diff options
| author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-05-23 18:17:57 +0000 |
|---|---|---|
| committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-05-23 18:17:57 +0000 |
| commit | ac324beccb96daadd14d3f42cd142addde9333a0 (patch) | |
| tree | 43034f8e22a5dafe63baffa14930ab64d3368ccb | |
| parent | 1cc81129a63546cce75f8186e7296f4defe4317a (diff) | |
More KNF. Mainly spaces and line-wraps, no binary change.
ok ho@
38 files changed, 1852 insertions, 1616 deletions
diff --git a/sbin/isakmpd/field.c b/sbin/isakmpd/field.c index 2f54a1db74d..1618ca690aa 100644 --- a/sbin/isakmpd/field.c +++ b/sbin/isakmpd/field.c @@ -1,4 +1,4 @@ -/* $OpenBSD: field.c,v 1.14 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: field.c,v 1.15 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: field.c,v 1.11 2000/02/20 19:58:37 niklas Exp $ */ /* @@ -62,7 +62,7 @@ static char *(*decode_field[]) (u_int8_t *, size_t, struct constant_map **) = static char * field_debug_raw(u_int8_t *buf, size_t len, struct constant_map **maps) { - char *retval, *p; + char *retval, *p; if (len == 0) return 0; @@ -189,7 +189,7 @@ field_debug_cst(u_int8_t *buf, size_t len, struct constant_map **maps) void field_dump_field(struct field *f, u_int8_t *buf) { - char *value; + char *value; value = decode_field[(int) f->type] (buf + f->offset, f->len, f->maps); if (value) { @@ -238,14 +238,14 @@ field_set_num(struct field *f, u_int8_t *buf, u_int32_t val) /* Stash BUF's raw field F into VAL. */ void -field_get_raw(struct field * f, u_int8_t * buf, u_int8_t * val) +field_get_raw(struct field *f, u_int8_t *buf, u_int8_t *val) { memcpy(val, buf + f->offset, f->len); } /* Stash the buffer VAL into BUF's field F. */ void -field_set_raw(struct field * f, u_int8_t * buf, u_int8_t * val) +field_set_raw(struct field *f, u_int8_t *buf, u_int8_t *val) { memcpy(buf + f->offset, val, f->len); } diff --git a/sbin/isakmpd/field.h b/sbin/isakmpd/field.h index 9021ba3693c..428d417674a 100644 --- a/sbin/isakmpd/field.h +++ b/sbin/isakmpd/field.h @@ -1,4 +1,4 @@ -/* $OpenBSD: field.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: field.h,v 1.6 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: field.h,v 1.3 1998/08/02 20:25:01 niklas Exp $ */ /* @@ -35,12 +35,12 @@ #include <sys/types.h> struct field { - char *name; - int offset; - size_t len; + char *name; + int offset; + size_t len; enum { - raw, num, mask, ign, cst - } type; + raw, num, mask, ign, cst + } type; struct constant_map **maps; }; diff --git a/sbin/isakmpd/hash.c b/sbin/isakmpd/hash.c index bf77af07836..517b8e12f0d 100644 --- a/sbin/isakmpd/hash.c +++ b/sbin/isakmpd/hash.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hash.c,v 1.15 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: hash.c,v 1.16 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: hash.c,v 1.10 1999/04/17 23:20:34 niklas Exp $ */ /* @@ -45,12 +45,12 @@ #include "hash.h" #include "log.h" -void hmac_init(struct hash *, unsigned char *, unsigned int); -void hmac_final(unsigned char *, struct hash *); +void hmac_init(struct hash *, unsigned char *, unsigned int); +void hmac_final(unsigned char *, struct hash *); /* Temporary hash contexts. */ static union { - MD5_CTX md5ctx; + MD5_CTX md5ctx; SHA1_CTX sha1ctx; } Ctx, Ctx2; @@ -61,19 +61,19 @@ static unsigned char digest[HASH_MAX]; static struct hash hashes[] = { { - HASH_MD5, 5, MD5_SIZE, (void *) &Ctx.md5ctx, digest, - sizeof(MD5_CTX), (void *) &Ctx2.md5ctx, - (void (*) (void *)) MD5Init, - (void (*) (void *, unsigned char *, unsigned int)) MD5Update, - (void (*) (unsigned char *, void *)) MD5Final, + HASH_MD5, 5, MD5_SIZE, (void *)&Ctx.md5ctx, digest, + sizeof(MD5_CTX), (void *)&Ctx2.md5ctx, + (void (*)(void *))MD5Init, + (void (*)(void *, unsigned char *, unsigned int))MD5Update, + (void (*)(unsigned char *, void *))MD5Final, hmac_init, hmac_final }, { - HASH_SHA1, 6, SHA1_SIZE, (void *) &Ctx.sha1ctx, digest, - sizeof(SHA1_CTX), (void *) &Ctx2.sha1ctx, - (void (*) (void *)) SHA1Init, - (void (*) (void *, unsigned char *, unsigned int)) SHA1Update, - (void (*) (unsigned char *, void *)) SHA1Final, + HASH_SHA1, 6, SHA1_SIZE, (void *)&Ctx.sha1ctx, digest, + sizeof(SHA1_CTX), (void *)&Ctx2.sha1ctx, + (void (*)(void *))SHA1Init, + (void (*)(void *, unsigned char *, unsigned int))SHA1Update, + (void (*)(unsigned char *, void *))SHA1Final, hmac_init, hmac_final }, @@ -82,7 +82,7 @@ static struct hash hashes[] = { struct hash * hash_get(enum hashes hashtype) { - size_t i; + size_t i; LOG_DBG((LOG_CRYPTO, 60, "hash_get: requested algorithm %d", hashtype)); diff --git a/sbin/isakmpd/if.c b/sbin/isakmpd/if.c index f6488779cf7..697b90a4a4a 100644 --- a/sbin/isakmpd/if.c +++ b/sbin/isakmpd/if.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if.c,v 1.20 2004/05/23 16:14:37 deraadt Exp $ */ +/* $OpenBSD: if.c,v 1.21 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: if.c,v 1.12 1999/10/01 13:45:20 niklas Exp $ */ /* @@ -74,24 +74,27 @@ siocgifconf(struct ifconf *ifcp) buf = 0; while (1) { /* - * Allocate a larger buffer each time around the loop and get the - * network interfaces configurations into it. + * Allocate a larger buffer each time around the loop and get + * the network interfaces configurations into it. */ new_buf = realloc(buf, len); if (!new_buf) { - log_error("siocgifconf: realloc (%p, %d) failed", buf, len); + log_error("siocgifconf: realloc (%p, %d) failed", buf, + len); goto err; } ifcp->ifc_len = len; ifcp->ifc_buf = buf = new_buf; if (ioctl(s, SIOCGIFCONF, ifcp) == -1) { - log_error("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) failed", s); + log_error("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) " + "failed", s); goto err; } /* - * If there is place for another ifreq we can be sure that the buffer - * was big enough, otherwise double the size and try again. + * If there is place for another ifreq we can be sure that the + * buffer was big enough, otherwise double the size and try + * again. */ if (len - ifcp->ifc_len >= sizeof(struct ifreq)) break; @@ -122,7 +125,7 @@ if_map(int (*func)(char *, struct sockaddr *, void *), void *arg) return -1; for (ifa = ifap; ifa; ifa = ifa->ifa_next) - if ((*func) (ifa->ifa_name, ifa->ifa_addr, arg) == -1) + if ((*func)(ifa->ifa_name, ifa->ifa_addr, arg) == -1) err = -1; freeifaddrs(ifap); #else @@ -136,7 +139,7 @@ if_map(int (*func)(char *, struct sockaddr *, void *), void *arg) limit = ifc.ifc_buf + ifc.ifc_len; for (p = ifc.ifc_buf; p < limit; p += len) { - ifrp = (struct ifreq *) p; + ifrp = (struct ifreq *)p; if ((*func)(ifrp->ifr_name, &ifrp->ifr_addr, arg) == -1) err = -1; len = sizeof ifrp->ifr_name + diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c index a7d58fc3b9e..6ff93cd72f7 100644 --- a/sbin/isakmpd/ike_aggressive.c +++ b/sbin/isakmpd/ike_aggressive.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_aggressive.c,v 1.6 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ike_aggressive.c,v 1.7 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */ /* @@ -65,13 +65,13 @@ static int initiator_send_AUTH(struct message *); static int responder_recv_SA_KE_NONCE_ID(struct message *); static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *); -int (*ike_aggressive_initiator[]) (struct message *) = { +int (*ike_aggressive_initiator[])(struct message *) = { initiator_send_SA_KE_NONCE_ID, initiator_recv_SA_KE_NONCE_ID_AUTH, initiator_send_AUTH }; -int (*ike_aggressive_responder[]) (struct message *) = { +int (*ike_aggressive_responder[])(struct message *) = { responder_recv_SA_KE_NONCE_ID, responder_send_SA_KE_NONCE_ID_AUTH, ike_phase_1_recv_AUTH @@ -79,7 +79,7 @@ int (*ike_aggressive_responder[]) (struct message *) = { /* Offer a set of transforms to the responder in the MSG message. */ static int -initiator_send_SA_KE_NONCE_ID(struct message * msg) +initiator_send_SA_KE_NONCE_ID(struct message *msg) { if (ike_phase_1_initiator_send_SA(msg)) return -1; @@ -92,7 +92,7 @@ initiator_send_SA_KE_NONCE_ID(struct message * msg) /* Figure out what transform the responder chose. */ static int -initiator_recv_SA_KE_NONCE_ID_AUTH(struct message * msg) +initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *msg) { if (ike_phase_1_initiator_recv_SA(msg)) return -1; @@ -104,7 +104,7 @@ initiator_recv_SA_KE_NONCE_ID_AUTH(struct message * msg) } static int -initiator_send_AUTH(struct message * msg) +initiator_send_AUTH(struct message *msg) { msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; @@ -129,7 +129,7 @@ initiator_send_AUTH(struct message * msg) * handle. Also accept initiator's public DH value, nonce and ID. */ static int -responder_recv_SA_KE_NONCE_ID(struct message * msg) +responder_recv_SA_KE_NONCE_ID(struct message *msg) { if (ike_phase_1_responder_recv_SA(msg)) return -1; @@ -145,7 +145,7 @@ responder_recv_SA_KE_NONCE_ID(struct message * msg) * to the initiator. */ static int -responder_send_SA_KE_NONCE_ID_AUTH(struct message * msg) +responder_send_SA_KE_NONCE_ID_AUTH(struct message *msg) { /* Add the SA payload with the transform that was chosen. */ if (ike_phase_1_responder_send_SA(msg)) diff --git a/sbin/isakmpd/ike_aggressive.h b/sbin/isakmpd/ike_aggressive.h index 4356cdeac57..f2af5244e90 100644 --- a/sbin/isakmpd/ike_aggressive.h +++ b/sbin/isakmpd/ike_aggressive.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_aggressive.h,v 1.4 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ike_aggressive.h,v 1.5 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: ike_aggressive.h,v 1.1 1999/04/16 21:24:43 niklas Exp $ */ /* @@ -34,7 +34,7 @@ struct message; -extern int (*ike_aggressive_initiator[]) (struct message * msg); -extern int (*ike_aggressive_responder[]) (struct message * msg); +extern int (*ike_aggressive_initiator[])(struct message *msg); +extern int (*ike_aggressive_responder[])(struct message *msg); #endif /* _IKE_AGGRESSIVE_H_ */ diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index b5901acdf0f..560527b057c 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.86 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.87 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* @@ -139,17 +139,17 @@ ike_auth_get(u_int16_t id) static void * ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) { - char *key, *buf; + char *key, *buf; #if defined (USE_X509) || defined (USE_KEYNOTE) - char *keyfile; + char *keyfile; #if defined (USE_X509) #if defined (USE_PRIVSEP) - FILE *keyfp; + FILE *keyfp; #else - BIO *keyh; + BIO *keyh; #endif - RSA *rsakey; - size_t fsize; + RSA *rsakey; + size_t fsize; #endif #endif @@ -171,14 +171,14 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) *keylen = (strlen(key) - 1) / 2; buf = malloc(*keylen); if (!buf) { - log_error("ike_auth_get_key: malloc (%lu) failed", - (unsigned long) *keylen); + log_error("ike_auth_get_key: malloc (%lu) " + "failed", (unsigned long) *keylen); return 0; } - if (hex2raw(key + 2, (unsigned char *) buf, *keylen)) { + if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) { free(buf); - log_print("ike_auth_get_key: invalid hex key %s", - key); + log_print("ike_auth_get_key: invalid hex key " + "%s", key); return 0; } key = buf; @@ -196,8 +196,8 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) case IKE_AUTH_RSA_SIG: #if defined (USE_X509) || defined (USE_KEYNOTE) #if defined (USE_KEYNOTE) - if (local_id && - (keyfile = conf_get_str("KeyNote", "Credential-directory")) != 0) { + if (local_id && (keyfile = conf_get_str("KeyNote", + "Credential-directory")) != 0) { struct stat sb; struct keynote_deckey dc; char *privkeyfile, *buf2; @@ -208,12 +208,12 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) sizeof PRIVATE_KEY_FILE + sizeof "//" - 1; privkeyfile = calloc(pkflen, sizeof(char)); if (!privkeyfile) { - log_print("ike_auth_get_key: failed to allocate %d bytes", - pkflen); + log_print("ike_auth_get_key: failed to " + "allocate %d bytes", pkflen); return 0; } - snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile, local_id, - PRIVATE_KEY_FILE); + snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile, + local_id, PRIVATE_KEY_FILE); keyfile = privkeyfile; if (monitor_stat(keyfile, &sb) < 0) { @@ -224,15 +224,15 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) fd = monitor_open(keyfile, O_RDONLY, 0); if (fd < 0) { - log_print("ike_auth_get_key: failed opening \"%s\"", - keyfile); + log_print("ike_auth_get_key: failed opening " + "\"%s\"", keyfile); free(keyfile); return 0; } buf = calloc(size + 1, sizeof(char)); if (!buf) { - log_print("ike_auth_get_key: failed allocating %lu bytes", - (unsigned long) size + 1); + log_print("ike_auth_get_key: failed allocating" + " %lu bytes", (unsigned long)size + 1); free(keyfile); return 0; } @@ -240,7 +240,7 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) free(buf); log_print("ike_auth_get_key: " "failed reading %lu bytes from \"%s\"", - (unsigned long) size, keyfile); + (unsigned long)size, keyfile); free(keyfile); return 0; } @@ -252,16 +252,17 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) if (kn_decode_key(&dc, buf2, KEYNOTE_PRIVATE_KEY) == -1) { free(buf2); - log_print("ike_auth_get_key: failed decoding key in \"%s\"", - keyfile); + log_print("ike_auth_get_key: failed decoding " + "key in \"%s\"", keyfile); free(keyfile); return 0; } free(buf2); if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) { - log_print("ike_auth_get_key: wrong algorithm type %d in \"%s\"", - dc.dec_algorithm, keyfile); + log_print("ike_auth_get_key: wrong algorithm " + "type %d in \"%s\"", dc.dec_algorithm, + keyfile); free(keyfile); kn_free_key(&dc); return 0; @@ -281,7 +282,8 @@ ignorekeynote: #if defined (USE_PRIVSEP) keyfp = monitor_fopen(keyfile, "r"); if (!keyfp) { - log_print("ike_auth_get_key: failed opening \"%s\"", keyfile); + log_print("ike_auth_get_key: failed opening \"%s\"", + keyfile); return 0; } #if SSLEAY_VERSION_NUMBER >= 0x00904100L @@ -293,14 +295,13 @@ ignorekeynote: #else keyh = BIO_new(BIO_s_file()); if (keyh == NULL) { - log_print("ike_auth_get_key: " - "BIO_new (BIO_s_file ()) failed"); + log_print("ike_auth_get_key: BIO_new (BIO_s_file ())" + "failed"); return 0; } if (BIO_read_filename(keyh, keyfile) == -1) { - log_print("ike_auth_get_key: " - "BIO_read_filename (keyh, \"%s\") failed", - keyfile); + log_print("ike_auth_get_key: BIO_read_filename (keyh," + "\"%s\") failed", keyfile); BIO_free(keyh); return 0; } @@ -348,8 +349,9 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV6_ADDR: util_ntoa((char **) &buf, - exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, - exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); + exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET : + AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF - + ISAKMP_GEN_SZ); if (!buf) return 0; break; @@ -359,14 +361,16 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, sizeof(char)); if (!buf) { - log_print("pre_shared_gen_skeyid: malloc (%lu) failed", - (unsigned long) exchange->id_i_len - + log_print("pre_shared_gen_skeyid: malloc (%lu" + ") failed", + (unsigned long)exchange->id_i_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); return 0; } memcpy(buf, exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - exchange->id_i_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); + exchange->id_i_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ); break; /* XXX Support more ID types ? */ @@ -392,7 +396,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE; if (!exchange->recv_key) { log_error("pre_shared_gen_skeyid: malloc (%lu) failed", - (unsigned long) keylen); + (unsigned long)keylen); free(key); return 0; } @@ -408,7 +412,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) skeyid = malloc(*sz); if (!skeyid) { log_error("pre_shared_gen_skeyid: malloc (%lu) failed", - (unsigned long) *sz); + (unsigned long)*sz); prf_free(prf); return 0; } @@ -439,8 +443,9 @@ sig_gen_skeyid(struct exchange *exchange, size_t *sz) LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d", ie->prf_type, ie->hash->type)); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, "sig_gen_skeyid: SKEYID initialized with", - (u_int8_t *) key, exchange->nonce_i_len + exchange->nonce_r_len)); + LOG_DBG_BUF((LOG_NEGOTIATION, 80, + "sig_gen_skeyid: SKEYID initialized with", + (u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len)); prf = prf_alloc(ie->prf_type, ie->hash->type, key, exchange->nonce_i_len + exchange->nonce_r_len); @@ -452,14 +457,14 @@ sig_gen_skeyid(struct exchange *exchange, size_t *sz) skeyid = malloc(*sz); if (!skeyid) { log_error("sig_gen_skeyid: malloc (%lu) failed", - (unsigned long) *sz); + (unsigned long)*sz); prf_free(prf); return 0; } LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu", (unsigned long) ie->g_x_len)); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, "sig_gen_skeyid: SKEYID fed with g^xy", - ie->g_xy, ie->g_x_len)); + LOG_DBG_BUF((LOG_NEGOTIATION, 80, + "sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_x_len)); prf->Init(prf->prfctx); prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len); @@ -532,7 +537,7 @@ pre_shared_decode_hash(struct message *msg) *hash_p = malloc(hashsize); if (!