ pre_shared_decode_hash,
pre_shared_encode_hash
},
#endif
@@ -248,7 +253,8 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
buf2 = kn_get_string(buf);
free(buf);
- if (kn_decode_key(&dc, buf2, KEYNOTE_PRIVATE_KEY) == -1) {
+ if (kn_decode_key(&dc, buf2, KEYNOTE_PRIVATE_KEY)
+ == -1) {
free(buf2);
log_print("ike_auth_get_key: failed decoding "
"key in \"%s\"", keyfile);
@@ -291,7 +297,8 @@ ignorekeynote:
fclose(keyfp);
if (!rsakey) {
- log_print("ike_auth_get_key: PEM_read_bio_RSAPrivateKey failed");
+ log_print("ike_auth_get_key: "
+ "PEM_read_bio_RSAPrivateKey failed");
return 0;
}
return rsakey;
@@ -345,7 +352,8 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
return 0;
}
memcpy(buf,
- exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
+ exchange->id_i + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ,
exchange->id_i_len - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ);
break;
@@ -381,7 +389,8 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
exchange->recv_certtype = ISAKMP_CERTENC_NONE;
free(key);
- prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key, keylen);
+ prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key,
+ keylen);
if (!prf)
return 0;
@@ -605,7 +614,8 @@ rsa_sig_decode_hash(struct message *msg)
exchange->recv_cert = cert;
exchange->recv_certtype = handler->id;
#if defined (USE_POLICY)
- x509_generate_kn(exchange->policy_id, cert);
+ x509_generate_kn(exchange->policy_id,
+ cert);
#endif /* USE_POLICY */
}
}
@@ -631,8 +641,8 @@ rsa_sig_decode_hash(struct message *msg)
handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p));
if (!handler) {
- LOG_DBG((LOG_MISC, 30,
- "rsa_sig_decode_hash: no handler for %s CERT encoding",
+ LOG_DBG((LOG_MISC, 30, "rsa_sig_decode_hash: "
+ "no handler for %s CERT encoding",
constant_name(isakmp_certenc_cst,
GET_ISAKMP_CERT_ENCODING(p->p))));
continue;
@@ -640,7 +650,8 @@ rsa_sig_decode_hash(struct message *msg)
cert = handler->cert_get(p->p + ISAKMP_CERT_DATA_OFF,
GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERT_DATA_OFF);
if (!cert) {
- log_print("rsa_sig_decode_hash: can not get data from CERT");
+ log_print("rsa_sig_decode_hash: "
+ "can not get data from CERT");
continue;
}
if (!handler->cert_validate(cert)) {
@@ -649,7 +660,8 @@ rsa_sig_decode_hash(struct message *msg)
"be validated");
continue;
}
- if (GET_ISAKMP_CERT_ENCODING(p->p) == ISAKMP_CERTENC_X509_SIG) {
+ if (GET_ISAKMP_CERT_ENCODING(p->p) ==
+ ISAKMP_CERTENC_X509_SIG) {
if (!handler->cert_get_subjects(cert, &n, &id_cert,
&id_cert_len)) {
handler->cert_free(cert);
@@ -696,8 +708,8 @@ rsa_sig_decode_hash(struct message *msg)
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
dc.dec_key = key;
- pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
- KEYNOTE_PUBLIC_KEY);
+ pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1,
+ ENCODING_HEX, KEYNOTE_PUBLIC_KEY);
if (pp == NULL) {
kn_free_key(&dc);
log_print("rsa_sig_decode_hash: failed to "
@@ -713,7 +725,8 @@ rsa_sig_decode_hash(struct message *msg)
"allocate %d bytes", dclen);
return -1;
}
- snprintf(exchange->keynote_key, dclen, "rsa-hex:%s", pp);
+ snprintf(exchange->keynote_key, dclen, "rsa-hex:%s",
+ pp);
free(pp);
}
#endif
@@ -819,7 +832,8 @@ pre_shared_encode_hash(struct message *msg)
snprintf(header, sizeof header, "pre_shared_encode_hash: HASH_%c",
initiator ? 'I' : 'R');
- LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize));
+ LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF,
+ hashsize));
return 0;
}
@@ -844,8 +858,8 @@ rsa_sig_encode_hash(struct message *msg)
/* We may have been provided these by the kernel */
buf = (u_int8_t *) conf_get_str(exchange->name, "Credentials");
- if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", -1)
- != -1)) {
+ if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type",
+ -1) != -1)) {
exchange->sent_certtype = idtype;
handler = cert_get(idtype);
if (!handler) {
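Review bot: The assignment inside the rewrapped condition `(idtype = conf_get_num(exchange->name, "Credential_Type", -1) != -1)` binds as `idtype = (conf_get_num(...) != -1)`, so `idtype` receives 0 or 1 rather than the configured credential type, and the following `exchange->sent_certtype = idtype;` and `cert_get(idtype)` operate on that boolean. Unless this is intentional, the closing parenthesis belongs after the call: `if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", -1)) != -1) {`. The bug predates this commit, but the rewrap is a natural point to correct it. rsa_sig_encode_hash begins and ends outside the hunk.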
@@ -853,7 +867,8 @@ rsa_sig_encode_hash(struct message *msg)
idtype);
return -1;
}
- exchange->sent_cert = handler->cert_from_printable((char *)buf);
+ exchange->sent_cert =
+ handler->cert_from_printable((char *)buf);
if (!exchange->sent_cert) {
log_print("rsa_sig_encode_hash: failed to retrieve "
"certificate");
@@ -892,8 +907,8 @@ rsa_sig_encode_hash(struct message *msg)
}
if (handler->cert_obtain(id, id_len, 0, &data,
&datalen) == 0) {
- LOG_DBG((LOG_MISC, 10,
- "rsa_sig_encode_hash: no certificate to send"));
+ LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: "
+ "no certificate to send"));
goto skipcert;
}
} else {
@@ -985,7 +1000,8 @@ skipcert:
/* Did we find a key? */
if (!sent_key) {
- log_print("rsa_sig_encode_hash: could not get private key");
+ log_print("rsa_sig_encode_hash: "
+ "could not get private key");
return -1;
}
}
@@ -1019,7 +1035,8 @@ skipcert:
sigsize = RSA_private_encrypt(hashsize, buf, data, sent_key,
RSA_PKCS1_PADDING);
if (sigsize == -1) {
- log_print("rsa_sig_encode_hash: RSA_private_encrypt () failed");
+ log_print("rsa_sig_encode_hash: "
+ "RSA_private_encrypt () failed");
if (data)
free(data);
free(buf);
@@ -1041,7 +1058,8 @@ skipcert:
snprintf(header, sizeof header, "rsa_sig_encode_hash: SIG_%c",
initiator ? 'I' : 'R');
- LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF, datalen));
+ LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF,
+ datalen));
if (message_add_payload(msg, ISAKMP_PAYLOAD_SIG, buf,
ISAKMP_SIG_SZ + datalen, 1)) {
free(buf);
diff --git a/sbin/isakmpd/ike_main_mode.c b/sbin/isakmpd/ike_main_mode.c
index 53e18c486c4..1308564b47b 100644
--- a/sbin/isakmpd/ike_main_mode.c
+++ b/sbin/isakmpd/ike_main_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_main_mode.c,v 1.14 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: ike_main_mode.c,v 1.15 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
/*
@@ -103,8 +103,8 @@ responder_send_KE_NONCE(struct message *msg)
return -1;
/*
- * Calculate DH values & key material in parallel with the message going
- * on a roundtrip over the wire.
+ * Calculate DH values & key material in parallel with the message
+ * going on a roundtrip over the wire.
*/
message_register_post_send(msg,
(void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE);
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 1a6897ea46c..010d71cdd18 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.49 2004/06/10 12:54:53 hshoexer Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.50 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
/*
@@ -978,7 +978,8 @@ ike_phase_1_recv_ID(struct message *msg)
memcpy(*id, payload->p + ISAKMP_GEN_SZ, *id_len);
snprintf(header, sizeof header, "ike_phase_1_recv_ID: %s",
constant_name(ipsec_id_cst, GET_ISAKMP_ID_TYPE(payload->p)));
- LOG_DBG_BUF((LOG_NEGOTIATION, 40, header, payload->p + ISAKMP_ID_DATA_OFF,
+ LOG_DBG_BUF((LOG_NEGOTIATION, 40, header,
+ payload->p + ISAKMP_ID_DATA_OFF,
*id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF));
payload->flags |= PL_MARK;
return 0;
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 1ae011d900d..4a2e24b9aed 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.80 2004/06/10 12:54:53 hshoexer Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.81 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -115,7 +115,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
/* Initialize if necessary -- e.g., if pre-shared key auth was used */
if (isakmp_sa->policy_id < 0) {
if ((isakmp_sa->policy_id = kn_init()) == -1) {
- log_print("check_policy: failed to initialize policy session");
+ log_print("check_policy: "
+ "failed to initialize policy session");
return 0;
}
}
@@ -164,8 +165,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
nprinc = 3;
principal = calloc(nprinc, sizeof *principal);
if (!principal) {
- log_error("check_policy: calloc (%d, %lu) failed", nprinc,
- (unsigned long)sizeof *principal);
+ log_error("check_policy: calloc (%d, %lu) failed",
+ nprinc, (unsigned long)sizeof *principal);
goto policydone;
}
len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:";
@@ -180,8 +181,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
* constants.
*/
strlcpy(principal[0], "passphrase:", len);
- memcpy(principal[0] + sizeof "passphrase:" - 1, isakmp_sa->recv_key,
- strlen(isakmp_sa->recv_key));
+ memcpy(principal[0] + sizeof "passphrase:" - 1,
+ isakmp_sa->recv_key, strlen(isakmp_sa->recv_key));
len = sizeof "passphrase-md5-hex:" + 2 * 16;
principal[1] = calloc(len, sizeof(char));
@@ -193,8 +194,9 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
strlcpy(principal[1], "passphrase-md5-hex:", len);
MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf);
for (i = 0; i < 16; i++)
- snprintf(principal[1] + 2 * i + sizeof "passphrase-md5-hex:" - 1,
- 3, "%02x", hashbuf[i]);
+ snprintf(principal[1] + 2 * i +
+ sizeof "passphrase-md5-hex:" - 1, 3, "%02x",
+ hashbuf[i]);
len = sizeof "passphrase-sha1-hex:" + 2 * 20;
principal[2] = calloc(len, sizeof(char));
@@ -204,10 +206,12 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
goto policydone;
}
strlcpy(principal[2], "passphrase-sha1-hex:", len);
- SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf);
+ SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key),
+ hashbuf);
for (i = 0; i < 20; i++)
- snprintf(principal[2] + 2 * i + sizeof "passphrase-sha1-hex:" - 1,
- 3, "%02x", hashbuf[i]);
+ snprintf(principal[2] + 2 * i +
+ sizeof "passphrase-sha1-hex:" - 1, 3, "%02x",
+ hashbuf[i]);
break;
case ISAKMP_CERTENC_KEYNOTE:
@@ -216,8 +220,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal = calloc(nprinc, sizeof *principal);
if (!principal) {
- log_error("check_policy: calloc (%d, %lu) failed", nprinc,
- (unsigned long)sizeof *principal);
+ log_error("check_policy: calloc (%d, %lu) failed",
+ nprinc, (unsigned long)sizeof *principal);
goto policydone;
}
/* Dup the keys */
@@ -242,20 +246,23 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA)
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
else {
- log_error("check_policy: unknown/unsupported public key algorithm "
- "%d", isakmp_sa->recv_keytype);
+ log_error("check_policy: "
+ "unknown/unsupported public key algorithm %d",
+ isakmp_sa->recv_keytype);
goto policydone;
}
dc.dec_key = isakmp_sa->recv_key;
- principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
- KEYNOTE_PUBLIC_KEY);
+ principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1,
+ ENCODING_HEX, KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
- log_print("check_policy: failed to get memory for public key");
+ log_print("check_policy: "
+ "failed to get memory for public key");
goto policydone;
}
if (!principal[0]) {
- log_print("check_policy: failed to allocate memory for principal");
+ log_print("check_policy: "
+ "failed to allocate memory for principal");
goto policydone;
}
len = strlen(principal[0]) + sizeof "rsa-hex:";
@@ -275,7 +282,8 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
if (subject) {
principal[1] = calloc(259, sizeof(char));
if (!principal[1]) {
- log_error("check_policy: calloc (259, %lu) failed",
+ log_error("check_policy: "
+ "calloc (259, %lu) failed",
(unsigned long)sizeof(char));
goto policydone;
}
@@ -311,22 +319,26 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
* what mode of authentication we used in Phase 1.
*/
for (i = 0; i < nprinc; i++) {
- LOG_DBG((LOG_POLICY, 40, "check_policy: adding authorizer [%s]",
- principal[i]));
+ LOG_DBG((LOG_POLICY, 40, "check_policy: "
+ "adding authorizer [%s]", principal[i]));
- if (kn_add_authorizer(isakmp_sa->policy_id, principal[i]) == -1) {
- int j;
+ if (kn_add_authorizer(isakmp_sa->policy_id, principal[i])
+ == -1) {
+ int j;
for (j = 0; j < i; j++)
- kn_remove_authorizer(isakmp_sa->policy_id, principal[j]);
+ kn_remove_authorizer(isakmp_sa->policy_id,
+ principal[j]);
log_print("check_policy: kn_add_authorizer failed");
goto policydone;
}
}
/* Ask policy */
- result = kn_do_query(isakmp_sa->policy_id, return_values, RETVALUES_NUM);
- LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", result));
+ result = kn_do_query(isakmp_sa->policy_id, return_values,
+ RETVALUES_NUM);
+ LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d",
+ result));
/* Cleanup environment */
kn_cleanup_action_environment(isakmp_sa->policy_id);
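Review bot: The debug line `LOG_DBG((LOG_POLICY, 40, "check_policy: adding authorizer [%s]", principal[i]))` prints each principal verbatim, and for pre-shared-key authentication `principal[0]` is the string `passphrase:<recv_key>` built earlier in this function, so the raw PSK is written to the log whenever LOG_POLICY debugging is at level 40 or higher (the MD5/SHA1 hex forms in principal[1] and [2] are also enough to brute-force a weak PSK offline). Suggest redacting the passphrase-derived principals in the debug output and keeping only the key-based ones, as sketched below. The enclosing check_policy starts and ends outside the hunk, so the calloc of `principal` and its free are not visible here.

```c
for (i = 0; i < nprinc; i++) {
	/* Do not leak the pre-shared key (or digests of it) via debug logs. */
	if (strncmp(principal[i], "passphrase", sizeof "passphrase" - 1) == 0)
		LOG_DBG((LOG_POLICY, 40, "check_policy: "
		    "adding authorizer [passphrase-derived, redacted]"));
	else
		LOG_DBG((LOG_POLICY, 40, "check_policy: "
		    "adding authorizer [%s]", principal[i]));
	/* … unchanged: kn_add_authorizer and its rollback loop … */
}
```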
@@ -358,7 +370,8 @@ policydone:
/* Remove the policies */
for (i = 0; i < policy_asserts_num; i++) {
if (keynote_ids[i] != -1)
- kn_remove_assertion(isakmp_sa->policy_id, keynote_ids[i]);
+ kn_remove_assertion(isakmp_sa->policy_id,
+ keynote_ids[i]);
}
if (keynote_ids)
@@ -368,15 +381,17 @@ policydone:
free(x509_ids);
/*
- * XXX Currently, check_policy() is only called from message_negotiate_sa(),
- * and so this log message reflects this. Change to something better?
+ * XXX Currently, check_policy() is only called from
+ * message_negotiate_sa(), and so this log message reflects this.
+ * Change to something better?
*/
if (result == 0)
log_print("check_policy: negotiated SA failed policy check");
/*
* Given that we have only 2 return values from policy (true/false)
- * we can just return the query result directly (no pre-processing needed).
+ * we can just return the query result directly (no pre-processing
+ * needed).
*/
return result;
}
@@ -445,7 +460,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
new_proposal = realloc(proposal,
prop_cnt * sizeof *proposal);
if (!new_proposal) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"realloc (%p, %lu) failed",
proposal,
prop_cnt * (unsigned long)sizeof *proposal);
@@ -456,7 +472,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
new_transforms_len = realloc(transforms_len,
prop_cnt * sizeof *transforms_len);
if (!new_transforms_len) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"realloc (%p, %lu) failed",
transforms_len,
prop_cnt * (unsigned long)sizeof *transforms_len);
@@ -467,7 +484,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
new_transform = realloc(transform,
prop_cnt * sizeof *transform);
if (!new_transform) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"realloc (%p, %lu) failed",
transform,
prop_cnt * (unsigned long)sizeof *transform);
@@ -478,7 +496,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
new_transform_cnt = realloc(transform_cnt,
prop_cnt * sizeof *transform_cnt);
if (!new_transform_cnt) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"realloc (%p, %lu) failed",
transform_cnt,
prop_cnt * (unsigned long)sizeof *transform_cnt);
@@ -489,7 +508,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
new_transform_len = realloc(transform_len,
prop_cnt * sizeof *transform_len);
if (!new_transform_len) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"realloc (%p, %lu) failed",
transform_len,
prop_cnt * (unsigned long)sizeof *transform_len);
@@ -501,7 +521,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
if (!protocol_id)
goto bail_out;
- proto_id = constant_value(ipsec_proto_cst, protocol_id);
+ proto_id = constant_value(ipsec_proto_cst,
+ protocol_id);
switch (proto_id) {
case IPSEC_PROTO_IPSEC_AH:
id_map = ipsec_ah_cst;
@@ -517,13 +538,13 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
default:
{
- log_print("initiator_send_HASH_SA_NONCE: invalid PROTCOL_ID: "
- "%s", protocol_id);
+ log_print("initiator_send_HASH_SA_NONCE: "
+ "invalid PROTCOL_ID: %s", protocol_id);
goto bail_out;
}
}
- /* Now get each transform we offer for this protocol. */
+ /* Now get each transform we offer for this protocol.*/
xf_conf = conf_get_list(prot->field, "Transforms");
if (!xf_conf)
goto bail_out;
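Review bot: The rewrapped comment `/* Now get each transform we offer for this protocol.*/` drops the space before the closing `*/`, which is the only KNF regression in this hunk; it should read `/* Now get each transform we offer for this protocol. */`. The log string on the line above also carries a typo, `invalid PROTCOL_ID`, that could be corrected to `invalid PROTOCOL_ID` in the same pass, since it only affects the log text. initiator_send_HASH_SA_NONCE begins and ends outside the hunk.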
@@ -557,7 +578,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF +
9 * ISAKMP_ATTR_VALUE_OFF, 1);
if (!transform[prop_no][xf_no]) {
- log_error("initiator_send_HASH_SA_NONCE: "
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
"calloc (%d, 1) failed",
ISAKMP_TRANSFORM_SA_ATTRS_OFF +
9 * ISAKMP_ATTR_VALUE_OFF);
@@ -566,114 +588,137 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no],
xf_no + 1);
- transform_id = conf_get_str(xf->field, "TRANSFORM_ID");
+ transform_id = conf_get_str(xf->field,
+ "TRANSFORM_ID");
if (!transform_id)
goto bail_out;
SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no],
constant_value(id_map, transform_id));
SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0);
- attr = transform[prop_no][xf_no] + ISAKMP_TRANSFORM_SA_ATTRS_OFF;
+ attr = transform[prop_no][xf_no] +
+ ISAKMP_TRANSFORM_SA_ATTRS_OFF;
/*
- * Life durations are special, we should be able to specify
- * several, one per type.
+ * Life durations are special, we should be
+ * able to specify several, one per type.
*/
life_conf = conf_get_list(xf->field, "Life");
if (life_conf) {
- for (life = TAILQ_FIRST(&life_conf->fields); life;
+ for (life = TAILQ_FIRST(&life_conf->fields);
+ life;
life = TAILQ_NEXT(life, link)) {
- attribute_set_constant(life->field, "LIFE_TYPE",
- ipsec_duration_cst,
- IPSEC_ATTR_SA_LIFE_TYPE, &attr);
+ attribute_set_constant(
+ life->field, "LIFE_TYPE",
+ ipsec_duration_cst,
+ IPSEC_ATTR_SA_LIFE_TYPE,
+ &attr);
/*
* XXX Deals with 16 and 32
* bit lifetimes only
*/
- value = conf_get_num(life->field, "LIFE_DURATION", 0);
+ value =
+ conf_get_num(life->field,
+ "LIFE_DURATION", 0);
if (value) {
if (value <= 0xffff)
attr =
- attribute_set_basic(attr,
- IPSEC_ATTR_SA_LIFE_DURATION,
- value);
+ attribute_set_basic(
+ attr,
+ IPSEC_ATTR_SA_LIFE_DURATION,
+ value);
else {
value = htonl(value);
attr =
- attribute_set_var(attr,
- IPSEC_ATTR_SA_LIFE_DURATION,
- (u_int8_t *)&value,
- sizeof value);
+ attribute_set_var(
+ attr,
+ IPSEC_ATTR_SA_LIFE_DURATION,
+ (u_int8_t *)&value,
+ sizeof value);
}
}
}
conf_free_list(life_conf);
}
- attribute_set_constant(xf->field, "ENCAPSULATION_MODE",
- ipsec_encap_cst,
+ attribute_set_constant(xf->field,
+ "ENCAPSULATION_MODE", ipsec_encap_cst,
IPSEC_ATTR_ENCAPSULATION_MODE, &attr);
if (proto_id != IPSEC_PROTO_IPCOMP) {
attribute_set_constant(xf->field,
- "AUTHENTICATION_ALGORITHM",
- ipsec_auth_cst,
- IPSEC_ATTR_AUTHENTICATION_ALGORITHM,
- &attr);
+ "AUTHENTICATION_ALGORITHM",
+ ipsec_auth_cst,
+ IPSEC_ATTR_AUTHENTICATION_ALGORITHM,
+ &attr);
- attribute_set_constant(xf->field, "GROUP_DESCRIPTION",
- ike_group_desc_cst,
- IPSEC_ATTR_GROUP_DESCRIPTION, &attr);
+ attribute_set_constant(xf->field,
+ "GROUP_DESCRIPTION",
+ ike_group_desc_cst,
+ IPSEC_ATTR_GROUP_DESCRIPTION, &attr);
- value = conf_get_num(xf->field, "KEY_LENGTH", 0);
+ value = conf_get_num(xf->field,
+ "KEY_LENGTH", 0);
if (value)
- attr = attribute_set_basic(attr, IPSEC_ATTR_KEY_LENGTH,
- value);
+ attr = attribute_set_basic(
+ attr,
+ IPSEC_ATTR_KEY_LENGTH,
+ value);
- value = conf_get_num(xf->field, "KEY_ROUNDS", 0);
+ value = conf_get_num(xf->field,
+ "KEY_ROUNDS", 0);
if (value)
- attr = attribute_set_basic(attr, IPSEC_ATTR_KEY_ROUNDS,
- value);
+ attr = attribute_set_basic(
+ attr,
+ IPSEC_ATTR_KEY_ROUNDS,
+ value);
} else {
- value = conf_get_num(xf->field, "COMPRESS_DICTIONARY_SIZE",
- 0);
+ value = conf_get_num(xf->field,
+ "COMPRESS_DICTIONARY_SIZE", 0);
if (value)
- attr = attribute_set_basic(attr,
- IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE,
- value);
+ attr = attribute_set_basic(
+ attr,
+ IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE,
+ value);
value = conf_get_num(xf->field,
"COMPRESS_PRIVATE_ALGORITHM", 0);
if (value)
- attr = attribute_set_basic(attr,
- IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM,
- value);
+ attr = attribute_set_basic(
+ attr,
+ IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM,
+ value);
}
- value = conf_get_num(xf->field, "ECN_TUNNEL", 0);
+ value = conf_get_num(xf->field, "ECN_TUNNEL",
+ 0);
if (value)
- attr = attribute_set_basic(attr, IPSEC_ATTR_ECN_TUNNEL,
- value);
+ attr = attribute_set_basic(attr,
+ IPSEC_ATTR_ECN_TUNNEL, value);
/* Record the real transform size. */
- transforms_len[prop_no] += (transform_len[prop_no][xf_no]
+ transforms_len[prop_no] +=
+ (transform_len[prop_no][xf_no]
= attr - transform[prop_no][xf_no]);
if (proto_id != IPSEC_PROTO_IPCOMP) {
/*
- * Make sure that if a group description is specified, it is
- * specified for all transforms equally.
+ * Make sure that if a group
+ * description is specified, it is
+ * specified for all transforms
+ * equally.
*/
- attr = (u_int8_t *)conf_get_str(xf->field,
- "GROUP_DESCRIPTION");
+ attr =
+ (u_int8_t *)conf_get_str(xf->field,
+ "GROUP_DESCRIPTION");
new_group_desc
- = attr ? constant_value(ike_group_desc_cst,
- (char *)attr) : 0;
+ = attr ? constant_value(ike_group_desc_cst,
+ (char *)attr) : 0;
if (group_desc == -1)
group_desc = new_group_desc;
else if (group_desc != new_group_desc) {
log_print("initiator_send_HASH_SA_NONCE: "
- "differing group descriptions in a proposal");
+ "differing group descriptions in a proposal");
goto bail_out;
}
}
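Review bot: The attribute region of each transform is sized with a fixed `9 * ISAKMP_ATTR_VALUE_OFF` (previous hunk, L839-L840), but the Life loop at L869-L916 appends one LIFE_TYPE plus one LIFE_DURATION per configured Life entry, and a 32-bit duration goes through attribute_set_var, which presumably needs more than one ISAKMP_ATTR_VALUE_OFF unit. Assuming ISAKMP_ATTR_VALUE_OFF is the size of a basic attribute, two Life entries combined with the optional ENCAPSULATION_MODE, AUTHENTICATION_ALGORITHM, GROUP_DESCRIPTION, KEY_LENGTH, KEY_ROUNDS and ECN_TUNNEL attributes would exceed the nine-unit budget, and nothing checks `attr` against the allocation before the size is recorded at L993-L995. Sizing the calloc from the number of Life entries, or rejecting a transform whose Life list has more entries than the buffer allows before the loop, would make the bound explicit; a comment on the allocation stating what the 9 is for is needed either way. The enclosing function starts and ends outside this hunk.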
@@ -685,18 +730,22 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
* Get SPI from application.
* XXX Should we care about unknown constants?
*/
- protocol_num = constant_value(ipsec_proto_cst, protocol_id);
+ protocol_num = constant_value(ipsec_proto_cst,
+ protocol_id);
spi = doi->get_spi(&spi_sz, protocol_num, msg);
if (spi_sz && !spi) {
- log_print("initiator_send_HASH_SA_NONCE: doi->get_spi failed");
+ log_print("initiator_send_HASH_SA_NONCE: "
+ "doi->get_spi failed");
goto bail_out;
}
proposal_len = ISAKMP_PROP_SPI_OFF + spi_sz;
- proposals_len += proposal_len + transforms_len[prop_no];
+ proposals_len +=
+ proposal_len + transforms_len[prop_no];
proposal[prop_no] = malloc(proposal_len);
if (!proposal[prop_no]) {
- log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)proposal_len);
+ log_error("initiator_send_HASH_SA_NONCE: "
+ "malloc (%lu) failed",
+ (unsigned long)proposal_len);
goto bail_out;
}
SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1);
@@ -705,15 +754,18 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
/* XXX I would like to see this factored out. */
proto = calloc(1, sizeof *proto);
if (!proto) {
- log_error("initiator_send_HASH_SA_NONCE: calloc (1, %lu) "
- "failed", (unsigned long)sizeof *proto);
+ log_error("initiator_send_HASH_SA_NONCE: "
+ "calloc (1, %lu) failed",
+ (unsigned long)sizeof *proto);
goto bail_out;
}
if (doi->proto_size) {
proto->data = calloc(1, doi->proto_size);
if (!proto->data) {
- log_error("initiator_send_HASH_SA_NONCE: calloc (1, %lu) "
- "failed", (unsigned long)doi->proto_size);
+ log_error(
+ "initiator_send_HASH_SA_NONCE: "
+ "calloc (1, %lu) failed",
+ (unsigned long)doi->proto_size);
goto bail_out;
}
}
@@ -723,7 +775,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
proto->xf_cnt = transform_cnt[prop_no];
TAILQ_INIT(&proto->xfs);
for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) {
- pa = (struct proto_attr *)calloc(1, sizeof *pa);
+ pa = (struct proto_attr *)calloc(1,
+ sizeof *pa);
if (!pa)
goto bail_out;
pa->len = transform_len[prop_no][xf_no];
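Review bot: The calloc at L1080-L1081 is the only allocation in this function whose failure path does not call log_error, and the cast of calloc's result is unnecessary in C; `pa = calloc(1, sizeof *pa);` followed by `if (!pa) { log_error("initiator_send_HASH_SA_NONCE: calloc (1, %lu) failed", (unsigned long)sizeof *pa); goto bail_out; }` would match the surrounding error-handling style. The enclosing loop and function continue outside this hunk.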
@@ -732,15 +785,17 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
free(pa);
goto bail_out;
}
- memcpy(pa->attrs, transform[prop_no][xf_no], pa->len);
+ memcpy(pa->attrs, transform[prop_no][xf_no],
+ pa->len);
TAILQ_INSERT_TAIL(&proto->xfs, pa, next);
}
- TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, proto,
- link);
+ TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos,
+ proto, link);
/* Setup the incoming SPI. */
SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz);
- memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi, spi_sz);
+ memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi,
+ spi_sz);
proto->spi_sz[1] = spi_sz;
proto->spi[1] = spi;
@@ -782,10 +837,11 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
update_nextp = 0;
saved_nextp_sa = msg->nextp;
for (i = 0; i < prop_no; i++) {
- if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, proposal[i],
- proposal_len, update_nextp))
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL,
+ proposal[i], proposal_len, update_nextp))
goto bail_out;
- SET_ISAKMP_GEN_LENGTH(proposal[i], proposal_len + transforms_len[i]);
+ SET_ISAKMP_GEN_LENGTH(proposal[i],
+ proposal_len + transforms_len[i]);
proposal[i] = 0;
update_nextp = 0;
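Review bot: The payload loop at L1108-L1116 passes the same `proposal_len` for every proposal, but that variable holds `ISAKMP_PROP_SPI_OFF + spi_sz` for whichever protocol was processed last in the earlier loop (L1038 in the hunk above). If doi->get_spi can return SPIs of different sizes for protocols in one suite — I cannot see get_spi from here, but the per-proposal SPI size is clearly stored via SET_ISAKMP_PROP_SPI_SZ at L1099 — the payload length and the generic length set at L1115-L1116 would be wrong for all but the last proposal. Deriving the length per proposal, e.g. `size_t len = ISAKMP_PROP_SPI_OFF + GET_ISAKMP_PROP_SPI_SZ(proposal[i]);`, and using `len` in both calls removes the dependence. The enclosing function starts and ends outside this hunk.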
@@ -835,8 +891,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
id = ipsec_build_id(local_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "initiator_send_HASH_SA_NONCE: IDic", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
@@ -844,8 +900,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
id = ipsec_build_id(remote_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "initiator_send_HASH_SA_NONCE: IDrc", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
@@ -877,8 +933,9 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
id = calloc(sz, sizeof(char));
if (!id) {
- log_error("initiator_send_HASH_SA_NONCE: calloc (%lu, %lu) failed",
- (unsigned long)sz, (unsigned long)sizeof(char));
+ log_error("initiator_send_HASH_SA_NONCE: "
+ "calloc (%lu, %lu) failed", (unsigned long)sz,
+ (unsigned long)sizeof(char));
return -1;
}
switch (src->sa_family) {
@@ -889,16 +946,16 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR);
break;
default:
- log_error("initiator_send_HASH_SA_NONCE: unknown sa_family %d",
- src->sa_family);
+ log_error("initiator_send_HASH_SA_NONCE: "
+ "unknown sa_family %d", src->sa_family);
free(id);
return -1;
}
memcpy(id + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src),
sockaddr_addrlen(src));
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "initiator_send_HASH_SA_NONCE: IDic", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
@@ -907,8 +964,8 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
id = ipsec_build_id(remote_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "initiator_send_HASH_SA_NONCE: IDrc", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
@@ -937,7 +994,8 @@ bail_out:
if (proposal[i])
free(proposal[i]);
if (transform[i]) {
- for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++)
+ for (xf_no = 0; xf_no < transform_cnt[i];
+ xf_no++)
if (transform[i][xf_no])
free(transform[i][xf_no]);
free(transform[i]);
@@ -969,8 +1027,10 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
struct proto *proto, *next_proto;
struct payload *sa_p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_SA]);
struct payload *xf, *idp;
- struct payload *hashp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
- struct payload *kep = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_KEY_EXCH]);
+ struct payload *hashp =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ struct payload *kep =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_KEY_EXCH]);
struct prf *prf;
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_sa *isa = isakmp_sa->data;
@@ -981,42 +1041,46 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
struct sockaddr *src, *dst;
/* Allocate the prf and start calculating our HASH(1). XXX Share? */
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: SKEYID_a",
- (u_int8_t *)isa->skeyid_a, isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "
+ "SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
return -1;
prf->Init(prf->prfctx);
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "initiator_recv_HASH_SA_NONCE: message_id",
- exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: NONCE_I_b",
- exchange->nonce_i, exchange->nonce_i_len));
+ "initiator_recv_HASH_SA_NONCE: message_id",
+ exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "
+ "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len));
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p);
rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base)
- - (rest - (u_int8_t *)msg->iov[0].iov_base));
+ - (rest - (u_int8_t *)msg->iov[0].iov_base));
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest,
- rest_len));
+ "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest,
+ rest_len));
prf->Update(prf->prfctx, rest, rest_len);
prf->Final(hash->digest, prf->prfctx);
prf_free(prf);
LOG_DBG_BUF((LOG_NEGOTIATION, 80,
- "initiator_recv_HASH_SA_NONCE: computed HASH(2)",
- hash->digest, hashsize));
- if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize) != 0) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ "initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest,
+ hashsize));
+ if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize)
+ != 0) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1,
+ 0);
return -1;
}
/* Mark the HASH as handled. */
hashp->flags |= PL_MARK;
/*
- * As we are getting an answer on our transform offer, only one transform
- * should be given.
+ * As we are getting an answer on our transform offer, only one
+ * transform should be given.
*
* XXX Currently we only support negotiating one SA per quick mode run.
*/
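Review bot: The HASH(2) check at L1251-L1252 compares the peer-supplied hash with the computed one using memcmp, whose early exit leaks through timing how many leading bytes matched; the same pattern is in responder_recv_HASH_SA_NONCE at L1581-L1582 for HASH(1). A constant-time comparison — OpenBSD's timingsafe_bcmp, or a local helper that ORs the byte differences — should be used for authenticator checks, and a comment on the line should say why. The rest_len arithmetic at L1233-L1235 also relies on the header length field having been validated earlier; that validation is outside this hunk, so I am flagging rather than asserting it. initiator_recv_HASH_SA_NONCE starts and ends outside this hunk.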
@@ -1037,38 +1101,39 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
/* If IDci is there, IDcr must be too. */
if (!TAILQ_NEXT(idp, link)) {
/* XXX Is this a good notify type? */
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0,
+ 1, 0);
return -1;
}
/* XXX We should really compare, not override. */
ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
ie->id_ci = malloc(ie->id_ci_sz);
if (!ie->id_ci) {
- log_error("initiator_recv_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)ie->id_ci_sz);
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "malloc (%lu) failed",
+ (unsigned long)ie->id_ci_sz);
return -1;
}
memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
idp->flags |= PL_MARK;
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "initiator_recv_HASH_SA_NONCE: IDci",
- ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz
- - ISAKMP_GEN_SZ));
+ "initiator_recv_HASH_SA_NONCE: IDci",
+ ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ));
idp = TAILQ_NEXT(idp, link);
ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
ie->id_cr = malloc(ie->id_cr_sz);
if (!ie->id_cr) {
- log_error("initiator_recv_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)ie->id_cr_sz);
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "malloc (%lu) failed",
+ (unsigned long)ie->id_cr_sz);
return -1;
}
memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
idp->flags |= PL_MARK;
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "initiator_recv_HASH_SA_NONCE: IDcr",
- ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz
- - ISAKMP_GEN_SZ));
+ "initiator_recv_HASH_SA_NONCE: IDcr",
+ ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ));
} else {
/*
* If client identifiers are not present in the exchange,
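Review bot: When the id_cr malloc at L1297 fails (L1298-L1305), the function returns with ie->id_ci still allocated and set, whereas the else-branch in the next hunks frees ie->id_ci and resets it to 0 on its own error paths (L1326-L1328, L1336-L1338); unless exchange teardown reclaims ie->id_ci — not visible here — the first path leaks it. Adding `free(ie->id_ci); ie->id_ci = 0;` before the `return -1;` at L1304 keeps the two branches consistent. The XXX at L1276 also still stands: the IDs the responder sends back overwrite the initiator's own without being compared to what was proposed, which is worth keeping visible in the code until resolved. initiator_recv_HASH_SA_NONCE starts and ends outside this hunk.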
@@ -1093,8 +1158,10 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
if (!ie->id_ci || !ie->id_cr) {
- log_error("initiator_recv_HASH_SA_NONCE: calloc (%lu, %lu) failed",
- (unsigned long)ie->id_cr_sz, (unsigned long)sizeof(char));
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "calloc (%lu, %lu) failed",
+ (unsigned long)ie->id_cr_sz,
+ (unsigned long)sizeof(char));
if (ie->id_ci) {
free(ie->id_ci);
ie->id_ci = 0;
@@ -1106,7 +1173,8 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
return -1;
}
if (src->sa_family != dst->sa_family) {
- log_error("initiator_recv_HASH_SA_NONCE: sa_family mismatch");
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "sa_family mismatch");
free(ie->id_ci);
ie->id_ci = 0;
free(ie->id_cr);
@@ -1125,8 +1193,8 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
break;
default:
- log_error("initiator_recv_HASH_SA_NONCE: unknown sa_family %d",
- src->sa_family);
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "unknown sa_family %d", src->sa_family);
free(ie->id_ci);
ie->id_ci = 0;
free(ie->id_cr);
@@ -1144,8 +1212,8 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
xf = TAILQ_NEXT(xf, link)) {
/*
- * XXX We could check that the proposal each transform belongs to
- * is unique.
+ * XXX We could check that the proposal each transform
+ * belongs to is unique.
*/
if (sa_add_transform(sa, xf, exchange->initiator, &proto))
@@ -1175,8 +1243,9 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
sa_p->flags |= PL_MARK;
isa = sa->data;
- if ((isa->group_desc && (!ie->group || ie->group->id != isa->group_desc))
- || (!isa->group_desc && ie->group)) {
+ if ((isa->group_desc &&
+ (!ie->group || ie->group->id != isa->group_desc)) ||
+ (!isa->group_desc && ie->group)) {
log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS");
return -1;
}
@@ -1214,31 +1283,33 @@ initiator_send_HASH(struct message *msg)
return -1;
}
if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf,
- ISAKMP_HASH_SZ + hashsize, 1)) {
+ ISAKMP_HASH_SZ + hashsize, 1)) {
free(buf);
return -1;
}
/* Allocate the prf and start calculating our HASH(3). XXX Share? */
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
+ prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
return -1;
prf->Init(prf->prfctx);
prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id",
- exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+ exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b",
- exchange->nonce_i, exchange->nonce_i_len));
+ exchange->nonce_i, exchange->nonce_i_len));
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b",
- exchange->nonce_r, exchange->nonce_r_len));
+ exchange->nonce_r, exchange->nonce_r_len));
prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
prf->Final(buf + ISAKMP_GEN_SZ, prf->prfctx);
prf_free(prf);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)",
- buf + ISAKMP_GEN_SZ, hashsize));
+ buf + ISAKMP_GEN_SZ, hashsize));
if (ie->group)
message_register_post_send(msg, gen_g_xy);
@@ -1266,7 +1337,8 @@ post_quick_mode(struct message *msg)
* Loop over all SA negotiations and do both an in- and an outgoing SA
* per protocol.
*/
- for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = TAILQ_NEXT(sa, next)) {
+ for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
+ sa = TAILQ_NEXT(sa, next)) {
for (proto = TAILQ_FIRST(&sa->protos); proto;
proto = TAILQ_NEXT(proto, link)) {
if (proto->proto == IPSEC_PROTO_IPCOMP)
@@ -1275,11 +1347,12 @@ post_quick_mode(struct message *msg)
iproto = proto->data;
/*
- * There are two SAs for each SA negotiation, incoming and outcoing.
+ * There are two SAs for each SA negotiation,
+ * incoming and outcoing.
*/
for (i = 0; i < 2; i++) {
- prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_d,
- isa->skeyid_len);
+ prf = prf_alloc(isa->prf_type, isa->hash,
+ isa->skeyid_d, isa->skeyid_len);
if (!prf) {
/* XXX What to do? */
continue;
@@ -1287,18 +1360,20 @@ post_quick_mode(struct message *msg)
ie->keymat_len = ipsec_keymat_length(proto);
/*
- * We need to roundup the length of the key material buffer
- * to a multiple of the PRF's blocksize as it is generated
- * in chunks of that blocksize.
+ * We need to roundup the length of the key
+ * material buffer to a multiple of the PRF's
+ * blocksize as it is generated in chunks of
+ * that blocksize.
*/
iproto->keymat[i]
= malloc(((ie->keymat_len + prf->blocksize - 1)
/ prf->blocksize) * prf->blocksize);
if (!iproto->keymat[i]) {
- log_error("post_quick_mode: malloc (%lu) failed",
- (((unsigned long)ie->keymat_len +
- prf->blocksize - 1) / prf->blocksize) *
- prf->blocksize);
+ log_error("post_quick_mode: "
+ "malloc (%lu) failed",
+ (((unsigned long)ie->keymat_len +
+ prf->blocksize - 1) / prf->blocksize) *
+ prf->blocksize);
/* XXX What more to do? */
free(prf);
continue;
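Review bot: The malloc failure path at L1448-L1460 releases the PRF with a bare `free(prf)` (L1459), while every other release in this file uses `prf_free(prf)` (e.g. L1533 below, L1243 above); if prf_alloc sets up a separate prf->prfctx, as the calls to prf->Init(prf->prfctx) suggest, this path leaks it. Replace it with `prf_free(prf);`. More generally, both this path and the prf_alloc failure in the previous hunk (L1431-L1433) `continue` with only an XXX, leaving iproto->keymat[i] unset for that SA while the exchange proceeds; a log_error and a way for the caller to learn that keying failed would be preferable. post_quick_mode starts and ends outside this hunk.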
@@ -1313,49 +1388,63 @@ post_quick_mode(struct message *msg)
* Hash in last round's
* KEYMAT.
*/
- LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "post_quick_mode: last KEYMAT",
+ LOG_DBG_BUF((LOG_NEGOTIATION,
+ 90, "post_quick_mode: "
+ "last KEYMAT",
keymat - prf->blocksize,
- prf->blocksize));
- prf->Update(prf->prfctx, keymat - prf->blocksize,
- prf->blocksize);
+ prf->blocksize));
+ prf->Update(prf->prfctx,
+ keymat - prf->blocksize,
+ prf->blocksize);
}
/* If PFS is used hash in g^xy. */
if (ie->g_xy) {
- LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "post_quick_mode: g^xy", ie->g_xy,
- ie->g_x_len));
- prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len);
+ LOG_DBG_BUF((LOG_NEGOTIATION,
+ 90, "post_quick_mode: "
+ "g^xy", ie->g_xy,
+ ie->g_x_len));
+ prf->Update(prf->prfctx,
+ ie->g_xy, ie->g_x_len);
}
LOG_DBG((LOG_NEGOTIATION, 90,
- "post_quick_mode: suite %d proto %d", proto->no,
- proto->proto));
- prf->Update(prf->prfctx, &proto->proto, 1);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "post_quick_mode: SPI",
- proto->spi[i], proto->spi_sz[i]));
- prf->Update(prf->prfctx, proto->spi[i], proto->spi_sz[i]);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b",
- exchange->nonce_i, exchange->nonce_i_len));
- prf->Update(prf->prfctx, exchange->nonce_i,
- exchange->nonce_i_len);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b",
- exchange->nonce_r, exchange->nonce_r_len));
- prf->Update(prf->prfctx, exchange->nonce_r,
- exchange->nonce_r_len);
+ "post_quick_mode: "
+ "suite %d proto %d", proto->no,
+ proto->proto));
+ prf->Update(prf->prfctx, &proto->proto,
+ 1);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "post_quick_mode: SPI",
+ proto->spi[i], proto->spi_sz[i]));
+ prf->Update(prf->prfctx,
+ proto->spi[i], proto->spi_sz[i]);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "post_quick_mode: Ni_b",
+ exchange->nonce_i,
+ exchange->nonce_i_len));
+ prf->Update(prf->prfctx,
+ exchange->nonce_i,
+ exchange->nonce_i_len);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "post_quick_mode: Nr_b",
+ exchange->nonce_r,
+ exchange->nonce_r_len));
+ prf->Update(prf->prfctx,
+ exchange->nonce_r,
+ exchange->nonce_r_len);
prf->Final(keymat, prf->prfctx);
}
prf_free(prf);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT",
- iproto->keymat[i], ie->keymat_len));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "post_quick_mode: KEYMAT",
+ iproto->keymat[i], ie->keymat_len));
}
}
}
log_verbose("isakmpd: quick mode done: %s",
- !msg->isakmp_sa || !msg->isakmp_sa->transport
- ? "<no transport>"
- : msg->isakmp_sa->transport->vtbl->decode_ids
- (msg->isakmp_sa->transport));
+ !msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>"
+ : msg->isakmp_sa->transport->vtbl->decode_ids
+ (msg->isakmp_sa->transport));
}
/*
@@ -1403,16 +1492,18 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
* Check the payload's integrity.
* XXX Share with ipsec_fill_in_hash?
*/
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: SKEYID_a",
- isa->skeyid_a, isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: "
+ "SKEYID_a", isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
goto cleanup;
prf->Init(prf->prfctx);
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: message after HASH",
hash + hash_len,
@@ -1424,8 +1515,10 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash,
hash_len - ISAKMP_GEN_SZ));
- if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ)
+ != 0) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0,
+ 1, 0);
goto cleanup;
}
free(my_hash);
@@ -1444,37 +1537,38 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
/* If IDci is there, IDcr must be too. */
if (!TAILQ_NEXT(idp, link)) {
/* XXX Is this a good notify type? */
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0,
+ 1, 0);
goto cleanup;
}
ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
ie->id_ci = malloc(ie->id_ci_sz);
if (!ie->id_ci) {
- log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)ie->id_ci_sz);
+ log_error("responder_recv_HASH_SA_NONCE: "
+ "malloc (%lu) failed",
+ (unsigned long)ie->id_ci_sz);
goto cleanup;
}
memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
idp->flags |= PL_MARK;
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "responder_recv_HASH_SA_NONCE: IDci",
- ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz
- - ISAKMP_GEN_SZ));
+ "responder_recv_HASH_SA_NONCE: IDci",
+ ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ));
idp = TAILQ_NEXT(idp, link);
ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
ie->id_cr = malloc(ie->id_cr_sz);
if (!ie->id_cr) {
- log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)ie->id_cr_sz);
+ log_error("responder_recv_HASH_SA_NONCE: "
+ "malloc (%lu) failed",
+ (unsigned long)ie->id_cr_sz);
goto cleanup;
}
memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
idp->flags |= PL_MARK;
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
- "responder_recv_HASH_SA_NONCE: IDcr",
- ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz
- - ISAKMP_GEN_SZ));
+ "responder_recv_HASH_SA_NONCE: IDcr",
+ ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ));
} else {
/*
* If client identifiers are not present in the exchange,
@@ -1499,12 +1593,15 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
if (!ie->id_ci || !ie->id_cr) {
- log_error("responder_recv_HASH_SA_NONCE: calloc (%lu, %lu) failed",
- (unsigned long)ie->id_ci_sz, (unsigned long)sizeof(char));
+ log_error("responder_recv_HASH_SA_NONCE: "
+ "calloc (%lu, %lu) failed",
+ (unsigned long)ie->id_ci_sz,
+ (unsigned long)sizeof(char));
goto cleanup;
}
if (src->sa_family != dst->sa_family) {
- log_error("initiator_recv_HASH_SA_NONCE: sa_family mismatch");
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "sa_family mismatch");
goto cleanup;
}
switch (src->sa_family) {
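Review bot: The log messages at L1650-L1651 and, in the next hunk, L1660-L1661 name `initiator_recv_HASH_SA_NONCE` although they are inside responder_recv_HASH_SA_NONCE (see the hunk header), so a reported sa_family problem would point an operator at the wrong function. Since the strings are being rewrapped anyway, change both prefixes to `"responder_recv_HASH_SA_NONCE: "`. The enclosing function starts and ends outside this hunk.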
@@ -1519,8 +1616,8 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
break;
default:
- log_error("initiator_recv_HASH_SA_NONCE: unknown sa_family %d",
- src->sa_family);
+ log_error("initiator_recv_HASH_SA_NONCE: "
+ "unknown sa_family %d", src->sa_family);
goto cleanup;
}
@@ -1543,19 +1640,23 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
goto cleanup;
#endif /* USE_POLICY */
- for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = TAILQ_NEXT(sa, next)) {
+ for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
+ sa = TAILQ_NEXT(sa, next)) {
for (proto = TAILQ_FIRST(&sa->protos); proto;
proto = TAILQ_NEXT(proto, link)) {
/*
* XXX we need to have some attributes per proto, not
* all per SA.
*/
- ipsec_decode_transform(msg, sa, proto, proto->chosen->p);
+ ipsec_decode_transform(msg, sa, proto,
+ proto->chosen->p);
if (proto->proto == IPSEC_PROTO_IPSEC_AH
&& !((struct ipsec_proto *)proto->data)->auth) {
log_print("responder_recv_HASH_SA_NONCE: "
- "AH proposed without an algorithm attribute");
- message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ "AH proposed without an algorithm "
+ "attribute");
+ message_drop(msg,
+ ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
goto next_sa;
}
}
@@ -1569,8 +1670,10 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
if (kep) {
if (!isa->group_desc) {
log_print("responder_recv_HASH_SA_NONCE: "
- "KEY_EXCH payload without a group desc. attribute");
- message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ "KEY_EXCH payload without a group "
+ "desc. attribute");
+ message_drop(msg,
+ ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
continue;
}
/* Also, all SAs must have equal groups. */
@@ -1579,7 +1682,8 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
else if (group_desc != isa->group_desc) {
log_print("responder_recv_HASH_SA_NONCE: "
"differing group descriptions in one QM");
- message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ message_drop(msg,
+ ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
continue;
}
}
@@ -1587,16 +1691,17 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
retval = 0;
next_sa:
- ; /* XXX gcc3 wants this. */
+ ; /* XXX gcc3 wants this. */
}
if (kep) {
ie->group = group_get(group_desc);
if (!ie->group) {
/*
- * XXX If the error was due to an out-of-range group description
- * we should notify our peer, but this should probably be done
- * by the attribute validation. Is it?
+ * XXX If the error was due to an out-of-range group
+ * description we should notify our peer, but this
+ * should probably be done by the attribute
+ * validation. Is it?
*/
goto cleanup;
}
@@ -1621,16 +1726,16 @@ next_sa:
if (name) {
exchange->name = strdup(name);
if (!exchange->name) {
- log_error("responder_recv_HASH_SA_NONCE: strdup (\"%s\") failed",
- name);
+ log_error("responder_recv_HASH_SA_NONCE: "
+ "strdup (\"%s\") failed", name);
goto cleanup;
}
}
#if !defined (USE_POLICY) && !defined (USE_KEYNOTE)
else {
/*
- * This code is no longer necessary, as policy determines acceptance
- * of IDs/SAs. (angelos@openbsd.org)
+ * This code is no longer necessary, as policy determines
+ * acceptance of IDs/SAs. (angelos@openbsd.org)
*
* XXX Keep it if not USE_POLICY for now, though.
*/
@@ -1644,7 +1749,8 @@ next_sa:
cleanup:
/* Remove all potential protocols that have been added to the SAs. */
- for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = TAILQ_NEXT(sa, next))
+ for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
+ sa = TAILQ_NEXT(sa, next))
while ((proto = TAILQ_FIRST(&sa->protos)) != 0)
proto_free(proto);
if (my_hash)
@@ -1694,7 +1800,7 @@ responder_send_HASH_SA_NONCE(struct message *msg)
free(buf);
return -1;
}
- /* Add the SA payload(s) with the transform(s) that was/were chosen. */
+ /* Add the SA payload(s) with the transform(s) that was/were chosen. */
if (message_add_sa_payload(msg))
return -1;
@@ -1714,13 +1820,13 @@ responder_send_HASH_SA_NONCE(struct message *msg)
sz = ie->id_ci_sz;
id = malloc(sz);
if (!id) {
- log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)sz);
+ log_error("responder_send_HASH_SA_NONCE: "
+ "malloc (%lu) failed", (unsigned long)sz);
return -1;
}
memcpy(id, ie->id_ci, sz);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDic",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "responder_send_HASH_SA_NONCE: IDic", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
@@ -1728,33 +1834,35 @@ responder_send_HASH_SA_NONCE(struct message *msg)
sz = ie->id_cr_sz;
id = malloc(sz);
if (!id) {
- log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed",
- (unsigned long)sz);
+ log_error("responder_send_HASH_SA_NONCE: "
+ "malloc (%lu) failed", (unsigned long)sz);
return -1;
}
memcpy(id, ie->id_cr, sz);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDrc",
- id, sz));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90,
+ "responder_send_HASH_SA_NONCE: IDrc", id, sz));
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
free(id);
return -1;
}
}
/* Allocate the prf and start calculating our HASH(2). XXX Share? */
- LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: isakmp_sa %p isa %p",
- isakmp_sa, isa));
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: SKEYID_a",
- isa->skeyid_a, isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
+ LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "
+ "isakmp_sa %p isa %p", isakmp_sa, isa));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "
+ "SKEYID_a", isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
return -1;
prf->Init(prf->prfctx);
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
"responder_send_HASH_SA_NONCE: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: NONCE_I_b",
- exchange->nonce_i, exchange->nonce_i_len));
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
+ LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "
+ "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len));
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
/* Loop over all payloads after HASH(2). */
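Review bot: The debug tag at L1816 still reads `responder_recv_HASH:` although the call sits in responder_send_HASH_SA_NONCE (the hunk header and the neighbouring LOG_DBG_BUF tags both say so); the re-wrap preserved a copy-paste label that points a log reader at the wrong function. Changing the first literal to `"responder_send_HASH_SA_NONCE: "` fixes it without touching the line layout. responder_send_HASH_SA_NONCE begins and ends outside this hunk.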
@@ -1765,12 +1873,13 @@ responder_send_HASH_SA_NONCE(struct message *msg)
i - 1);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base,
msg->iov[i].iov_len));
- prf->Update(prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len);
+ prf->Update(prf->prfctx, msg->iov[i].iov_base,
+ msg->iov[i].iov_len);
}
prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx);
prf_free(prf);
- snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: HASH_%c",
- initiator ? 'I' : 'R');
+ snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: "
+ "HASH_%c", initiator ? 'I' : 'R');
LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF,
hashsize));
@@ -1789,7 +1898,8 @@ gen_g_xy(struct message *msg)
/* Compute Diffie-Hellman shared value. */
ie->g_xy = malloc(ie->g_x_len);
if (!ie->g_xy) {
- log_error("gen_g_xy: malloc (%lu) failed", (unsigned long)ie->g_x_len);
+ log_error("gen_g_xy: malloc (%lu) failed",
+ (unsigned long)ie->g_x_len);
return;
}
if (dh_create_shared(ie->group, ie->g_xy,
@@ -1797,7 +1907,8 @@ gen_g_xy(struct message *msg)
log_print("gen_g_xy: dh_create_shared failed");
return;
}
- LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, ie->g_x_len));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy,
+ ie->g_x_len));
}
static int
@@ -1823,18 +1934,20 @@ responder_recv_HASH(struct message *msg)
goto cleanup;
}
/* Allocate the prf and start calculating our HASH(3). XXX Share? */
- LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: isakmp_sa %p isa %p",
- isakmp_sa, isa));
+ LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "
+ "isakmp_sa %p isa %p", isakmp_sa, isa));
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
+ prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
goto cleanup;
prf->Init(prf->prfctx);
prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
@@ -1846,8 +1959,10 @@ responder_recv_HASH(struct message *msg)
LOG_DBG_BUF((LOG_NEGOTIATION, 90,
"responder_recv_HASH: computed HASH(3)", my_hash,
hash_len - ISAKMP_GEN_SZ));
- if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ)
+ != 0) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0,
+ 1, 0);
goto cleanup;
}
free(my_hash);
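Review bot: The HASH(3) check at L1903 compares the peer-supplied hash with memcmp, which stops at the first differing byte, so in principle the time to reach message_drop reveals how many leading bytes matched the expected value. Authenticator comparisons are normally done with a constant-time routine, such as timingsafe_bcmp where the libc provides one, and the compare in message_validate_hash (L2514) has the same property. responder_recv_HASH begins and ends outside this hunk.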
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 614689e2dc6..62dbfabf690 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.93 2004/06/10 12:54:53 hshoexer Exp $ */
+/* $OpenBSD: ipsec.c,v 1.94 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -94,7 +94,8 @@ static int addr_cmp(const void *, const void *);
static int ipsec_add_contact(struct message *);
static int ipsec_contacted(struct message *);
#ifdef USE_DEBUG
-static int ipsec_debug_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
+static int ipsec_debug_attribute(u_int16_t, u_int8_t *, u_int16_t,
+ void *);
#endif
static void ipsec_delete_spi(struct sa *, struct proto *, int);
static int16_t *ipsec_exchange_script(u_int8_t);
@@ -105,7 +106,7 @@ static void ipsec_free_sa_data(void *);
static struct keystate *ipsec_get_keystate(struct message *);
static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *);
static int ipsec_handle_leftover_payload(struct message *, u_int8_t,
- struct payload *);
+ struct payload *);
static int ipsec_informational_post_hook(struct message *);
static int ipsec_informational_pre_hook(struct message *);
static int ipsec_initiator(struct message *);
@@ -116,10 +117,10 @@ static int ipsec_set_network(u_int8_t *, u_int8_t *, struct ipsec_sa *);
static size_t ipsec_situation_size(void);
static u_int8_t ipsec_spi_size(u_int8_t);
static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
- void *);
+ void *);
static int ipsec_validate_exchange(u_int8_t);
static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
- size_t, struct exchange *);
+ size_t, struct exchange *);
static int ipsec_validate_key_information(u_int8_t *, size_t);
static int ipsec_validate_notification(u_int16_t);
static int ipsec_validate_proto(u_int8_t);
@@ -333,8 +334,10 @@ ipsec_finalize_exchange(struct message *msg)
*/
if (ipsec_set_network(ie->id_ci,
ie->id_cr, isa)) {
- log_print("ipsec_finalize_exchange: "
- "ipsec_set_network failed");
+ log_print(
+ "ipsec_finalize_exchange: "
+ "ipsec_set_network "
+ "failed");
return;
}
} else {
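Review bot: The new log_print at L1957-1960 cuts the logged text mid-phrase into `"ipsec_set_network " "failed"`, so a maintainer grepping the source for the message that appears in the log, `ipsec_set_network failed`, no longer finds it; the second call at L1970-1973 does the same. Breaking only after the function-name prefix keeps the message intact: `log_print(` / `"ipsec_finalize_exchange: "` / `"ipsec_set_network failed");`. The same consideration applies to the other re-wrapped messages in this commit where a break falls inside the human-readable part rather than after the prefix.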
@@ -344,8 +347,10 @@ ipsec_finalize_exchange(struct message *msg)
*/
if (ipsec_set_network(ie->id_cr,
ie->id_ci, isa)) {
- log_print("ipsec_finalize_exchange: "
- "ipsec_set_network failed");
+ log_print(
+ "ipsec_finalize_exchange: "
+ "ipsec_set_network "
+ "failed");
return;
}
}
@@ -506,7 +511,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
break;
}
- memcpy(&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
+ memcpy(&isa->sport,
+ src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
IPSEC_ID_PORT_LEN);
/* Set destination address. */
@@ -576,7 +582,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF +
IPSEC_ID_PROTO_OFF, IPSEC_ID_PROTO_LEN);
- memcpy(&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
+ memcpy(&isa->dport,
+ dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
IPSEC_ID_PORT_LEN);
return 0;
@@ -1624,8 +1631,8 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
* disappear too.
*/
msg->transport->vtbl->get_dst(msg->transport, &dst);
- while ((sa = sa_lookup_by_peer(dst, sysdep_sa_len(dst)))
- != 0) {
+ while ((sa = sa_lookup_by_peer(dst,
+ sysdep_sa_len(dst))) != 0) {
/*
* Don't delete the current SA -- we received
* the notification over it, so it's obviously
@@ -2134,8 +2141,9 @@ ipsec_add_contact(struct message *msg)
cnt = contact_limit ? 2 * contact_limit : 64;
new_contacts = realloc(contacts, cnt * sizeof contacts[0]);
if (!new_contacts) {
- log_error("ipsec_add_contact: realloc (%p, %lu) failed",
- contacts, cnt * (unsigned long) sizeof contacts[0]);
+ log_error("ipsec_add_contact: "
+ "realloc (%p, %lu) failed", contacts,
+ cnt * (unsigned long) sizeof contacts[0]);
return -1;
}
contact_limit = cnt;
@@ -2303,8 +2311,8 @@ ipsec_id_size(char *section, u_int8_t *id)
case IPSEC_ID_DER_ASN1_GN:
data = conf_get_str(section, "Name");
if (!data) {
- log_print("ipsec_id_size: section %s has no \"Name\" tag",
- section);
+ log_print("ipsec_id_size: "
+ "section %s has no \"Name\" tag", section);
return -1;
}
return strlen(data);
diff --git a/sbin/isakmpd/isakmp_cfg.c b/sbin/isakmpd/isakmp_cfg.c
index 1ad29b93ee0..327b007291f 100644
--- a/sbin/isakmpd/isakmp_cfg.c
+++ b/sbin/isakmpd/isakmp_cfg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_cfg.c,v 1.30 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: isakmp_cfg.c,v 1.31 2004/06/14 09:55:41 ho Exp $ */
/*
* Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
@@ -66,7 +66,7 @@ int16_t script_transaction[] = {
static int cfg_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
static int cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t,
- u_int32_t, char *, u_int8_t **, u_int16_t *);
+ u_int32_t, char *, u_int8_t **, u_int16_t *);
static int cfg_initiator_send_ATTR(struct message *);
static int cfg_initiator_recv_ATTR(struct message *);
static int cfg_responder_recv_ATTR(struct message *);
@@ -74,7 +74,7 @@ static int cfg_responder_send_ATTR(struct message *);
u_int8_t *cfg_add_hash(struct message *);
int cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *,
- u_int16_t);
+ u_int16_t);
int cfg_verify_hash(struct message *);
/* Server: SET/ACK Client; REQ/REPLY */
@@ -276,7 +276,8 @@ cfg_initiator_send_ATTR(struct message *msg)
}
/* All the other are similar, this is the odd one. */
if (bit == ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY) {
- life = conf_get_num(id_string, "Lifetime", 1200);
+ life = conf_get_num(id_string, "Lifetime",
+ 1200);
SET_ISAKMP_ATTR_LENGTH_VALUE(attr, 4);
encode_32(attr + ISAKMP_ATTR_VALUE_OFF, life);
off += ISAKMP_ATTR_SZ + 4;
@@ -372,14 +373,16 @@ cfg_initiator_recv_ATTR(struct message *msg)
/* Sanity. */
if (ie->cfg_id != GET_ISAKMP_ATTRIBUTE_ID(attrp->p)) {
- log_print("cfg_initiator_recv_ATTR: cfg packet ID does not match!");
+ log_print("cfg_initiator_recv_ATTR: "
+ "cfg packet ID does not match!");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
return -1;
}
switch (attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]) {
case ISAKMP_CFG_ACK:
if (ie->cfg_type != ISAKMP_CFG_SET) {
- log_print("cfg_initiator_recv_ATTR: bad packet type ACK");
+ log_print("cfg_initiator_recv_ATTR: "
+ "bad packet type ACK");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
0, 1, 0);
return -1;
@@ -387,7 +390,8 @@ cfg_initiator_recv_ATTR(struct message *msg)
break;
case ISAKMP_CFG_REPLY:
if (ie->cfg_type != ISAKMP_CFG_REQUEST) {
- log_print("cfg_initiator_recv_ATTR: bad packet type REPLY");
+ log_print("cfg_initiator_recv_ATTR: "
+ "bad packet type REPLY");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
0, 1, 0);
return -1;
@@ -408,7 +412,8 @@ cfg_initiator_recv_ATTR(struct message *msg)
switch (ie->cfg_type) {
case ISAKMP_CFG_ACK: {
/* SET/ACK -- Server side (ACK from client) */
- msg->transport->vtbl->get_src(isakmp_sa->transport, &sa);
+ msg->transport->vtbl->get_src(isakmp_sa->transport,
+ &sa);
if (sockaddr2text(sa, &addr, 0) < 0)
addr = (char *) uk_addr;
@@ -430,7 +435,8 @@ cfg_initiator_recv_ATTR(struct message *msg)
* REQ/REPLY: effect attributes we've gotten
* responses on.
*/
- msg->transport->vtbl->get_src(isakmp_sa->transport, &sa);
+ msg->transport->vtbl->get_src(isakmp_sa->transport,
+ &sa);
if (sockaddr2text(sa, &addr, 0) < 0)
addr = (char *) uk_addr;
@@ -502,7 +508,8 @@ cfg_responder_recv_ATTR(struct message *msg)
/* SET/ACK -- Client side (SET from server) */
const char *uk_addr = "<unknown>";
- msg->transport->vtbl->get_dst(isakmp_sa->transport, &sa);
+ msg->transport->vtbl->get_dst(isakmp_sa->transport,
+ &sa);
if (sockaddr2text(sa, &addr, 0) < 0)
addr = (char *) uk_addr;
@@ -630,7 +637,8 @@ cfg_finalize_hash(struct message *msg, u_int8_t *hashp, u_int8_t *data,
int
cfg_verify_hash(struct message *msg)
{
- struct payload *hashp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ struct payload *hashp =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
struct ipsec_sa *isa = msg->isakmp_sa->data;
struct prf *prf;
u_int8_t *hash, *comp_hash;
@@ -759,7 +767,7 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
break;
case ISAKMP_CFG_ATTR_APPLICATION_VERSION:
- /* XXX So far no version identifier of isakmpd here. */
+ /* XXX So far no version identifier of isakmpd here. */
attr->length = 0;
break;
@@ -885,7 +893,8 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
"attribute %s - expected %s got %s data",
field,
(family == AF_INET ? "IPv4" : "IPv6"),
- (sa->sa_family == AF_INET ? "IPv4" : "IPv6"));
+ (sa->sa_family ==
+ AF_INET ? "IPv4" : "IPv6"));
free(sa);
attr->length = 0;
break;
@@ -902,7 +911,8 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
free(sa);
/* _SUBNET types need some extra work. */
- if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) {
+ if (attr->type ==
+ ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) {
sa = conf_get_address(id_string, "Netmask");
if (!sa) {
LOG_DBG((LOG_NEGOTIATION, 10,
@@ -936,8 +946,8 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
break;
} else if (prefix < -1 || prefix > 128) {
log_print("cfg_responder_send_ATTR: "
- "attribute Prefix - invalid value %d",
- prefix);
+ "attribute Prefix - invalid "
+ "value %d", prefix);
attr->length = 0;
break;
}
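Review bot: The log_print at L2154-2158 is tagged `cfg_responder_send_ATTR:` although the hunk header places it inside cfg_encode_attributes, so the re-wrapped message names a function that is not the one emitting it. Unless the tag is meant to name the caller, `log_print("cfg_encode_attributes: "` keeps the prefix consistent with the other messages in this file. cfg_encode_attributes begins and ends outside this hunk.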
@@ -953,7 +963,7 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
break;
case ISAKMP_CFG_ATTR_APPLICATION_VERSION:
- /* XXX So far no version identifier of isakmpd here. */
+ /* XXX So far no version identifier of isakmpd here. */
break;
case ISAKMP_CFG_ATTR_SUPPORTED_ATTRIBUTES:
diff --git a/sbin/isakmpd/isakmp_doi.c b/sbin/isakmpd/isakmp_doi.c
index ea279b66fff..61e40c10050 100644
--- a/sbin/isakmpd/isakmp_doi.c
+++ b/sbin/isakmpd/isakmp_doi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_doi.c,v 1.20 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: isakmp_doi.c,v 1.21 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: isakmp_doi.c,v 1.42 2000/09/12 16:29:41 ho Exp $ */
/*
@@ -50,7 +50,8 @@
#include "util.h"
#ifdef USE_DEBUG
-static int isakmp_debug_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
+static int isakmp_debug_attribute(u_int16_t, u_int8_t *, u_int16_t,
+ void *);
#endif
static void isakmp_finalize_exchange(struct message *);
static struct keystate *isakmp_get_keystate(struct message *);
@@ -60,10 +61,10 @@ static void isakmp_setup_situation(u_int8_t *);
static size_t isakmp_situation_size(void);
static u_int8_t isakmp_spi_size(u_int8_t);
static int isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
- void *);
+ void *);
static int isakmp_validate_exchange(u_int8_t);
-static int isakmp_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
- size_t, struct exchange *);
+static int isakmp_validate_id_information(u_int8_t, u_int8_t *,
+ u_int8_t *, size_t, struct exchange *);
static int isakmp_validate_key_information(u_int8_t *, size_t);
static int isakmp_validate_notification(u_int16_t);
static int isakmp_validate_proto(u_int8_t);
@@ -231,8 +232,8 @@ isakmp_responder(struct message *msg)
case ISAKMP_EXCH_INFO:
for (p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p;
p = TAILQ_NEXT(p, link)) {
- LOG_DBG((LOG_EXCHANGE, 10,
- "isakmp_responder: got NOTIFY of type %s, ignoring",
+ LOG_DBG((LOG_EXCHANGE, 10, "isakmp_responder: "
+ "got NOTIFY of type %s, ignoring",
constant_name(isakmp_notify_cst,
GET_ISAKMP_NOTIFY_MSG_TYPE(p->p))));
p->flags |= PL_MARK;
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index 4e8f70b21c2..9a6166ad676 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.63 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.64 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -154,7 +154,8 @@ parse_args(int argc, char *argv[])
case 'D':
if (sscanf(optarg, "%d=%d", &cls, &level) != 2) {
if (sscanf(optarg, "A=%d", &level) == 1) {
- for (cls = 0; cls < LOG_ENDCLASS; cls++)
+ for (cls = 0; cls < LOG_ENDCLASS;
+ cls++)
log_debug_cmd(cls, level);
} else
log_print("parse_args: -D argument "
@@ -402,7 +403,7 @@ main(int argc, char *argv[])
#if defined (USE_PRIVSEP)
if (monitor_init()) {
- /* The parent, with privileges enters infinite monitor loop. */
+ /* The parent, with privileges enters infinite monitor loop. */
monitor_loop(debug);
exit(0); /* Never reached. */
}
@@ -494,7 +495,7 @@ main(int argc, char *argv[])
if (app_socket + 1 > n)
n = app_socket + 1;
}
- /* Setup the descriptors that have pending messages to send. */
+ /* Setup the descriptors that have pending messages to send. */
memset(wfds, 0, mask_size);
m = transport_pending_wfd_set(wfds);
if (m > n)
diff --git a/sbin/isakmpd/key.c b/sbin/isakmpd/key.c
index cfd9f7ac6dd..a10fedd36b7 100644
--- a/sbin/isakmpd/key.c
+++ b/sbin/isakmpd/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.17 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: key.c,v 1.18 2004/06/14 09:55:41 ho Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -185,8 +185,8 @@ key_from_printable(int type, int private, char *key, u_int8_t **data,
break;
default:
- log_error("key_from_printable: unknown/unsupported key type %d",
- type);
+ log_error("key_from_printable: "
+ "unknown/unsupported key type %d", type);
*data = NULL;
*datalenp = 0;
break;
diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c
index 55ac7c1abc8..aa019b59308 100644
--- a/sbin/isakmpd/log.c
+++ b/sbin/isakmpd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.44 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: log.c,v 1.45 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
@@ -96,7 +96,8 @@ static char *pcaplog_file = NULL;
static FILE *packet_log;
static u_int8_t *packet_buf = NULL;
-static int udp_cksum(struct packhdr *, const struct udphdr *, u_int16_t *);
+static int udp_cksum(struct packhdr *, const struct udphdr *,
+ u_int16_t *);
static u_int16_t in_cksum(const u_int16_t *, int);
#endif /* USE_DEBUG */
@@ -182,7 +183,7 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap,
{
char buffer[LOG_SIZE], nbuf[LOG_SIZE + 32];
static const char fallback_msg[] =
- "write to log file failed (errno %d), redirecting output to syslog";
+ "write to log file failed (errno %d), redirecting to syslog";
int len;
struct tm *tm;
struct timeval now;
@@ -318,12 +319,14 @@ log_debug_toggle(void)
static int log_level_copy[LOG_ENDCLASS], toggle = 0;
if (!toggle) {
- LOG_DBG((LOG_MISC, 50, "log_debug_toggle: debug levels cleared"));
+ LOG_DBG((LOG_MISC, 50, "log_debug_toggle: "
+ "debug levels cleared"));
memcpy(&log_level_copy, &log_level, sizeof log_level);
memset(&log_level, 0, sizeof log_level);
} else {
memcpy(&log_level, &log_level_copy, sizeof log_level);
- LOG_DBG((LOG_MISC, 50, "log_debug_toggle: debug levels restored"));
+ LOG_DBG((LOG_MISC, 50, "log_debug_toggle: "
+ "debug levels restored"));
}
toggle = !toggle;
}
@@ -443,8 +446,8 @@ log_packet_init(char *newname)
pcaplog_file, mode);
return;
}
- log_print("log_packet_init: starting IKE packet capture to file \"%s\"",
- pcaplog_file);
+ log_print("log_packet_init: "
+ "starting IKE packet capture to file \"%s\"", pcaplog_file);
/* If this is a new file, we need to write a PCAP header to it. */
if (*mode == 'w') {
diff --git a/sbin/isakmpd/math_2n.c b/sbin/isakmpd/math_2n.c
index 78a041e62fe..f8828efc527 100644
--- a/sbin/isakmpd/math_2n.c
+++ b/sbin/isakmpd/math_2n.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_2n.c,v 1.15 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: math_2n.c,v 1.16 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: math_2n.c,v 1.15 1999/04/20 09:23:30 niklas Exp $ */
/*
@@ -86,7 +86,8 @@ b2n_random(b2n_ptr n, u_int32_t bits)
/* Get the number of significant bits right */
if (bits & CHUNK_MASK) {
- CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;
+ CHUNK_TYPE m =
+ (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;
n->limp[n->chunks - 1] &= m;
}
n->dirty = 1;
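Review bot: The mask at L2333-2334 shifts the int literal `1`, so the expression is evaluated in int regardless of CHUNK_TYPE; it is well-defined only while `(bits & CHUNK_MASK) - 1` stays below 31, which holds for 32-bit chunks but would become undefined behaviour if CHUNK_TYPE were ever widened. Casting first, `CHUNK_TYPE m = ((((CHUNK_TYPE)1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;`, ties the arithmetic to the chunk width. b2n_random's body continues outside the hunk, so I cannot see where CHUNK_TYPE and CHUNK_MASK are defined.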
@@ -216,8 +217,9 @@ b2n_set_str(b2n_ptr n, char *str)
for (w = 0, i = 0; i < chunks; i++) {
tmp = 0;
- for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES);
- j > 0; j--) {
+ for (j = (i == 0 ?
+ ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES);
+ j > 0; j--) {
tmp <<= 8;
tmp |= (hex2int(str[w]) << 4) | hex2int(str[w + 1]);
w += 2;
@@ -416,8 +418,8 @@ b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s)
maj = s >> CHUNK_SHIFTS;
min = s & CHUNK_MASK;
- add = (!(bits & CHUNK_MASK) || ((bits & CHUNK_MASK) + min) > CHUNK_MASK)
- ? 1 : 0;
+ add = (!(bits & CHUNK_MASK) ||
+ ((bits & CHUNK_MASK) + min) > CHUNK_MASK) ? 1 : 0;
chunks = n->chunks;
if (b2n_resize(d, chunks + maj + add))
return -1;
@@ -473,7 +475,8 @@ b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s)
} else
tmp = n;
- memmove(d->limp, tmp->limp + maj + (min ? 1 : 0), CHUNK_BYTES * newsize);
+ memmove(d->limp, tmp->limp + maj + (min ? 1 : 0),
+ CHUNK_BYTES * newsize);
if (b2n_resize(d, newsize))
return -1;
@@ -546,7 +549,8 @@ b2n_square(b2n_ptr d, b2n_ptr n)
maj = (maj + CHUNK_MASK) >> CHUNK_SHIFTS;
b2n_init(t);
- if (b2n_resize(t, 2 * maj + ((CHUNK_MASK + 2 * min) >> CHUNK_SHIFTS))) {
+ if (b2n_resize(t,
+ 2 * maj + ((CHUNK_MASK + 2 * min) >> CHUNK_SHIFTS))) {
b2n_clear(t);
return -1;
}
@@ -1035,7 +1039,8 @@ b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0)
}
if (i < a->chunks)
- memcpy(d->limp + i, a->limp + i, CHUNK_BYTES * (a->chunks - i));
+ memcpy(d->limp + i, a->limp + i,
+ CHUNK_BYTES * (a->chunks - i));
d->dirty = 1;
B2N_SWAP(d0, d);
@@ -1070,7 +1075,8 @@ b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b)
}
if (i < a->chunks)
- memcpy(d->limp + i, a->limp + i, CHUNK_BYTES * (a->chunks - i));
+ memcpy(d->limp + i, a->limp + i,
+ CHUNK_BYTES * (a->chunks - i));
d->dirty = 1;
diff --git a/sbin/isakmpd/math_group.c b/sbin/isakmpd/math_group.c
index c723a81d1a4..55f340f58cf 100644
--- a/sbin/isakmpd/math_group.c
+++ b/sbin/isakmpd/math_group.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_group.c,v 1.22 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: math_group.c,v 1.23 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: math_group.c,v 1.25 2000/04/07 19:53:26 niklas Exp $ */
/*
@@ -429,7 +429,7 @@ group_init(void)
for (i = sizeof(groups) / sizeof(groups[0]) - 1; i >= 0; i--)
switch (groups[i].type) {
#ifdef USE_EC
- case EC2N: /* Initialize an Elliptic Curve over GF(2**n) */
+ case EC2N: /* Initialize an Elliptic Curve over GF(2**n) */
ec2n_init(&groups[i]);
break;
#endif
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 34cb022643e..08c1503445f 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.77 2004/06/11 10:17:58 brad Exp $ */
+/* $OpenBSD: message.c,v 1.78 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -252,8 +252,8 @@ message_parse_payloads(struct message *msg, struct payload *p, u_int8_t next,
if (buf + ISAKMP_GEN_SZ > (u_int8_t *)msg->iov[0].iov_base +
msg->iov[0].iov_len) {
log_print("message_parse_payloads: short message");
- message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS,
- 0, 1, 1);
+ message_drop(msg,
+ ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
return -1;
}
/* Ponder on the payload that is at BUF... */
@@ -307,9 +307,9 @@ message_parse_payloads(struct message *msg, struct payload *p, u_int8_t next,
}
/* Ignore private payloads. */
if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN) {
- LOG_DBG((LOG_MESSAGE, 30,
- "message_parse_payloads: private next payload type "
- "%d in payload of type %d ignored", next, payload));
+ LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
+ "private next payload type %d in payload of "
+ "type %d ignored", next, payload));
goto next_payload;
}
/*
@@ -343,8 +343,8 @@ next_payload:
* generic payload header.
*/
static int
-message_parse_proposal(struct message *msg, struct payload *p, u_int8_t payload,
- u_int8_t *buf)
+message_parse_proposal(struct message *msg, struct payload *p,
+ u_int8_t payload, u_int8_t *buf)
{
set payload_set;
@@ -436,9 +436,11 @@ message_validate_attribute(struct message *msg, struct payload *p)
if (!msg->exchange) {
if (zero_test((u_int8_t *) msg->iov[0].iov_base +
ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN))
- msg->exchange = exchange_setup_p1(msg, IPSEC_DOI_IPSEC);
+ msg->exchange = exchange_setup_p1(msg,
+ IPSEC_DOI_IPSEC);
else
- msg->exchange = exchange_setup_p2(msg, IPSEC_DOI_IPSEC);
+ msg->exchange = exchange_setup_p2(msg,
+ IPSEC_DOI_IPSEC);
if (!msg->exchange) {
log_print("message_validate_attribute: can not "
"create exchange");
@@ -455,7 +457,8 @@ static int
message_validate_cert(struct message *msg, struct payload *p)
{
if (GET_ISAKMP_CERT_ENCODING(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1,
+ 1);
return -1;
}
return 0;
@@ -466,10 +469,12 @@ static int
message_validate_cert_req(struct message *msg, struct payload *p)
{
struct cert_handler *cert;
- size_t len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF;
+ size_t len =
+ GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF;
if (GET_ISAKMP_CERTREQ_TYPE(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1,
+ 1);
return -1;
}
/*
@@ -479,7 +484,8 @@ message_validate_cert_req(struct message *msg, struct payload *p)
cert = cert_get(GET_ISAKMP_CERTREQ_TYPE(p->p));
if (!cert || (len && !cert->certreq_validate(p->p +
ISAKMP_CERTREQ_AUTHORITY_OFF, len))) {
- message_drop(msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1,
+ 1);
return -1;
}
return 0;
@@ -603,7 +609,8 @@ message_validate_hash(struct message *msg, struct payload *p)
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_sa *isa;
struct hash *hash;
- struct payload *hashp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ struct payload *hashp =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
struct prf *prf;
u_int8_t *comp_hash, *rest;
u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
@@ -668,7 +675,8 @@ message_validate_hash(struct message *msg, struct payload *p)
prf->Final(comp_hash, prf->prfctx);
prf_free(prf);
- if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash, hash->hashsize)) {
+ if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash,
+ hash->hashsize)) {
log_print("message_validate_hash: invalid hash value for "
"%s payload",
TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_DELETE]) ?
@@ -706,7 +714,8 @@ message_validate_id(struct message *msg, struct payload *p)
&& exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p),
p->p + ISAKMP_ID_DOI_DATA_OFF, p->p + ISAKMP_ID_DATA_OFF, len -
ISAKMP_ID_DATA_OFF, exchange)) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1,
+ 1);
return -1;
}
return 0;
@@ -721,7 +730,8 @@ message_validate_key_exch(struct message *msg, struct payload *p)
if (!exchange) {
/* We should have an exchange at this point. */
- log_print("message_validate_key_exch: payload out of sequence");
+ log_print("message_validate_key_exch: "
+ "payload out of sequence");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
return -1;
}
@@ -795,7 +805,8 @@ message_validate_notify(struct message *msg, struct payload *p)
&& type <= ISAKMP_NOTIFY_STATUS_DOI_MAX
&& doi->validate_notification(type))
|| type >= ISAKMP_NOTIFY_STATUS_RESERVED2_MIN) {
- log_print("message_validate_notify: message type not supported");
+ log_print("message_validate_notify: "
+ "message type not supported");
message_free(msg);
return -1;
}
@@ -811,7 +822,8 @@ message_validate_proposal(struct message *msg, struct payload *p)
if (!msg->exchange) {
/* We should have an exchange at this point. */
- log_print("message_validate_proposal: payload out of sequence");
+ log_print("message_validate_proposal: "
+ "payload out of sequence");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
return -1;
}
@@ -886,8 +898,8 @@ message_validate_sa(struct message *msg, struct payload *p)
msg->exchange = exchange;
/*
- * Create a struct sa for each SA payload handed to us unless we are the
- * initiator where we only will count them.
+ * Create a struct sa for each SA payload handed to us unless we are
+ * the initiator where we only will count them.
*/
if (exchange->initiator) {
/* XXX Count SA payloads. */
@@ -902,8 +914,8 @@ message_validate_sa(struct message *msg, struct payload *p)
sa_reference(msg->isakmp_sa);
}
/*
- * Let the DOI validate the situation, at the same time it tells us what
- * the length of the situation field is.
+ * Let the DOI validate the situation, at the same time it tells us
+ * what the length of the situation field is.
*/
if (exchange->doi->validate_situation(p->p + ISAKMP_SA_SIT_OFF, &len,
GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) {
@@ -953,7 +965,8 @@ message_validate_transform(struct message *msg, struct payload *p)
if (!msg->exchange) {
/* We should have an exchange at this point. */
- log_print("message_validate_transform: payload out of sequence");
+ log_print("message_validate_transform: "
+ "payload out of sequence");
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
return -1;
}
@@ -1073,7 +1086,8 @@ message_validate_payloads(struct message *msg)
LOG_DBG((LOG_MESSAGE, 60, "message_validate_payloads: "
"payload %s at %p of message %p",
constant_name(isakmp_payload_cst, i), p->p, msg));
- field_dump_payload(fields[i - ISAKMP_PAYLOAD_SA], p->p);
+ field_dump_payload(fields[i - ISAKMP_PAYLOAD_SA],
+ p->p);
if (message_validate_payload[i - ISAKMP_PAYLOAD_SA]
(msg, p))
return -1;
@@ -1165,7 +1179,8 @@ message_recv(struct message *msg)
tmp_sa.doi = doi_lookup(ISAKMP_DOI_ISAKMP);
tmp_proto.proto = ISAKMP_PROTO_ISAKMP;
tmp_proto.spi_sz[1] = ISAKMP_HDR_COOKIES_LEN;
- tmp_proto.spi[1] = buf + ISAKMP_HDR_COOKIES_OFF;
+ tmp_proto.spi[1] =
+ buf + ISAKMP_HDR_COOKIES_OFF;
message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE,
&tmp_proto, 1, 1);
return -1;
@@ -1194,13 +1209,15 @@ message_recv(struct message *msg)
if (ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)) != 1) {
log_print("message_recv: invalid version major %d",
ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)));
- message_drop(msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1,
+ 1);
return -1;
}
if (ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)) != 0) {
log_print("message_recv: invalid version minor %d",
ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)));
- message_drop(msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1,
+ 1);
return -1;
}
/*
@@ -1216,7 +1233,8 @@ message_recv(struct message *msg)
|| (setup_isakmp_sa && exch_type >= ISAKMP_EXCH_DOI_MIN)) {
log_print("message_recv: invalid exchange type %s",
constant_name(isakmp_exch_cst, exch_type));
- message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1,
+ 1);
return -1;
}
/*
@@ -1323,11 +1341,13 @@ message_recv(struct message *msg)
* Now we can validate DOI-specific exchange types. If we have no SA
* DOI-specific exchange types are definitely wrong.
*/
- if (exch_type >= ISAKMP_EXCH_DOI_MIN && exch_type <= ISAKMP_EXCH_DOI_MAX
+ if (exch_type >= ISAKMP_EXCH_DOI_MIN
+ && exch_type <= ISAKMP_EXCH_DOI_MAX
&& msg->exchange->doi->validate_exchange(exch_type)) {
log_print("message_recv: invalid DOI exchange type %d",
exch_type);
- message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1,
+ 1);
if (ks)
free(ks);
return -1;
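Review bot: `if (ks) free(ks);` on the context lines keeps a guard that `free(NULL)` makes unnecessary; the same pattern survives around `addr_str` in the pf_key_v2_set_spi hunk at -1579 and `dst_str` in the pf_key_v2_expire hunk at -2771. A plain `free(ks);` is the idiom and reads the same on every exit path. message_recv continues outside the hunk.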
@@ -1618,7 +1638,8 @@ message_send_info(struct message *msg)
SET_ISAKMP_NOTIFY_PROTO(buf, args->proto);
SET_ISAKMP_NOTIFY_SPI_SZ(buf, args->spi_sz);
SET_ISAKMP_NOTIFY_MSG_TYPE(buf, args->u.n.msg_type);
- memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, args->u.n.spi, args->spi_sz);
+ memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, args->u.n.spi,
+ args->spi_sz);
break;
case 'D':
@@ -1656,8 +1677,8 @@ message_send_info(struct message *msg)
* set, free the message when ready with it.
*/
void
-message_drop(struct message *msg, int notify, struct proto *proto, int incoming,
- int clean)
+message_drop(struct message *msg, int notify, struct proto *proto,
+ int incoming, int clean)
{
struct transport *t = msg->transport;
struct sockaddr *dst;
@@ -1681,8 +1702,8 @@ message_drop(struct message *msg, int notify, struct proto *proto, int incoming,
dst->sa_family);
}
- log_print("dropped message from %s port %d due to notification type %s",
- address ? address : "<unknown>", htons(port),
+ log_print("dropped message from %s port %d due to notification type "
+ "%s", address ? address : "<unknown>", htons(port),
constant_name(isakmp_notify_cst, notify));
if (address)
@@ -1736,7 +1757,8 @@ message_packet_log(struct message *msg)
return;
/* Figure out direction. */
- if (msg->exchange && msg->exchange->initiator ^ (msg->exchange->step % 2)) {
+ if (msg->exchange &&
+ msg->exchange->initiator ^ (msg->exchange->step % 2)) {
msg->transport->vtbl->get_src(msg->transport, &src);
msg->transport->vtbl->get_dst(msg->transport, &dst);
} else {
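Review bot: The condition on the new lines mixes `^` with `&&` without parentheses, so a reader has to know that `^` binds tighter to see that this is `msg->exchange && (initiator ^ (step % 2))`, and the line break after `&&` makes that harder still. Writing it as `msg->exchange && (msg->exchange->initiator ^ (msg->exchange->step % 2))` makes the direction test explicit. message_packet_log's body continues outside the hunk.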
@@ -1867,7 +1889,8 @@ message_check_duplicate(struct message *msg)
/* Helper to message_negotiate_sa. */
static INLINE struct payload *
-step_transform(struct payload *tp, struct payload **propp, struct payload **sap)
+step_transform(struct payload *tp, struct payload **propp,
+ struct payload **sap)
{
tp = TAILQ_NEXT(tp, link);
if (tp) {
@@ -1939,7 +1962,7 @@ message_negotiate_sa(struct message *msg, int (*validate)(struct exchange *,
saved_tp = next_tp;
saved_propp = next_propp;
saved_sap = next_sap;
- /* Skip to last transform of this protocol proposal. */
+ /* Skip to last transform of this protocol proposal. */
while ((next_tp = step_transform(tp, &next_propp,
&next_sap)) && next_propp == propp)
tp = next_tp;
@@ -2088,8 +2111,8 @@ message_add_sa_payload(struct message *msg)
extra_sa_len = 0;
sa_buf = malloc(sa_len);
if (!sa_buf) {
- log_error("message_add_sa_payload: malloc (%lu) failed",
- (unsigned long)sa_len);
+ log_error("message_add_sa_payload: "
+ "malloc (%lu) failed", (unsigned long)sa_len);
goto cleanup;
}
SET_ISAKMP_SA_DOI(sa_buf, doi->id);
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index 0fe3a0190e0..7db75043a53 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: monitor.c,v 1.22 2004/06/14 09:55:41 ho Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -554,7 +554,8 @@ monitor_loop(int debugging)
if (sigchlded) {
do {
- pid = waitpid(m_state.pid, &n, WNOHANG);
+ pid = waitpid(m_state.pid, &n,
+ WNOHANG);
}
while (pid == -1 && errno == EINTR);
@@ -589,42 +590,58 @@ monitor_loop(int debugging)
break;
case MONITOR_GET_SOCKET:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_GET_SOCKET", __func__));
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_GET_SOCKET",
+ __func__));
m_priv_test_state(STATE_INIT);
m_priv_getsocket(m_state.s);
break;
case MONITOR_SETSOCKOPT:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_SETSOCKOPT", __func__));
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_SETSOCKOPT",
+ __func__));
m_priv_test_state(STATE_INIT);
m_priv_setsockopt(m_state.s);
break;
case MONITOR_BIND:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_BIND", __func__));
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_BIND",
+ __func__));
m_priv_test_state(STATE_INIT);
m_priv_bind(m_state.s);
break;
case MONITOR_MKFIFO:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_MKFIFO", __func__));
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_MKFIFO",
+ __func__));
m_priv_test_state(STATE_INIT);
m_priv_mkfifo(m_state.s);
break;
case MONITOR_INIT_DONE:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_INIT_DONE", __func__));
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_INIT_DONE",
+ __func__));
m_priv_test_state(STATE_INIT);
- m_priv_increase_state(STATE_RUNNING);
+ m_priv_increase_state(
+ STATE_RUNNING);
break;
case MONITOR_SHUTDOWN:
- LOG_DBG((LOG_MISC, 80, "%s: MONITOR_SHUTDOWN", __func__));
- m_priv_increase_state(STATE_QUIT);
+ LOG_DBG((LOG_MISC, 80,
+ "%s: MONITOR_SHUTDOWN",
+ __func__));
+ m_priv_increase_state(
+ STATE_QUIT);
break;
default:
- log_print("monitor_loop: got unknown code %d", msgcode);
+ log_print("monitor_loop: "
+ "got unknown code %d",
+ msgcode);
}
}
}
@@ -1020,7 +1037,8 @@ m_priv_check_sockopt(int level, int name)
break;
default:
- log_print("m_priv_check_sockopt: Illegal option name %d", name);
+ log_print("m_priv_check_sockopt: Illegal option name %d",
+ name);
return 1;
}
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 64ebdef954c..4407ac99330 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.141 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.142 2004/06/14 09:55:41 ho Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -288,18 +288,19 @@ pf_key_v2_read(u_int32_t seq)
while (1) {
/*
- * If this is a read of a reply we should actually expect the reply to
- * get lost as PF_KEY is an unreliable service per the specs.
- * Currently we do this by setting a short timeout, and if it is not
- * readable in that time, we fail the read.
+ * If this is a read of a reply we should actually expect the
+ * reply to get lost as PF_KEY is an unreliable service per
+ * the specs. Currently we do this by setting a short timeout,
+ * and if it is not readable in that time, we fail the read.
*/
if (seq) {
fds = calloc(howmany(pf_key_v2_socket + 1, NFDBITS),
sizeof(fd_mask));
if (!fds) {
- log_error("pf_key_v2_read: calloc (%lu, %lu) failed",
+ log_error("pf_key_v2_read: "
+ "calloc (%lu, %lu) failed",
(unsigned long) howmany(pf_key_v2_socket + 1,
- NFDBITS),
+ NFDBITS),
(unsigned long) sizeof(fd_mask));
goto cleanup;
}
@@ -309,13 +310,14 @@ pf_key_v2_read(u_int32_t seq)
n = select(pf_key_v2_socket + 1, fds, 0, 0, &tv);
free(fds);
if (n == -1) {
- log_error("pf_key_v2_read: select (%d, fds, 0, "
- "0, &tv) failed",
+ log_error("pf_key_v2_read: "
+ "select (%d, fds, 0, 0, &tv) failed",
pf_key_v2_socket + 1);
goto cleanup;
}
if (!n) {
- log_print("pf_key_v2_read: no reply from PF_KEY");
+ log_print("pf_key_v2_read: "
+ "no reply from PF_KEY");
goto cleanup;
}
}
@@ -362,11 +364,10 @@ pf_key_v2_read(u_int32_t seq)
buf = 0;
continue;
} else {
- LOG_DBG((LOG_SYSDEP, 90,
- "pf_key_v2_read:"
- "bad version (%d) or PID (%d, mine is %ld), ignored",
- msg->sadb_msg_version, msg->sadb_msg_pid,
- (long) getpid()));
+ LOG_DBG((LOG_SYSDEP, 90, "pf_key_v2_read:"
+ "bad version (%d) or PID (%d, mine is "
+ "%ld), ignored", msg->sadb_msg_version,
+ msg->sadb_msg_pid, (long) getpid()));
goto cleanup;
}
}
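Review bot: The rewrapped format string on the new lines concatenates `"pf_key_v2_read:"` directly with `"bad version ..."`, so the emitted text reads `pf_key_v2_read:bad version` with no separator, unlike every other message in this file. Change the first piece to `"pf_key_v2_read: "`. The enclosing read loop of pf_key_v2_read continues outside the hunk.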
@@ -448,8 +449,8 @@ pf_key_v2_write(struct pf_key_v2_msg *pmsg)
for (i = 0; i < cnt; i++) {
snprintf(header, sizeof header, "pf_key_v2_write: iov[%d]", i);
- LOG_DBG_BUF((LOG_SYSDEP, 80, header, (u_int8_t *) iov[i].iov_base,
- iov[i].iov_len));
+ LOG_DBG_BUF((LOG_SYSDEP, 80, header,
+ (u_int8_t *) iov[i].iov_base, iov[i].iov_len));
}
n = writev(pf_key_v2_socket, iov, cnt);
@@ -459,8 +460,9 @@ pf_key_v2_write(struct pf_key_v2_msg *pmsg)
goto cleanup;
}
if ((size_t) n != len) {
- log_error("pf_key_v2_write: writev (%d, ...) returned prematurely "
- "(%lu)", pf_key_v2_socket, (unsigned long) n);
+ log_error("pf_key_v2_write: "
+ "writev (%d, ...) returned prematurely (%lu)",
+ pf_key_v2_socket, (unsigned long) n);
goto cleanup;
}
free(iov);
@@ -653,7 +655,8 @@ pf_key_v2_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src,
#endif
/* Setup the ADDRESS extensions. */
- len = sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(src));
+ len =
+ sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(src));
addr = calloc(1, len);
if (!addr)
goto cleanup;
@@ -678,7 +681,8 @@ pf_key_v2_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src,
goto cleanup;
addr = 0;
- len = sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(dst));
+ len =
+ sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(dst));
addr = calloc(1, len);
if (!addr)
goto cleanup;
@@ -748,7 +752,8 @@ pf_key_v2_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src,
memcpy(spi, &sa->sadb_sa_spi, *sz);
#ifdef KAME
- if (!pf_key_v2_register_sa_seq(spi, *sz, proto, dst, sysdep_sa_len(dst),
+ if (!pf_key_v2_register_sa_seq(spi, *sz, proto, dst,
+ sysdep_sa_len(dst),
((struct sadb_msg *) (TAILQ_FIRST(ret)->seg))->sadb_msg_seq))
goto cleanup;
#endif
@@ -890,9 +895,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
#endif
default:
- LOG_DBG((LOG_SYSDEP, 50,
- "pf_key_v2_set_spi: unknown encryption algorithm %d",
- proto->id));
+ LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: "
+ "unknown encryption algorithm %d", proto->id));
return -1;
}
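Review bot: The unknown-algorithm default on the new lines exits with `return -1;`, as does the ESP authentication default in the hunk at -948, while the equivalent default in the hunk at -1014 exits with `goto cleanup;`. If nothing has been allocated at this point the two are equivalent, but a direct return in a function that owns a cleanup label is fragile once an allocation is moved earlier; using `goto cleanup;` in all three branches keeps a single exit path. The body of pf_key_v2_set_spi extends well beyond the hunk, so whether anything is already allocated here cannot be confirmed from this view.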
@@ -948,8 +952,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
case IPSEC_AUTH_DES_MAC:
case IPSEC_AUTH_KPDK:
/* XXX We should be supporting KPDK */
- LOG_DBG((LOG_SYSDEP, 50,
- "pf_key_v2_set_spi: unknown authentication algorithm %d",
+ LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: "
+ "unknown authentication algorithm %d",
iproto->auth));
return -1;
@@ -1014,9 +1018,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
#endif
default:
- LOG_DBG((LOG_SYSDEP, 50,
- "pf_key_v2_set_spi: unknown authentication algorithm %d",
- proto->id));
+ LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: "
+ "unknown authentication algorithm %d", proto->id));
goto cleanup;
}
break;
@@ -1129,8 +1132,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
life->sadb_lifetime_allocations = 0;
life->sadb_lifetime_bytes = sa->kilobytes * 1024;
/*
- * XXX I am not sure which one is best in security respect. Maybe the
- * RFCs actually mandate what a lifetime really is.
+ * XXX I am not sure which one is best in security respect.
+ * Maybe the RFCs actually mandate what a lifetime really is.
*/
#if 0
life->sadb_lifetime_addtime = 0;
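Review bot: `sa->kilobytes * 1024` on the context line of this hunk and `sa->kilobytes * 1024 * 9 / 10` in the next hunk (-1156) are evaluated in the type of `sa->kilobytes` before being stored into the 64-bit `sadb_lifetime_bytes`; if that field is 32 bits wide, kilobyte lifetimes above roughly four million wrap silently and the kernel is handed a much smaller byte limit than was negotiated. Widening first, `(u_int64_t)sa->kilobytes * 1024`, avoids that regardless of the field's type. The declaration of `sa->kilobytes` is not visible here, so this should be confirmed against sa.h.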
@@ -1156,8 +1159,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
life->sadb_lifetime_allocations = 0;
life->sadb_lifetime_bytes = sa->kilobytes * 1024 * 9 / 10;
/*
- * XXX I am not sure which one is best in security respect. Maybe the
- * RFCs actually mandate what a lifetime really is.
+ * XXX I am not sure which one is best in security respect.
+ * Maybe the RFCs actually mandate what a lifetime really is.
*/
#if 0
life->sadb_lifetime_addtime = 0;
@@ -1275,7 +1278,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
key->sadb_key_reserved = 0;
memcpy(key + 1,
iproto->keymat[incoming] +
- (proto->proto == IPSEC_PROTO_IPSEC_ESP ? keylen : 0),
+ (proto->proto ==
+ IPSEC_PROTO_IPSEC_ESP ? keylen : 0),
hashlen);
if (pf_key_v2_msg_add(update, (struct sadb_ext *) key,
PF_KEY_V2_NODE_MALLOCED) == -1)
@@ -1306,7 +1310,8 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming,
if (!pp)
goto nosid;
- sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, sizeof(u_int8_t));
+ sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid,
+ sizeof(u_int8_t));
if (!sid) {
free(pp);
goto cleanup;
@@ -1339,7 +1344,8 @@ nosid:
if (!pp)
goto nodid;
- sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, sizeof(u_int8_t));
+ sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid,
+ sizeof(u_int8_t));
if (!sid) {
free(pp);
goto cleanup;
@@ -1371,9 +1377,9 @@ nodid:
#ifdef SADB_X_CREDTYPE_NONE
/*
* Send received credentials to the kernel. We don't bother with
- * our credentials, since the process either knows them (if it specified
- * them with setsockopt()), or has no business looking at them (e.g.,
- * system wide certs).
+ * our credentials, since the process either knows them (if it
+ * specified them with setsockopt()), or has no business looking at
+ * them (e.g., system wide certs).
*/
if (isakmp_sa->recv_cert) {
switch (isakmp_sa->recv_certtype) {
@@ -1389,9 +1395,11 @@ nodid:
if (!cred)
goto cleanup;
- cred->sadb_x_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) +
+ cred->sadb_x_cred_len =
+ ((sizeof *cred) / PF_KEY_V2_CHUNK) +
PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK;
- cred->sadb_x_cred_exttype = SADB_X_EXT_REMOTE_CREDENTIALS;
+ cred->sadb_x_cred_exttype =
+ SADB_X_EXT_REMOTE_CREDENTIALS;
cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
memcpy(cred + 1, isakmp_sa->recv_cert, len);
@@ -1408,7 +1416,7 @@ nodid:
u_int32_t datalen;
struct cert_handler *handler;
- /* We do it this way to avoid weird includes. */
+ /* We do it this way to avoid weird includes.*/
handler = cert_get(ISAKMP_CERTENC_X509_SIG);
if (!handler)
break;
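Review bot: The rewritten comment on the new line drops the space before the closing delimiter, `/* We do it this way to avoid weird includes.*/`, which goes against the KNF style the rest of this commit is applying; the old line had it right. Restore `/* We do it this way to avoid weird includes. */`.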
@@ -1418,8 +1426,9 @@ nodid:
break;
len = datalen;
- cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
- sizeof(u_int8_t));
+ cred =
+ calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
+ sizeof(u_int8_t));
if (!cred) {
free(data);
goto cleanup;
@@ -1433,7 +1442,8 @@ nodid:
memcpy(cred + 1, data, len);
free(data);
- if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred,
+ if (pf_key_v2_msg_add(update,
+ (struct sadb_ext *) cred,
PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
}
@@ -1452,13 +1462,13 @@ nodid:
u_int8_t *data;
/*
- * If it's a private key, we shouldn't pass it to the kernel for
- * processes to see; successful authentication of Phase 1 implies
- * that the process already knew the passphrase. On the other hand,
- * we don't want to reveal to processes any system-wide passphrases
- * used for authentication with remote systems. Same reason we don't
- * send up the key (private or passphrase) we used to authenticate
- * with the peer.
+ * If it's a private key, we shouldn't pass it to the kernel
+ * for processes to see; successful authentication of Phase 1
+ * implies that the process already knew the passphrase. On
+ * the other hand, we don't want to reveal to processes any
+ * system-wide passphrases used for authentication with remote
+ * systems. Same reason we don't send up the key (private or
+ * passphrase) we used to authenticate with the peer.
*/
if (isakmp_sa->recv_keytype == ISAKMP_KEY_PASSPHRASE)
goto doneauth;
@@ -1468,7 +1478,8 @@ nodid:
if (!data)
goto cleanup;
- cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, sizeof(u_int8_t));
+ cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
+ sizeof(u_int8_t));
if (!cred) {
free(data);
goto cleanup;
@@ -1485,7 +1496,8 @@ nodid:
break;
default:
- log_print("pf_key_v2_set_spi: unknown received key type %d",
+ log_print("pf_key_v2_set_spi: "
+ "unknown received key type %d",
isakmp_sa->recv_keytype);
free(cred);
goto cleanup;
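Review bot: The default branch on the new lines frees `cred` but not `data`, which was allocated a few lines earlier (the hunk at -1468 shows `if (!data) goto cleanup;` followed by the calloc of `cred`), so the serialised key buffer appears to leak on the unknown-key-type path, while the other cases presumably copy and free it after the switch. Unless an intervening case or the cleanup label releases it, add `free(data);` next to `free(cred);`. The switch and the surrounding function extend outside the hunk.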
@@ -1514,7 +1526,8 @@ doneauth:
tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK;
tprotocol.sadb_protocol_proto = isa->tproto;
- if (pf_key_v2_msg_add(update, (struct sadb_ext *) & tprotocol, 0) == -1)
+ if (pf_key_v2_msg_add(update, (struct sadb_ext *) & tprotocol,
+ 0) == -1)
goto cleanup;
len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(isa->src_net));
@@ -1579,17 +1592,17 @@ doneauth:
if (sockaddr2text(dst, &addr_str, 0))
addr_str = 0;
- LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_set_spi: satype %d dst %s SPI 0x%x",
- msg.sadb_msg_satype, addr_str ? addr_str : "unknown",
- ntohl(ssa.sadb_sa_spi)));
+ LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_set_spi: "
+ "satype %d dst %s SPI 0x%x", msg.sadb_msg_satype,
+ addr_str ? addr_str : "unknown", ntohl(ssa.sadb_sa_spi)));
if (addr_str)
free(addr_str);
#endif /* USE_DEBUG */
/*
- * Although PF_KEY knows about expirations, it is unreliable per the specs
- * thus we need to do them inside isakmpd as well.
+ * Although PF_KEY knows about expirations, it is unreliable per the
+ * specs thus we need to do them inside isakmpd as well.
*/
if (sa->seconds)
if (sa_setup_expirations(sa))
@@ -1605,9 +1618,9 @@ doneauth:
ret = 0;
/*
- * If we are doing an addition into an SADB shared with our peer, errors
- * here are to be expected as the peer will already have created the SA,
- * and can thus be ignored.
+ * If we are doing an addition into an SADB shared with our peer,
+ * errors here are to be expected as the peer will already have
+ * created the SA, and can thus be ignored.
*/
if (err && !(msg.sadb_msg_type == SADB_ADD &&
conf_get_str("General", "Shared-SADB"))) {
@@ -1715,40 +1728,42 @@ pf_key_v2_flow(struct sockaddr *laddr, struct sockaddr *lmask,
if (!delete) {
/* Setup the source ID, if provided. */
if (srcid) {
- sid = calloc(PF_KEY_V2_ROUND(srcid_len + 1) + sizeof *sid,
- sizeof(u_int8_t));
+ sid = calloc(
+ PF_KEY_V2_ROUND(srcid_len + 1) + sizeof *sid,
+ sizeof(u_int8_t));
if (!sid)
goto cleanup;
sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK)
- + PF_KEY_V2_ROUND(srcid_len + 1) / PF_KEY_V2_CHUNK;
+ + PF_KEY_V2_ROUND(srcid_len + 1) / PF_KEY_V2_CHUNK;
sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
sid->sadb_ident_type = srcid_type;
memcpy(sid + 1, srcid, srcid_len);
if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid,
- PF_KEY_V2_NODE_MALLOCED) == -1)
+ PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
sid = 0;
}
/* Setup the destination ID, if provided. */
if (dstid) {
- sid = calloc(PF_KEY_V2_ROUND(dstid_len + 1) + sizeof *sid,
- sizeof(u_int8_t));
+ sid = calloc(
+ PF_KEY_V2_ROUND(dstid_len + 1) + sizeof *sid,
+ sizeof(u_int8_t));
if (!sid)
goto cleanup;
sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK)
- + PF_KEY_V2_ROUND(dstid_len + 1) / PF_KEY_V2_CHUNK;
+ + PF_KEY_V2_ROUND(dstid_len + 1) / PF_KEY_V2_CHUNK;
sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
sid->sadb_ident_type = dstid_type;
memcpy(sid + 1, dstid, dstid_len);
if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid,
- PF_KEY_V2_NODE_MALLOCED) == -1)
+ PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
sid = 0;
@@ -1758,10 +1773,10 @@ pf_key_v2_flow(struct sockaddr *laddr, struct sockaddr *lmask,
bzero(&flowtype, sizeof flowtype);
flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK;
- flowtype.sadb_protocol_direction
- = ingress ? IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT;
- flowtype.sadb_protocol_proto
- = ingress ? SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE;
+ flowtype.sadb_protocol_direction =
+ ingress ? IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT;
+ flowtype.sadb_protocol_proto =
+ ingress ? SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE;
if (pf_key_v2_msg_add(flow, (struct sadb_ext *) & flowtype, 0) == -1)
goto cleanup;
@@ -1910,8 +1925,8 @@ pf_key_v2_flow(struct sockaddr *laddr, struct sockaddr *lmask,
LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s",
delete ? "DEL" : "ADD", strerror(err)));
else
- log_print("pf_key_v2_flow: %sFLOW: %s", delete ? "DEL" : "ADD",
- strerror(err));
+ log_print("pf_key_v2_flow: %sFLOW: %s",
+ delete ? "DEL" : "ADD", strerror(err));
goto cleanup;
}
pf_key_v2_msg_free(ret);
@@ -1990,8 +2005,8 @@ cleanup:
break;
case AF_INET6:
ip6_sa = (struct sockaddr_in6 *) lmask;
- addr->sadb_address_prefixlen
- = pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]);
+ addr->sadb_address_prefixlen =
+ pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]);
break;
}
if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr,
@@ -2024,8 +2039,8 @@ cleanup:
break;
case AF_INET6:
ip6_sa = (struct sockaddr_in6 *) rmask;
- addr->sadb_address_prefixlen
- = pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]);
+ addr->sadb_address_prefixlen =
+ pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]);
break;
}
if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr,
@@ -2038,7 +2053,8 @@ cleanup:
2 * PF_KEY_V2_ROUND(sysdep_sa_len(src));
policy_buf = (u_int8_t *) calloc(1, len);
if (!policy_buf) {
- log_error("pf_key_v2_flow: calloc %lu failed", (unsigned long) len);
+ log_error("pf_key_v2_flow: calloc %lu failed",
+ (unsigned long) len);
goto cleanup;
}
policy = (struct sadb_x_policy *) policy_buf;
@@ -2071,7 +2087,7 @@ cleanup:
else
ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
#else
- ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */
+ ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */
#endif
ipsecrequest->sadb_x_ipsecrequest_level
= ingress ? IPSEC_LEVEL_USE : IPSEC_LEVEL_REQUIRE;
@@ -2082,10 +2098,12 @@ cleanup:
pf_key_v2_setup_sockaddr(saddr, src, 0, 0, 0);
switch (src->sa_family) {
case AF_INET:
- saddr = (struct sockaddr *) ((struct sockaddr_in *) saddr + 1);
+ saddr =
+ (struct sockaddr *) ((struct sockaddr_in *) saddr + 1);
break;
case AF_INET6:
- saddr = (struct sockaddr *) ((struct sockaddr_in6 *) saddr + 1);
+ saddr =
+ (struct sockaddr *) ((struct sockaddr_in6 *) saddr + 1);
break;
}
pf_key_v2_setup_sockaddr(saddr, dst, 0, 0, 0);
@@ -2124,10 +2142,11 @@ cleanup:
goto cleanup;
err = ((struct sadb_msg *) TAILQ_FIRST(ret)->seg)->sadb_msg_errno;
if (!delete && err == EEXIST) {
- LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_flow: SPDADD returns EEXIST"));
+ LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_flow: "
+ "SPDADD returns EEXIST"));
} else if (err) {
- log_print("pf_key_v2_flow: SPD%s: %s", delete ? "DELETE" : "ADD",
- strerror(err));
+ log_print("pf_key_v2_flow: SPD%s: %s",
+ delete ? "DELETE" : "ADD", strerror(err));
goto cleanup;
}
pf_key_v2_msg_free(ret);
@@ -2198,19 +2217,22 @@ pf_key_v2_convert_id(u_int8_t * id, int idlen, size_t * reslen, int *idtype)
if (!res)
return 0;
*idtype = SADB_IDENTTYPE_PREFIX;
- LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: IPv4 address %s", res));
+ LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: "
+ "IPv4 address %s", res));
return res;
case IPSEC_ID_IPV6_ADDR: /* XXX CONNECTION ? */
- if (inet_ntop(AF_INET6, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
- addrbuf, ADDRESS_MAX) == NULL)
+ if (inet_ntop(AF_INET6,
+ id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
+ addrbuf, ADDRESS_MAX) == NULL)
return 0;
*reslen = strlen(addrbuf) + 4;
strlcat(addrbuf, "/128", ADDRESS_MAX + 5);
res = (u_int8_t *) strdup(addrbuf);
if (!res)
return 0;
- LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: IPv6 address %s", res));
+ LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: "
+ "IPv6 address %s", res));
*idtype = SADB_IDENTTYPE_PREFIX;
return res;
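Review bot: In the IPv6 address case `*reslen` is set to `strlen(addrbuf) + 4` before the `strlcat(addrbuf, "/128", ADDRESS_MAX + 5)`, so if the concatenation is ever truncated the reported length exceeds the actual string; the size argument also has to match addrbuf's declaration, which is outside the hunk. The subnet cases in the next hunk compute `*reslen = strlen(addrbuf);` after building the string, and doing the same here, after the strlcat, keeps the length tied to what is actually in the buffer. pf_key_v2_convert_id continues outside the hunk.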
@@ -2218,30 +2240,33 @@ pf_key_v2_convert_id(u_int8_t * id, int idlen, size_t * reslen, int *idtype)
addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
if (inet_ntop(AF_INET, addr, addrbuf, ADDRESS_MAX) == NULL)
return 0;
- snprintf(addrbuf + strlen(addrbuf), ADDRESS_MAX - strlen(addrbuf),
- "/%d", pf_key_v2_mask_to_bits((u_int32_t)
- * (addr +
- sizeof(struct in_addr))));
+ snprintf(addrbuf + strlen(addrbuf),
+ ADDRESS_MAX - strlen(addrbuf),
+ "/%d", pf_key_v2_mask_to_bits((u_int32_t)
+ * (addr + sizeof(struct in_addr))));
*reslen = strlen(addrbuf);
res = (u_int8_t *) strdup(addrbuf);
if (!res)
return 0;
*idtype = SADB_IDENTTYPE_PREFIX;
- LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: IPv4 subnet %s", res));
+ LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: "
+ "IPv4 subnet %s", res));
return res;
case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX PREFIX */
addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
if (inet_ntop(AF_INET6, addr, addrbuf, ADDRESS_MAX) == NULL)
return 0;
- snprintf(addrbuf + strlen(addrbuf), ADDRESS_MAX - strlen(addrbuf),
- "/%d", pf_key_v2_mask6_to_bits(addr +
- sizeof(struct in6_addr)));
+ snprintf(addrbuf + strlen(addrbuf),
+ ADDRESS_MAX - strlen(addrbuf), "/%d",
+ pf_key_v2_mask6_to_bits(addr +
+ sizeof(struct in6_addr)));
*reslen = strlen(addrbuf);
res = (u_int8_t *) strdup(addrbuf);
if (!res)
return 0;
- LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: IPv6 subnet %s", res));
+ LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: "
+ "IPv6 subnet %s", res));
*idtype = SADB_IDENTTYPE_PREFIX;
return res;
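Review bot: In the IPv4 subnet case `(u_int32_t) * (addr + sizeof(struct in_addr))` dereferences `addr` first and then widens the result, so if `addr` is a `u_int8_t *` (as the `inet_ntop` and `pf_key_v2_mask6_to_bits` calls suggest) only the first byte of the netmask reaches pf_key_v2_mask_to_bits and the prefix length written into the identity can be wrong; the declaration of `addr` is outside the hunk, so this needs confirming. Copying the mask out with `u_int32_t mask; memcpy(&mask, addr + sizeof(struct in_addr), sizeof mask);` and passing `mask` reads all four bytes and also avoids an unaligned access through a pointer cast.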
@@ -2280,19 +2305,19 @@ pf_key_v2_enable_sa(struct sa *sa, struct sa *isakmp_sa)
#if defined (SADB_X_EXT_FLOW_TYPE)
if (isakmp_sa->id_i) {
if (isakmp_sa->initiator)
- sid = pf_key_v2_convert_id(isakmp_sa->id_i, isakmp_sa->id_i_len,
- &sidlen, &sidtype);
+ sid = pf_key_v2_convert_id(isakmp_sa->id_i,
+ isakmp_sa->id_i_len, &sidlen, &sidtype);
else
- did = pf_key_v2_convert_id(isakmp_sa->id_i, isakmp_sa->id_i_len,
- &didlen, &didtype);
+ did = pf_key_v2_convert_id(isakmp_sa->id_i,
+ isakmp_sa->id_i_len, &didlen, &didtype);
}
if (isakmp_sa->id_r) {
if (isakmp_sa->initiator)
- did = pf_key_v2_convert_id(isakmp_sa->id_r, isakmp_sa->id_r_len,
- &didlen, &didtype);
+ did = pf_key_v2_convert_id(isakmp_sa->id_r,
+ isakmp_sa->id_r_len, &didlen, &didtype);
else
- sid = pf_key_v2_convert_id(isakmp_sa->id_r, isakmp_sa->id_r_len,
- &sidlen, &sidtype);
+ sid = pf_key_v2_convert_id(isakmp_sa->id_r,
+ isakmp_sa->id_r_len, &sidlen, &sidtype);
}
#endif /* SADB_X_EXT_FLOW_TYPE */
@@ -2310,18 +2335,20 @@ pf_key_v2_enable_sa(struct sa *sa, struct sa *isakmp_sa)
case AF_INET:
((struct sockaddr_in *) hostmask)->sin_family = AF_INET;
#ifndef USE_OLD_SOCKADDR
- ((struct sockaddr_in *) hostmask)->sin_len = sizeof(struct in_addr);
+ ((struct sockaddr_in *) hostmask)->sin_len =
+ sizeof(struct in_addr);
#endif
- memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr, 0xff,
- sizeof(struct in_addr));
+ memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr,
+ 0xff, sizeof(struct in_addr));
break;
case AF_INET6:
((struct sockaddr_in6 *) hostmask)->sin6_family = AF_INET6;
#ifndef USE_OLD_SOCKADDR
- ((struct sockaddr_in6 *) hostmask)->sin6_len = sizeof(struct in6_addr);
+ ((struct sockaddr_in6 *) hostmask)->sin6_len =
+ sizeof(struct in6_addr);
#endif
- memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr, 0xff,
- sizeof(struct in6_addr));
+ memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr,
+ 0xff, sizeof(struct in6_addr));
break;
}
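Review bot: The new lines set `sin_len` to `sizeof(struct in_addr)` and `sin6_len` to `sizeof(struct in6_addr)`, but the `sa_len` family of fields holds the size of the whole socket address structure, so the expected values are `sizeof(struct sockaddr_in)` and `sizeof(struct sockaddr_in6)`; with the shorter values any consumer that sizes a copy by `sysdep_sa_len(hostmask)` would copy only the first few bytes and never reach the mask itself. The same assignments appear again in pf_key_v2_disable_sa (the hunk at -2477), where they sit inside `#if !defined (SADB_X_EXT_FLOW_TYPE)` and `#ifndef USE_OLD_SOCKADDR`, so the code is probably exercised only on non-OpenBSD builds, which may be why it has gone unnoticed. Either fix both sites or add a comment explaining why the address size is intended here.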
@@ -2477,48 +2504,51 @@ pf_key_v2_disable_sa(struct sa *sa, int incoming)
sa->transport->vtbl->get_src(sa->transport, &src);
if (!incoming)
- return pf_key_v2_flow(isa->src_net, isa->src_mask, isa->dst_net,
- isa->dst_mask, isa->tproto, isa->sport, isa->dport,
- proto->spi[0], proto->proto, src, dst, 1, 0,
- 0, 0, 0, 0, 0, 0, proto->data);
+ return pf_key_v2_flow(isa->src_net, isa->src_mask,
+ isa->dst_net, isa->dst_mask, isa->tproto, isa->sport,
+ isa->dport, proto->spi[0], proto->proto, src, dst, 1, 0,
+ 0, 0, 0, 0, 0, 0, proto->data);
else {
#if !defined (SADB_X_EXT_FLOW_TYPE)
/* Set hostmask to '-1'. */
switch (dst->sa_family) {
case AF_INET:
- ((struct sockaddr_in *) hostmask)->sin_family = AF_INET;
+ ((struct sockaddr_in *) hostmask)->sin_family =
+ AF_INET;
#ifndef USE_OLD_SOCKADDR
- ((struct sockaddr_in *) hostmask)->sin_len = sizeof(struct in_addr);
+ ((struct sockaddr_in *) hostmask)->sin_len =
+ sizeof(struct in_addr);
#endif
- memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr, 0xff,
- sizeof(struct in_addr));
+ memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr,
+ 0xff, sizeof(struct in_addr));
break;
case AF_INET6:
- ((struct sockaddr_in6 *) hostmask)->sin6_family = AF_INET6;
+ ((struct sockaddr_in6 *) hostmask)->sin6_family =
+ AF_INET6;
#ifndef USE_OLD_SOCKADDR
((struct sockaddr_in6 *) hostmask)->sin6_len =
- sizeof(struct in6_addr);
+ sizeof(struct in6_addr);
#endif
- memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr, 0xff,
- sizeof(struct in6_addr));
+ memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr,
+ 0xff, sizeof(struct in6_addr));
break;
}
/* Ingress flow --- SA bundles */
while (TAILQ_NEXT(proto, link)) {
- error = pf_key_v2_flow(dst, hostmask, src, hostmask, 0, 0, 0,
- proto->spi[1], proto->proto, src, dst,
- 1, 1, 0, 0, 0, 0, 0, 0, proto->data);
+ error = pf_key_v2_flow(dst, hostmask, src, hostmask,
+ 0, 0, 0, proto->spi[1], proto->proto, src, dst,
+ 1, 1, 0, 0, 0, 0, 0, 0, proto->data);
if (error)
return error;
proto = TAILQ_NEXT(proto, link);
}
#endif /* SADB_X_EXT_FLOW_TYPE */
- return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
- isa->src_mask, isa->tproto, isa->dport,
- isa->sport, proto->spi[1], proto->proto,
- src, dst, 1, 1, 0, 0, 0, 0, 0, 0, proto->data);
+ return pf_key_v2_flow(isa->dst_net, isa->dst_mask,
+ isa->src_net, isa->src_mask, isa->tproto, isa->dport,
+ isa->sport, proto->spi[1], proto->proto, src, dst, 1, 1,
+ 0, 0, 0, 0, 0, 0, proto->data);
}
}
@@ -2572,7 +2602,8 @@ pf_key_v2_delete_spi(struct sa *sa, struct proto *proto, int incoming)
break;
#endif
default:
- log_print("pf_key_v2_delete_spi: invalid proto %d", proto->proto);
+ log_print("pf_key_v2_delete_spi: invalid proto %d",
+ proto->proto);
goto cleanup;
}
msg.sadb_msg_seq = 0;
@@ -2719,8 +2750,8 @@ pf_key_v2_connection_check(char *conn)
"pf_key_v2_connection_check: SA for %s missing", conn));
exchange_establish(conn, pf_key_v2_stayalive, conn);
} else
- LOG_DBG((LOG_SYSDEP, 70, "pf_key_v2_connection_check: SA for %s exists",
- conn));
+ LOG_DBG((LOG_SYSDEP, 70, "pf_key_v2_connection_check: "
+ "SA for %s exists", conn));
}
/* Handle a PF_KEY lifetime expiration message PMSG. */
@@ -2745,7 +2776,8 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg)
ssa = ext->seg;
ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST);
if (!ext) {
- log_print("pf_key_v2_expire: no destination address extension found");
+ log_print("pf_key_v2_expire: "
+ "no destination address extension found");
return;
}
dst = ext->seg;
@@ -2761,7 +2793,8 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg)
lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_CURRENT);
if (!lifenode) {
- log_print("pf_key_v2_expire: no current lifetime extension found");
+ log_print("pf_key_v2_expire: "
+ "no current lifetime extension found");
return;
}
lifecurrent = lifenode->seg;
@@ -2771,10 +2804,11 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg)
if (sockaddr2text(dstaddr, &dst_str, 0))
dst_str = 0;
- LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_expire: %s dst %s SPI %x sproto %d",
- life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? "SOFT"
- : "HARD", dst_str ? dst_str : "<unknown>",
- ntohl(ssa->sadb_sa_spi), msg->sadb_msg_satype));
+ LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_expire: "
+ "%s dst %s SPI %x sproto %d",
+ life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? "SOFT"
+ : "HARD", dst_str ? dst_str : "<unknown>",
+ ntohl(ssa->sadb_sa_spi), msg->sadb_msg_satype));
if (dst_str)
free(dst_str);
@@ -2791,16 +2825,19 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg)
*/
switch (msg->sadb_msg_satype) {
case SADB_SATYPE_ESP:
- sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, IPSEC_PROTO_IPSEC_ESP);
+ sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi,
+ IPSEC_PROTO_IPSEC_ESP);
break;
case SADB_SATYPE_AH:
- sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, IPSEC_PROTO_IPSEC_AH);
+ sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi,
+ IPSEC_PROTO_IPSEC_AH);
break;
#ifdef SADB_X_SATYPE_IPCOMP
case SADB_X_SATYPE_IPCOMP:
- sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, IPSEC_PROTO_IPCOMP);
+ sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi,
+ IPSEC_PROTO_IPCOMP);
break;
#endif
@@ -2820,7 +2857,8 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg)
* Also, ignore SAs that were not dynamically established, or that
* did not see any use.
*/
- if (!(sa->flags & SA_FLAG_REPLACED) && (sa->flags & SA_FLAG_ONDEMAND) &&
+ if (!(sa->flags & SA_FLAG_REPLACED) &&
+ (sa->flags & SA_FLAG_ONDEMAND) &&
lifecurrent->sadb_lifetime_bytes)
exchange_establish(sa->name, 0, 0);
@@ -2876,7 +2914,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST);
if (!ext) {
- log_print("pf_key_v2_acquire: no destination address specified");
+ log_print("pf_key_v2_acquire: "
+ "no destination address specified");
return;
}
dst = ext->seg;
@@ -2926,7 +2965,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_FLOW);
if (!ext) {
- log_print("pf_key_v2_acquire: no destination flow extension found");
+ log_print("pf_key_v2_acquire: "
+ "no destination flow extension found");
goto fail;
}
dflow = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1);
@@ -2939,7 +2979,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_MASK);
if (!ext) {
- log_print("pf_key_v2_acquire: no destination mask extension found");
+ log_print("pf_key_v2_acquire: "
+ "no destination mask extension found");
goto fail;
}
dmask = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1);
@@ -2977,74 +3018,84 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
switch (sflow->sa_family) {
case AF_INET:
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) sflow)->sin_addr, ssflow,
- ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sflow)->sin_addr, ssflow,
+ ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
sport = ((struct sockaddr_in *) sflow)->sin_port;
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) dflow)->sin_addr, sdflow,
- ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) dflow)->sin_addr, sdflow,
+ ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
dport = ((struct sockaddr_in *) dflow)->sin_port;
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) smask)->sin_addr, ssmask,
- ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) smask)->sin_addr, ssmask,
+ ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) dmask)->sin_addr, sdmask,
- ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) dmask)->sin_addr, sdmask,
+ ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
- if (((struct sockaddr_in *) smask)->sin_addr.s_addr == INADDR_BROADCAST) {
+ if (((struct sockaddr_in *) smask)->sin_addr.s_addr ==
+ INADDR_BROADCAST) {
shostflag = 1;
sidtype = "IPV4_ADDR";
}
- if (((struct sockaddr_in *) dmask)->sin_addr.s_addr == INADDR_BROADCAST) {
+ if (((struct sockaddr_in *) dmask)->sin_addr.s_addr ==
+ INADDR_BROADCAST) {
dhostflag = 1;
didtype = "IPV4_ADDR";
}
break;
case AF_INET6:
- if (inet_ntop(AF_INET6, &((struct sockaddr_in6 *) sflow)->sin6_addr,
- ssflow, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) sflow)->sin6_addr,
+ ssflow, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
sport = ((struct sockaddr_in6 *) sflow)->sin6_port;
- if (inet_ntop(AF_INET6, &((struct sockaddr_in6 *) dflow)->sin6_addr,
- sdflow, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) dflow)->sin6_addr,
+ sdflow, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
dport = ((struct sockaddr_in6 *) dflow)->sin6_port;
- if (inet_ntop(AF_INET6, &((struct sockaddr_in6 *) smask)->sin6_addr,
- ssmask, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) smask)->sin6_addr,
+ ssmask, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
- if (inet_ntop(AF_INET6, &((struct sockaddr_in6 *) dmask)->sin6_addr,
- sdmask, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) dmask)->sin6_addr,
+ sdmask, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
sidtype = didtype = "IPV6_ADDR_SUBNET";
- if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *) smask)->sin6_addr)) {
+ if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)smask)->sin6_addr)) {
shostflag = 1;
sidtype = "IPV6_ADDR";
}
- if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *) dmask)->sin6_addr)) {
+ if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)dmask)->sin6_addr)) {
dhostflag = 1;
didtype = "IPV6_ADDR";
}
break;
}
- dstaddr = (struct sockaddr *) (dst + 1);
+ dstaddr = (struct sockaddr *)(dst + 1);
bzero(dstbuf, sizeof dstbuf);
bzero(srcbuf, sizeof srcbuf);
@@ -3054,30 +3105,35 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
* it?
*/
if (dhostflag == 0) {
- log_print("pf_key_v2_acquire: Cannot determine precise destination");
+ log_print("pf_key_v2_acquire: "
+ "Cannot determine precise destination");
goto fail;
}
dstaddr = dflow;
}
switch (dstaddr->sa_family) {
case AF_INET:
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) dstaddr)->sin_addr,
- dstbuf, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) dstaddr)->sin_addr,
+ dstbuf, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
- LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_acquire: dst=%s sproto %d", dstbuf,
- msg->sadb_msg_satype));
+ LOG_DBG((LOG_SYSDEP, 20,
+ "pf_key_v2_acquire: dst=%s sproto %d", dstbuf,
+ msg->sadb_msg_satype));
break;
case AF_INET6:
- if (inet_ntop(AF_INET6, &((struct sockaddr_in6 *) dstaddr)->sin6_addr,
- dstbuf, ADDRESS_MAX) == NULL) {
+ if (inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) dstaddr)->sin6_addr,
+ dstbuf, ADDRESS_MAX) == NULL) {
log_print("pf_key_v2_acquire: inet_ntop failed");
goto fail;
}
- LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_acquire: dst=%s sproto %d", dstbuf,
- msg->sadb_msg_satype));
+ LOG_DBG((LOG_SYSDEP, 20,
+ "pf_key_v2_acquire: dst=%s sproto %d", dstbuf,
+ msg->sadb_msg_satype));
break;
}
@@ -3086,27 +3142,30 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
switch (srcaddr->sa_family) {
case AF_INET:
- if (inet_ntop(AF_INET, &((struct sockaddr_in *) srcaddr)->sin_addr,
- srcbuf, ADDRESS_MAX) == NULL) {
- log_print("pf_key_v2_acquire: inet_ntop failed");
+ if (inet_ntop(AF_INET,
+ &((struct sockaddr_in *) srcaddr)->sin_addr,
+ srcbuf, ADDRESS_MAX) == NULL) {
+ log_print("pf_key_v2_acquire: "
+ "inet_ntop failed");
goto fail;
}
break;
case AF_INET6:
if (inet_ntop(AF_INET6,
- &((struct sockaddr_in6 *) srcaddr)->sin6_addr, srcbuf,
- ADDRESS_MAX) == NULL) {
- log_print("pf_key_v2_acquire: inet_ntop failed");
+ &((struct sockaddr_in6 *)srcaddr)->sin6_addr,
+ srcbuf, ADDRESS_MAX) == NULL) {
+ log_print("pf_key_v2_acquire: "
+ "inet_ntop failed");
goto fail;
}
break;
default:
/*
- * The kernel will pass an all '0' EXT_ADDRESS_SRC if it wasn't
- * specified for the flow. In that case, do NOT specify the srcaddr
- * in the Peer- name below
+ * The kernel will pass an all '0' EXT_ADDRESS_SRC if
+ * it wasn't specified for the flow. In that case, do
+ * NOT specify the srcaddr in the Peer-name below
*/
srcbuf[0] = 0;
srcaddr = NULL;
@@ -3118,7 +3177,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
slen = (srcident->sadb_ident_len * sizeof(u_int64_t))
- sizeof(struct sadb_ident);
if (((unsigned char *) (srcident + 1))[slen - 1] != '\0') {
- log_print("pf_key_v2_acquire: source identity not NUL-terminated");
+ log_print("pf_key_v2_acquire: "
+ "source identity not NUL-terminated");
goto fail;
}
/* Check for valid type. */
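Review bot: The NUL-termination check `((unsigned char *) (srcident + 1))[slen - 1] != '\0'` indexes before the payload when slen is 0, and the USER_FQDN branch further down treats `slen == 0` (identity carrying only a user ID, no string) as a legitimate case, so such an extension reads one byte out of bounds here before the type switch is ever reached. Guard the length first: `if (slen == 0 || ((unsigned char *) (srcident + 1))[slen - 1] != '\0') {` — or skip the terminator check when slen is 0, since there is no string to terminate. slen's declaration is outside the hunk, so whether `slen - 1` wraps or goes negative cannot be confirmed from here; the destination-identity path presumably has the same check, but it is not visible in this chunk.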
@@ -3139,7 +3199,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
srcid = memchr(srcident + 1, '/', slen);
if (!srcid) {
- log_print("pf_key_v2_acquire: badly formatted PREFIX identity");
+ log_print("pf_key_v2_acquire: "
+ "badly formatted PREFIX identity");
goto fail;
}
masklen = atoi(srcid + 1);
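Review bot: `masklen = atoi(srcid + 1);` gives no error indication, so a malformed prefix such as `/32x` or an empty `/` parses as 32 or 0 and only the host-mask comparison that follows happens to reject it. Parsing with strtol and an end pointer, then rejecting `end == srcid + 1 || *end != '\0'`, makes the "badly formatted PREFIX identity" failure explicit rather than incidental. The destination-identity memchr/atoi hunk below has the same shape.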
@@ -3147,9 +3208,10 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
/* XXX We only support host addresses. */
if ((afamily == AF_INET6 && masklen != 128)
|| (afamily == AF_INET && masklen != 32)) {
- log_print("pf_key_v2_acquire: non-host address specified in "
- "source identity (mask length %d), ignoring request",
- masklen);
+ log_print("pf_key_v2_acquire: "
+ "non-host address specified in source "
+ "identity (mask length %d), ignoring "
+ "request", masklen);
goto fail;
}
/*
@@ -3157,23 +3219,27 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
* then dup.
*/
*srcid = '\0';
- slen = strlen((char *) (srcident + 1)) + sizeof "ID:Address/";
+ slen = strlen((char *) (srcident + 1)) +
+ sizeof "ID:Address/";
srcid = malloc(slen);
if (!srcid) {
- log_error("pf_key_v2_acquire: malloc (%d) failed", slen);
+ log_error("pf_key_v2_acquire: "
+ "malloc (%d) failed", slen);
goto fail;
}
- snprintf(srcid, slen, "ID:Address/%s", (char *) (srcident + 1));
+ snprintf(srcid, slen, "ID:Address/%s",
+ (char *) (srcident + 1));
/* Set the section if it doesn't already exist. */
af = conf_begin();
if (!conf_get_str(srcid, "ID-type")) {
if (conf_set(af, srcid, "ID-type",
- afamily == AF_INET ? "IPV4_ADDR" : "IPV6_ADDR",
- 1, 0)
- || conf_set(af, srcid, "Refcount", "1", 1, 0)
- || conf_set(af, srcid, "Address", (char *) (srcident + 1),
- 1, 0)) {
+ afamily == AF_INET ? "IPV4_ADDR" :
+ "IPV6_ADDR", 1, 0)
+ || conf_set(af, srcid, "Refcount", "1", 1,
+ 0)
+ || conf_set(af, srcid, "Address",
+ (char *) (srcident + 1), 1, 0)) {
conf_end(af, 0);
goto fail;
}
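Review bot: `log_error("pf_key_v2_acquire: " "malloc (%d) failed", slen);` prints slen with %d although it is assigned from a strlen/sizeof expression; if slen is declared size_t (its declaration is outside the hunk) this is a format/argument mismatch. The passphrase branch later in this function already casts such sizes with `(unsigned long)` and prints with %lu, so `log_error("pf_key_v2_acquire: malloc (%lu) failed", (unsigned long) slen);` keeps the file consistent. The same %d-with-size pattern appears in the three other malloc-failure messages of this function (the USER_FQDN source branch with buflen, and both destination-identity branches).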
@@ -3190,28 +3256,40 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
prefstring = "USER_FQDN";
/*
- * Check whether there is a string following the header;
- * if no, that there is a user ID (and acquire the login
- * name). If there is both a string and a user ID, check
- * that they match.
+ * Check whether there is a string following
+ * the header; if no, that there is a user ID
+ * (and acquire the login name). If there is
+ * both a string and a user ID, check that
+ * they match.
*/
- if ((slen == 0) && (srcident->sadb_ident_id == 0)) {
- log_print("pf_key_v2_acquire: no user FQDN or ID provided");
+ if ((slen == 0) &&
+ (srcident->sadb_ident_id == 0)) {
+ log_print("pf_key_v2_acquire: "
+ "no user FQDN or ID provided");
goto fail;
}
if (srcident->sadb_ident_id) {
- pwd = getpwuid(srcident->sadb_ident_id);
+ pwd =
+ getpwuid(srcident->sadb_ident_id);
if (!pwd) {
- log_error("pf_key_v2_acquire: could not acquire "
- "username from provided ID %llu",
- srcident->sadb_ident_id);
+ log_error("pf_key_v2_acquire: "
+ "could not acquire "
+ "username from provided "
+ "ID %llu",
+ srcident->sadb_ident_id);
goto fail;
}
if (slen != 0)
- if (strcmp(pwd->pw_name, (char *) (srcident + 1)) != 0) {
- log_print("pf_key_v2_acquire: provided user name and "
- "ID do not match (%s != %s)",
- (char *) (srcident + 1), pwd->pw_name);
+ if (strcmp(pwd->pw_name,
+ (char *) (srcident + 1))
+ != 0) {
+ log_print("pf_key_v2_acquire: "
+ "provided user "
+ "name and ID do "
+ "not match (%s != "
+ "%s)",
+ (char *) (srcident + 1),
+ pwd->pw_name);
/*
* String has
* precedence, per
@@ -3220,16 +3298,18 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
}
}
- buflen = (slen ? slen : strlen(pwd->pw_name)) + strlen(prefstring)
- + sizeof "ID:/";
+ buflen = (slen ? slen : strlen(pwd->pw_name)) +
+ strlen(prefstring) + sizeof "ID:/";
srcid = malloc(buflen);
if (!srcid) {
- log_error("pf_key_v2_acquire: malloc (%d) failed", buflen);
+ log_error("pf_key_v2_acquire: "
+ "malloc (%d) failed", buflen);
goto fail;
}
snprintf(srcid, buflen, "ID:%s/", prefstring);
if (slen != 0)
- strlcat(srcid, (char *) (srcident + 1), buflen);
+ strlcat(srcid,
+ (char *) (srcident + 1), buflen);
else
strlcat(srcid, pwd->pw_name, buflen);
pwd = 0;
@@ -3237,11 +3317,13 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
/* Set the section if it doesn't already exist. */
af = conf_begin();
if (!conf_get_str(srcid, "ID-type")) {
- if (conf_set(af, srcid, "ID-type", prefstring, 1, 0)
- || conf_set(af, srcid, "Refcount", "1", 1, 0)
+ if (conf_set(af, srcid, "ID-type", prefstring,
+ 1, 0)
+ || conf_set(af, srcid, "Refcount", "1", 1,
+ 0)
|| conf_set(af, srcid, "Name",
- srcid + sizeof "ID:/" - 1 + strlen(prefstring),
- 1, 0)) {
+ srcid + sizeof "ID:/" - 1 +
+ strlen(prefstring), 1, 0)) {
conf_end(af, 0);
goto fail;
}
@@ -3258,7 +3340,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
LOG_DBG((LOG_SYSDEP, 50,
- "pf_key_v2_acquire: constructed source ID \"%s\"", srcid));
+ "pf_key_v2_acquire: constructed source ID \"%s\"", srcid));
prefstring = 0;
}
/* Insert destination ID. */
@@ -3284,7 +3366,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
dstid = memchr(dstident + 1, '/', slen);
if (!dstid) {
- log_print("pf_key_v2_acquire: badly formatted PREFIX identity");
+ log_print("pf_key_v2_acquire: "
+ "badly formatted PREFIX identity");
goto fail;
}
masklen = atoi(dstid + 1);
@@ -3292,10 +3375,10 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
/* XXX We only support host addresses. */
if ((afamily == AF_INET6 && masklen != 128)
|| (afamily == AF_INET && masklen != 32)) {
- log_print("pf_key_v2_acquire: non-host address specified in "
- "destination identity (mask length %d), ignoring "
- "request",
- masklen);
+ log_print("pf_key_v2_acquire: "
+ "non-host address specified in "
+ "destination identity (mask length %d), "
+ "ignoring request", masklen);
goto fail;
}
/*
@@ -3303,23 +3386,27 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
* then dup.
*/
*dstid = '\0';
- slen = strlen((char *) (dstident + 1)) + sizeof "ID:Address/";
+ slen = strlen((char *) (dstident + 1)) +
+ sizeof "ID:Address/";
dstid = malloc(slen);
if (!dstid) {
- log_error("pf_key_v2_acquire: malloc (%d) failed", slen);
+ log_error("pf_key_v2_acquire: "
+ "malloc (%d) failed", slen);
goto fail;
}
- snprintf(dstid, slen, "ID:Address/%s", (char *) (dstident + 1));
+ snprintf(dstid, slen, "ID:Address/%s",
+ (char *) (dstident + 1));
/* Set the section if it doesn't already exist. */
af = conf_begin();
if (!conf_get_str(dstid, "ID-type")) {
if (conf_set(af, dstid, "ID-type",
- afamily == AF_INET ? "IPV4_ADDR" : "IPV6_ADDR",
- 1, 0)
- || conf_set(af, dstid, "Refcount", "1", 1, 0)
- || conf_set(af, dstid, "Address", (char *) (dstident + 1),
- 1, 0)) {
+ afamily == AF_INET ? "IPV4_ADDR" :
+ "IPV6_ADDR", 1, 0)
+ || conf_set(af, dstid, "Refcount", "1", 1,
+ 0)
+ || conf_set(af, dstid, "Address",
+ (char *) (dstident + 1), 1, 0)) {
conf_end(af, 0);
goto fail;
}
@@ -3337,28 +3424,39 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
prefstring = "USER_FQDN";
/*
- * Check whether there is a string following the header;
- * if no, that there is a user ID (and acquire the login
- * name). If there is both a string and a user ID, check
- * that they match.
+ * Check whether there is a string following
+ * the header; if no, that there is a user ID
+ * (and acquire the login name). If there is
+ * both a string and a user ID, check that
+ * they match.
*/
- if (slen == 0 && dstident->sadb_ident_id == 0) {
- log_print("pf_key_v2_acquire: no user FQDN or ID provided");
+ if (slen == 0 &&
+ dstident->sadb_ident_id == 0) {
+ log_print("pf_key_v2_acquire: "
+ "no user FQDN or ID provided");
goto fail;
}
if (dstident->sadb_ident_id) {
pwd = getpwuid(dstident->sadb_ident_id);
if (!pwd) {
- log_error("pf_key_v2_acquire: could not acquire "
- "username from provided ID %llu",
- dstident->sadb_ident_id);
+ log_error("pf_key_v2_acquire: "
+ "could not acquire "
+ "username from provided "
+ "ID %llu",
+ dstident->sadb_ident_id);
goto fail;
}
if (slen != 0)
- if (strcmp(pwd->pw_name, (char *) (dstident + 1)) != 0) {
- log_print("pf_key_v2_acquire: provided user name and "
- "ID do not match (%s != %s)",
- (char *) (dstident + 1), pwd->pw_name);
+ if (strcmp(pwd->pw_name,
+ (char *) (dstident + 1))
+ != 0) {
+ log_print("pf_key_v2_acquire: "
+ "provided user "
+ "name and ID do "
+ "not match (%s != "
+ "%s)",
+ (char *) (dstident + 1),
+ pwd->pw_name);
/*
* String has
* precedence, per RF
@@ -3367,16 +3465,18 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
}
}
- buflen = (slen ? slen : strlen(pwd->pw_name)) + strlen(prefstring)
- + sizeof "ID:/";
+ buflen = (slen ? slen : strlen(pwd->pw_name)) +
+ strlen(prefstring) + sizeof "ID:/";
dstid = malloc(buflen);
if (!dstid) {
- log_error("pf_key_v2_acquire: malloc (%d) failed", buflen);
+ log_error("pf_key_v2_acquire: "
+ "malloc (%d) failed", buflen);
goto fail;
}
snprintf(dstid, buflen, "ID:%s/", prefstring);
if (slen != 0)
- strlcat(dstid, (char *) (dstident + 1), buflen);
+ strlcat(dstid, (char *) (dstident + 1),
+ buflen);
else
strlcat(dstid, pwd->pw_name, buflen);
pwd = 0;
@@ -3384,11 +3484,13 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
/* Set the section if it doesn't already exist. */
af = conf_begin();
if (!conf_get_str(dstid, "ID-type")) {
- if (conf_set(af, dstid, "ID-type", prefstring, 1, 0)
- || conf_set(af, dstid, "Refcount", "1", 1, 0)
+ if (conf_set(af, dstid, "ID-type", prefstring,
+ 1, 0)
+ || conf_set(af, dstid, "Refcount", "1", 1,
+ 0)
|| conf_set(af, dstid, "Name",
- dstid + sizeof "ID:/" - 1 + strlen(prefstring),
- 1, 0)) {
+ dstid + sizeof "ID:/" - 1 +
+ strlen(prefstring), 1, 0)) {
conf_end(af, 0);
goto fail;
}
@@ -3398,15 +3500,15 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
break;
default:
- LOG_DBG((LOG_SYSDEP, 20,
- "pf_key_v2_acquire: invalid destination ID type %d",
- dstident->sadb_ident_type));
+ LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_acquire: "
+ "invalid destination ID type %d",
+ dstident->sadb_ident_type));
goto fail;
}
LOG_DBG((LOG_SYSDEP, 50,
- "pf_key_v2_acquire: constructed destination ID \"%s\"",
- dstid));
+ "pf_key_v2_acquire: constructed destination ID \"%s\"",
+ dstid));
}
/* Now we've placed the necessary IDs in the configuration space. */
@@ -3414,7 +3516,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
for (;; connection_seq++) {
snprintf(conn, connlen, "Connection-%u", connection_seq);
snprintf(configname, sizeof configname, "Config-Phase2-%u",
- connection_seq);
+ connection_seq);
/* Does it exist ? */
if (!conf_get_str(conn, "Phase")
@@ -3438,7 +3540,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
* - Remote-ID (if provided)
* - Local-address (if provided)
* - Address
- * - Configuration (if an entry "ISAKMP-configuration-dstaddr(/srcaddr)"
+ * - Configuration (if an entry ISAKMP-configuration-dstaddr(/srcaddr)
* exists -- otherwise use the defaults)
*/
@@ -3514,7 +3616,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
goto fail;
}
if (sport) {
- snprintf(tmbuf, sizeof sport * 3 + 1, "%u", ntohs(sport));
+ snprintf(tmbuf, sizeof sport * 3 + 1, "%u",
+ ntohs(sport));
if (conf_set(af, lname, "Port", tmbuf, 0, 0)) {
conf_end(af, 0);
goto fail;
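Review bot: `snprintf(tmbuf, sizeof sport * 3 + 1, "%u", ntohs(sport));` bounds the write by an arithmetic estimate of the formatted width rather than by the buffer, so the call is only safe as long as tmbuf really is at least that many bytes — its declaration is outside the hunk. If tmbuf is an array, `sizeof tmbuf` ties the bound to the object actually written and is a one-token change. The dport write in the Remote-ID section below has the same form.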
@@ -3526,7 +3629,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
/* Set Remote-ID section. */
snprintf(dname, sizeof dname, "Phase2-ID:%s/%s/%u/%u", sdflow, sdmask,
- tproto, dport);
+ tproto, dport);
if (conf_set(af, conn, "Remote-ID", dname, 0, 0)) {
conf_end(af, 0);
goto fail;
@@ -3538,14 +3641,14 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
if (dhostflag) {
if (conf_set(af, dname, "ID-type", didtype, 0, 0)
- || conf_set(af, dname, "Address", sdflow, 0, 0)) {
+ || conf_set(af, dname, "Address", sdflow, 0, 0)) {
conf_end(af, 0);
goto fail;
}
} else {
if (conf_set(af, dname, "ID-type", didtype, 0, 0)
|| conf_set(af, dname, "Network", sdflow, 0, 0)
- || conf_set(af, dname, "Netmask", sdmask, 0, 0)) {
+ || conf_set(af, dname, "Netmask", sdmask, 0, 0)) {
conf_end(af, 0);
goto fail;
}
@@ -3558,7 +3661,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
goto fail;
}
if (dport) {
- snprintf(tmbuf, sizeof dport * 3 + 1, "%u", ntohs(dport));
+ snprintf(tmbuf, sizeof dport * 3 + 1, "%u",
+ ntohs(dport));
if (conf_set(af, dname, "Port", tmbuf, 0, 0)) {
conf_end(af, 0);
goto fail;
@@ -3586,13 +3690,13 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
if (conf_get_str("General", "Default-phase-2-suites")) {
if (conf_set(af, configname, "Suites",
- conf_get_str("General", "Default-phase-2-suites"), 0, 0)) {
+ conf_get_str("General", "Default-phase-2-suites"), 0, 0)) {
conf_end(af, 0);
goto fail;
}
} else {
if (conf_set(af, configname, "Suites",
- "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) {
+ "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) {
conf_end(af, 0);
goto fail;
}
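Review bot: `conf_get_str("General", "Default-phase-2-suites")` is evaluated twice, once in the condition and again as the value passed to conf_set; a point of style only, but caching it in a local, e.g. `suites = conf_get_str("General", "Default-phase-2-suites");` and then `conf_set(af, configname, "Suites", suites ? suites : "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)`, collapses the two branches into one and reads the way the Transforms default is handled further down.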
@@ -3606,11 +3710,13 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
conf_end(af, 0);
goto fail;
}
- if (srcaddr && conf_set(af, peer, "Local-address", srcbuf, 0, 0)) {
+ if (srcaddr && conf_set(af, peer, "Local-address", srcbuf, 0,
+ 0)) {
conf_end(af, 0);
goto fail;
}
- snprintf(confname, sizeof confname, "ISAKMP-Configuration-%s", peer);
+ snprintf(confname, sizeof confname, "ISAKMP-Configuration-%s",
+ peer);
if (conf_set(af, peer, "Configuration", confname, 0, 0)) {
conf_end(af, 0);
goto fail;
@@ -3626,29 +3732,34 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
cred->sadb_x_cred_len *= PF_KEY_V2_CHUNK;
if (cred->sadb_x_cred_len <= sizeof *cred) {
- log_print("pf_key_v2_acquire: zero-length credentials, "
- "aborting SA acquisition");
+ log_print("pf_key_v2_acquire: "
+ "zero-length credentials, aborting SA "
+ "acquisition");
conf_end(af, 0);
goto fail;
}
switch (cred->sadb_x_cred_type) {
case SADB_X_CREDTYPE_X509:
- snprintf(num, sizeof num, "%d", ISAKMP_CERTENC_X509_SIG);
+ snprintf(num, sizeof num, "%d",
+ ISAKMP_CERTENC_X509_SIG);
handler = cert_get(ISAKMP_CERTENC_X509_SIG);
break;
case SADB_X_CREDTYPE_KEYNOTE:
- snprintf(num, sizeof num, "%d", ISAKMP_CERTENC_KEYNOTE);
+ snprintf(num, sizeof num, "%d",
+ ISAKMP_CERTENC_KEYNOTE);
handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
break;
default:
- log_print("pf_key_v2_acquire: unknown credential type %d",
- cred->sadb_x_cred_type);
+ log_print("pf_key_v2_acquire: "
+ "unknown credential type %d",
+ cred->sadb_x_cred_type);
conf_end(af, 0);
goto fail;
}
if (!handler) {
- log_print("pf_key_v2_acquire: cert_get (%s) failed", num);
+ log_print("pf_key_v2_acquire: "
+ "cert_get (%s) failed", num);
conf_end(af, 0);
goto fail;
}
@@ -3659,13 +3770,14 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
}
/* Get the certificate. */
cert = handler->cert_get((u_int8_t *) (cred + 1),
- cred->sadb_x_cred_len - sizeof *cred);
+ cred->sadb_x_cred_len - sizeof *cred);
/* Now convert to printable format. */
certprint = handler->cert_printable(cert);
handler->cert_free(cert);
if (!certprint
- || conf_set(af, peer, "Credentials", certprint, 0, 0)) {
+ || conf_set(af, peer, "Credentials", certprint, 0,
+ 0)) {
if (certprint)
free(certprint);
conf_end(af, 0);
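Review bot: `cert = handler->cert_get(...)` is passed straight to `handler->cert_printable(cert)` and `handler->cert_free(cert)` with no NULL check, so a credential blob the handler fails to parse relies on every handler tolerating NULL in both callbacks; their contracts are not visible here. A guard right after the call, `if (!cert) { log_print("pf_key_v2_acquire: cert_get failed"); conf_end(af, 0); goto fail; }`, matches the surrounding error handling and removes that dependency. The failure path continues outside this hunk.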
@@ -3690,29 +3802,36 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
switch (sauth->sadb_x_cred_type) {
case SADB_X_AUTHTYPE_PASSPHRASE:
- if (conf_set(af, confname, "Transforms", "3DES-SHA", 0, 0)) {
+ if (conf_set(af, confname,
+ "Transforms", "3DES-SHA", 0, 0)) {
conf_end(af, 0);
goto fail;
}
- if (sauth->sadb_x_cred_len <= sizeof *sauth) {
- log_print("pf_key_v2_acquire: zero-length passphrase, "
- "aborting SA acquisition");
+ if (sauth->sadb_x_cred_len <=
+ sizeof *sauth) {
+ log_print("pf_key_v2_acquire: "
+ "zero-length passphrase, "
+ "aborting SA acquisition");
conf_end(af, 0);
goto fail;
}
- authm = malloc(sauth->sadb_x_cred_len - sizeof *sauth + 1);
+ authm = malloc(sauth->sadb_x_cred_len -
+ sizeof *sauth + 1);
if (!authm) {
- log_error("pf_key_v2_acquire: malloc (%lu) failed",
+ log_error("pf_key_v2_acquire: "
+ "malloc (%lu) failed",
sauth->sadb_x_cred_len -
- (unsigned long) sizeof *sauth + 1);
+ (unsigned long) sizeof *sauth + 1);
conf_end(af, 0);
goto fail;
}
memcpy(authm, sauth + 1,
- sauth->sadb_x_cred_len - sizeof *sauth + 1);
+ sauth->sadb_x_cred_len -
+ sizeof *sauth + 1);
/* Set the passphrase in the peer. */
- if (conf_set(af, peer, "Authentication", authm, 0, 0)) {
+ if (conf_set(af, peer,
+ "Authentication", authm, 0, 0)) {
free(authm);
conf_end(af, 0);
goto fail;
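Review bot: `memcpy(authm, sauth + 1, sauth->sadb_x_cred_len - sizeof *sauth + 1);` copies one byte more than the passphrase payload, so the terminator conf_set relies on is whatever happens to follow the credential in the kernel message (and the copy reads one byte past it) rather than something this code guarantees; the +1 on the malloc suggests explicit termination was the intent. Copy only the payload and terminate it yourself: `len = sauth->sadb_x_cred_len - sizeof *sauth; memcpy(authm, sauth + 1, len); authm[len] = '\0';`. Since authm holds a passphrase, clearing it before the `free(authm)` calls (here and on the success path, which lies outside the hunk) would also be worth doing. Whether sadb_x_cred_len has already been scaled by PF_KEY_V2_CHUNK the way cred's length was above is not visible in this hunk.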
@@ -3721,38 +3840,47 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
break;
case SADB_X_AUTHTYPE_RSA:
- if (conf_set(af, confname, "Transforms", "3DES-SHA-RSA_SIG",
- 0, 0)) {
+ if (conf_set(af, confname,
+ "Transforms", "3DES-SHA-RSA_SIG",
+ 0, 0)) {
conf_end(af, 0);
goto fail;
}
- if (sauth->sadb_x_cred_len <= sizeof *sauth) {
- log_print("pf_key_v2_acquire: zero-length RSA key, "
- "aborting SA acquisition");
+ if (sauth->sadb_x_cred_len <=
+ sizeof *sauth) {
+ log_print("pf_key_v2_acquire: "
+ "zero-length RSA key, "
+ "aborting SA acquisition");
conf_end(af, 0);
goto fail;
}
authm = key_printable(ISAKMP_KEY_RSA,
- ISAKMP_KEYTYPE_PRIVATE,
- (u_int8_t *) sauth + 1,
- sauth->sadb_x_cred_len
- - sizeof *sauth);
+ ISAKMP_KEYTYPE_PRIVATE,
+ (u_int8_t *) sauth + 1,
+ sauth->sadb_x_cred_len -
+ sizeof *sauth);
if (!authm) {
- log_print("pf_key_v2_acquire: failed to convert "
- "private key to printable format (size %lu)",
+ log_print("pf_key_v2_acquire: "
+ "failed to convert "
+ "private key to printable "
+ "format (size %lu)",
sauth->sadb_x_cred_len -
- (unsigned long) sizeof *sauth);
+ (unsigned long) sizeof *sauth);
conf_end(af, 0);
goto fail;
}
/*
- * Set the key in the peer. We don't use "Authentication"
- * to avoid potential conflicts with file-based
- * configurations that use public key authentication
- * but still specify an "Authentication" tag (typically
- * as a remnant of passphrase-based testing).
+ * Set the key in the peer. We don't
+ * use "Authentication" to avoid
+ * potential conflicts with file-based
+ * configurations that use public key
+ * authentication but still specify
+ * an "Authentication" tag (typically
+ * as a remnant of passphrase-based
+ * testing).
*/
- if (conf_set(af, peer, "PKAuthentication", authm, 0, 0)) {
+ if (conf_set(af, peer,
+ "PKAuthentication", authm, 0, 0)) {
free(authm);
conf_end(af, 0);
goto fail;
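Review bot: authm here holds the printable private key returned by key_printable, and the failure path does `free(authm)` without clearing it, leaving key material in freed heap memory; the success-path release is outside the hunk and likely has the same shape. Clearing before freeing — `bzero(authm, strlen(authm)); free(authm);` — is the minimal mitigation, with the caveat that a plain clear immediately before free can be dropped by the optimizer, so a compiler-opaque clearing routine is preferable where the platform provides one. The passphrase branch above has the same consideration.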
@@ -3761,27 +3889,31 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg)
break;
default:
- log_print("pf_key_v2_acquire: unknown authentication "
- "material type %d received from kernel",
- sauth->sadb_x_cred_type);
+ log_print("pf_key_v2_acquire: "
+ "unknown authentication "
+ "material type %d received from "
+ "kernel", sauth->sadb_x_cred_type);
conf_end(af, 0);
goto fail;
}
} else /* Fall through */
#endif /* SADB_X_EXT_LOCAL_AUTH */
{
- xform = conf_get_str("Default-phase-1-configuration",
- "Transforms");
+ xform = conf_get_str(
+ "Default-phase-1-configuration",
+ "Transforms");
if (conf_set(af, confname, "Transforms",
- xform ? xform : "3DES-SHA-RSA_SIG", 0, 0)) {
+ xform ? xform : "3DES-SHA-RSA_SIG", 0,
+ 0)) {
conf_end(af, 0);
goto fail;
}
}
- if (conf_set(af, confname, "Exchange_Type", "ID_PROT", 0, 0)
+ if (conf_set(af, confname, "Exchange_Type", "ID_PROT",
+ 0, 0)
|| conf_set(af, confname, "DOI", "IPSEC", 0, 0)
- || conf_set(af, confname, "Refcount", "1", 0, 0)) {
+ || conf_set(af, confname, "Refcount", "1", 0, 0)) {
conf_end(af, 0);
goto fail;
}
@@ -3833,7 +3965,7 @@ static void
pf_key_v2_notify(struct pf_key_v2_msg *msg)
{
switch (((struct sadb_msg *) TAILQ_FIRST(msg)->seg)->sadb_msg_type) {
- case SADB_EXPIRE:
+ case SADB_EXPIRE:
pf_key_v2_expire(msg);
break;
@@ -3843,7 +3975,7 @@ pf_key_v2_notify(struct pf_key_v2_msg *msg)
default:
log_print("pf_key_v2_notify: unexpected message type (%d)",
- ((struct sadb_msg *) TAILQ_FIRST(msg)->seg)->sadb_msg_type);
+ ((struct sadb_msg *)TAILQ_FIRST(msg)->seg)->sadb_msg_type);
}
pf_key_v2_msg_free(msg);
}
@@ -3856,9 +3988,9 @@ pf_key_v2_handler(int fd)
int n;
/*
- * As synchronous read/writes to the socket can have taken place between
- * the select(2) call of the main loop and this handler, we need to recheck
- * the readability.
+ * As synchronous read/writes to the socket can have taken place
+ * between the select(2) call of the main loop and this handler, we
+ * need to recheck the readability.
*/
if (ioctl(pf_key_v2_socket, FIONREAD, &n) == -1) {
log_error("pf_key_v2_handler: ioctl (%d, FIONREAD, &n) failed",
@@ -3910,7 +4042,8 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
break;
#endif
default:
- log_print("pf_key_v2_group_spis: invalid proto %d", proto1->proto);
+ log_print("pf_key_v2_group_spis: invalid proto %d",
+ proto1->proto);
goto cleanup;
}
msg.sadb_msg_seq = 0;
@@ -3921,7 +4054,8 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
/* Setup the SA extensions. */
sa1.sadb_sa_exttype = SADB_EXT_SA;
sa1.sadb_sa_len = sizeof sa1 / PF_KEY_V2_CHUNK;
- memcpy(&sa1.sadb_sa_spi, proto1->spi[incoming], sizeof sa1.sadb_sa_spi);
+ memcpy(&sa1.sadb_sa_spi, proto1->spi[incoming],
+ sizeof sa1.sadb_sa_spi);
sa1.sadb_sa_replay = 0;
sa1.sadb_sa_state = 0;
sa1.sadb_sa_auth = 0;
@@ -3933,7 +4067,8 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
#ifndef KAME
sa2.sadb_sa_exttype = SADB_X_EXT_SA2;
sa2.sadb_sa_len = sizeof sa2 / PF_KEY_V2_CHUNK;
- memcpy(&sa2.sadb_sa_spi, proto2->spi[incoming], sizeof sa2.sadb_sa_spi);
+ memcpy(&sa2.sadb_sa_spi, proto2->spi[incoming],
+ sizeof sa2.sadb_sa_spi);
sa2.sadb_sa_replay = 0;
sa2.sadb_sa_state = 0;
sa2.sadb_sa_auth = 0;
@@ -3971,7 +4106,7 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
memcpy(addr + 1, saddr, sysdep_sa_len(saddr));
((struct sockaddr_in *) (addr + 1))->sin_port = 0;
if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr,
- PF_KEY_V2_NODE_MALLOCED) == -1)
+ PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
addr = 0;
@@ -3988,7 +4123,7 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
memcpy(addr + 1, saddr, sysdep_sa_len(saddr));
((struct sockaddr_in *) (addr + 1))->sin_port = 0;
if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr,
- PF_KEY_V2_NODE_MALLOCED) == -1)
+ PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
addr = 0;
@@ -4008,11 +4143,13 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1,
break;
#endif
default:
- log_print("pf_key_v2_group_spis: invalid proto %d", proto2->proto);
+ log_print("pf_key_v2_group_spis: invalid proto %d",
+ proto2->proto);
goto cleanup;
}
protocol.sadb_protocol_reserved2 = 0;
- if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) & protocol, 0) == -1)
+ if (pf_key_v2_msg_add(grpspis,
+ (struct sadb_ext *) & protocol, 0) == -1)
goto cleanup;
ret = pf_key_v2_call(grpspis);
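Review bot: `(struct sadb_ext *) & protocol` keeps a space between the unary `&` and its operand, which this KNF pass otherwise removes (compare `(struct sockaddr *)(dst + 1)` earlier in the file); `(struct sadb_ext *)&protocol` would match the rest of the commit. pf_key_v2_group_spis continues outside the hunk.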
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index 1b3516399f2..5dc1752997d 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.73 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: policy.c,v 1.74 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -145,26 +145,26 @@ policy_callback(char *name)
static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX];
static char comp_life_kbytes[PMAX];
static char *ah_ecn, *esp_ecn, *comp_ecn;
- static char comp_life_seconds[PMAX], *ah_encapsulation, *esp_encapsulation;
- static char *comp_encapsulation, ah_key_length[PMAX], esp_key_length[PMAX];
- static char ah_key_rounds[PMAX], esp_key_rounds[PMAX], comp_dict_size[PMAX];
- static char comp_private_alg[PMAX], *remote_filter_type, *local_filter_type;
+ static char comp_life_seconds[PMAX], *ah_encapsulation;
+ static char *esp_encapsulation, *comp_encapsulation;
+ static char ah_key_length[PMAX], esp_key_length[PMAX];
+ static char ah_key_rounds[PMAX], esp_key_rounds[PMAX];
+ static char comp_dict_size[PMAX], comp_private_alg[PMAX];
+ static char *remote_filter_type, *local_filter_type;
static char remote_filter_addr_upper[NI_MAXHOST];
static char remote_filter_addr_lower[NI_MAXHOST];
static char local_filter_addr_upper[NI_MAXHOST];
static char local_filter_addr_lower[NI_MAXHOST];
- static char ah_group_desc[PMAX], esp_group_desc[PMAX], comp_group_desc[PMAX];
- static char remote_ike_address[NI_MAXHOST];
+ static char ah_group_desc[PMAX], esp_group_desc[PMAX];
+ static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST];
static char local_ike_address[NI_MAXHOST];
- static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST],
- *phase_1;
- static char remote_id_addr_lower[NI_MAXHOST];
+ static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST];
+ static char *phase_1, remote_id_addr_lower[NI_MAXHOST];
static char *remote_id_proto, remote_id_port[PMAX];
static char remote_filter_port[PMAX], local_filter_port[PMAX];
- static char *remote_filter_proto, *local_filter_proto, *pfs,
- *initiator;
- static char remote_filter_proto_num[3], local_filter_proto_num[3];
- static char remote_id_proto_num[3];
+ static char *remote_filter_proto, *local_filter_proto, *pfs;
+ static char *initiator, remote_filter_proto_num[3];
+ static char local_filter_proto_num[3], remote_id_proto_num[3];
static char phase1_group[PMAX];
/* Allocated. */
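Review bot: `remote_filter_proto_num[3]`, `local_filter_proto_num[3]` and `remote_id_proto_num[3]` (L4518-4519) hold only two digits plus the terminator, yet the `default:` branches that fill them format a protocol number with `"%d"` (the snprintf hunks ending at L4768, L5038 and L5370). If, as the ISAKMP ID layout suggests, `id[1]` / `idremote[ISAKMP_GEN_SZ + 1]` / `idlocal[ISAKMP_GEN_SZ + 1]` are one-byte protocol fields, any value of 100 or more is silently truncated by snprintf (132 would read "13"), and a policy clause written for one protocol number could then match another. Sizing the buffers for three digits fixes it: `static char *initiator, remote_filter_proto_num[4];` and `static char local_filter_proto_num[4], remote_id_proto_num[4];`. policy_callback's body extends well outside this hunk.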
@@ -179,9 +179,11 @@ policy_callback(char *name)
ah_hash_alg = ah_auth_alg = phase_1 = "";
esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = "";
ah_ecn = esp_ecn = comp_ecn = "no";
- esp_encapsulation = comp_encapsulation = remote_filter_type = "";
+ esp_encapsulation = comp_encapsulation = "";
+ remote_filter_type = "";
local_filter_type = remote_id_type = initiator = "";
- remote_filter_proto = local_filter_proto = remote_id_proto = "";
+ remote_filter_proto = local_filter_proto = "";
+ remote_id_proto = "";
if (remote_filter != 0) {
free(remote_filter);
@@ -646,7 +648,8 @@ policy_callback(char *name)
}
}
- policy_sa->transport->vtbl->get_src(policy_sa->transport, &sin);
+ policy_sa->transport->vtbl->get_src(policy_sa->transport,
+ &sin);
if (sockaddr2text(sin, &addr, 1)) {
log_error("policy_callback: sockaddr2text failed");
goto bad;
@@ -654,7 +657,8 @@ policy_callback(char *name)
strlcpy(local_ike_address, addr, sizeof local_ike_address);
free(addr);
- policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin);
+ policy_sa->transport->vtbl->get_dst(policy_sa->transport,
+ &sin);
if (sockaddr2text(sin, &addr, 1)) {
log_error("policy_callback: sockaddr2text failed");
goto bad;
@@ -684,14 +688,16 @@ policy_callback(char *name)
case IPSEC_ID_IPV4_ADDR:
remote_id_type = "IPv4 address";
- net = decode_32(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ net = decode_32(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ);
my_inet_ntop4(&net, remote_id_addr_upper,
sizeof remote_id_addr_upper - 1, 1);
my_inet_ntop4(&net, remote_id_addr_lower,
sizeof remote_id_addr_lower - 1, 1);
remote_id = strdup(remote_id_addr_upper);
if (!remote_id) {
- log_error("policy_callback: strdup (\"%s\") failed",
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
remote_id_addr_upper);
goto bad;
}
@@ -700,18 +706,21 @@ policy_callback(char *name)
case IPSEC_ID_IPV4_RANGE:
remote_id_type = "IPv4 range";
- net = decode_32(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ net = decode_32(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ);
my_inet_ntop4(&net, remote_id_addr_lower,
sizeof remote_id_addr_lower - 1, 1);
- net = decode_32(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4);
+ net = decode_32(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ + 4);
my_inet_ntop4(&net, remote_id_addr_upper,
sizeof remote_id_addr_upper - 1, 1);
len = strlen(remote_id_addr_upper) +
strlen(remote_id_addr_lower) + 2;
remote_id = calloc(len, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%d, %lu) failed",
- len, (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
strlcpy(remote_id, remote_id_addr_lower, len);
@@ -722,8 +731,10 @@ policy_callback(char *name)
case IPSEC_ID_IPV4_ADDR_SUBNET:
remote_id_type = "IPv4 subnet";
- net = decode_32(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
- subnet = decode_32(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4);
+ net = decode_32(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ);
+ subnet = decode_32(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ + 4);
net &= subnet;
my_inet_ntop4(&net, remote_id_addr_lower,
sizeof remote_id_addr_lower - 1, 1);
@@ -734,8 +745,9 @@ policy_callback(char *name)
strlen(remote_id_addr_lower) + 2;
remote_id = calloc(len, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%d, %lu) failed",
- len, (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
strlcpy(remote_id, remote_id_addr_lower, len);
@@ -751,7 +763,8 @@ policy_callback(char *name)
sizeof remote_id_addr_lower);
remote_id = strdup(remote_id_addr_upper);
if (!remote_id) {
- log_error("policy_callback: strdup (\"%s\") failed",
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
remote_id_addr_upper);
goto bad;
}
@@ -764,16 +777,17 @@ policy_callback(char *name)
remote_id_addr_lower,
sizeof remote_id_addr_lower - 1);
- my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16,
- remote_id_addr_upper,
+ my_inet_ntop6(id + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ + 16, remote_id_addr_upper,
sizeof remote_id_addr_upper - 1);
len = strlen(remote_id_addr_upper) +
strlen(remote_id_addr_lower) + 2;
remote_id = calloc(len, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%d, %lu) failed",
- len, (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
strlcpy(remote_id, remote_id_addr_lower, len);
@@ -789,27 +803,30 @@ policy_callback(char *name)
bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net,
sizeof(net));
- bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, &mask,
- sizeof(mask));
+ bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16,
+ &mask, sizeof(mask));
for (i = 0; i < 16; i++)
net.s6_addr[i] &= mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, remote_id_addr_lower,
+ my_inet_ntop6((unsigned char *)&net,
+ remote_id_addr_lower,
sizeof remote_id_addr_lower - 1);
for (i = 0; i < 16; i++)
net.s6_addr[i] |= ~mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, remote_id_addr_upper,
+ my_inet_ntop6((unsigned char *)&net,
+ remote_id_addr_upper,
sizeof remote_id_addr_upper - 1);
len = strlen(remote_id_addr_upper) +
strlen(remote_id_addr_lower) + 2;
remote_id = calloc(len, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%d, %lu) failed",
- len, (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
strlcpy(remote_id, remote_id_addr_lower, len);
@@ -823,13 +840,15 @@ policy_callback(char *name)
remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ + 1, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%lu, %lu) failed",
+ log_error("policy_callback: "
+ "calloc (%lu, %lu) failed",
(unsigned long)id_sz - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ + 1,
(unsigned long)sizeof(char));
goto bad;
}
- memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
+ memcpy(remote_id,
+ id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
break;
@@ -838,13 +857,15 @@ policy_callback(char *name)
remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ + 1, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%lu, %lu) failed",
+ log_error("policy_callback: "
+ "calloc (%lu, %lu) failed",
(unsigned long)id_sz - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ + 1,
(unsigned long)sizeof(char));
goto bad;
}
- memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
+ memcpy(remote_id,
+ id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
break;
@@ -870,26 +891,31 @@ policy_callback(char *name)
remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ) + 1, sizeof(char));
if (!remote_id) {
- log_error("policy_callback: calloc (%lu, %lu) failed",
+ log_error("policy_callback: "
+ "calloc (%lu, %lu) failed",
2 * ((unsigned long)id_sz -
- ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
+ ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
(unsigned long)sizeof(char));
goto bad;
}
/* Does it contain any non-printable characters ? */
- for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++)
+ for (i = 0;
+ i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
+ i++)
if (!isprint(*(id + ISAKMP_ID_DATA_OFF -
ISAKMP_GEN_SZ + i)))
break;
if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) {
memcpy(remote_id, id + ISAKMP_ID_DATA_OFF -
ISAKMP_GEN_SZ,
- id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
+ id_sz - ISAKMP_ID_DATA_OFF +
+ ISAKMP_GEN_SZ);
break;
}
/* Non-printable characters, convert to hex */
for (i = 0;
- i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) {
+ i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
+ i++) {
remote_id[2 * i] = hextab[*(id +
ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
remote_id[2 * i + 1] = hextab[*(id +
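Review bot: The hex-conversion loop at L4749-4751 never uses the loop index inside the dereference, so every output pair encodes the first byte of the ID rather than byte `i`; the same omission is in the Key ID branches of the hunks ending at L5024 (`idremote`, L5009-5014) and L5359 (`idlocal`, L5344-5349). The index belongs inside the parentheses: `remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i) >> 4];` and `remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i) & 0xF];`, with `+ i` added likewise to the `idremote` and `idlocal` variants. I cannot see the pointer type from the hunk; if `id` is plain `char *`, a byte of 0x80 or above also makes the `>> 4` index negative, so casting the byte to `unsigned char` before shifting would be safer. The enclosing switch continues past the end of this hunk.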
@@ -898,7 +924,8 @@ policy_callback(char *name)
break;
default:
- log_print("policy_callback: unknown remote ID type %u", id[0]);
+ log_print("policy_callback: "
+ "unknown remote ID type %u", id[0]);
goto bad;
}
@@ -918,7 +945,8 @@ policy_callback(char *name)
#endif
default:
- snprintf(remote_id_proto_num, sizeof remote_id_proto_num, "%d",
+ snprintf(remote_id_proto_num,
+ sizeof remote_id_proto_num, "%d",
id[1]);
remote_id_proto = remote_id_proto_num;
break;
@@ -952,7 +980,8 @@ policy_callback(char *name)
sizeof remote_filter_addr_upper - 1, 1);
my_inet_ntop4(&net, remote_filter_addr_lower,
sizeof remote_filter_addr_lower - 1, 1);
- remote_filter = strdup(remote_filter_addr_upper);
+ remote_filter =
+ strdup(remote_filter_addr_upper);
if (!remote_filter) {
log_error("policy_callback: strdup "
"(\"%s\") failed",
@@ -967,7 +996,8 @@ policy_callback(char *name)
net = decode_32(idremote + ISAKMP_ID_DATA_OFF);
my_inet_ntop4(&net, remote_filter_addr_lower,
sizeof remote_filter_addr_lower - 1, 1);
- net = decode_32(idremote + ISAKMP_ID_DATA_OFF + 4);
+ net = decode_32(idremote + ISAKMP_ID_DATA_OFF +
+ 4);
my_inet_ntop4(&net, remote_filter_addr_upper,
sizeof remote_filter_addr_upper - 1, 1);
len = strlen(remote_filter_addr_upper) +
@@ -979,16 +1009,19 @@ policy_callback(char *name)
(unsigned long)sizeof(char));
goto bad;
}
- strlcpy(remote_filter, remote_filter_addr_lower, len);
+ strlcpy(remote_filter,
+ remote_filter_addr_lower, len);
strlcat(remote_filter, "-", len);
- strlcat(remote_filter, remote_filter_addr_upper, len);
+ strlcat(remote_filter,
+ remote_filter_addr_upper, len);
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
remote_filter_type = "IPv4 subnet";
net = decode_32(idremote + ISAKMP_ID_DATA_OFF);
- subnet = decode_32(idremote + ISAKMP_ID_DATA_OFF + 4);
+ subnet = decode_32(idremote +
+ ISAKMP_ID_DATA_OFF + 4);
net &= subnet;
my_inet_ntop4(&net, remote_filter_addr_lower,
sizeof remote_filter_addr_lower - 1, 1);
@@ -1004,9 +1037,11 @@ policy_callback(char *name)
(unsigned long)sizeof(char));
goto bad;
}
- strlcpy(remote_filter, remote_filter_addr_lower, len);
+ strlcpy(remote_filter,
+ remote_filter_addr_lower, len);
strlcat(remote_filter, "-", len);
- strlcat(remote_filter, remote_filter_addr_upper, len);
+ strlcat(remote_filter,
+ remote_filter_addr_upper, len);
break;
case IPSEC_ID_IPV6_ADDR:
@@ -1017,7 +1052,8 @@ policy_callback(char *name)
strlcpy(remote_filter_addr_lower,
remote_filter_addr_upper,
sizeof remote_filter_addr_lower);
- remote_filter = strdup(remote_filter_addr_upper);
+ remote_filter =
+ strdup(remote_filter_addr_upper);
if (!remote_filter) {
log_error("policy_callback: strdup "
"(\"%s\") failed",
@@ -1033,8 +1069,8 @@ policy_callback(char *name)
remote_filter_addr_lower,
sizeof remote_filter_addr_lower - 1);
- my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + 16,
- remote_filter_addr_upper,
+ my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF +
+ 16, remote_filter_addr_upper,
sizeof remote_filter_addr_upper - 1);
len = strlen(remote_filter_addr_upper) +
@@ -1046,9 +1082,11 @@ policy_callback(char *name)
(unsigned long)sizeof(char));
goto bad;
}
- strlcpy(remote_filter, remote_filter_addr_lower, len);
+ strlcpy(remote_filter,
+ remote_filter_addr_lower, len);
strlcat(remote_filter, "-", len);
- strlcat(remote_filter, remote_filter_addr_upper, len);
+ strlcat(remote_filter,
+ remote_filter_addr_upper, len);
break;
case IPSEC_ID_IPV6_ADDR_SUBNET:
@@ -1057,69 +1095,92 @@ policy_callback(char *name)
remote_filter_type = "IPv6 subnet";
- bcopy(idremote + ISAKMP_ID_DATA_OFF, &net, sizeof(net));
- bcopy(idremote + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof(mask));
+ bcopy(idremote + ISAKMP_ID_DATA_OFF,
+ &net, sizeof(net));
+ bcopy(idremote + ISAKMP_ID_DATA_OFF +
+ 16, &mask, sizeof(mask));
for (i = 0; i < 16; i++)
- net.s6_addr[i] &= mask.s6_addr[i];
+ net.s6_addr[i] &=
+ mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, remote_filter_addr_lower,
+ my_inet_ntop6((unsigned char *)&net,
+ remote_filter_addr_lower,
sizeof remote_filter_addr_lower - 1);
for (i = 0; i < 16; i++)
- net.s6_addr[i] |= ~mask.s6_addr[i];
+ net.s6_addr[i] |=
+ ~mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, remote_filter_addr_upper,
+ my_inet_ntop6((unsigned char *)&net,
+ remote_filter_addr_upper,
sizeof remote_filter_addr_upper - 1);
len = strlen(remote_filter_addr_upper)
+ strlen(remote_filter_addr_lower) + 2;
- remote_filter = calloc(len, sizeof(char));
+ remote_filter = calloc(len,
+ sizeof(char));
if (!remote_filter) {
- log_error("policy_callback: calloc (%d, %lu) failed", len,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed",
+ len,
+ (unsigned long)sizeof(char));
goto bad;
}
- strlcpy(remote_filter, remote_filter_addr_lower, len);
+ strlcpy(remote_filter,
+ remote_filter_addr_lower, len);
strlcat(remote_filter, "-", len);
- strlcat(remote_filter, remote_filter_addr_upper, len);
+ strlcat(remote_filter,
+ remote_filter_addr_upper, len);
break;
}
case IPSEC_ID_FQDN:
remote_filter_type = "FQDN";
- remote_filter = malloc(idremotesz - ISAKMP_ID_DATA_OFF + 1);
+ remote_filter = malloc(idremotesz -
+ ISAKMP_ID_DATA_OFF + 1);
if (!remote_filter) {
- log_error("policy_callback: malloc (%lu) failed",
- (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1);
+ log_error("policy_callback: "
+ "malloc (%lu) failed",
+ (unsigned long)idremotesz -
+ ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
- memcpy(remote_filter, idremote + ISAKMP_ID_DATA_OFF,
- idremotesz - ISAKMP_ID_DATA_OFF);
- remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0';
+ memcpy(remote_filter,
+ idremote + ISAKMP_ID_DATA_OFF,
+ idremotesz - ISAKMP_ID_DATA_OFF);
+ remote_filter[idremotesz - ISAKMP_ID_DATA_OFF]
+ = '\0';
break;
case IPSEC_ID_USER_FQDN:
remote_filter_type = "User FQDN";
- remote_filter = malloc(idremotesz - ISAKMP_ID_DATA_OFF + 1);
+ remote_filter = malloc(idremotesz -
+ ISAKMP_ID_DATA_OFF + 1);
if (!remote_filter) {
- log_error("policy_callback: malloc (%lu) failed",
- (unsigned long)idremotesz - ISAKMP_ID_DATA_OFF + 1);
+ log_error("policy_callback: "
+ "malloc (%lu) failed",
+ (unsigned long)idremotesz -
+ ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
- memcpy(remote_filter, idremote + ISAKMP_ID_DATA_OFF,
- idremotesz - ISAKMP_ID_DATA_OFF);
- remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0';
+ memcpy(remote_filter,
+ idremote + ISAKMP_ID_DATA_OFF,
+ idremotesz - ISAKMP_ID_DATA_OFF);
+ remote_filter[idremotesz - ISAKMP_ID_DATA_OFF]
+ = '\0';
break;
case IPSEC_ID_DER_ASN1_DN:
remote_filter_type = "ASN1 DN";
- remote_filter = x509_DN_string(idremote + ISAKMP_ID_DATA_OFF,
- idremotesz - ISAKMP_ID_DATA_OFF);
+ remote_filter = x509_DN_string(idremote +
+ ISAKMP_ID_DATA_OFF,
+ idremotesz - ISAKMP_ID_DATA_OFF);
if (!remote_filter) {
LOG_DBG((LOG_POLICY, 50,
- "policy_callback: failed to decode name"));
+ "policy_callback: "
+ "failed to decode name"));
goto bad;
}
break;
@@ -1132,38 +1193,49 @@ policy_callback(char *name)
case IPSEC_ID_KEY_ID:
remote_filter_type = "Key ID";
remote_filter
- = calloc(2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1,
- sizeof(char));
+ = calloc(2 * (idremotesz -
+ ISAKMP_ID_DATA_OFF) + 1,
+ sizeof(char));
if (!remote_filter) {
- log_error("policy_callback: calloc (%lu, %lu) failed",
- 2 * ((unsigned long)idremotesz - ISAKMP_ID_DATA_OFF) + 1,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%lu, %lu) failed",
+ 2 * ((unsigned long)idremotesz -
+ ISAKMP_ID_DATA_OFF) + 1,
+ (unsigned long)sizeof(char));
goto bad;
}
/*
* Does it contain any non-printable
* characters ?
*/
- for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++)
- if (!isprint(*(idremote + ISAKMP_ID_DATA_OFF + i)))
+ for (i = 0;
+ i < idremotesz - ISAKMP_ID_DATA_OFF; i++)
+ if (!isprint(*(idremote +
+ ISAKMP_ID_DATA_OFF + i)))
break;
if (i >= idremotesz - ISAKMP_ID_DATA_OFF) {
- memcpy(remote_filter, idremote + ISAKMP_ID_DATA_OFF,
- idremotesz - ISAKMP_ID_DATA_OFF);
+ memcpy(remote_filter,
+ idremote + ISAKMP_ID_DATA_OFF,
+ idremotesz - ISAKMP_ID_DATA_OFF);
break;
}
/* Non-printable characters, convert to hex */
- for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) {
+ for (i = 0;
+ i < idremotesz - ISAKMP_ID_DATA_OFF;
+ i++) {
remote_filter[2 * i]
- = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4];
+ = hextab[*(idremote +
+ ISAKMP_ID_DATA_OFF) >> 4];
remote_filter[2 * i + 1]
- = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF];
+ = hextab[*(idremote +
+ ISAKMP_ID_DATA_OFF) & 0xF];
}
break;
default:
- log_print("policy_callback: unknown Remote ID type %u",
- GET_ISAKMP_ID_TYPE(idremote));
+ log_print("policy_callback: "
+ "unknown Remote ID type %u",
+ GET_ISAKMP_ID_TYPE(idremote));
goto bad;
}
@@ -1184,14 +1256,14 @@ policy_callback(char *name)
default:
snprintf(remote_filter_proto_num,
- sizeof remote_filter_proto_num, "%d",
- idremote[ISAKMP_GEN_SZ + 1]);
+ sizeof remote_filter_proto_num, "%d",
+ idremote[ISAKMP_GEN_SZ + 1]);
remote_filter_proto = remote_filter_proto_num;
break;
}
- snprintf(remote_filter_port, sizeof remote_filter_port, "%u",
- decode_16(idremote + ISAKMP_GEN_SZ + 2));
+ snprintf(remote_filter_port, sizeof remote_filter_port,
+ "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2));
} else {
policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin);
switch (sin->sa_family) {
@@ -1202,12 +1274,14 @@ policy_callback(char *name)
remote_filter_type = "IPv6 address";
break;
default:
- log_print("policy_callback: unsupported protocol family %d",
- sin->sa_family);
+ log_print("policy_callback: "
+ "unsupported protocol family %d",
+ sin->sa_family);
goto bad;
}
if (sockaddr2text(sin, &addr, 1)) {
- log_error("policy_callback: sockaddr2text failed");
+ log_error("policy_callback: "
+ "sockaddr2text failed");
goto bad;
}
memcpy(remote_filter_addr_upper, addr,
@@ -1217,8 +1291,9 @@ policy_callback(char *name)
free(addr);
remote_filter = strdup(remote_filter_addr_upper);
if (!remote_filter) {
- log_error("policy_callback: strdup (\"%s\") failed",
- remote_filter_addr_upper);
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
+ remote_filter_addr_upper);
goto bad;
}
}
@@ -1235,8 +1310,9 @@ policy_callback(char *name)
sizeof local_filter_addr_upper - 1, 1);
local_filter = strdup(local_filter_addr_upper);
if (!local_filter) {
- log_error("policy_callback: strdup (\"%s\") failed",
- local_filter_addr_upper);
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
+ local_filter_addr_upper);
goto bad;
}
break;
@@ -1247,27 +1323,32 @@ policy_callback(char *name)
net = decode_32(idlocal + ISAKMP_ID_DATA_OFF);
my_inet_ntop4(&net, local_filter_addr_lower,
sizeof local_filter_addr_lower - 1, 1);
- net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 4);
+ net = decode_32(idlocal + ISAKMP_ID_DATA_OFF +
+ 4);
my_inet_ntop4(&net, local_filter_addr_upper,
sizeof local_filter_addr_upper - 1, 1);
len = strlen(local_filter_addr_upper)
+ strlen(local_filter_addr_lower) + 2;
local_filter = calloc(len, sizeof(char));
if (!local_filter) {
- log_error("policy_callback: calloc (%d, %lu) failed", len,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
- strlcpy(local_filter, local_filter_addr_lower, len);
+ strlcpy(local_filter, local_filter_addr_lower,
+ len);
strlcat(local_filter, "-", len);
- strlcat(local_filter, local_filter_addr_upper, len);
+ strlcat(local_filter, local_filter_addr_upper,
+ len);
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
local_filter_type = "IPv4 subnet";
net = decode_32(idlocal + ISAKMP_ID_DATA_OFF);
- subnet = decode_32(idlocal + ISAKMP_ID_DATA_OFF + 4);
+ subnet = decode_32(idlocal +
+ ISAKMP_ID_DATA_OFF + 4);
net &= subnet;
my_inet_ntop4(&net, local_filter_addr_lower,
sizeof local_filter_addr_lower - 1, 1);
@@ -1278,13 +1359,16 @@ policy_callback(char *name)
+ strlen(local_filter_addr_lower) + 2;
local_filter = calloc(len, sizeof(char));
if (!local_filter) {
- log_error("policy_callback: calloc (%d, %lu) failed", len,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
- strlcpy(local_filter, local_filter_addr_lower, len);
+ strlcpy(local_filter, local_filter_addr_lower,
+ len);
strlcat(local_filter, "-", len);
- strlcat(local_filter, local_filter_addr_upper, len);
+ strlcat(local_filter, local_filter_addr_upper,
+ len);
break;
case IPSEC_ID_IPV6_ADDR:
@@ -1292,12 +1376,14 @@ policy_callback(char *name)
my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF,
local_filter_addr_upper,
sizeof local_filter_addr_upper - 1);
- strlcpy(local_filter_addr_lower, local_filter_addr_upper,
- sizeof local_filter_addr_lower);
+ strlcpy(local_filter_addr_lower,
+ local_filter_addr_upper,
+ sizeof local_filter_addr_lower);
local_filter = strdup(local_filter_addr_upper);
if (!local_filter) {
- log_error("policy_callback: strdup (\"%s\") failed",
- local_filter_addr_upper);
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
+ local_filter_addr_upper);
goto bad;
}
break;
@@ -1309,21 +1395,24 @@ policy_callback(char *name)
local_filter_addr_lower,
sizeof local_filter_addr_lower - 1);
- my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + 16,
- local_filter_addr_upper,
- sizeof local_filter_addr_upper - 1);
+ my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF +
+ 16, local_filter_addr_upper,
+ sizeof local_filter_addr_upper - 1);
len = strlen(local_filter_addr_upper)
+ strlen(local_filter_addr_lower) + 2;
local_filter = calloc(len, sizeof(char));
if (!local_filter) {
- log_error("policy_callback: calloc (%d, %lu) failed", len,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed", len,
+ (unsigned long)sizeof(char));
goto bad;
}
- strlcpy(local_filter, local_filter_addr_lower, len);
+ strlcpy(local_filter, local_filter_addr_lower,
+ len);
strlcat(local_filter, "-", len);
- strlcat(local_filter, local_filter_addr_upper, len);
+ strlcat(local_filter, local_filter_addr_upper,
+ len);
break;
case IPSEC_ID_IPV6_ADDR_SUBNET:
@@ -1332,69 +1421,94 @@ policy_callback(char *name)
local_filter_type = "IPv6 subnet";
- bcopy(idlocal + ISAKMP_ID_DATA_OFF, &net, sizeof(net));
- bcopy(idlocal + ISAKMP_ID_DATA_OFF + 16, &mask, sizeof(mask));
+ bcopy(idlocal + ISAKMP_ID_DATA_OFF,
+ &net, sizeof(net));
+ bcopy(idlocal + ISAKMP_ID_DATA_OFF +
+ 16, &mask, sizeof(mask));
for (i = 0; i < 16; i++)
- net.s6_addr[i] &= mask.s6_addr[i];
+ net.s6_addr[i] &=
+ mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, local_filter_addr_lower,
+ my_inet_ntop6((unsigned char *)&net,
+ local_filter_addr_lower,
sizeof local_filter_addr_lower - 1);
for (i = 0; i < 16; i++)
- net.s6_addr[i] |= ~mask.s6_addr[i];
+ net.s6_addr[i] |=
+ ~mask.s6_addr[i];
- my_inet_ntop6((unsigned char *)&net, local_filter_addr_upper,
- sizeof local_filter_addr_upper - 1);
+ my_inet_ntop6((unsigned char *)&net,
+ local_filter_addr_upper,
+ sizeof local_filter_addr_upper -
+ 1);
len = strlen(local_filter_addr_upper)
- + strlen(local_filter_addr_lower) + 2;
- local_filter = calloc(len, sizeof(char));
+ + strlen(local_filter_addr_lower)
+ + 2;
+ local_filter = calloc(len,
+ sizeof(char));
if (!local_filter) {
- log_error("policy_callback: calloc (%d, %lu) failed", len,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%d, %lu) failed",
+ len,
+ (unsigned long)sizeof(char));
goto bad;
}
- strlcpy(local_filter, local_filter_addr_lower, len);
+ strlcpy(local_filter,
+ local_filter_addr_lower, len);
strlcat(local_filter, "-", len);
- strlcat(local_filter, local_filter_addr_upper, len);
+ strlcat(local_filter,
+ local_filter_addr_upper, len);
break;
}
case IPSEC_ID_FQDN:
local_filter_type = "FQDN";
- local_filter = malloc(idlocalsz - ISAKMP_ID_DATA_OFF + 1);
+ local_filter = malloc(idlocalsz -
+ ISAKMP_ID_DATA_OFF + 1);
if (!local_filter) {
- log_error("policy_callback: malloc (%lu) failed",
- (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1);
+ log_error("policy_callback: "
+ "malloc (%lu) failed",
+ (unsigned long)idlocalsz -
+ ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
- memcpy(local_filter, idlocal + ISAKMP_ID_DATA_OFF,
- idlocalsz - ISAKMP_ID_DATA_OFF);
- local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
+ memcpy(local_filter,
+ idlocal + ISAKMP_ID_DATA_OFF,
+ idlocalsz - ISAKMP_ID_DATA_OFF);
+ local_filter[idlocalsz - ISAKMP_ID_DATA_OFF]
+ = '\0';
break;
case IPSEC_ID_USER_FQDN:
local_filter_type = "User FQDN";
- local_filter = malloc(idlocalsz - ISAKMP_ID_DATA_OFF + 1);
+ local_filter = malloc(idlocalsz -
+ ISAKMP_ID_DATA_OFF + 1);
if (!local_filter) {
- log_error("policy_callback: malloc (%lu) failed",
- (unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF + 1);
+ log_error("policy_callback: "
+ "malloc (%lu) failed",
+ (unsigned long)idlocalsz -
+ ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
- memcpy(local_filter, idlocal + ISAKMP_ID_DATA_OFF,
- idlocalsz - ISAKMP_ID_DATA_OFF);
- local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
+ memcpy(local_filter,
+ idlocal + ISAKMP_ID_DATA_OFF,
+ idlocalsz - ISAKMP_ID_DATA_OFF);
+ local_filter[idlocalsz - ISAKMP_ID_DATA_OFF]
+ = '\0';
break;
case IPSEC_ID_DER_ASN1_DN:
local_filter_type = "ASN1 DN";
- local_filter = x509_DN_string(idlocal + ISAKMP_ID_DATA_OFF,
- idlocalsz - ISAKMP_ID_DATA_OFF);
+ local_filter = x509_DN_string(idlocal +
+ ISAKMP_ID_DATA_OFF,
+ idlocalsz - ISAKMP_ID_DATA_OFF);
if (!local_filter) {
LOG_DBG((LOG_POLICY, 50,
- "policy_callback: failed to decode name"));
+ "policy_callback: failed to decode"
+ " name"));
goto bad;
}
break;
@@ -1406,38 +1520,48 @@ policy_callback(char *name)
case IPSEC_ID_KEY_ID:
local_filter_type = "Key ID";
- local_filter = calloc(2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1,
- sizeof(char));
+ local_filter = calloc(2 * (idlocalsz -
+ ISAKMP_ID_DATA_OFF) + 1,
+ sizeof(char));
if (!local_filter) {
- log_error("policy_callback: calloc (%lu, %lu) failed",
- 2 * ((unsigned long)idlocalsz - ISAKMP_ID_DATA_OFF) + 1,
- (unsigned long)sizeof(char));
+ log_error("policy_callback: "
+ "calloc (%lu, %lu) failed",
+ 2 * ((unsigned long)idlocalsz -
+ ISAKMP_ID_DATA_OFF) + 1,
+ (unsigned long)sizeof(char));
goto bad;
}
/*
* Does it contain any non-printable
* characters ?
*/
- for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)
- if (!isprint(*(idlocal + ISAKMP_ID_DATA_OFF + i)))
+ for (i = 0;
+ i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)
+ if (!isprint(*(idlocal +
+ ISAKMP_ID_DATA_OFF + i)))
break;
if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) {
- memcpy(local_filter, idlocal + ISAKMP_ID_DATA_OFF,
+ memcpy(local_filter, idlocal +
+ ISAKMP_ID_DATA_OFF,
idlocalsz - ISAKMP_ID_DATA_OFF);
break;
}
/* Non-printable characters, convert to hex */
- for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) {
+ for (i = 0;
+ i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) {
local_filter[2 * i]
- = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4];
+ = hextab[*(idlocal +
+ ISAKMP_ID_DATA_OFF) >> 4];
local_filter[2 * i + 1]
- = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF];
+ = hextab[*(idlocal +
+ ISAKMP_ID_DATA_OFF) & 0xF];
}
break;
default:
- log_print("policy_callback: unknown Local ID type %u",
- GET_ISAKMP_ID_TYPE(idlocal));
+ log_print("policy_callback: "
+ "unknown Local ID type %u",
+ GET_ISAKMP_ID_TYPE(idlocal));
goto bad;
}
@@ -1457,17 +1581,18 @@ policy_callback(char *name)
#endif
default:
- snprintf(local_filter_proto_num, sizeof local_filter_proto_num,
- "%d", idlocal[ISAKMP_GEN_SZ + 1]);
+ snprintf(local_filter_proto_num,
+ sizeof local_filter_proto_num,
+ "%d", idlocal[ISAKMP_GEN_SZ + 1]);
local_filter_proto = local_filter_proto_num;
break;
}
- snprintf(local_filter_port, sizeof local_filter_port, "%u",
- decode_16(idlocal + ISAKMP_GEN_SZ + 2));
+ snprintf(local_filter_port, sizeof local_filter_port,
+ "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2));
} else {
policy_sa->transport->vtbl->get_src(policy_sa->transport,
- (struct sockaddr **)&sin);
+ (struct sockaddr **)&sin);
switch (sin->sa_family) {
case AF_INET:
local_filter_type = "IPv4 address";
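Review bot: L5377-5378 keep the `(struct sockaddr **)&sin` cast on this get_src call, while the three other get_src/get_dst calls in the function (L4539, L4548, L5040) pass `&sin` uncast. Either `sin` is already a `struct sockaddr *`, in which case the cast is dead weight, or it is not, in which case the cast hides a type mismatch that the uncast calls would expose; I cannot see the declaration from here. For consistency I would write `policy_sa->transport->vtbl->get_src(policy_sa->transport, &sin);` and let the compiler confirm the type. The surrounding `else` branch continues outside this hunk.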
@@ -1476,29 +1601,33 @@ policy_callback(char *name)
local_filter_type = "IPv6 address";
break;
default:
- log_print("policy_callback: unsupported protocol family %d",
- sin->sa_family);
+ log_print("policy_callback: "
+ "unsupported protocol family %d",
+ sin->sa_family);
goto bad;
}
if (sockaddr2text(sin, &addr, 1)) {
- log_error("policy_callback: sockaddr2text failed");
+ log_error("policy_callback: "
+ "sockaddr2text failed");
goto bad;
}
memcpy(local_filter_addr_upper, addr,
- sizeof local_filter_addr_upper);
+ sizeof local_filter_addr_upper);
memcpy(local_filter_addr_lower, addr,
- sizeof local_filter_addr_lower);
+ sizeof local_filter_addr_lower);
free(addr);
local_filter = strdup(local_filter_addr_upper);
if (!local_filter) {
- log_error("policy_callback: strdup (\"%s\") failed",
- local_filter_addr_upper);
+ log_error("policy_callback: "
+ "strdup (\"%s\") failed",
+ local_filter_addr_upper);
goto bad;
}
}
- LOG_DBG((LOG_POLICY, 80, "Policy context (action attributes):"));
+ LOG_DBG((LOG_POLICY, 80,
+ "Policy context (action attributes):"));
LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present));
LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present));
LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present));
@@ -1507,73 +1636,96 @@ policy_callback(char *name)
LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg));
LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg));
LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg));
- LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds));
- LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes));
- LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds));
- LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes));
- LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds));
- LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes));
- LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation));
- LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation));
+ LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s",
+ ah_life_seconds));
+ LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s",
+ ah_life_kbytes));
+ LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s",
+ esp_life_seconds));
+ LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s",
+ esp_life_kbytes));
+ LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s",
+ comp_life_seconds));
+ LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s",
+ comp_life_kbytes));
+ LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s",
+ ah_encapsulation));
+ LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s",
+ esp_encapsulation));
LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s",
- comp_encapsulation));
- LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size));
- LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg));
- LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length));
- LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds));
- LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length));
- LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds));
- LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc));
- LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc));
- LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc));
+ comp_encapsulation));
+ LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s",
+ comp_dict_size));
+ LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s",
+ comp_private_alg));
+ LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s",
+ ah_key_length));
+ LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s",
+ ah_key_rounds));
+ LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s",
+ esp_key_length));
+ LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s",
+ esp_key_rounds));
+ LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s",
+ ah_group_desc));
+ LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s",
+ esp_group_desc));
+ LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s",
+ comp_group_desc));
LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn));
LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn));
LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn));
LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s",
- remote_filter_type));
+ remote_filter_type));
LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s",
- remote_filter_addr_upper));
+ remote_filter_addr_upper));
LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s",
- remote_filter_addr_lower));
+ remote_filter_addr_lower));
LOG_DBG((LOG_POLICY, 80, "remote_filter == %s",
- (remote_filter ? remote_filter : "")));
+ (remote_filter ? remote_filter : "")));
LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s",
- remote_filter_port));
+ remote_filter_port));
LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s",
- remote_filter_proto));
- LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type));
+ remote_filter_proto));
+ LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s",
+ local_filter_type));
LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s",
- local_filter_addr_upper));
+ local_filter_addr_upper));
LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s",
- local_filter_addr_lower));
+ local_filter_addr_lower));
LOG_DBG((LOG_POLICY, 80, "local_filter == %s",
- (local_filter ? local_filter : "")));
- LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port));
+ (local_filter ? local_filter : "")));
+ LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s",
+ local_filter_port));
LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s",
- local_filter_proto));
- LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type));
+ local_filter_proto));
+ LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s",
+ remote_id_type));
LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s",
- remote_id_addr_upper));
+ remote_id_addr_upper));
LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s",
- remote_id_addr_lower));
+ remote_id_addr_lower));
LOG_DBG((LOG_POLICY, 80, "remote_id == %s",
- (remote_id ? remote_id : "")));
- LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port));
- LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto));
+ (remote_id ? remote_id : "")));
+ LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s",
+ remote_id_port));
+ LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s",
+ remote_id_proto));
LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s",
- remote_ike_address));
+ remote_ike_address));
LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s",
- local_ike_address));
+ local_ike_address));
LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs));
LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator));
- LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group));
+ LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s",
+ phase1_group));
/* Unset dirty now. */
dirty = 0;
}
if (strcmp(name, "phase_1") == 0)
return phase_1;
-
+
if (strcmp(name, "GMTTimeOfDay") == 0) {
tt = time((time_t)NULL);
strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt));
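Review bot: The `strftime(mytimeofday, 14, "%Y%m%d%H%M%S", ...)` call in the trailing context lines passes a size one byte short: that format expands to exactly 14 characters and strftime() also needs room for the terminating NUL, so the C standard has it return 0 and leave the buffer contents unspecified. It only works today if `mytimeofday` is a zero-filled static whose 15th byte happens to be NUL (its declaration is outside the hunk). Prefer `strftime(mytimeofday, sizeof mytimeofday, "%Y%m%d%H%M%S", gmtime(&tt));` and treat a 0 return as a failure rather than handing back the buffer. The rest of the hunk only reflows debug logging, and policy_callback() continues past it.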
@@ -1777,7 +1929,8 @@ policy_init(void)
/* Open policy file. */
fd = monitor_open(policy_file, O_RDONLY, 0);
if (fd == -1)
- log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", policy_file);
+ log_fatal("policy_init: open (\"%s\", O_RDONLY) failed",
+ policy_file);
/* Check file modes and collect file size */
if (check_file_secrecy_fd(fd, policy_file, &sz)) {
@@ -1994,7 +2147,8 @@ keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
case IPSEC_ID_USER_FQDN: {
file = calloc(len + id_len, sizeof(char));
if (file == NULL) {
- log_error("keynote_cert_obtain: failed to allocate %lu bytes",
+ log_error("keynote_cert_obtain: "
+ "failed to allocate %lu bytes",
(unsigned long)len + id_len);
return 0;
}
@@ -2011,15 +2165,15 @@ keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
fd = monitor_open(file, O_RDONLY, 0);
if (fd < 0) {
- LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"",
- file));
+ LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
+ "failed to open \"%s\"", file));
free(file);
return 0;
}
if (fstat(fd, &sb) < 0) {
- LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"",
- file));
+ LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
+ "failed to stat \"%s\"", file));
free(file);
close(fd);
return 0;
@@ -2035,8 +2189,9 @@ keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
}
if (read(fd, *cert, size) != (int)size) {
- LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %lu "
- "bytes from \"%s\"", (unsigned long)size, file));
+ LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: "
+ "failed to read %lu bytes from \"%s\"",
+ (unsigned long)size, file));
free(file);
close(fd);
return 0;
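Review bot: On the short-read path in this hunk `*cert` is not released before `return 0` — `file` is freed and `fd` closed, but the buffer read() was filling (allocated just before the hunk) is left dangling in the caller's out-parameter while the caller is told the call failed. Add `free(*cert); *cert = NULL;` ahead of the `return 0;` so the failure path owns nothing. The `(int)size` cast also narrows a size_t to compare with read()'s ssize_t result; `(ssize_t)size` is the matching type. keynote_cert_obtain() continues past this hunk.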
@@ -2065,13 +2220,14 @@ keynote_cert_get_key(void *scert, void *keyp)
foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num);
if (foo == NULL || num == 0) {
- log_print("keynote_cert_get_key: failed to decompose credentials");
+ log_print("keynote_cert_get_key: "
+ "failed to decompose credentials");
return 0;
}
kid = kn_init();
if (kid == -1) {
- log_print("keynote_cert_get_key: failed to initialize new policy "
- "session");
+ log_print("keynote_cert_get_key: "
+ "failed to initialize new policy session");
while (num--)
free(foo[num]);
free(foo);
diff --git a/sbin/isakmpd/timer.c b/sbin/isakmpd/timer.c
index 9faca130604..45bcc49e4ae 100644
--- a/sbin/isakmpd/timer.c
+++ b/sbin/isakmpd/timer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: timer.c,v 1.13 2004/05/23 18:17:56 hshoexer Exp $ */
+/* $OpenBSD: timer.c,v 1.14 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: timer.c,v 1.13 2000/02/20 19:58:42 niklas Exp $ */
/*
@@ -72,7 +72,8 @@ timer_handle_expirations(void)
for (n = TAILQ_FIRST(&events); n && timercmp(&now, &n->expiration, >=);
n = TAILQ_FIRST(&events)) {
LOG_DBG((LOG_TIMER, 10,
- "timer_handle_expirations: event %s(%p)", n->name, n->arg));
+ "timer_handle_expirations: event %s(%p)", n->name,
+ n->arg));
TAILQ_REMOVE(&events, n, link);
(*n->func)(n->arg);
free(n);
diff --git a/sbin/isakmpd/transport.c b/sbin/isakmpd/transport.c
index a224435adf3..98608a3648f 100644
--- a/sbin/isakmpd/transport.c
+++ b/sbin/isakmpd/transport.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: transport.c,v 1.25 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: transport.c,v 1.26 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: transport.c,v 1.43 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -216,7 +216,8 @@ transport_handle_messages(fd_set * fds)
struct transport *t;
for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link))
- if ((t->flags & TRANSPORT_LISTEN) && (*t->vtbl->fd_isset) (t, fds))
+ if ((t->flags & TRANSPORT_LISTEN) &&
+ (*t->vtbl->fd_isset) (t, fds))
(*t->vtbl->handle_message) (t);
}
@@ -264,87 +265,102 @@ transport_send_messages(fd_set * fds)
exchange->in_transit = 0;
/*
- * We disregard the potential error message here, hoping that the
- * retransmit will go better.
+ * We disregard the potential error message here,
+ * hoping that the retransmit will go better.
* XXX Consider a retry/fatal error discriminator.
*/
t->vtbl->send_message(msg);
msg->xmits++;
/*
- * This piece of code has been proven to be quite delicate.
- * Think twice for before altering. Here's an outline:
+ * This piece of code has been proven to be quite
+ * delicate. Think twice for before altering. Here's
+ * an outline: If this message is not the one which
+ * finishes an exchange, check if we have reached the
+ * number of retransmit before queuing it up for
+ * another.
*
- * If this message is not the one which finishes an exchange,
- * check if we have reached the number of retransmit before
- * queuing it up for another.
+ * If it is a finishing message we still may have to
+ * keep it around for an on-demand retransmit when
+ * seeing a duplicate of our peer's previous message.
*
- * If it is a finishing message we still may have to keep it
- * around for an on-demand retransmit when seeing a duplicate
- * of our peer's previous message.
- *
- * If we have no previous message from our peer, we need not
- * to keep the message around.
+ * If we have no previous message from our peer, we
+ * need not to keep the message around.
*/
if ((msg->flags & MSG_LAST) == 0) {
- if (msg->xmits > conf_get_num("General", "retransmits",
- RETRANSMIT_DEFAULT)) {
- log_print("transport_send_messages: giving up on "
- "message %p, exchange %s", msg,
- exchange->name ? exchange->name : "<unnamed>");
+ if (msg->xmits > conf_get_num("General",
+ "retransmits", RETRANSMIT_DEFAULT)) {
+ log_print("transport_send_messages: "
+ "giving up on message %p, "
+ "exchange %s", msg,
+ exchange->name ? exchange->name :
+ "<unnamed>");
/* Be more verbose here. */
if (exchange->phase == 1) {
- log_print("transport_send_messages: either this "
- "message did not reach the other peer");
+ log_print(
+ "transport_send_messages: "
+ "either this message did "
+ "not reach the other "
+ "peer");
if (exchange->initiator)
- log_print("transport_send_messages: or the response"
- "message did not reach us back");
+ log_print("transport_send_messages: "
+ "or the response"
+ "message did not "
+ "reach us back");
else
- log_print("transport_send_messages: or this is "
- "an attempted IKE scan");
+ log_print("transport_send_messages: "
+ "or this is an "
+ "attempted IKE "
+ "scan");
}
exchange->last_sent = 0;
} else {
gettimeofday(&expiration, 0);
/*
- * XXX Calculate from round trip timings and a backoff func.
+ * XXX Calculate from round trip
+ * timings and a backoff func.
*/
expiry = msg->xmits * 2 + 5;
expiration.tv_sec += expiry;
LOG_DBG((LOG_TRANSPORT, 30,
- "transport_send_messages: message %p "
- "scheduled for retransmission %d in %d secs",
- msg, msg->xmits, expiry));
+ "transport_send_messages: "
+ "message %p scheduled for "
+ "retransmission %d in %d secs",
+ msg, msg->xmits, expiry));
if (msg->retrans)
timer_remove_event(msg->retrans);
msg->retrans
- = timer_add_event("message_send_expire",
- (void (*) (void *)) message_send_expire,
- msg, &expiration);
+ = timer_add_event("message_send_expire",
+ (void (*) (void *)) message_send_expire,
+ msg, &expiration);
/*
* If we cannot retransmit, we
* cannot...
*/
- exchange->last_sent = msg->retrans ? msg : 0;
+ exchange->last_sent =
+ msg->retrans ? msg : 0;
}
} else
- exchange->last_sent = exchange->last_received ? msg : 0;
+ exchange->last_sent =
+ exchange->last_received ? msg : 0;
/*
- * If this message is not referred to for later retransmission
- * it will be ok for us to drop it after the post-send function.
- * But as the post-send function may remove the exchange, we need
- * to remember this fact here.
+ * If this message is not referred to for later
+ * retransmission it will be ok for us to drop it
+ * after the post-send function. But as the post-send
+ * function may remove the exchange, we need to
+ * remember this fact here.
*/
ok_to_drop_message = exchange->last_sent == 0;
/*
- * If this is not a retransmit call post-send functions that allows
- * parallel work to be done while the network and peer does their
- * share of the job. Note that a post-send function may take
- * away the exchange we belong to, but only if no retransmits
- * are possible.
+ * If this is not a retransmit call post-send
+ * functions that allows parallel work to be done
+ * while the network and peer does their share of the
+ * job. Note that a post-send function may take away
+ * the exchange we belong to, but only if no
+ * retransmits are possible.
*/
if (msg->xmits == 1)
message_post_send(msg);
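Review bot: The reflowed log text in the initiator branch still lacks a space between its two string-literal pieces: `"or the response"` and `"message did not reach us back"` concatenate to "...or the responsemessage did not reach us back". Change the first piece to `"or the response "`; the defect predates this commit, but a pure reformat of that very line is the moment to fix it. The retransmit bookkeeping itself is moved verbatim, and the linear `expiry = msg->xmits * 2 + 5` schedule is already flagged by the XXX above it. transport_send_messages() starts and ends outside this hunk.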
diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c
index 78a0d49e9b1..618afa959f1 100644
--- a/sbin/isakmpd/udp.c
+++ b/sbin/isakmpd/udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp.c,v 1.72 2004/06/09 14:02:44 ho Exp $ */
+/* $OpenBSD: udp.c,v 1.73 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */
/*
@@ -455,7 +455,8 @@ udp_create(char *name)
addr_str = conf_get_str(name, "Address");
if (!addr_str) {
- log_print("udp_create: no address configured for \"%s\"", name);
+ log_print("udp_create: no address configured for \"%s\"",
+ name);
return 0;
}
if (text2sockaddr(addr_str, port_str, &dst)) {
diff --git a/sbin/isakmpd/util.c b/sbin/isakmpd/util.c
index a9b66bc5a73..55d4ddb1ce0 100644
--- a/sbin/isakmpd/util.c
+++ b/sbin/isakmpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.40 2004/05/24 14:54:50 hshoexer Exp $ */
+/* $OpenBSD: util.c,v 1.41 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: util.c,v 1.23 2000/11/23 12:22:08 niklas Exp $ */
/*
@@ -375,7 +375,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
* XXX In the algorithm below there are some magic
* numbers we probably could give explaining names.
*/
- addrlen = sizeof "0000:0000:0000:0000:0000:0000:0000:0000";
+ addrlen =
+ sizeof "0000:0000:0000:0000:0000:0000:0000:0000";
*address = malloc(addrlen);
if (!*address)
return -1;
@@ -386,7 +387,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i],
((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i + 1]);
j += 4;
- (*address)[j] = (j < (addrlen - 1)) ? ':' : '\0';
+ (*address)[j] =
+ (j < (addrlen - 1)) ? ':' : '\0';
j++;
}
break;
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index ca86a687f97..1fab3a52a8c 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.90 2004/06/02 16:19:16 hshoexer Exp $ */
+/* $OpenBSD: x509.c,v 1.91 2004/06/14 09:55:42 ho Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -169,7 +169,8 @@ x509_generate_kn(int id, X509 *cert)
!= X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
LOG_DBG((LOG_POLICY, 30,
- "x509_generate_kn: no certificate found for issuer"));
+ "x509_generate_kn: no certificate found for "
+ "issuer"));
return 0;
}
}
@@ -223,7 +224,8 @@ x509_generate_kn(int id, X509 *cert)
return 0;
}
if (((tm = X509_get_notBefore(cert)) == NULL) ||
- (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) {
+ (tm->type != V_ASN1_UTCTIME &&
+ tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp = "LocalTimeOfDay";
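Review bot: `strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt))` in the fallback branch of this hunk needs 15 bytes (14 characters plus NUL), so with a size of 14 the standard says it returns 0 and leaves `before` unspecified — and if `before` is an automatic array (its declaration is outside the hunk) there is no zero byte waiting at index 14, so the string handed to the KeyNote assertion may be unterminated. Use `strftime(before, sizeof before, "%Y%m%d%H%M%S", localtime(&tt));` and check the return value; the `after` fallback further down this function has the same shape. x509_generate_kn() starts and ends outside this hunk.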
@@ -327,7 +329,8 @@ x509_generate_kn(int id, X509 *cert)
tm = X509_get_notAfter(cert);
if (tm == NULL &&
- (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) {
+ (tm->type != V_ASN1_UTCTIME &&
+ tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp2 = "LocalTimeOfDay";
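Review bot: The notAfter test in this hunk is wrong in both directions: `tm == NULL && (tm->type != ...)` dereferences `tm` exactly when it is NULL, and when `tm` is non-NULL the whole condition is false, so an unexpected ASN.1 time type skips the fallback and falls through to the parsing code below. The notBefore check earlier in the same function uses `||`; this one should too: `if (tm == NULL ||`. The reformat preserved the bug line-for-line, so this is the moment to fix it. x509_generate_kn() continues on both sides of the hunk.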
@@ -356,7 +359,8 @@ x509_generate_kn(int id, X509 *cert)
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
- "NotValidAfter time field (%d)", tm->length));
+ "NotValidAfter time field (%d)",
+ tm->length));
free(ikey);
free(skey);
free(buf);
@@ -382,9 +386,11 @@ x509_generate_kn(int id, X509 *cert)
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
- snprintf(after, sizeof after, "20%s", tm->data);
+ snprintf(after, sizeof after, "20%s",
+ tm->data);
else
- snprintf(after, sizeof after, "19%s", tm->data);
+ snprintf(after, sizeof after, "19%s",
+ tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
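Review bot: Both `snprintf(after, sizeof after, "20%s", tm->data)` calls rely on `tm->data` being NUL-terminated, which is an implementation detail of how OpenSSL fills an ASN1_STRING rather than a contract of the type; the length was already validated as 10–13 bytes in this function, so the bounded form `"20%.*s", (int)tm->length, tm->data` uses exactly what was checked. The `/* V_ASN1_GENERICTIME */` comment on the else branch names a constant that does not exist; the branch handles `V_ASN1_GENERALIZEDTIME`, so `/* V_ASN1_GENERALIZEDTIME */` would match the code. x509_generate_kn() continues past the hunk.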
@@ -443,12 +449,14 @@ x509_generate_kn(int id, X509 *cert)
if (!X509_NAME_oneline(issuer, isname, 256)) {
LOG_DBG((LOG_POLICY, 50,
- "x509_generate_kn: X509_NAME_oneline (issuer, ...) failed"));
+ "x509_generate_kn: "
+ "X509_NAME_oneline (issuer, ...) failed"));
return 0;
}
if (!X509_NAME_oneline(subject, subname, 256)) {
LOG_DBG((LOG_POLICY, 50,
- "x509_generate_kn: X509_NAME_oneline (subject, ...) failed"));
+ "x509_generate_kn: "
+ "X509_NAME_oneline (subject, ...) failed"));
return 0;
}
buf_len = strlen(fmt2) + strlen(isname) + strlen(subname) + 56;
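Review bot: The two `return 0` paths in this hunk, taken when X509_NAME_oneline() fails, leave without releasing anything, whereas the length-check failure earlier in this same function frees `ikey`, `skey` and `buf` before returning. If those buffers are still live here (their allocation and any intervening free are outside the hunk) these returns leak them; freeing whatever is still owned, or jumping to a common cleanup label, would keep the error paths consistent. The hard-coded 256 passed for `isname`/`subname` is fine only as long as it matches their declarations — `sizeof isname` would make that self-evident. x509_generate_kn() continues past the hunk.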
@@ -514,7 +522,8 @@ x509_hash_init(void)
x509_tab = malloc((bucket_mask + 1) * sizeof(struct x509_list));
if (!x509_tab)
log_fatal("x509_hash_init: malloc (%lu) failed",
- (bucket_mask + 1) * (unsigned long)sizeof(struct x509_list));
+ (bucket_mask + 1) *
+ (unsigned long)sizeof(struct x509_list));
for (i = 0; i <= bucket_mask; i++) {
LIST_INIT(&x509_tab[i]);
}
@@ -558,7 +567,8 @@ x509_hash_find(u_int8_t *id, size_t len)
return cert->cert;
}
- LOG_DBG((LOG_CRYPTO, 70, "x509_hash_find: no certificate matched query"));
+ LOG_DBG((LOG_CRYPTO, 70,
+ "x509_hash_find: no certificate matched query"));
return 0;
}
@@ -681,8 +691,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash)
}
if (hash)
if (!x509_hash_enter(cert))
- log_print("x509_read_from_dir: x509_hash_enter "
- "(%s) failed",
+ log_print("x509_read_from_dir: "
+ "x509_hash_enter (%s) failed",
file->d_name);
}
@@ -872,8 +882,8 @@ x509_cert_validate(void *scert)
int res, err;
/*
- * Validate the peer certificate by checking with the CA certificates we
- * trust.
+ * Validate the peer certificate by checking with the CA certificates
+ * we trust.
*/
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
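Review bot: `X509_STORE_CTX_init(&csc, x509_cas, cert, NULL)` is called without checking its result, yet the very next line branches on `OPENSSL_VERSION_NUMBER >= 0x00907000L`, the release from which that function returns an int and can fail on allocation. On failure the context is unusable and the verification that follows would run against a half-initialised `csc`; under that `#if`, guard it with `if (!X509_STORE_CTX_init(&csc, x509_cas, cert, NULL)) { log_print("x509_cert_validate: X509_STORE_CTX_init failed"); return 0; }`. The value x509_cert_validate() returns for "invalid" is set outside the hunk, so confirm 0 is the right one. The function continues past this hunk.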
@@ -1092,8 +1102,8 @@ x509_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
X509 *scert;
if (aca)
- LOG_DBG((LOG_CRYPTO, 60,
- "x509_cert_obtain: acceptable certificate authorities here"));
+ LOG_DBG((LOG_CRYPTO, 60, "x509_cert_obtain: "
+ "acceptable certificate authorities here"));
/* We need our ID to find a certificate. */
if (!id) {
@@ -1128,7 +1138,8 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
subjectaltname = X509_get_ext(scert, extpos);
if (!subjectaltname || !subjectaltname->value ||
- !subjectaltname->value->data || subjectaltname->value->length < 4) {
+ !subjectaltname->value->data ||
+ subjectaltname->value->length < 4) {
log_print("x509_cert_subjectaltname: invalid "
"subjectaltname extension");
return 0;
@@ -1365,7 +1376,8 @@ x509_from_printable(char *cert)
foo = x509_cert_get(buf, plen);
free(buf);
if (!foo)
- log_print("x509_from_printable: could not retrieve certificate");
+ log_print("x509_from_printable: "
+ "could not retrieve certificate");
return foo;
}