*hash_p) { log_error("pre_shared_decode_hash: malloc (%lu) failed", - (unsigned long) hashsize); + (unsigned long)hashsize); return -1; } memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize); @@ -576,8 +581,9 @@ rsa_sig_decode_hash(struct message *msg) return -1; } /* - * XXX Assume we should use the same kind of certification as the remote... - * moreover, just use the first CERT payload to decide what to use. + * XXX Assume we should use the same kind of certification as the + * remote... moreover, just use the first CERT payload to decide what + * to use. */ p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_CERT]); if (!p) @@ -596,7 +602,8 @@ rsa_sig_decode_hash(struct message *msg) */ exchange->policy_id = kn_init(); if (exchange->policy_id == -1) { - log_print("rsa_sig_decode_hash: failed to initialize policy session"); + log_print("rsa_sig_decode_hash: failed to initialize policy " + "session"); return -1; } #endif /* USE_POLICY || USE_KEYNOTE */ @@ -606,8 +613,8 @@ rsa_sig_decode_hash(struct message *msg) if (handler->id == ISAKMP_CERTENC_X509_SIG) { cert = handler->cert_get(rawcert, rawcertlen); if (!cert) - LOG_DBG((LOG_CRYPTO, 50, - "rsa_sig_decode_hash: certificate malformed")); + LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:" + " certificate malformed")); else { if (!handler->cert_get_key(cert, &key)) { log_print("rsa_sig_decode_hash: " @@ -616,8 +623,8 @@ rsa_sig_decode_hash(struct message *msg) } else { found++; LOG_DBG((LOG_CRYPTO, 40, - "rsa_sig_decode_hash: using cert of type %d", - handler->id)); + "rsa_sig_decode_hash: using cert " + "of type %d", handler->id)); exchange->recv_cert = cert; exchange->recv_certtype = handler->id; #if defined (USE_POLICY) @@ -661,27 +668,31 @@ rsa_sig_decode_hash(struct message *msg) } if (!handler->cert_validate(cert)) { handler->cert_free(cert); - log_print("rsa_sig_decode_hash: received CERT can't be validated"); + log_print("rsa_sig_decode_hash: received CERT can't " + "be validated"); continue; } if (GET_ISAKMP_CERT_ENCODING(p->p) == ISAKMP_CERTENC_X509_SIG) { if (!handler->cert_get_subjects(cert, &n, &id_cert, &id_cert_len)) { handler->cert_free(cert); - log_print("rsa_sig_decode_hash: can not get subject from CERT"); + log_print("rsa_sig_decode_hash: can not get " + "subject from CERT"); continue; } id_found = 0; for (i = 0; i < n; i++) if (id_cert_len[i] == id_len && id[0] == id_cert[i][0] && - memcmp(id + 4, id_cert[i] + 4, id_len - 4) == 0) { + memcmp(id + 4, id_cert[i] + 4, id_len - 4) + == 0) { id_found++; break; } if (!id_found) { handler->cert_free(cert); - log_print("rsa_sig_decode_hash: no CERT subject match the ID"); + log_print("rsa_sig_decode_hash: no CERT " + "subject match the ID"); free(id_cert); continue; } @@ -689,7 +700,8 @@ rsa_sig_decode_hash(struct message *msg) } if (!handler->cert_get_key(cert, &key)) { handler->cert_free(cert); - log_print("rsa_sig_decode_hash: decoding payload CERT failed"); + log_print("rsa_sig_decode_hash: decoding payload CERT " + "failed"); continue; } /* We validated the cert, cache it for later use. */ @@ -711,7 +723,8 @@ rsa_sig_decode_hash(struct message *msg) KEYNOTE_PUBLIC_KEY); if (pp == NULL) { kn_free_key(&dc); - log_print("rsa_sig_decode_hash: failed to ASCII-encode key"); + log_print("rsa_sig_decode_hash: failed to " + "ASCII-encode key"); return -1; } dclen = strlen(pp) + sizeof "rsa-hex:"; @@ -719,8 +732,8 @@ rsa_sig_decode_hash(struct message *msg) if (!exchange->keynote_key) { free(pp); kn_free_key(&dc); - log_print("rsa_sig_decode_hash: failed to allocate %d bytes", - dclen); + log_print("rsa_sig_decode_hash: failed to " + "allocate %d bytes", dclen); return -1; } snprintf(exchange->keynote_key, dclen, "rsa-hex:%s", pp); @@ -743,7 +756,8 @@ rsa_sig_decode_hash(struct message *msg) if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0) found++; else - log_print("rsa_sig_decode_hash: KEY to RSA key conversion failed"); + log_print("rsa_sig_decode_hash: KEY to RSA key " + "conversion failed"); if (rawkey) free(rawkey); @@ -753,7 +767,8 @@ rsa_sig_decode_hash(struct message *msg) #if defined (USE_RAWKEY) /* If we still have not found a key, try to read it from a file. */ if (!found) - if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key) != -1) + if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key) + != -1) found++; #endif @@ -796,7 +811,7 @@ rsa_sig_decode_hash(struct message *msg) free(*hash_p); *hash_p = 0; log_print("rsa_sig_decode_hash: len %lu != hashsize %lu", - (unsigned long) len, (unsigned long) hashsize); + (unsigned long)len, (unsigned long)hashsize); return -1; } snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c", @@ -852,22 +867,25 @@ rsa_sig_encode_hash(struct message *msg) /* We may have been provided these by the kernel */ buf = (u_int8_t *) conf_get_str(exchange->name, "Credentials"); - if (buf && - (idtype = conf_get_num(exchange->name, "Credential_Type", -1) != -1)) { + if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", -1) + != -1)) { exchange->sent_certtype = idtype; handler = cert_get(idtype); if (!handler) { - log_print("rsa_sig_encode_hash: cert_get (%d) failed", idtype); + log_print("rsa_sig_encode_hash: cert_get (%d) failed", + idtype); return -1; } - exchange->sent_cert = handler->cert_from_printable((char *) buf); + exchange->sent_cert = handler->cert_from_printable((char *)buf); if (!exchange->sent_cert) { - log_print("rsa_sig_encode_hash: failed to retrieve certificate"); + log_print("rsa_sig_encode_hash: failed to retrieve " + "certificate"); return -1; } handler->cert_serialize(exchange->sent_cert, &data, &datalen); if (!data) { - log_print("rsa_sig_encode_hash: cert serialization failed"); + log_print("rsa_sig_encode_hash: cert serialization " + "failed"); return -1; } goto aftercert; /* Skip all the certificate discovery */ @@ -881,7 +899,8 @@ rsa_sig_encode_hash(struct message *msg) idtype = ISAKMP_CERTENC_X509_SIG; handler = cert_get(idtype); if (!handler) { - log_print("rsa_sig_encode_hash: cert_get(%d) failed", idtype); + log_print("rsa_sig_encode_hash: cert_get(%d) failed", + idtype); return -1; } } @@ -890,11 +909,12 @@ rsa_sig_encode_hash(struct message *msg) idtype = ISAKMP_CERTENC_X509_SIG; handler = cert_get(idtype); if (!handler) { - log_print("rsa_sig_encode_hash: cert_get(%d) failed", - idtype); + log_print("rsa_sig_encode_hash: cert_get(%d) " + "failed", idtype); return -1; } - if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) { + if (handler->cert_obtain(id, id_len, 0, &data, + &datalen) == 0) { LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: no certificate to send")); goto skipcert; @@ -910,8 +930,8 @@ rsa_sig_encode_hash(struct message *msg) exchange->sent_cert = handler->cert_get(data, datalen); if (!exchange->sent_cert) { free(data); - log_print("rsa_sig_encode_hash: failed to get certificate from wire " - "encoding"); + log_print("rsa_sig_encode_hash: failed to get certificate " + "from wire encoding"); return -1; } aftercert: @@ -935,17 +955,18 @@ skipcert: /* Again, we may have these from the kernel */ buf = (u_int8_t *) conf_get_str(exchange->name, "PKAuthentication"); if (buf) { - key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, (char *) buf, - &data, &datalen); + key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, + (char *)buf, &data, &datalen); if (!data) { - log_print("rsa_sig_encode_hash: badly formatted RSA private key"); + log_print("rsa_sig_encode_hash: badly formatted RSA " + "private key"); return 0; } - sent_key = key_internalize(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, - data, datalen); + sent_key = key_internalize(ISAKMP_KEY_RSA, + ISAKMP_KEYTYPE_PRIVATE, data, datalen); if (!sent_key) { - log_print("rsa_sig_encode_hash: bad RSA private key from dynamic " - "SA acquisition subsystem"); + log_print("rsa_sig_encode_hash: bad RSA private key " + "from dynamic SA acquisition subsystem"); return 0; } } else { @@ -953,7 +974,7 @@ skipcert: switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) { case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV6_ADDR: - util_ntoa((char **) &buf2, + util_ntoa((char **)&buf2, id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); @@ -963,12 +984,12 @@ skipcert: case IPSEC_ID_FQDN: case IPSEC_ID_USER_FQDN: - buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, - sizeof(char)); + buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ + 1, sizeof(char)); if (!buf2) { - log_print("rsa_sig_encode_hash: malloc (%lu) failed", - (unsigned long) id_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1); + log_print("rsa_sig_encode_hash: malloc (%lu) " + "failed", (unsigned long)id_len - + ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); return 0; } memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, @@ -982,7 +1003,7 @@ skipcert: } sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name, - (char *) buf2, 0); + (char *)buf2, 0); free(buf2); /* Did we find a key? */ @@ -1001,7 +1022,7 @@ skipcert: buf = malloc(hashsize); if (!buf) { log_error("rsa_sig_encode_hash: malloc (%lu) failed", - (unsigned long) hashsize); + (unsigned long)hashsize); return -1; } if (ike_auth_hash(exchange, buf) == -1) { @@ -1113,7 +1134,7 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) fstr = CONF_DFLT_PUBKEY_DIR; if (snprintf(filename, sizeof filename, "%s/", fstr) > - (int) sizeof filename - 1) + (int)sizeof filename - 1) return -1; fstr = ipsec_id_string(id, id_len); @@ -1130,8 +1151,8 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) #if defined (USE_PRIVSEP) keyfp = monitor_fopen(filename, "r"); if (!keyfp) { - log_error("get_raw_key_from_file: monitor_fopen (\"%s\", \"r\") " - "failed", filename); + log_error("get_raw_key_from_file: monitor_fopen " + "(\"%s\", \"r\") failed", filename); return -1; } *rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL); diff --git a/sbin/isakmpd/ike_main_mode.c b/sbin/isakmpd/ike_main_mode.c index cff96457079..53e18c486c4 100644 --- a/sbin/isakmpd/ike_main_mode.c +++ b/sbin/isakmpd/ike_main_mode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_main_mode.c,v 1.13 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ike_main_mode.c,v 1.14 2004/05/23 18:17:55 hshoexer Exp $ */ /* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */ /* @@ -62,7 +62,7 @@ static int initiator_send_ID_AUTH(struct message *); static int responder_send_ID_AUTH(struct message *); static int responder_send_KE_NONCE(struct message *); -int (*ike_main_mode_initiator[]) (struct message *) = { +int (*ike_main_mode_initiator[]) (struct message *) = { ike_phase_1_initiator_send_SA, ike_phase_1_initiator_recv_SA, ike_phase_1_initiator_send_KE_NONCE, @@ -71,7 +71,7 @@ int (*ike_main_mode_initiator[]) (struct message *) = { ike_phase_1_recv_ID_AUTH }; -int (*ike_main_mode_responder[]) (struct message *) = { +int (*ike_main_mode_responder[]) (struct message *) = { ike_phase_1_responder_recv_SA, ike_phase_1_responder_send_SA, ike_phase_1_recv_KE_NONCE, @@ -81,7 +81,7 @@ int (*ike_main_mode_responder[]) (struct message *) = { }; static int -initiator_send_ID_AUTH(struct message * msg) +initiator_send_ID_AUTH(struct message *msg) { msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; @@ -96,7 +96,7 @@ initiator_send_ID_AUTH(struct message * msg) /* Send our public DH value and a nonce to the initiator. */ int -responder_send_KE_NONCE(struct message * msg) +responder_send_KE_NONCE(struct message *msg) { /* XXX Should we really just use the initiator's nonce size? */ if (ike_phase_1_send_KE_NONCE(msg, msg->exchange->nonce_i_len)) @@ -107,14 +107,13 @@ responder_send_KE_NONCE(struct message * msg) * on a roundtrip over the wire. */ message_register_post_send(msg, - (void (*) (struct message *)) - ike_phase_1_post_exchange_KE_NONCE); + (void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE); return 0; } static int -responder_send_ID_AUTH(struct message * msg) +responder_send_ID_AUTH(struct message *msg) { msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; diff --git a/sbin/isakmpd/ike_main_mode.h b/sbin/isakmpd/ike_main_mode.h index 0ad9e532f97..3e0d17382fa 100644 --- a/sbin/isakmpd/ike_main_mode.h +++ b/sbin/isakmpd/ike_main_mode.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_main_mode.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ike_main_mode.h,v 1.6 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: ike_main_mode.h,v 1.1 1998/07/25 11:22:07 niklas Exp $ */ /* @@ -34,7 +34,7 @@ struct message; -extern int (*ike_main_mode_initiator[]) (struct message * msg); -extern int (*ike_main_mode_responder[]) (struct message * msg); +extern int (*ike_main_mode_initiator[]) (struct message *msg); +extern int (*ike_main_mode_responder[]) (struct message *msg); #endif /* _IKE_MAIN_MODE_H_ */ diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index 2a224c0b694..9956787cea0 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec.c,v 1.90 2004/05/19 14:30:26 ho Exp $ */ +/* $OpenBSD: ipsec.c,v 1.91 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ /* @@ -104,9 +104,8 @@ static void ipsec_free_proto_data(void *); static void ipsec_free_sa_data(void *); static struct keystate *ipsec_get_keystate(struct message *); static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *); -static int -ipsec_handle_leftover_payload(struct message *, u_int8_t, - struct payload *); +static int ipsec_handle_leftover_payload(struct message *, u_int8_t, + struct payload *); static int ipsec_informational_post_hook(struct message *); static int ipsec_informational_pre_hook(struct message *); static int ipsec_initiator(struct message *); @@ -116,11 +115,11 @@ static void ipsec_setup_situation(u_int8_t *); static int ipsec_set_network(u_int8_t *, u_int8_t *, struct ipsec_sa *); static size_t ipsec_situation_size(void); static u_int8_t ipsec_spi_size(u_int8_t); -static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); +static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, + void *); static int ipsec_validate_exchange(u_int8_t); -static int -ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *, - size_t, struct exchange *); +static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *, + size_t, struct exchange *); static int ipsec_validate_key_information(u_int8_t *, size_t); static int ipsec_validate_notification(u_int16_t); static int ipsec_validate_proto(u_int8_t); @@ -163,7 +162,7 @@ static struct doi ipsec_doi = { ipsec_decode_ids }; -int16_t script_quick_mode[] = { +int16_t script_quick_mode[] = { ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ ISAKMP_PAYLOAD_SA, ISAKMP_PAYLOAD_NONCE, @@ -176,7 +175,7 @@ int16_t script_quick_mode[] = { EXCHANGE_SCRIPT_END }; -int16_t script_new_group_mode[] = { +int16_t script_new_group_mode[] = { ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ ISAKMP_PAYLOAD_SA, EXCHANGE_SCRIPT_SWITCH, @@ -223,7 +222,8 @@ ipsec_sa_check(struct sa *sa, void *v_arg) for (proto = TAILQ_FIRST(&sa->protos); proto; proto = TAILQ_NEXT(proto, link)) if ((arg->proto == 0 || proto->proto == arg->proto) && - memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi) == 0) + memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi) + == 0) return 1; return 0; } @@ -279,7 +279,7 @@ ipsec_sa_check_flow(struct sa * sa, void *v_arg) * the final message. */ static void -ipsec_finalize_exchange(struct message * msg) +ipsec_finalize_exchange(struct message *msg) { struct sa *isakmp_sa = msg->isakmp_sa; struct ipsec_sa *isa; @@ -319,7 +319,8 @@ ipsec_finalize_exchange(struct message * msg) switch (exchange->type) { case IKE_EXCH_QUICK_MODE: /* - * Tell the application(s) about the SPIs and key material. + * Tell the application(s) about the SPIs and key + * material. */ for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = TAILQ_NEXT(sa, next)) { @@ -341,8 +342,8 @@ ipsec_finalize_exchange(struct message * msg) * Responder is source, initiator is * destination. */ - if (ipsec_set_network(ie->id_cr, ie->id_ci, - isa)) { + if (ipsec_set_network(ie->id_cr, + ie->id_ci, isa)) { log_print("ipsec_finalize_exchange: " "ipsec_set_network failed"); return; @@ -354,12 +355,14 @@ ipsec_finalize_exchange(struct message * msg) proto = TAILQ_NEXT(proto, link)) { if (sysdep_ipsec_set_spi(sa, proto, 0, isakmp_sa) || - (last_proto && sysdep_ipsec_group_spis(sa, - last_proto, proto, 0)) || + (last_proto && + sysdep_ipsec_group_spis(sa, + last_proto, proto, 0)) || sysdep_ipsec_set_spi(sa, proto, - 1, isakmp_sa) || - (last_proto && sysdep_ipsec_group_spis(sa, - last_proto, proto, 1))) + 1, isakmp_sa) || + (last_proto && + sysdep_ipsec_group_spis(sa, + last_proto, proto, 1))) /* * XXX Tear down this * exchange. @@ -379,11 +382,14 @@ ipsec_finalize_exchange(struct message * msg) mask2 = 0; LOG_DBG((LOG_EXCHANGE, 50, - "ipsec_finalize_exchange: " - "src %s %s dst %s %s tproto %u sport %u dport %u", - addr1 ? addr1 : "<??\?>", mask1 ? mask1 : "<??\?>", - addr2 ? addr2 : "<??\?>", mask2 ? mask2 : "<??\?>", - isa->tproto, ntohs(isa->sport), ntohs(isa->dport))); + "ipsec_finalize_exchange: src %s %s " + "dst %s %s tproto %u sport %u dport %u", + addr1 ? addr1 : "<??\?>", + mask1 ? mask1 : "<??\?>", + addr2 ? addr2 : "<??\?>", + mask2 ? mask2 : "<??\?>", + isa->tproto, ntohs(isa->sport), + ntohs(isa->dport))); if (addr1) free(addr1); @@ -397,8 +403,9 @@ ipsec_finalize_exchange(struct message * msg) #endif /* USE_DEBUG */ /* - * If this is not an SA acquired by the kernel, it needs - * to have a SPD entry (a.k.a. flow) set up. + * If this is not an SA acquired by the + * kernel, it needs to have a SPD entry + * (a.k.a. flow) set up. */ if (!(sa->flags & SA_FLAG_ONDEMAND) && sysdep_ipsec_enable_sa(sa, isakmp_sa)) @@ -409,7 +416,8 @@ ipsec_finalize_exchange(struct message * msg) * Mark elder SAs with the same flow * information as replaced. */ - while ((old_sa = sa_find(ipsec_sa_check_flow, sa)) != 0) + while ((old_sa = sa_find(ipsec_sa_check_flow, + sa)) != 0) sa_mark_replaced(old_sa); } break; @@ -421,14 +429,14 @@ ipsec_finalize_exchange(struct message * msg) static int ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) { - int id; + int id; /* Set source address/mask. */ id = GET_ISAKMP_ID_TYPE(src_id); switch (id) { case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV4_ADDR_SUBNET: - isa->src_net = (struct sockaddr *) calloc(1, + isa->src_net = (struct sockaddr *)calloc(1, sizeof(struct sockaddr_in)); if (!isa->src_net) goto memfail; @@ -437,7 +445,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) isa->src_net->sa_len = sizeof(struct sockaddr_in); #endif - isa->src_mask = (struct sockaddr *) calloc(1, + isa->src_mask = (struct sockaddr *)calloc(1, sizeof(struct sockaddr_in)); if (!isa->src_mask) goto memfail; @@ -449,7 +457,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) case IPSEC_ID_IPV6_ADDR: case IPSEC_ID_IPV6_ADDR_SUBNET: - isa->src_net = (struct sockaddr *) calloc(1, + isa->src_net = (struct sockaddr *)calloc(1, sizeof(struct sockaddr_in6)); if (!isa->src_net) goto memfail; @@ -458,7 +466,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) isa->src_net->sa_len = sizeof(struct sockaddr_in6); #endif - isa->src_mask = (struct sockaddr *) calloc(1, + isa->src_mask = (struct sockaddr *)calloc(1, sizeof(struct sockaddr_in6)); if (!isa->src_mask) goto memfail; @@ -492,21 +500,22 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) break; case IPSEC_ID_IPV4_ADDR_SUBNET: case IPSEC_ID_IPV6_ADDR_SUBNET: - memcpy(sockaddr_addrdata(isa->src_mask), src_id + ISAKMP_ID_DATA_OFF + - sockaddr_addrlen(isa->src_net), sockaddr_addrlen(isa->src_mask)); + memcpy(sockaddr_addrdata(isa->src_mask), src_id + + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->src_net), + sockaddr_addrlen(isa->src_mask)); break; } memcpy(&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, - IPSEC_ID_PORT_LEN); + IPSEC_ID_PORT_LEN); /* Set destination address. */ id = GET_ISAKMP_ID_TYPE(dst_id); switch (id) { case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV4_ADDR_SUBNET: - isa->dst_net = - (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in)); + isa->dst_net = (struct sockaddr *)calloc(1, + sizeof(struct sockaddr_in)); if (!isa->dst_net) goto memfail; isa->dst_net->sa_family = AF_INET; @@ -514,8 +523,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) isa->dst_net->sa_len = sizeof(struct sockaddr_in); #endif - isa->dst_mask = - (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in)); + isa->dst_mask = (struct sockaddr *)calloc(1, + sizeof(struct sockaddr_in)); if (!isa->dst_mask) goto memfail; isa->dst_mask->sa_family = AF_INET; @@ -526,8 +535,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) case IPSEC_ID_IPV6_ADDR: case IPSEC_ID_IPV6_ADDR_SUBNET: - isa->dst_net = - (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in6)); + isa->dst_net = (struct sockaddr *)calloc(1, + sizeof(struct sockaddr_in6)); if (!isa->dst_net) goto memfail; isa->dst_net->sa_family = AF_INET6; @@ -535,8 +544,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) isa->dst_net->sa_len = sizeof(struct sockaddr_in6); #endif - isa->dst_mask = - (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in6)); + isa->dst_mask = (struct sockaddr *)calloc(1, + sizeof(struct sockaddr_in6)); if (!isa->dst_mask) goto memfail; isa->dst_mask->sa_family = AF_INET6; @@ -548,27 +557,27 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) /* Net */ memcpy(sockaddr_addrdata(isa->dst_net), dst_id + ISAKMP_ID_DATA_OFF, - sockaddr_addrlen(isa->dst_net)); + sockaddr_addrlen(isa->dst_net)); /* Mask */ switch (id) { case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV6_ADDR: memset(sockaddr_addrdata(isa->dst_mask), 0xff, - sockaddr_addrlen(isa->dst_mask)); + sockaddr_addrlen(isa->dst_mask)); break; case IPSEC_ID_IPV4_ADDR_SUBNET: case IPSEC_ID_IPV6_ADDR_SUBNET: - memcpy(sockaddr_addrdata(isa->dst_mask), dst_id + ISAKMP_ID_DATA_OFF + - sockaddr_addrlen(isa->dst_net), - sockaddr_addrlen(isa->dst_mask)); + memcpy(sockaddr_addrdata(isa->dst_mask), dst_id + + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->dst_net), + sockaddr_addrlen(isa->dst_mask)); break; } - memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF, - IPSEC_ID_PROTO_LEN); + memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF + + IPSEC_ID_PROTO_OFF, IPSEC_ID_PROTO_LEN); memcpy(&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, - IPSEC_ID_PORT_LEN); + IPSEC_ID_PORT_LEN); return 0; memfail: @@ -612,7 +621,8 @@ ipsec_free_exchange_data(void *vie) if (ie->group) group_free(ie->group); #ifdef USE_ISAKMP_CFG - for (attr = LIST_FIRST(&ie->attrs); attr; attr = LIST_FIRST(&ie->attrs)) { + for (attr = LIST_FIRST(&ie->attrs); attr; + attr = LIST_FIRST(&ie->attrs)) { LIST_REMOVE(attr, link); if (attr->length) free(attr->value); @@ -689,7 +699,7 @@ ipsec_get_keystate(struct message * msg) ks = malloc(sizeof *ks); if (!ks) { log_error("ipsec_get_keystate: malloc (%lu) failed", - (unsigned long) sizeof *ks); + (unsigned long) sizeof *ks); return 0; } memcpy(ks, msg->exchange->keystate, sizeof *ks); @@ -702,45 +712,43 @@ ipsec_get_keystate(struct message * msg) */ if (!msg->isakmp_sa->keystate) { log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p", - msg->isakmp_sa); + msg->isakmp_sa); return 0; } ks = crypto_clone_keystate(msg->isakmp_sa->keystate); if (!ks) return 0; - hash = hash_get(((struct ipsec_sa *) msg->isakmp_sa->data)->hash); + hash = hash_get(((struct ipsec_sa *)msg->isakmp_sa->data)->hash); hash->Init(hash->ctx); LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV", - ks->riv, ks->xf->blocksize)); + ks->riv, ks->xf->blocksize)); hash->Update(hash->ctx, ks->riv, ks->xf->blocksize); LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID", - ((u_int8_t *) msg->iov[0].iov_base) - + ISAKMP_HDR_MESSAGE_ID_OFF, - ISAKMP_HDR_MESSAGE_ID_LEN)); - hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF, - ISAKMP_HDR_MESSAGE_ID_LEN); + ISAKMP_HDR_MESSAGE_ID_LEN)); + hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) + + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN); hash->Final(hash->digest, hash->ctx); crypto_init_iv(ks, hash->digest, ks->xf->blocksize); LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV", - hash->digest, ks->xf->blocksize)); + hash->digest, ks->xf->blocksize)); return ks; } static void -ipsec_setup_situation(u_int8_t * buf) +ipsec_setup_situation(u_int8_t *buf) { SET_IPSEC_SIT_SIT(buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); } -static size_t +static size_t ipsec_situation_size(void) { return IPSEC_SIT_SIT_LEN; } -static u_int8_t +static u_int8_t ipsec_spi_size(u_int8_t proto) { return IPSEC_SPI_SIZE; @@ -748,13 +756,13 @@ ipsec_spi_size(u_int8_t proto) static int ipsec_validate_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vmsg) + void *vmsg) { struct message *msg = vmsg; if ((msg->exchange->phase == 1 - && (type < IKE_ATTR_ENCRYPTION_ALGORITHM - || type > IKE_ATTR_GROUP_ORDER)) + && (type < IKE_ATTR_ENCRYPTION_ALGORITHM + || type > IKE_ATTR_GROUP_ORDER)) || (msg->exchange->phase == 2 && (type < IPSEC_ATTR_SA_LIFE_TYPE || type > IPSEC_ATTR_ECN_TUNNEL))) @@ -769,39 +777,41 @@ ipsec_validate_exchange(u_int8_t exch) } static int -ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf, - size_t sz, struct exchange * exchange) +ipsec_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf, + size_t sz, struct exchange *exchange) { u_int8_t proto = GET_IPSEC_ID_PROTO(extra); u_int16_t port = GET_IPSEC_ID_PORT(extra); LOG_DBG((LOG_MESSAGE, 40, - "ipsec_validate_id_information: proto %d port %d type %d", - proto, port, type)); + "ipsec_validate_id_information: proto %d port %d type %d", + proto, port, type)); if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_KEY_ID) return -1; switch (type) { case IPSEC_ID_IPV4_ADDR: - LOG_DBG_BUF((LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4", - buf, sizeof(struct in_addr))); + LOG_DBG_BUF((LOG_MESSAGE, 40, + "ipsec_validate_id_information: IPv4", buf, + sizeof(struct in_addr))); break; case IPSEC_ID_IPV6_ADDR: - LOG_DBG_BUF((LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6", - buf, sizeof(struct in6_addr))); + LOG_DBG_BUF((LOG_MESSAGE, 40, + "ipsec_validate_id_information: IPv6", buf, + sizeof(struct in6_addr))); break; case IPSEC_ID_IPV4_ADDR_SUBNET: LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv4 network/netmask", - buf, 2 * sizeof(struct in_addr))); + "ipsec_validate_id_information: IPv4 network/netmask", + buf, 2 * sizeof(struct in_addr))); break; case IPSEC_ID_IPV6_ADDR_SUBNET: LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv6 network/netmask", - buf, 2 * sizeof(struct in6_addr))); + "ipsec_validate_id_information: IPv6 network/netmask", + buf, 2 * sizeof(struct in6_addr))); break; default: @@ -818,8 +828,8 @@ ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf, #ifdef notyet return -1; #else - log_print("ipsec_validate_id_information: " - "dubious ID information accepted"); + log_print("ipsec_validate_id_information: dubious ID " + "information accepted"); #endif } /* XXX More checks? */ @@ -828,7 +838,7 @@ ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf, } static int -ipsec_validate_key_information(u_int8_t * buf, size_t sz) +ipsec_validate_key_information(u_int8_t *buf, size_t sz) { /* XXX Not implemented yet. */ return 0; @@ -838,21 +848,22 @@ static int ipsec_validate_notification(u_int16_t type) { return type < IPSEC_NOTIFY_RESPONDER_LIFETIME - || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0; + || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0; } static int ipsec_validate_proto(u_int8_t proto) { - return proto < IPSEC_PROTO_IPSEC_AH || proto > IPSEC_PROTO_IPCOMP ? -1 : 0; + return proto < IPSEC_PROTO_IPSEC_AH + || proto > IPSEC_PROTO_IPCOMP ? -1 : 0; } static int -ipsec_validate_situation(u_int8_t * buf, size_t * sz, size_t len) +ipsec_validate_situation(u_int8_t *buf, size_t *sz, size_t len) { if (len < IPSEC_SIT_SIT_OFF + IPSEC_SIT_SIT_LEN) { log_print("ipsec_validate_situation: payload too short: %u", - (unsigned int) len); + (unsigned int) len); return -1; } /* Currently only "identity only" situations are supported. */ @@ -869,41 +880,42 @@ ipsec_validate_transform_id(u_int8_t proto, u_int8_t transform_id) { switch (proto) { /* - * As no unexpected protocols can occur, we just tie the default case - * to the first case, in orer to silence a GCC warning. + * As no unexpected protocols can occur, we just tie the + * default case to the first case, in orer to silence a GCC + * warning. */ default: case ISAKMP_PROTO_ISAKMP: - return transform_id != IPSEC_TRANSFORM_KEY_IKE; - case IPSEC_PROTO_IPSEC_AH: - return - transform_id < IPSEC_AH_MD5 || transform_id > IPSEC_AH_DES ? -1 : 0; + return transform_id != IPSEC_TRANSFORM_KEY_IKE; + case IPSEC_PROTO_IPSEC_AH: + return transform_id < IPSEC_AH_MD5 + || transform_id > IPSEC_AH_DES ? -1 : 0; case IPSEC_PROTO_IPSEC_ESP: return transform_id < IPSEC_ESP_DES_IV64 - || (transform_id > IPSEC_ESP_AES_128_CTR - && transform_id < IPSEC_ESP_AES_MARS) - || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0; + || (transform_id > IPSEC_ESP_AES_128_CTR + && transform_id < IPSEC_ESP_AES_MARS) + || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0; case IPSEC_PROTO_IPCOMP: return transform_id < IPSEC_IPCOMP_OUI - || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0; + || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0; } } static int -ipsec_initiator(struct message * msg) +ipsec_initiator(struct message *msg) { struct exchange *exchange = msg->exchange; - int (**script) (struct message *) = 0; + int (**script)(struct message *) = 0; /* Check that the SA is coherent with the IKE rules. */ if (exchange->type != ISAKMP_EXCH_TRANSACTION - && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT - && exchange->type != ISAKMP_EXCH_AGGRESSIVE - && exchange->type != ISAKMP_EXCH_INFO) - || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE - && exchange->type != ISAKMP_EXCH_INFO))) { - log_print("ipsec_initiator: unsupported exchange type %d in phase %d", - exchange->type, exchange->phase); + && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != ISAKMP_EXCH_INFO) + || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE + && exchange->type != ISAKMP_EXCH_INFO))) { + log_print("ipsec_initiator: unsupported exchange type %d " + "in phase %d", exchange->type, exchange->phase); return -1; } switch (exchange->type) { @@ -945,15 +957,15 @@ ipsec_initiator(struct message * msg) * or 4-octet otherwise. */ static void -ipsec_delete_spi_list(struct sockaddr * addr, u_int8_t proto, - u_int8_t * spis, int nspis, char *type) +ipsec_delete_spi_list(struct sockaddr *addr, u_int8_t proto, u_int8_t *spis, + int nspis, char *type) { struct sa *sa; int i; for (i = 0; i < nspis; i++) { if (proto == ISAKMP_PROTO_ISAKMP) { - u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN; + u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN; /* * This really shouldn't happen in IPSEC DOI @@ -962,46 +974,47 @@ ipsec_delete_spi_list(struct sockaddr * addr, u_int8_t proto, */ sa = sa_lookup_isakmp_sa(addr, spi); } else { - u_int32_t spi = ((u_int32_t *) spis)[i]; + u_int32_t spi = ((u_int32_t *)spis)[i]; sa = ipsec_sa_lookup(addr, spi, proto); } if (sa == NULL) { - LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: " - "could not locate SA (SPI %08x, proto %u)", - ((u_int32_t *) spis)[i], proto)); + LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: could " + "not locate SA (SPI %08x, proto %u)", + ((u_int32_t *)spis)[i], proto)); continue; } /* Delete the SA and search for the next */ LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: " - "%s made us delete SA %p (%d references) for proto %d", - type, sa, sa->refcnt, proto)); + "%s made us delete SA %p (%d references) for proto %d", + type, sa, sa->refcnt, proto)); sa_free(sa); } } static int -ipsec_responder(struct message * msg) +ipsec_responder(struct message *msg) { struct exchange *exchange = msg->exchange; - int (**script) (struct message *) = 0; + int (**script)(struct message *) = 0; struct payload *p; u_int16_t type; /* Check that a new exchange is coherent with the IKE rules. */ if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION - && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT - && exchange->type != ISAKMP_EXCH_AGGRESSIVE - && exchange->type != ISAKMP_EXCH_INFO) - || (exchange->phase == 2 && exchange->type == ISAKMP_EXCH_ID_PROT))) { - message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != ISAKMP_EXCH_INFO) + || (exchange->phase == 2 && exchange->type == + ISAKMP_EXCH_ID_PROT))) { + message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, + 0, 1, 0); return -1; } - LOG_DBG((LOG_MISC, 30, - "ipsec_responder: phase %d exchange %d step %d", exchange->phase, - exchange->type, exchange->step)); + LOG_DBG((LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d", + exchange->phase, exchange->type, exchange->step)); switch (exchange->type) { case ISAKMP_EXCH_ID_PROT: script = ike_main_mode_responder; @@ -1021,18 +1034,18 @@ ipsec_responder(struct message * msg) case ISAKMP_EXCH_INFO: for (p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p; - p = TAILQ_NEXT(p, link)) { + p = TAILQ_NEXT(p, link)) { type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p); LOG_DBG((LOG_EXCHANGE, 10, - "ipsec_responder: got NOTIFY of type %s", - constant_name(isakmp_notify_cst, type))); + "ipsec_responder: got NOTIFY of type %s", + constant_name(isakmp_notify_cst, type))); p->flags |= PL_MARK; } /* - * If any DELETEs are in here, let the logic of leftover payloads deal - * with them. + * If any DELETEs are in here, let the logic of leftover + * payloads deal with them. */ return 0; @@ -1042,7 +1055,8 @@ ipsec_responder(struct message * msg) break; default: - message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, + 0, 1, 0); return -1; } @@ -1051,7 +1065,8 @@ ipsec_responder(struct message * msg) return script[exchange->step] (msg); /* - * XXX So far we don't accept any proposals for exchanges we don't support. + * XXX So far we don't accept any proposals for exchanges we don't + * support. */ if (TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_SA])) { message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); @@ -1085,8 +1100,8 @@ from_ike_crypto(u_int16_t crypto) * VMSG is a pointer to the current message. */ int -ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value, - u_int16_t len, void *vmsg) +ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) { struct message *msg = vmsg; @@ -1100,9 +1115,9 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value, return !ike_auth_get(decode_16(value)); case IKE_ATTR_GROUP_DESCRIPTION: return (decode_16(value) < IKE_GROUP_DESC_MODP_768 - || decode_16(value) > IKE_GROUP_DESC_MODP_1536) - && (decode_16(value) < IKE_GROUP_DESC_MODP_2048 - || decode_16(value) > IKE_GROUP_DESC_MODP_8192); + || decode_16(value) > IKE_GROUP_DESC_MODP_1536) + && (decode_16(value) < IKE_GROUP_DESC_MODP_2048 + || decode_16(value) > IKE_GROUP_DESC_MODP_8192); case IKE_ATTR_GROUP_TYPE: return 1; case IKE_ATTR_GROUP_PRIME: @@ -1117,15 +1132,15 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value, return 1; case IKE_ATTR_LIFE_TYPE: return decode_16(value) < IKE_DURATION_SECONDS - || decode_16(value) > IKE_DURATION_KILOBYTES; + || decode_16(value) > IKE_DURATION_KILOBYTES; case IKE_ATTR_LIFE_DURATION: return len != 2 && len != 4; case IKE_ATTR_PRF: return 1; case IKE_ATTR_KEY_LENGTH: /* - * Our crypto routines only allows key-lengths which are multiples - * of an octet. + * Our crypto routines only allows key-lengths which + * are multiples of an octet. */ return decode_16(value) % 8 != 0; case IKE_ATTR_FIELD_SIZE: @@ -1137,20 +1152,20 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value, switch (type) { case IPSEC_ATTR_SA_LIFE_TYPE: return decode_16(value) < IPSEC_DURATION_SECONDS - || decode_16(value) > IPSEC_DURATION_KILOBYTES; + || decode_16(value) > IPSEC_DURATION_KILOBYTES; case IPSEC_ATTR_SA_LIFE_DURATION: return len != 2 && len != 4; case IPSEC_ATTR_GROUP_DESCRIPTION: return (decode_16(value) < IKE_GROUP_DESC_MODP_768 - || decode_16(value) > IKE_GROUP_DESC_MODP_1536) - && (decode_16(value) < IKE_GROUP_DESC_MODP_2048 - || IKE_GROUP_DESC_MODP_8192 < decode_16(value)); + || decode_16(value) > IKE_GROUP_DESC_MODP_1536) + && (decode_16(value) < IKE_GROUP_DESC_MODP_2048 + || IKE_GROUP_DESC_MODP_8192 < decode_16(value)); case IPSEC_ATTR_ENCAPSULATION_MODE: return decode_16(value) < IPSEC_ENCAP_TUNNEL - || decode_16(value) > IPSEC_ENCAP_TRANSPORT; + || decode_16(value) > IPSEC_ENCAP_TRANSPORT; case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: return decode_16(value) < IPSEC_AUTH_HMAC_MD5 - || decode_16(value) > IPSEC_AUTH_HMAC_RIPEMD; + || decode_16(value) > IPSEC_AUTH_HMAC_RIPEMD; case IPSEC_ATTR_KEY_LENGTH: /* * XXX Blowfish needs '0'. Others appear to disregard @@ -1177,8 +1192,8 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value, * in human-readable form. VMSG is a pointer to the current message. */ int -ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vmsg) +ipsec_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) { struct message *msg = vmsg; char val[20]; @@ -1192,9 +1207,8 @@ ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, snprintf(val, sizeof val, "unrepresentable"); LOG_DBG((LOG_MESSAGE, 50, "Attribute %s value %s", - constant_name(msg->exchange->phase == 1 - ? ike_attr_cst : ipsec_attr_cst, type), - val)); + constant_name(msg->exchange->phase == 1 ? ike_attr_cst : + ipsec_attr_cst, type), val)); return 0; } #endif @@ -1205,8 +1219,8 @@ ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, * current message, SA and protocol. */ int -ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vida) +ipsec_decode_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, + void *vida) { struct ipsec_decode_arg *ida = vida; struct message *msg = ida->msg; @@ -1222,7 +1236,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, switch (type) { case IKE_ATTR_ENCRYPTION_ALGORITHM: /* XXX Errors possible? */ - exchange->crypto = crypto_get(from_ike_crypto(decode_16(value))); + exchange->crypto = crypto_get(from_ike_crypto( + decode_16(value))); break; case IKE_ATTR_HASH_ALGORITHM: /* XXX Errors possible? */ @@ -1261,7 +1276,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, sa->seconds = decode_32(value); break; default: - log_print("ipsec_decode_attribute: unreasonable lifetime"); + log_print("ipsec_decode_attribute: " + "unreasonable lifetime"); } break; case IKE_DURATION_KILOBYTES: @@ -1273,11 +1289,13 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, sa->kilobytes = decode_32(value); break; default: - log_print("ipsec_decode_attribute: unreasonable lifetime"); + log_print("ipsec_decode_attribute: " + "unreasonable lifetime"); } break; default: - log_print("ipsec_decode_attribute: unknown lifetime type"); + log_print("ipsec_decode_attribute: unknown " + "lifetime type"); } break; case IKE_ATTR_PRF: @@ -1306,7 +1324,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, sa->seconds = decode_32(value); break; default: - log_print("ipsec_decode_attribute: unreasonable lifetime"); + log_print("ipsec_decode_attribute: " + "unreasonable lifetime"); } break; case IPSEC_DURATION_KILOBYTES: @@ -1318,11 +1337,13 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, sa->kilobytes = decode_32(value); break; default: - log_print("ipsec_decode_attribute: unreasonable lifetime"); + log_print("ipsec_decode_attribute: " + "unreasonable lifetime"); } break; default: - log_print("ipsec_decode_attribute: unknown lifetime type"); + log_print("ipsec_decode_attribute: unknown " + "lifetime type"); } break; case IPSEC_ATTR_GROUP_DESCRIPTION: @@ -1362,14 +1383,14 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, * processed. */ void -ipsec_decode_transform(struct message * msg, struct sa * sa, - struct proto * proto, u_int8_t * buf) +ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto, + u_int8_t *buf) { struct ipsec_exch *ie = msg->exchange->data; struct ipsec_decode_arg ida; LOG_DBG((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen", - GET_ISAKMP_TRANSFORM_NO(buf))); + GET_ISAKMP_TRANSFORM_NO(buf))); ida.msg = msg; ida.sa = sa; @@ -1381,8 +1402,8 @@ ipsec_decode_transform(struct message * msg, struct sa * sa, /* Extract the attributes and stuff them into the SA. */ attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - ipsec_decode_attribute, &ida); + GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + ipsec_decode_attribute, &ida); /* * If no pseudo-random function was negotiated, it's HMAC. @@ -1397,7 +1418,7 @@ ipsec_decode_transform(struct message * msg, struct sa * sa, * of the IKE security association SA. */ static void -ipsec_delete_spi(struct sa * sa, struct proto * proto, int incoming) +ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming) { if (sa->phase == 1) return; @@ -1410,7 +1431,7 @@ ipsec_delete_spi(struct sa * sa, struct proto * proto, int incoming) * PEER is non-zero when the value is our peer's, and zero when it is ours. */ static int -ipsec_g_x(struct message * msg, int peer, u_int8_t * buf) +ipsec_g_x(struct message *msg, int peer, u_int8_t *buf) { struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; @@ -1421,18 +1442,20 @@ ipsec_g_x(struct message * msg, int peer, u_int8_t * buf) g_x = initiator ? &ie->g_xi : &ie->g_xr; *g_x = malloc(ie->g_x_len); if (!*g_x) { - log_error("ipsec_g_x: malloc (%lu) failed", (unsigned long) ie->g_x_len); + log_error("ipsec_g_x: malloc (%lu) failed", + (unsigned long)ie->g_x_len); return -1; } memcpy(*g_x, buf, ie->g_x_len); - snprintf(header, sizeof header, "ipsec_g_x: g^x%c", initiator ? 'i' : 'r'); + snprintf(header, sizeof header, "ipsec_g_x: g^x%c", + initiator ? 'i' : 'r'); LOG_DBG_BUF((LOG_MISC, 80, header, *g_x, ie->g_x_len)); return 0; } /* Generate our DH value. */ int -ipsec_gen_g_x(struct message * msg) +ipsec_gen_g_x(struct message *msg) { struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; @@ -1441,11 +1464,11 @@ ipsec_gen_g_x(struct message * msg) buf = malloc(ISAKMP_KE_SZ + ie->g_x_len); if (!buf) { log_error("ipsec_gen_g_x: malloc (%lu) failed", - ISAKMP_KE_SZ + (unsigned long) ie->g_x_len); + ISAKMP_KE_SZ + (unsigned long)ie->g_x_len); return -1; } if (message_add_payload(msg, ISAKMP_PAYLOAD_KEY_EXCH, buf, - ISAKMP_KE_SZ + ie->g_x_len, 1)) { + ISAKMP_KE_SZ + ie->g_x_len, 1)) { free(buf); return -1; } @@ -1459,7 +1482,7 @@ ipsec_gen_g_x(struct message * msg) /* Save the peer's DH value. */ int -ipsec_save_g_x(struct message * msg) +ipsec_save_g_x(struct message *msg) { struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; @@ -1483,7 +1506,7 @@ ipsec_save_g_x(struct message * msg) * size where SZ points. NB! A zero return is OK if *SZ is zero. */ static u_int8_t * -ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg) +ipsec_get_spi(size_t *sz, u_int8_t proto, struct message *msg) { struct sockaddr *dst, *src; struct transport *transport = msg->transport; @@ -1496,7 +1519,8 @@ ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg) transport->vtbl->get_src(transport, &dst); /* The peer is the source. */ transport->vtbl->get_dst(transport, &src); - return sysdep_ipsec_get_spi(sz, proto, src, dst, msg->exchange->seq); + return sysdep_ipsec_get_spi(sz, proto, src, dst, + msg->exchange->seq); } } @@ -1507,8 +1531,8 @@ ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg) * 0. */ int -ipsec_handle_leftover_payload(struct message * msg, u_int8_t type, - struct payload * payload) +ipsec_handle_leftover_payload(struct message *msg, u_int8_t type, + struct payload *payload) { u_int32_t spisz, nspis; struct sockaddr *dst; @@ -1523,22 +1547,24 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type, spisz = GET_ISAKMP_DELETE_SPI_SZ(payload->p); if (nspis == 0) { - LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: message " - "specified zero SPIs, ignoring")); + LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: " + "message specified zero SPIs, ignoring")); return -1; } /* verify proper SPI size */ - if ((proto == ISAKMP_PROTO_ISAKMP && spisz != ISAKMP_HDR_COOKIES_LEN) - || (proto != ISAKMP_PROTO_ISAKMP && spisz != sizeof(u_int32_t))) { - log_print("ipsec_handle_leftover_payload: " - "invalid SPI size %d for proto %d in DELETE payload", - spisz, proto); + if ((proto == ISAKMP_PROTO_ISAKMP && spisz != + ISAKMP_HDR_COOKIES_LEN) + || (proto != ISAKMP_PROTO_ISAKMP && spisz != + sizeof(u_int32_t))) { + log_print("ipsec_handle_leftover_payload: invalid SPI " + "size %d for proto %d in DELETE payload", + spisz, proto); return -1; } spis = (u_int8_t *) malloc(nspis * spisz); if (!spis) { - log_error("ipsec_handle_leftover_payload: malloc (%d) failed", - nspis * spisz); + log_error("ipsec_handle_leftover_payload: malloc " + "(%d) failed", nspis * spisz); return -1; } /* extract SPI and get dst address */ @@ -1559,35 +1585,40 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type, * - this is not an AGGRESSIVE mode exchange * - it is protected by an ISAKMP SA * - * XXX Instead of the first condition above, we could permit this - * XXX only for phase 2. In the last packet of main-mode, this - * XXX payload, while encrypted, is not part of the hash digest. - * XXX As we currently send our own INITIAL-CONTACTs at this point, - * XXX this too would need to be changed. + * XXX Instead of the first condition above, we could + * XXX permit this only for phase 2. In the last + * XXX packet of main-mode, this payload, while + * XXX encrypted, is not part of the hash digest. As + * XXX we currently send our own INITIAL-CONTACTs at + * XXX this point, this too would need to be changed. */ if (msg->exchange->type == ISAKMP_EXCH_AGGRESSIVE) { - log_print("ipsec_handle_leftover_payload: got INITIAL-CONTACT " - "in AGGRESSIVE mode"); + log_print("ipsec_handle_leftover_payload: got " + "INITIAL-CONTACT in AGGRESSIVE mode"); return -1; } - if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT) == 0) { - log_print("ipsec_handle_leftover_payload: got INITIAL-CONTACT " - "without ISAKMP SA"); + if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT) + == 0) { + log_print("ipsec_handle_leftover_payload: got " + "INITIAL-CONTACT without ISAKMP SA"); return -1; } /* - * Find out who is sending this and then delete every SA that is - * ready. Exchanges will timeout themselves and then the - * non-ready SAs will disappear too. + * Find out who is sending this and then delete every + * SA that is ready. Exchanges will timeout + * themselves and then the non-ready SAs will + * disappear too. */ msg->transport->vtbl->get_dst(msg->transport, &dst); - while ((sa = sa_lookup_by_peer(dst, sysdep_sa_len(dst))) != 0) { + while ((sa = sa_lookup_by_peer(dst, sysdep_sa_len(dst))) + != 0) { /* - * Don't delete the current SA -- we received the - * notification over it, so it's obviously still - * active. We temporarily need to remove the SA - * from the list to avoid an endless loop, but - * keep a reference so it won't disappear meanwhile. + * Don't delete the current SA -- we received + * the notification over it, so it's obviously + * still active. We temporarily need to remove + * the SA from the list to avoid an endless + * loop, but keep a reference so it won't + * disappear meanwhile. */ if (sa == msg->isakmp_sa) { sa_reference(sa); @@ -1615,7 +1646,7 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type, /* Return the encryption keylength in octets of the ESP protocol PROTO. */ int -ipsec_esp_enckeylength(struct proto * proto) +ipsec_esp_enckeylength(struct proto *proto) { struct ipsec_proto *iproto = proto->data; @@ -1643,7 +1674,7 @@ ipsec_esp_enckeylength(struct proto * proto) /* Return the authentication keylength in octets of the ESP protocol PROTO. */ int -ipsec_esp_authkeylength(struct proto * proto) +ipsec_esp_authkeylength(struct proto *proto) { struct ipsec_proto *iproto = proto->data; @@ -1666,7 +1697,7 @@ ipsec_esp_authkeylength(struct proto * proto) /* Return the authentication keylength in octets of the AH protocol PROTO. */ int -ipsec_ah_keylength(struct proto * proto) +ipsec_ah_keylength(struct proto *proto) { switch (proto->id) { case IPSEC_AH_MD5: @@ -1687,11 +1718,12 @@ ipsec_ah_keylength(struct proto * proto) /* Return the total keymaterial length of the protocol PROTO. */ int -ipsec_keymat_length(struct proto * proto) +ipsec_keymat_length(struct proto *proto) { switch (proto->proto) { case IPSEC_PROTO_IPSEC_ESP: - return ipsec_esp_enckeylength(proto) + ipsec_esp_authkeylength(proto); + return ipsec_esp_enckeylength(proto) + + ipsec_esp_authkeylength(proto); case IPSEC_PROTO_IPSEC_AH: return ipsec_ah_keylength(proto); default: @@ -1842,8 +1874,8 @@ ipsec_get_id(char *section, int *id, struct sockaddr **addr, * we cannot fit the information in the supplied buffer. */ static void -ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len, - int isakmpform) +ipsec_decode_id(char *buf, size_t size, u_int8_t *id, size_t id_len, + int isakmpform) { int id_type; char *addr = 0, *mask = 0; @@ -1864,29 +1896,30 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len, case IPSEC_ID_IPV4_ADDR: util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF); snprintf(buf, size, "%08x: %s", - decode_32(id + ISAKMP_ID_DATA_OFF), addr); + decode_32(id + ISAKMP_ID_DATA_OFF), addr); break; case IPSEC_ID_IPV4_ADDR_SUBNET: util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF); util_ntoa(&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4); snprintf(buf, size, "%08x/%08x: %s/%s", - decode_32(id + ISAKMP_ID_DATA_OFF), + decode_32(id + ISAKMP_ID_DATA_OFF), decode_32(id + ISAKMP_ID_DATA_OFF + 4), addr, mask); break; case IPSEC_ID_IPV6_ADDR: util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF); - snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp, *(idp + 1), - *(idp + 2), *(idp + 3), addr); + snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp, + *(idp + 1), *(idp + 2), *(idp + 3), addr); break; case IPSEC_ID_IPV6_ADDR_SUBNET: util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF); util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF + - sizeof(struct in6_addr)); - snprintf(buf, size, "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s", - *idp, *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4), + sizeof(struct in6_addr)); + snprintf(buf, size, + "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s", *idp, + *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4), *(idp + 5), *(idp + 6), *(idp + 7), addr, mask); break; @@ -1902,7 +1935,7 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len, #ifdef USE_X509 case IPSEC_ID_DER_ASN1_DN: addr = x509_DN_string(id + ISAKMP_ID_DATA_OFF, - id_len - ISAKMP_ID_DATA_OFF); + id_len - ISAKMP_ID_DATA_OFF); if (!addr) { snprintf(buf, size, "unparsable ASN1 DN ID"); return; @@ -1923,9 +1956,9 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len, free(mask); } -char * -ipsec_decode_ids(char *fmt, u_int8_t * id1, size_t id1_len, - u_int8_t * id2, size_t id2_len, int isakmpform) +char * +ipsec_decode_ids(char *fmt, u_int8_t *id1, size_t id1_len, u_int8_t *id2, + size_t id2_len, int isakmpform) { static char result[1024]; char s_id1[256], s_id2[256]; @@ -1942,8 +1975,8 @@ ipsec_decode_ids(char *fmt, u_int8_t * id1, size_t id1_len, * ISAKMP ID payload. Ths payload size should be stashed in SZ. * The caller is responsible for freeing the payload. */ -u_int8_t * -ipsec_build_id(char *section, size_t * sz) +u_int8_t * +ipsec_build_id(char *section, size_t *sz) { struct sockaddr *addr, *mask; u_int8_t *p; @@ -1963,17 +1996,18 @@ ipsec_build_id(char *section, size_t * sz) p = malloc(*sz); if (!p) { - log_print("ipsec_build_id: malloc(%lu) failed", (unsigned long) *sz); + log_print("ipsec_build_id: malloc(%lu) failed", + (unsigned long)*sz); return 0; } SET_ISAKMP_ID_TYPE(p, id); - SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *) "\000\000\000"); + SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *)"\000\000\000"); memcpy(p + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(addr), - sockaddr_addrlen(addr)); + sockaddr_addrlen(addr)); if (subnet) memcpy(p + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(addr), - sockaddr_addrdata(mask), sockaddr_addrlen(mask)); + sockaddr_addrdata(mask), sockaddr_addrlen(mask)); SET_IPSEC_ID_PROTO(p + ISAKMP_ID_DOI_DATA_OFF, tproto); SET_IPSEC_ID_PORT(p + ISAKMP_ID_DOI_DATA_OFF, port); @@ -1985,7 +2019,7 @@ ipsec_build_id(char *section, size_t * sz) * copy an ISAKMPD id */ int -ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len) +ipsec_clone_id(u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len) { if (*did) free(*did); @@ -1998,7 +2032,8 @@ ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len) *did = malloc(id_len); if (!*did) { *did_len = 0; - log_error("ipsec_clone_id: malloc(%lu) failed", (unsigned long) id_len); + log_error("ipsec_clone_id: malloc(%lu) failed", + (unsigned long)id_len); return -1; } *did_len = id_len; @@ -2013,13 +2048,13 @@ ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len) * XXX I want to fix this later. */ void -ipsec_proto_init(struct proto * proto, char *section) +ipsec_proto_init(struct proto *proto, char *section) { struct ipsec_proto *iproto = proto->data; if (proto->sa->phase == 2 && section) - iproto->replay_window - = conf_get_num(section, "ReplayWindow", DEFAULT_REPLAY_WINDOW); + iproto->replay_window = conf_get_num(section, "ReplayWindow", + DEFAULT_REPLAY_WINDOW); } /* @@ -2027,9 +2062,9 @@ ipsec_proto_init(struct proto * proto, char *section) * the first contact we have made to our peer. */ int -ipsec_initial_contact(struct message * msg) +ipsec_initial_contact(struct message *msg) { - u_int8_t *buf; + u_int8_t *buf; if (ipsec_contacted(msg)) return 0; @@ -2037,7 +2072,7 @@ ipsec_initial_contact(struct message * msg) buf = malloc(ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); if (!buf) { log_error("ike_phase_1_initial_contact: malloc (%d) failed", - ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); + ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); return -1; } SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC); @@ -2045,9 +2080,9 @@ ipsec_initial_contact(struct message * msg) SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN); SET_ISAKMP_NOTIFY_MSG_TYPE(buf, IPSEC_NOTIFY_INITIAL_CONTACT); memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies, - ISAKMP_HDR_COOKIES_LEN); + ISAKMP_HDR_COOKIES_LEN); if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf, - ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) { + ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) { free(buf); return -1; } @@ -2075,7 +2110,7 @@ addr_cmp(const void *a, const void *b) * is unimportant, if this is to scale. */ static int -ipsec_add_contact(struct message * msg) +ipsec_add_contact(struct message *msg) { struct contact *new_contacts; struct sockaddr *dst, *addr; @@ -2085,8 +2120,8 @@ ipsec_add_contact(struct message * msg) cnt = contact_limit ? 2 * contact_limit : 64; new_contacts = realloc(contacts, cnt * sizeof contacts[0]); if (!new_contacts) { - log_error("ipsec_add_contact: realloc (%p, %lu) failed", contacts, - cnt * (unsigned long) sizeof contacts[0]); + log_error("ipsec_add_contact: realloc (%p, %lu) failed", + contacts, cnt * (unsigned long) sizeof contacts[0]); return -1; } contact_limit = cnt; @@ -2095,7 +2130,8 @@ ipsec_add_contact(struct message * msg) msg->transport->vtbl->get_dst(msg->transport, &dst); addr = malloc(sysdep_sa_len(dst)); if (!addr) { - log_error("ipsec_add_contact: malloc (%d) failed", sysdep_sa_len(dst)); + log_error("ipsec_add_contact: malloc (%d) failed", + sysdep_sa_len(dst)); return -1; } memcpy(addr, dst, sysdep_sa_len(dst)); @@ -2112,32 +2148,30 @@ ipsec_add_contact(struct message * msg) /* Return true if the recipient of MSG has already been contacted. */ static int -ipsec_contacted(struct message * msg) +ipsec_contacted(struct message *msg) { struct contact contact; msg->transport->vtbl->get_dst(msg->transport, &contact.addr); contact.len = sysdep_sa_len(contact.addr); - return contacts - ? (bsearch(&contact, contacts, contact_cnt, sizeof *contacts, addr_cmp) - != 0) - : 0; + return contacts ? (bsearch(&contact, contacts, contact_cnt, + sizeof *contacts, addr_cmp) != 0) : 0; } /* Add a HASH for to MSG. */ -u_int8_t * -ipsec_add_hash_payload(struct message * msg, size_t hashsize) +u_int8_t * +ipsec_add_hash_payload(struct message *msg, size_t hashsize) { - u_int8_t *buf; + u_int8_t *buf; buf = malloc(ISAKMP_HASH_SZ + hashsize); if (!buf) { log_error("ipsec_add_hash_payload: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long) hashsize); + ISAKMP_HASH_SZ + (unsigned long) hashsize); return 0; } if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, - ISAKMP_HASH_SZ + hashsize, 1)) { + ISAKMP_HASH_SZ + hashsize, 1)) { free(buf); return 0; } @@ -2146,7 +2180,7 @@ ipsec_add_hash_payload(struct message * msg, size_t hashsize) /* Fill in the HASH payload of MSG. */ int -ipsec_fill_in_hash(struct message * msg) +ipsec_fill_in_hash(struct message *msg) { struct exchange *exchange = msg->exchange; struct sa *isakmp_sa = msg->isakmp_sa; @@ -2170,37 +2204,40 @@ ipsec_fill_in_hash(struct message * msg) buf = payload->p; /* Allocate the prf and start calculating our HASH(1). */ - LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", isa->skeyid_a, - isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len); + LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", + isa->skeyid_a, isa->skeyid_len)); + prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, + isa->skeyid_len); if (!prf) return -1; prf->Init(prf->prfctx); LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); + exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); + prf->Update(prf->prfctx, exchange->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN); /* Loop over all payloads after HASH(1). */ for (i = 2; i < msg->iovlen; i++) { /* XXX Misleading payload type printouts. */ snprintf(header, sizeof header, - "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1); + "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1); LOG_DBG_BUF((LOG_MISC, 90, header, msg->iov[i].iov_base, - msg->iov[i].iov_len)); - prf->Update(prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len); + msg->iov[i].iov_len)); + prf->Update(prf->prfctx, msg->iov[i].iov_base, + msg->iov[i].iov_len); } prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); prf_free(prf); - LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", - buf + ISAKMP_HASH_DATA_OFF, hash->hashsize)); + LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf + + ISAKMP_HASH_DATA_OFF, hash->hashsize)); return 0; } /* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */ static int -ipsec_informational_pre_hook(struct message * msg) +ipsec_informational_pre_hook(struct message *msg) { struct sa *isakmp_sa = msg->isakmp_sa; struct ipsec_sa *isa; @@ -2217,7 +2254,7 @@ ipsec_informational_pre_hook(struct message * msg) * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by. */ static int -ipsec_informational_post_hook(struct message * msg) +ipsec_informational_post_hook(struct message *msg) { if (!msg->isakmp_sa) return 0; @@ -2225,13 +2262,14 @@ ipsec_informational_post_hook(struct message * msg) } ssize_t -ipsec_id_size(char *section, u_int8_t * id) +ipsec_id_size(char *section, u_int8_t *id) { - char *type, *data; + char *type, *data; type = conf_get_str(section, "ID-type"); if (!type) { - log_print("ipsec_id_size: section %s has no \"ID-type\" tag", section); + log_print("ipsec_id_size: section %s has no \"ID-type\" tag", + section); return -1; } *id = constant_value(ipsec_id_cst, type); @@ -2251,30 +2289,31 @@ ipsec_id_size(char *section, u_int8_t * id) case IPSEC_ID_DER_ASN1_GN: data = conf_get_str(section, "Name"); if (!data) { - log_print("ipsec_id_size: section %s has no \"Name\" tag", section); + log_print("ipsec_id_size: section %s has no \"Name\" tag", + section); return -1; } return strlen(data); } log_print("ipsec_id_size: unrecognized/unsupported ID-type %d (%s)", - *id, type); + *id, type); return -1; } /* * Generate a string version of the ID. */ -char * -ipsec_id_string(u_int8_t * id, size_t id_len) +char * +ipsec_id_string(u_int8_t *id, size_t id_len) { char *buf = 0; char *addrstr = 0; size_t len, size; /* - * XXX Real ugly way of making the offsets correct. Be aware that id now - * will point before the actual buffer and cannot be dereferenced without - * an offset larger than or equal to ISAKM_GEN_SZ. + * XXX Real ugly way of making the offsets correct. Be aware that id + * now will point before the actual buffer and cannot be dereferenced + * without an offset larger than or equal to ISAKM_GEN_SZ. */ id -= ISAKMP_GEN_SZ; @@ -2287,7 +2326,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len) * estimate. */ size = MAX(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", - sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF); + sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF); buf = malloc(size); if (!buf) /* XXX Log? */ @@ -2316,7 +2355,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len) case IPSEC_ID_USER_FQDN: strlcpy(buf, GET_ISAKMP_ID_TYPE(id) == IPSEC_ID_FQDN ? "fqdn/" : "ufqdn/", - size); + size); len = strlen(buf); memcpy(buf + len, id + ISAKMP_ID_DATA_OFF, id_len); @@ -2328,7 +2367,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len) strlcpy(buf, "asn1_dn/", size); len = strlen(buf); addrstr = x509_DN_string(id + ISAKMP_ID_DATA_OFF, - id_len - ISAKMP_ID_DATA_OFF); + id_len - ISAKMP_ID_DATA_OFF); if (!addrstr) goto fail; if (size < len + strlen(addrstr) + 1) @@ -2339,8 +2378,9 @@ ipsec_id_string(u_int8_t * id, size_t id_len) default: /* Unknown type. */ - LOG_DBG((LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n", - GET_ISAKMP_ID_TYPE(id))); + LOG_DBG((LOG_MISC, 10, + "ipsec_id_string: unknown identity type %d\n", + GET_ISAKMP_ID_TYPE(id))); goto fail; } diff --git a/sbin/isakmpd/ipsec.h b/sbin/isakmpd/ipsec.h index a39184f041a..1b3c9963c1f 100644 --- a/sbin/isakmpd/ipsec.h +++ b/sbin/isakmpd/ipsec.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec.h,v 1.23 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ipsec.h,v 1.24 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */ /* @@ -67,8 +67,8 @@ struct ipsec_exch { u_int8_t pfs; /* - * A copy of the initiator SA payload body for later computation of hashes. - * Phase 1 only. + * A copy of the initiator SA payload body for later computation of + * hashes. Phase 1 only. */ size_t sa_i_b_len; u_int8_t *sa_i_b; @@ -144,34 +144,30 @@ struct ipsec_proto { u_int8_t *keymat[2]; }; -extern u_int8_t *ipsec_add_hash_payload(struct message * msg, size_t); +extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t); extern int ipsec_ah_keylength(struct proto *); extern u_int8_t *ipsec_build_id(char *, size_t *); extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); -extern void -ipsec_decode_transform(struct message *, struct sa *, - struct proto *, u_int8_t *); +extern void ipsec_decode_transform(struct message *, struct sa *, + struct proto *, u_int8_t *); extern int ipsec_esp_authkeylength(struct proto *); extern int ipsec_esp_enckeylength(struct proto *); -extern int ipsec_fill_in_hash(struct message * msg); +extern int ipsec_fill_in_hash(struct message *); extern int ipsec_gen_g_x(struct message *); -extern int -ipsec_get_id(char *, int *, struct sockaddr **, - struct sockaddr **, u_int8_t *, u_int16_t *); +extern int ipsec_get_id(char *, int *, struct sockaddr **, + struct sockaddr **, u_int8_t *, u_int16_t *); extern ssize_t ipsec_id_size(char *, u_int8_t *); extern char *ipsec_id_string(u_int8_t *, size_t); extern void ipsec_init(void); -extern int ipsec_initial_contact(struct message * msg); -extern int -ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *, u_int16_t, - void *); +extern int ipsec_initial_contact(struct message *); +extern int ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *, + u_int16_t, void *); extern int ipsec_keymat_length(struct proto *); extern int ipsec_save_g_x(struct message *); extern struct sa *ipsec_sa_lookup(struct sockaddr *, u_int32_t, u_int8_t); -extern char * -ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, size_t, - int); +extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, + size_t, int); extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t); #endif /* _IPSEC_H_ */ diff --git a/sbin/isakmpd/isakmp_cfg.c b/sbin/isakmpd/isakmp_cfg.c index 9a31de1583a..df6b8f15b10 100644 --- a/sbin/isakmpd/isakmp_cfg.c +++ b/sbin/isakmpd/isakmp_cfg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmp_cfg.c,v 1.28 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: isakmp_cfg.c,v 1.29 2004/05/23 18:17:56 hshoexer Exp $ */ /* * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. @@ -57,7 +57,7 @@ * Validation script used to test messages for correct content of * payloads depending on the exchange type. */ -int16_t script_transaction[] = { +int16_t script_transaction[] = { ISAKMP_PAYLOAD_ATTRIBUTE, /* Initiator -> responder. */ EXCHANGE_SCRIPT_SWITCH, ISAKMP_PAYLOAD_ATTRIBUTE, /* Responder -> initiator. */ @@ -65,28 +65,26 @@ int16_t script_transaction[] = { }; static int cfg_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); -static int -cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t, - u_int32_t, char *, u_int8_t **, u_int16_t *); +static int cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t, + u_int32_t, char *, u_int8_t **, u_int16_t *); static int cfg_initiator_send_ATTR(struct message *); static int cfg_initiator_recv_ATTR(struct message *); static int cfg_responder_recv_ATTR(struct message *); static int cfg_responder_send_ATTR(struct message *); u_int8_t *cfg_add_hash(struct message *); -int -cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *, - u_int16_t); +int cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *, + u_int16_t); int cfg_verify_hash(struct message * msg); /* Server: SET/ACK Client; REQ/REPLY */ -int (*isakmp_cfg_initiator[]) (struct message *) = { +int (*isakmp_cfg_initiator[]) (struct message *) = { cfg_initiator_send_ATTR, cfg_initiator_recv_ATTR }; /* Server: REQ/REPLY Client: SET/ACK */ -int (*isakmp_cfg_responder[]) (struct message *) = { +int (*isakmp_cfg_responder[]) (struct message *) = { cfg_responder_recv_ATTR, cfg_responder_send_ATTR }; @@ -96,7 +94,7 @@ int (*isakmp_cfg_responder[]) (struct message *) = { * When we are "the client", this starts REQ/REPLY mode */ static int -cfg_initiator_send_ATTR(struct message * msg) +cfg_initiator_send_ATTR(struct message *msg) { struct sa *isakmp_sa = msg->isakmp_sa; struct ipsec_exch *ie = msg->exchange->data; @@ -116,9 +114,11 @@ cfg_initiator_send_ATTR(struct message * msg) } /* We initiated this exchange, check isakmp_sa for other side. */ if (isakmp_sa->initiator) - id_string = ipsec_id_string(isakmp_sa->id_r, isakmp_sa->id_r_len); + id_string = ipsec_id_string(isakmp_sa->id_r, + isakmp_sa->id_r_len); else - id_string = ipsec_id_string(isakmp_sa->id_i, isakmp_sa->id_i_len); + id_string = ipsec_id_string(isakmp_sa->id_i, + isakmp_sa->id_i_len); if (!id_string) { log_print("cfg_initiator_send_ATTR: cannot parse ID"); goto fail; @@ -132,49 +132,50 @@ cfg_initiator_send_ATTR(struct message * msg) /* SET/ACK mode */ ie->cfg_type = ISAKMP_CFG_SET; - LOG_DBG((LOG_NEGOTIATION, 10, "cfg_initiator_send_ATTR: SET/ACK mode")); + LOG_DBG((LOG_NEGOTIATION, 10, + "cfg_initiator_send_ATTR: SET/ACK mode")); #define ATTRFIND(STR,ATTR4,LEN4,ATTR6,LEN6) do \ { \ - if ((sa = conf_get_address (id_string, STR)) != NULL) \ - switch (sa->sa_family) \ - { \ - case AF_INET: \ - bit_set (attrbits, ATTR4); \ - attrlen += ISAKMP_ATTR_SZ + LEN4; \ - break; \ - case AF_INET6: \ - bit_set (attrbits, ATTR6); \ - attrlen += ISAKMP_ATTR_SZ + LEN6; \ - break; \ - default: \ - break; \ - } \ - free (sa); \ - } while (0) + if ((sa = conf_get_address (id_string, STR)) != NULL) \ + switch (sa->sa_family) { \ + case AF_INET: \ + bit_set (attrbits, ATTR4); \ + attrlen += ISAKMP_ATTR_SZ + LEN4; \ + break; \ + case AF_INET6: \ + bit_set (attrbits, ATTR6); \ + attrlen += ISAKMP_ATTR_SZ + LEN6; \ + break; \ + default: \ + break; \ + } \ + free (sa); \ + } while (0) /* * XXX We don't simultaneously support IPv4 and IPv6 * addresses. */ ATTRFIND("Address", ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16); + ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16); ATTRFIND("Netmask", ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16); + ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16); ATTRFIND("Nameserver", ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16); + ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16); ATTRFIND("WINS-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16); + ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16); ATTRFIND("DHCP-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16); + ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16); #ifdef notyet ATTRFIND("Network", ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET, 8, - ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17); + ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17); #endif #undef ATTRFIND if (conf_get_str(id_string, "Lifetime")) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); + bit_set(attrbits, + ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); attrlen += ISAKMP_ATTR_SZ + 4; } } else { @@ -184,38 +185,45 @@ cfg_initiator_send_ATTR(struct message * msg) ie->cfg_type = ISAKMP_CFG_REQUEST; LOG_DBG((LOG_NEGOTIATION, 10, - "cfg_initiator_send_ATTR: REQ/REPLY mode")); + "cfg_initiator_send_ATTR: REQ/REPLY mode")); alist = conf_get_list(id_string, "Attributes"); if (alist) { for (anode = TAILQ_FIRST(&alist->fields); anode; - anode = TAILQ_NEXT(anode, link)) { + anode = TAILQ_NEXT(anode, link)) { if (strcasecmp(anode->field, "Address") == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS); bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS); attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "Netmask") == 0) { + } else if (strcasecmp(anode->field, "Netmask") + == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK); bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK); attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "Nameserver") == 0) { + } else if (strcasecmp(anode->field, + "Nameserver") == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS); bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS); attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "WINS-server") == 0) { + } else if (strcasecmp(anode->field, + "WINS-server") == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS); bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS); attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "DHCP-server") == 0) { + } else if (strcasecmp(anode->field, + "DHCP-server") == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP); bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP); attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "Lifetime") == 0) { + } else if (strcasecmp(anode->field, + "Lifetime") == 0) { bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); attrlen += ISAKMP_ATTR_SZ; } else { - log_print("cfg_initiator_send_ATTR: unknown attribute " - "%.20s in section [%s]", anode->field, id_string); + log_print("cfg_initiator_send_ATTR: " + "unknown attribute %.20s in " + "section [%s]", anode->field, + id_string); } } @@ -226,11 +234,11 @@ cfg_initiator_send_ATTR(struct message * msg) if (attrlen == 0) { /* No data found. */ log_print("cfg_initiator_send_ATTR: no IKECFG attributes " - "found for [%s]", id_string); + "found for [%s]", id_string); /* - * We can continue, but this indicates a configuration error that - * the user probably will want to correct. + * We can continue, but this indicates a configuration error + * that the user probably will want to correct. */ free(id_string); return 0; @@ -239,10 +247,11 @@ cfg_initiator_send_ATTR(struct message * msg) attrp = calloc(1, attrlen); if (!attrp) { log_error("cfg_initiator_send_ATTR: calloc (1, %lu) failed", - (unsigned long) attrlen); + (unsigned long)attrlen); goto fail; } - if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, 1)) { + if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, + 1)) { free(attrp); goto fail; } @@ -322,8 +331,8 @@ cfg_initiator_send_ATTR(struct message * msg) sa = conf_get_address(id_string, field); SET_ISAKMP_ATTR_LENGTH_VALUE(attr, length); - memcpy(attr + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata(sa), - length); + memcpy(attr + ISAKMP_ATTR_VALUE_OFF, + sockaddr_addrdata(sa), length); free(sa); @@ -346,10 +355,10 @@ fail: * As "the client", this ends REQ/REPLY. */ static int -cfg_initiator_recv_ATTR(struct message * msg) +cfg_initiator_recv_ATTR(struct message *msg) { - struct payload *attrp - = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); + struct payload *attrp = + TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); struct ipsec_exch *ie = msg->exchange->data; struct sa *isakmp_sa = msg->isakmp_sa; struct isakmp_cfg_attr *attr; @@ -371,51 +380,52 @@ cfg_initiator_recv_ATTR(struct message * msg) case ISAKMP_CFG_ACK: if (ie->cfg_type != ISAKMP_CFG_SET) { log_print("cfg_initiator_recv_ATTR: bad packet type ACK"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 0); return -1; } break; case ISAKMP_CFG_REPLY: if (ie->cfg_type != ISAKMP_CFG_REQUEST) { log_print("cfg_initiator_recv_ATTR: bad packet type REPLY"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 0); return -1; } break; default: - log_print("cfg_initiator_recv_ATTR: " - "unexpected configuration message type %d", - attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]); + log_print("cfg_initiator_recv_ATTR: unexpected configuration " + "message type %d", attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]); message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); return -1; } attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(attrp->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, ie); + GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + cfg_decode_attribute, ie); switch (ie->cfg_type) { - case ISAKMP_CFG_ACK: - { + case ISAKMP_CFG_ACK: { /* SET/ACK -- Server side (ACK from client) */ msg->transport->vtbl->get_src(isakmp_sa->transport, &sa); if (sockaddr2text(sa, &addr, 0) < 0) addr = (char *) uk_addr; for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, "cfg_initiator_recv_ATTR: " - "client %s ACKs attribute %s", addr, - constant_name(isakmp_cfg_attr_cst, attr->type))); + attr = LIST_NEXT(attr, link)) + LOG_DBG((LOG_NEGOTIATION, 50, + "cfg_initiator_recv_ATTR: " + "client %s ACKs attribute %s", addr, + constant_name(isakmp_cfg_attr_cst, + attr->type))); if (addr != uk_addr) free(addr); } break; - case ISAKMP_CFG_REPLY: - { + case ISAKMP_CFG_REPLY: { /* * REQ/REPLY: effect attributes we've gotten * responses on. @@ -425,10 +435,12 @@ cfg_initiator_recv_ATTR(struct message * msg) addr = (char *) uk_addr; for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, "cfg_initiator_recv_ATTR: " - "server %s replied with attribute %s", addr, - constant_name(isakmp_cfg_attr_cst, attr->type))); + attr = LIST_NEXT(attr, link)) + LOG_DBG((LOG_NEGOTIATION, 50, + "cfg_initiator_recv_ATTR: " + "server %s replied with attribute %s", + addr, constant_name(isakmp_cfg_attr_cst, + attr->type))); if (addr != uk_addr) free(addr); @@ -448,10 +460,10 @@ cfg_initiator_recv_ATTR(struct message * msg) * As "the client", this starts SET/ACK (initiated by the server). */ static int -cfg_responder_recv_ATTR(struct message * msg) +cfg_responder_recv_ATTR(struct message *msg) { - struct payload *attrp - = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); + struct payload *attrp = + TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); struct ipsec_exch *ie = msg->exchange->data; struct sa *isakmp_sa = msg->isakmp_sa; struct isakmp_cfg_attr *attr; @@ -473,21 +485,20 @@ cfg_responder_recv_ATTR(struct message * msg) default: message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); log_print("cfg_responder_recv_ATTR: " - "unexpected configuration message type %d", ie->cfg_type); + "unexpected configuration message type %d", ie->cfg_type); return -1; } attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(attrp->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, ie); + GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + cfg_decode_attribute, ie); switch (ie->cfg_type) { case ISAKMP_CFG_REQUEST: /* We're done. */ break; - case ISAKMP_CFG_SET: - { + case ISAKMP_CFG_SET: { /* SET/ACK -- Client side (SET from server) */ const char *uk_addr = "<unknown>"; @@ -496,17 +507,20 @@ cfg_responder_recv_ATTR(struct message * msg) addr = (char *) uk_addr; for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, "cfg_responder_recv_ATTR: " - "server %s asks us to SET attribute %s", addr, - constant_name(isakmp_cfg_attr_cst, attr->type))); + attr = LIST_NEXT(attr, link)) + LOG_DBG((LOG_NEGOTIATION, 50, + "cfg_responder_recv_ATTR: " + "server %s asks us to SET attribute %s", + addr, constant_name(isakmp_cfg_attr_cst, + attr->type))); /* - * XXX Here's the place to add code to walk through each attribute - * XXX and send them along to dhclient or whatever. Each attribute - * XXX that we act upon (such as setting a netmask), should be - * XXX marked like this for us to send the proper ACK response: - * XXX attr->attr_used++; + * XXX Here's the place to add code to walk through + * XXX each attribute and send them along to dhclient + * XXX or whatever. Each attribute that we act upon + * XXX (such as setting a netmask), should be marked + * XXX like this for us to send the proper ACK + * XXX response: attr->attr_used++; */ if (addr != uk_addr) @@ -527,7 +541,7 @@ cfg_responder_recv_ATTR(struct message * msg) * As "the client", this ends SET/ACK mode. */ static int -cfg_responder_send_ATTR(struct message * msg) +cfg_responder_send_ATTR(struct message *msg) { struct ipsec_exch *ie = msg->exchange->data; struct sa *isakmp_sa = msg->isakmp_sa; @@ -542,22 +556,25 @@ cfg_responder_send_ATTR(struct message * msg) } /* We are responder, check isakmp_sa for other side. */ if (isakmp_sa->initiator ^ (ie->cfg_type == ISAKMP_CFG_REQUEST)) - id_string = ipsec_id_string(isakmp_sa->id_i, isakmp_sa->id_i_len); + id_string = ipsec_id_string(isakmp_sa->id_i, + isakmp_sa->id_i_len); else - id_string = ipsec_id_string(isakmp_sa->id_r, isakmp_sa->id_r_len); + id_string = ipsec_id_string(isakmp_sa->id_r, + isakmp_sa->id_r_len); if (!id_string) { log_print("cfg_responder_send_ATTR: cannot parse client's ID"); return -1; } if (cfg_encode_attributes(&ie->attrs, (ie->cfg_type == ISAKMP_CFG_SET ? - ISAKMP_CFG_ACK : ISAKMP_CFG_REPLY), - ie->cfg_id, id_string, &attrp, &attrlen)) { + ISAKMP_CFG_ACK : ISAKMP_CFG_REPLY), ie->cfg_id, id_string, &attrp, + &attrlen)) { free(id_string); return -1; } free(id_string); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, 1)) { + if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, + 1)) { free(attrp); return -1; } @@ -568,8 +585,8 @@ cfg_responder_send_ATTR(struct message * msg) return 0; } -u_int8_t * -cfg_add_hash(struct message * msg) +u_int8_t * +cfg_add_hash(struct message *msg) { struct ipsec_sa *isa = msg->isakmp_sa->data; struct hash *hash = hash_get(isa->hash); @@ -578,11 +595,11 @@ cfg_add_hash(struct message * msg) hashp = malloc(ISAKMP_HASH_SZ + hash->hashsize); if (!hashp) { log_error("cfg_add_hash: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long) hash->hashsize); + ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); return 0; } if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, hashp, - ISAKMP_HASH_SZ + hash->hashsize, 1)) { + ISAKMP_HASH_SZ + hash->hashsize, 1)) { free(hashp); return 0; } @@ -591,18 +608,19 @@ cfg_add_hash(struct message * msg) int cfg_finalize_hash(struct message * msg, u_int8_t * hashp, u_int8_t * data, - u_int16_t length) + u_int16_t length) { struct ipsec_sa *isa = msg->isakmp_sa->data; struct prf *prf; - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len); + prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, + isa->skeyid_len); if (!prf) return -1; prf->Init(prf->prfctx); prf->Update(prf->prfctx, msg->exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); + ISAKMP_HDR_MESSAGE_ID_LEN); prf->Update(prf->prfctx, data, length); prf->Final(hashp + ISAKMP_GEN_SZ, prf->prfctx); prf_free(prf); @@ -610,7 +628,7 @@ cfg_finalize_hash(struct message * msg, u_int8_t * hashp, u_int8_t * data, } int -cfg_verify_hash(struct message * msg) +cfg_verify_hash(struct message *msg) { struct payload *hashp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]); struct ipsec_sa *isa = msg->isakmp_sa->data; @@ -620,7 +638,8 @@ cfg_verify_hash(struct message * msg) if (!hashp) { log_print("cfg_verify_hash: phase 2 message missing HASH"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 0); return -1; } hash = hashp->p; @@ -628,26 +647,28 @@ cfg_verify_hash(struct message * msg) comp_hash = malloc(hash_len - ISAKMP_GEN_SZ); if (!comp_hash) { log_error("cfg_verify_hash: malloc (%lu) failed", - (unsigned long) hash_len - ISAKMP_GEN_SZ); + (unsigned long)hash_len - ISAKMP_GEN_SZ); return -1; } /* Verify hash. */ prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); + isa->skeyid_len); if (!prf) { free(comp_hash); return -1; } prf->Init(prf->prfctx); prf->Update(prf->prfctx, msg->exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); + ISAKMP_HDR_MESSAGE_ID_LEN); prf->Update(prf->prfctx, hash + hash_len, - msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); + msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); prf->Final(comp_hash, prf->prfctx); prf_free(prf); - if (memcmp(hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ) != 0) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); + if (memcmp(hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ) + != 0) { + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 0); free(comp_hash); return -1; } @@ -666,7 +687,7 @@ cfg_verify_hash(struct message * msg) */ static int cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vie) + void *vie) { struct ipsec_exch *ie = vie; struct isakmp_cfg_attr *attr; @@ -676,13 +697,13 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, return 0; if (type == 0 || type >= ISAKMP_CFG_ATTR_FUTURE_MIN) { LOG_DBG((LOG_NEGOTIATION, 30, - "cfg_decode_attribute: invalid attr type %u", type)); + "cfg_decode_attribute: invalid attr type %u", type)); return -1; } attr = calloc(1, sizeof *attr); if (!attr) { log_error("cfg_decode_attribute: calloc (1, %lu) failed", - (unsigned long) sizeof *attr); + (unsigned long)sizeof *attr); return -1; } attr->type = type; @@ -690,7 +711,8 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, if (len) { attr->value = malloc(len); if (!attr->value) { - log_error("cfg_decode_attribute: malloc (%d) failed", len); + log_error("cfg_decode_attribute: malloc (%d) failed", + len); free(attr); /* Should we also deallocate all other values? */ return -1; @@ -705,9 +727,8 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, * Encode list of attributes from ie->attrs into a attribute payload. */ static int -cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type, - u_int32_t cfg_id, char *id_string, u_int8_t ** attrp, - u_int16_t * len) +cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type, + u_int32_t cfg_id, char *id_string, u_int8_t **attrp, u_int16_t *len) { struct isakmp_cfg_attr *attr; struct sockaddr *sa; @@ -769,7 +790,7 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type, *attrp = calloc(1, *len); if (!*attrp) { log_error("cfg_encode_attributes: calloc (1, %lu) failed", - (unsigned long) *len); + (unsigned long)*len); return -1; } SET_ISAKMP_ATTRIBUTE_TYPE(*attrp, type); @@ -853,16 +874,18 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type, case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: sa = conf_get_address(id_string, field); if (!sa) { - LOG_DBG((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: " - "attribute not found: %s", field)); + LOG_DBG((LOG_NEGOTIATION, 10, + "cfg_responder_send_ATTR: " + "attribute not found: %s", field)); attr->length = 0; break; } if (sa->sa_family != family) { - log_print("cfg_responder_send_ATTR: attribute %s - expected %s " - "got %s data", field, - (family == AF_INET ? "IPv4" : "IPv6"), - (sa->sa_family == AF_INET ? "IPv4" : "IPv6")); + log_print("cfg_responder_send_ATTR: " + "attribute %s - expected %s got %s data", + field, + (family == AF_INET ? "IPv4" : "IPv6"), + (sa->sa_family == AF_INET ? "IPv4" : "IPv6")); free(sa); attr->length = 0; break; @@ -870,48 +893,56 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type, /* Temporary limit length for the _SUBNET types. */ if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) attr->length = 4; - else if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) + else if (attr->type == + ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) attr->length = 16; - memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata(sa), - attr->length); + memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF, + sockaddr_addrdata(sa), attr->length); free(sa); /* _SUBNET types need some extra work. */ if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) { sa = conf_get_address(id_string, "Netmask"); if (!sa) { - LOG_DBG((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: " + LOG_DBG((LOG_NEGOTIATION, 10, + "cfg_responder_send_ATTR: " "attribute not found: Netmask")); attr->length = 0; break; } if (sa->sa_family != AF_INET) { - log_print("cfg_responder_send_ATTR: attribute Netmask - " - "expected IPv4 got IPv6 data"); + log_print("cfg_responder_send_ATTR: " + "attribute Netmask - expected " + "IPv4 got IPv6 data"); free(sa); attr->length = 0; break; } - memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF + attr->length, - sockaddr_addrdata(sa), attr->length); + memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF + + attr->length, sockaddr_addrdata(sa), + attr->length); attr->length = 8; free(sa); - } else if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) { - int prefix = conf_get_num(id_string, "Prefix", -1); + } else if (attr->type == + ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) { + int prefix = conf_get_num(id_string, "Prefix", + -1); if (prefix == -1) { log_print("cfg_responder_send_ATTR: " - "attribute not found: Prefix"); + "attribute not found: Prefix"); attr->length = 0; break; } else if (prefix < -1 || prefix > 128) { - log_print("cfg_responder_send_ATTR: attribute Prefix - " - "invalid value %d", prefix); + log_print("cfg_responder_send_ATTR: " + "attribute Prefix - invalid value %d", + prefix); attr->length = 0; break; } - *(*attrp + off + ISAKMP_ATTR_VALUE_OFF + 16) = (u_int8_t) prefix; + *(*attrp + off + ISAKMP_ATTR_VALUE_OFF + 16) = + (u_int8_t)prefix; attr->length = 17; } break; diff --git a/sbin/isakmpd/isakmp_cfg.h b/sbin/isakmpd/isakmp_cfg.h index 58f9e00f235..169fa29a08d 100644 --- a/sbin/isakmpd/isakmp_cfg.h +++ b/sbin/isakmpd/isakmp_cfg.h @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmp_cfg.h,v 1.4 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: isakmp_cfg.h,v 1.5 2004/05/23 18:17:56 hshoexer Exp $ */ /* * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. @@ -46,8 +46,8 @@ struct isakmp_cfg_attr { struct message; -extern int (*isakmp_cfg_initiator[]) (struct message *); -extern int (*isakmp_cfg_responder[]) (struct message *); +extern int (*isakmp_cfg_initiator[])(struct message *); +extern int (*isakmp_cfg_responder[])(struct message *); extern int16_t script_transaction[]; #endif /* _ISAKMP_CFG_H_ */ diff --git a/sbin/isakmpd/isakmp_doi.c b/sbin/isakmpd/isakmp_doi.c index 1ef681f0942..ea279b66fff 100644 --- a/sbin/isakmpd/isakmp_doi.c +++ b/sbin/isakmpd/isakmp_doi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmp_doi.c,v 1.19 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: isakmp_doi.c,v 1.20 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: isakmp_doi.c,v 1.42 2000/09/12 16:29:41 ho Exp $ */ /* @@ -59,13 +59,11 @@ static int isakmp_responder(struct message *); static void isakmp_setup_situation(u_int8_t *); static size_t isakmp_situation_size(void); static u_int8_t isakmp_spi_size(u_int8_t); -static int -isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, - void *); +static int isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, + void *); static int isakmp_validate_exchange(u_int8_t); -static int -isakmp_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *, - size_t, struct exchange *); +static int isakmp_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *, + size_t, struct exchange *); static int isakmp_validate_key_information(u_int8_t *, size_t); static int isakmp_validate_notification(u_int16_t); static int isakmp_validate_proto(u_int8_t); @@ -117,8 +115,8 @@ isakmp_doi_init(void) #ifdef USE_DEBUG int -isakmp_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vmsg) +isakmp_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) { /* XXX Not implemented yet. */ return 0; @@ -126,18 +124,18 @@ isakmp_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, #endif /* USE_DEBUG */ static void -isakmp_finalize_exchange(struct message * msg) +isakmp_finalize_exchange(struct message *msg) { } static struct keystate * -isakmp_get_keystate(struct message * msg) +isakmp_get_keystate(struct message *msg) { return 0; } static void -isakmp_setup_situation(u_int8_t * buf) +isakmp_setup_situation(u_int8_t *buf) { /* Nothing to do. */ } @@ -217,15 +215,15 @@ static int isakmp_initiator(struct message *msg) { if (msg->exchange->type != ISAKMP_EXCH_INFO) { - log_print("isakmp_initiator: unsupported exchange type %d in phase %d", - msg->exchange->type, msg->exchange->phase); + log_print("isakmp_initiator: unsupported exchange type %d " + "in phase %d", msg->exchange->type, msg->exchange->phase); return -1; } return message_send_info(msg); } static int -isakmp_responder(struct message * msg) +isakmp_responder(struct message *msg) { struct payload *p; @@ -256,7 +254,8 @@ isakmp_responder(struct message * msg) default: /* XXX So far we don't accept any proposals. */ if (TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_SA])) { - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); + message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, + 0, 1, 0); return -1; } } diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c index f8dc4d7b7b1..4e8f70b21c2 100644 --- a/sbin/isakmpd/isakmpd.c +++ b/sbin/isakmpd/isakmpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmpd.c,v 1.62 2004/05/19 14:30:26 ho Exp $ */ +/* $OpenBSD: isakmpd.c,v 1.63 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ /* @@ -157,7 +157,8 @@ parse_args(int argc, char *argv[]) for (cls = 0; cls < LOG_ENDCLASS; cls++) log_debug_cmd(cls, level); } else - log_print("parse_args: -D argument unparseable: %s", optarg); + log_print("parse_args: -D argument " + "unparseable: %s", optarg); } else log_debug_cmd(cls, level); break; @@ -197,7 +198,8 @@ parse_args(int argc, char *argv[]) seed = strtoul(optarg, &ep, 0); srandom(seed); if (*ep != '\0') - log_fatal("parse_args: invalid numeric arg to -r (%s)", optarg); + log_fatal("parse_args: invalid numeric arg " + "to -r (%s)", optarg); regrand = 1; break; @@ -281,7 +283,7 @@ sigusr2(int sig) } static int -phase2_sa_check(struct sa * sa, void *arg) +phase2_sa_check(struct sa *sa, void *arg) { return sa->phase == 2; } @@ -290,7 +292,7 @@ static void daemon_shutdown(void) { /* Perform a (protocol-wise) clean shutdown of the daemon. */ - struct sa *sa; + struct sa *sa; if (sigtermed == 1) { log_print("isakmpd: shutting down..."); @@ -330,7 +332,7 @@ daemon_shutdown_now(int sig) static void write_pid_file(void) { - FILE *fp; + FILE *fp; /* Ignore errors. This will fail with USE_PRIVSEP. */ unlink(pid_file); @@ -338,11 +340,12 @@ write_pid_file(void) fp = monitor_fopen(pid_file, "w"); if (fp != NULL) { if (fprintf(fp, "%ld\n", (long) getpid()) < 0) - log_error("write_pid_file: failed to write PID to \"%.100s\"", - pid_file); + log_error("write_pid_file: failed to write PID to " + "\"%.100s\"", pid_file); fclose(fp); } else - log_fatal("write_pid_file: fopen (\"%.100s\", \"w\") failed", pid_file); + log_fatal("write_pid_file: fopen (\"%.100s\", \"w\") failed", + pid_file); } int @@ -430,10 +433,12 @@ main(int argc, char *argv[]) mask_size = howmany(n, NFDBITS) * sizeof(fd_mask); rfds = (fd_set *) malloc(mask_size); if (!rfds) - log_fatal("main: malloc (%lu) failed", (unsigned long) mask_size); + log_fatal("main: malloc (%lu) failed", + (unsigned long)mask_size); wfds = (fd_set *) malloc(mask_size); if (!wfds) - log_fatal("main: malloc (%lu) failed", (unsigned long) mask_size); + log_fatal("main: malloc (%lu) failed", + (unsigned long)mask_size); #if defined (USE_PRIVSEP) monitor_init_done(); @@ -457,15 +462,17 @@ main(int argc, char *argv[]) rehash_timers(); } /* - * and if someone set 'sigtermed' (SIGTERM, SIGINT or via the UI), - * this indicates we should start a controlled shutdown of the daemon. + * and if someone set 'sigtermed' (SIGTERM, SIGINT or via the + * UI), this indicates we should start a controlled shutdown + * of the daemon. * - * Note: Since _one_ message is sent per iteration of this enclosing - * while-loop, and we want to send a number of DELETE notifications, - * we must loop atleast this number of times. The daemon_shutdown() - * function starts by queueing the DELETEs, all other calls just - * increments the 'sigtermed' variable until it reaches a "safe" - * value, and the daemon exits. + * Note: Since _one_ message is sent per iteration of this + * enclosing while-loop, and we want to send a number of + * DELETE notifications, we must loop atleast this number of + * times. The daemon_shutdown() function starts by queueing + * the DELETEs, all other calls just increments the + * 'sigtermed' variable until it reaches a "safe" value, and + * the daemon exits. */ if (sigtermed) daemon_shutdown(); @@ -478,8 +485,9 @@ main(int argc, char *argv[]) n = ui_socket + 1; /* - * XXX Some day we might want to deal with an abstract application - * class instead, with many instantiations possible. + * XXX Some day we might want to deal with an abstract + * application class instead, with many instantiations + * possible. */ if (!app_none && app_socket >= 0) { FD_SET(app_socket, rfds); @@ -514,7 +522,8 @@ main(int argc, char *argv[]) transport_send_messages(wfds); if (FD_ISSET(ui_socket, rfds)) ui_handler(); - if (!app_none && app_socket >= 0 && FD_ISSET(app_socket, rfds)) + if (!app_none && app_socket >= 0 && + FD_ISSET(app_socket, rfds)) app_handler(); } timer_handle_expirations(); diff --git a/sbin/isakmpd/key.c b/sbin/isakmpd/key.c index 168188a8b32..cfd9f7ac6dd 100644 --- a/sbin/isakmpd/key.c +++ b/sbin/isakmpd/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.16 2004/05/23 16:13:39 deraadt Exp $ */ +/* $OpenBSD: key.c,v 1.17 2004/05/23 18:17:56 hshoexer Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -49,43 +49,45 @@ key_free(int type, int private, void *key) /* Convert from internal form to serialized */ void -key_serialize(int type, int private, void *key, u_int8_t **data, size_t *datalenp) +key_serialize(int type, int private, void *key, u_int8_t **data, + size_t *datalenp) { u_int8_t *p; size_t datalen; switch (type) { case ISAKMP_KEY_PASSPHRASE: - *datalenp = strlen((char *) key); - *data = (u_int8_t *) strdup((char *) key); + *datalenp = strlen((char *)key); + *data = (u_int8_t *)strdup((char *)key); break; case ISAKMP_KEY_RSA: switch (private) { case ISAKMP_KEYTYPE_PUBLIC: - datalen = i2d_RSAPublicKey((RSA *) key, NULL); + datalen = i2d_RSAPublicKey((RSA *)key, NULL); *data = p = malloc(datalen); if (!p) { log_error("key_serialize: malloc (%lu) failed", - (unsigned long) datalen); + (unsigned long)datalen); return; } *datalenp = i2d_RSAPublicKey((RSA *) key, &p); break; case ISAKMP_KEYTYPE_PRIVATE: - datalen = i2d_RSAPrivateKey((RSA *) key, NULL); + datalen = i2d_RSAPrivateKey((RSA *)key, NULL); *data = p = malloc(datalen); if (!p) { log_error("key_serialize: malloc (%lu) failed", - (unsigned long) datalen); + (unsigned long)datalen); return; } - *datalenp = i2d_RSAPrivateKey((RSA *) key, &p); + *datalenp = i2d_RSAPrivateKey((RSA *)key, &p); break; } break; default: - log_error("key_serialize: unknown/unsupported key type %d", type); + log_error("key_serialize: unknown/unsupported key type %d", + type); break; } } @@ -94,12 +96,12 @@ key_serialize(int type, int private, void *key, u_int8_t **data, size_t *datalen char * key_printable(int type, int private, u_int8_t *data, int datalen) { - char *s; - int i; + char *s; + int i; switch (type) { case ISAKMP_KEY_PASSPHRASE: - return strdup((char *) data); + return strdup((char *)data); case ISAKMP_KEY_RSA: s = malloc(datalen * 2 + 1); @@ -114,7 +116,8 @@ key_printable(int type, int private, u_int8_t *data, int datalen) return s; default: - log_error("key_printable: unknown/unsupported key type %d", type); + log_error("key_printable: unknown/unsupported key type %d", + type); return 0; } } @@ -125,7 +128,7 @@ key_internalize(int type, int private, u_int8_t *data, int datalen) { switch (type) { case ISAKMP_KEY_PASSPHRASE: - return strdup((char *) data); + return strdup((char *)data); case ISAKMP_KEY_RSA: switch (private) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L @@ -170,10 +173,11 @@ key_from_printable(int type, int private, char *key, u_int8_t **data, break; case ISAKMP_KEY_RSA: - datalen = (strlen(key) + 1) / 2; /* Round up, just in case */ + datalen = (strlen(key) + 1) / 2; /* Round up, just in case */ *data = malloc(datalen); if (!*data) { - log_error("key_from_printable: malloc (%d) failed", datalen); + log_error("key_from_printable: malloc (%d) failed", + datalen); *datalenp = 0; return; } @@ -181,7 +185,8 @@ key_from_printable(int type, int private, char *key, u_int8_t **data, break; default: - log_error("key_from_printable: unknown/unsupported key type %d", type); + log_error("key_from_printable: unknown/unsupported key type %d", + type); *data = NULL; *datalenp = 0; break; diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c index c48b8771eaa..55ac7c1abc8 100644 --- a/sbin/isakmpd/log.c +++ b/sbin/isakmpd/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.43 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: log.c,v 1.44 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */ /* @@ -135,8 +135,8 @@ log_reinit(void) for (class = 0; class < LOG_ENDCLASS; class++) log_debug_cmd(class, level); else { - log_print("init: invalid logging class or level: %s", - logclass->field); + log_print("init: invalid logging class or " + "level: %s", logclass->field); continue; } } else @@ -190,13 +190,15 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap, len = vsnprintf(buffer, sizeof buffer, fmt, ap); if (len > 0 && len < (int) sizeof buffer - 1 && error) - snprintf(buffer + len, sizeof buffer - len, ": %s", strerror(errno)); + snprintf(buffer + len, sizeof buffer - len, ": %s", + strerror(errno)); if (log_output) { gettimeofday(&now, 0); t = now.tv_sec; tm = localtime(&t); if (class >= 0) - snprintf(nbuf, sizeof nbuf, "%02d%02d%02d.%06ld %s %02d ", + snprintf(nbuf, sizeof nbuf, + "%02d%02d%02d.%06ld %s %02d ", tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec, _log_get_class(class), level); else /* LOG_PRINT (-1) or LOG_REPORT (-2) */ @@ -215,9 +217,11 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap, fprintf(log_output, fallback_msg, errno); /* - * Close log_output to prevent isakmpd from locking the file. - * We may need to explicitly close stdout to do this properly. - * XXX - Figure out how to match two FILE *'s and rewrite. + * Close log_output to prevent isakmpd from locking + * the file. We may need to explicitly close stdout + * to do this properly. + * XXX - Figure out how to match two FILE *'s and + * rewrite. */ if (fileno(log_output) != -1 && fileno(stdout) == fileno(log_output)) @@ -232,8 +236,8 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap, syslog_level, "%s", buffer); } } else - syslog(class == LOG_REPORT ? LOG_ALERT : syslog_level, - "%s", buffer); + syslog(class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s", + buffer); } #ifdef USE_DEBUG @@ -243,7 +247,8 @@ log_debug(int cls, int level, const char *fmt, ...) va_list ap; /* - * If we are not debugging this class, or the level is too low, just return. + * If we are not debugging this class, or the level is too low, just + * return. */ if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) return; @@ -260,7 +265,8 @@ log_debug_buf(int cls, int level, const char *header, const u_int8_t *buf, char s[73]; /* - * If we are not debugging this class, or the level is too low, just return. + * If we are not debugging this class, or the level is too low, just + * return. */ if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) return; @@ -292,15 +298,16 @@ log_debug_cmd(int cls, int level) return; } if (level < 0) { - log_print("log_debug_cmd: invalid debugging level %d for class %d", - level, cls); + log_print("log_debug_cmd: invalid debugging level %d for " + "class %d", level, cls); return; } if (level == log_level[cls]) - log_print("log_debug_cmd: log level unchanged for class %d", cls); + log_print("log_debug_cmd: log level unchanged for class %d", + cls); else { - log_print("log_debug_cmd: log level changed from %d to %d for class %d", - log_level[cls], level, cls); + log_print("log_debug_cmd: log level changed from %d to %d " + "for class %d", log_level[cls], level, cls); log_level[cls] = level; } } @@ -325,7 +332,7 @@ log_debug_toggle(void) void log_print(const char *fmt, ...) { - va_list ap; + va_list ap; va_start(ap, fmt); _log_print(0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0); @@ -335,9 +342,9 @@ log_print(const char *fmt, ...) void log_verbose(const char *fmt, ...) { - va_list ap; + va_list ap; #ifdef USE_DEBUG - int i; + int i; #endif /* USE_DEBUG */ if (verbose_logging == 0) @@ -357,7 +364,7 @@ log_verbose(const char *fmt, ...) void log_error(const char *fmt, ...) { - va_list ap; + va_list ap; va_start(ap, fmt); _log_print(1, LOG_ERR, fmt, ap, LOG_PRINT, 0); @@ -367,7 +374,7 @@ log_error(const char *fmt, ...) void log_fatal(const char *fmt, ...) { - va_list ap; + va_list ap; va_start(ap, fmt); _log_print(1, LOG_CRIT, fmt, ap, LOG_PRINT, 0); @@ -458,8 +465,8 @@ void log_packet_restart(char *newname) { if (packet_log) { - log_print("log_packet_restart: capture already active on file \"%s\"", - pcaplog_file); + log_print("log_packet_restart: capture already active on " + "file \"%s\"", pcaplog_file); return; } if (newname) @@ -482,7 +489,7 @@ log_packet_stop(void) } void -log_packet_iov(struct sockaddr * src, struct sockaddr * dst, struct iovec * iov, +log_packet_iov(struct sockaddr *src, struct sockaddr *dst, struct iovec *iov, int iovcnt) { struct isakmp_hdr *isakmphdr; @@ -528,8 +535,10 @@ log_packet_iov(struct sockaddr * src, struct sockaddr * dst, struct iovec * iov, goto setup_ip4; case AF_INET: - hdr.ip.ip4.ip_src.s_addr = ((struct sockaddr_in *) src)->sin_addr.s_addr; - hdr.ip.ip4.ip_dst.s_addr = ((struct sockaddr_in *) dst)->sin_addr.s_addr; + hdr.ip.ip4.ip_src.s_addr = + ((struct sockaddr_in *)src)->sin_addr.s_addr; + hdr.ip.ip4.ip_dst.s_addr = + ((struct sockaddr_in *)dst)->sin_addr.s_addr; setup_ip4: hdrlen = sizeof hdr.ip.ip4; @@ -550,9 +559,11 @@ setup_ip4: hdr.ip.ip6.ip6_vfc = IPV6_VERSION; hdr.ip.ip6.ip6_nxt = IPPROTO_UDP; hdr.ip.ip6.ip6_plen = udp.uh_ulen; - memcpy(&hdr.ip.ip6.ip6_src, &((struct sockaddr_in6 *) src)->sin6_addr, + memcpy(&hdr.ip.ip6.ip6_src, + &((struct sockaddr_in6 *)src)->sin6_addr, sizeof hdr.ip.ip6.ip6_src); - memcpy(&hdr.ip.ip6.ip6_dst, &((struct sockaddr_in6 *) dst)->sin6_addr, + memcpy(&hdr.ip.ip6.ip6_dst, + &((struct sockaddr_in6 *)dst)->sin6_addr, sizeof hdr.ip.ip6.ip6_dst); break; } @@ -641,7 +652,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d) sum += phu.pa[i / 2]; sp = (u_int16_t *) u; - for (i = 0; i < (int) sizeof(struct udphdr); i += 2) + for (i = 0; i < (int)sizeof(struct udphdr); i += 2) sum += *sp++; sp = d; @@ -649,7 +660,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d) sum += *sp++; if (tlen & 1) - sum += htons((*(const char *) sp) << 8); + sum += htons((*(const char *)sp) << 8); while (sum > 0xffff) sum = (sum & 0xffff) + (sum >> 16); @@ -662,7 +673,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d) static u_int16_t in_cksum(const u_int16_t *w, int len) { - int nleft = len, sum = 0; + int nleft = len, sum = 0; u_int16_t answer; while (nleft > 1) { diff --git a/sbin/isakmpd/log.h b/sbin/isakmpd/log.h index 1efa9e78d0e..dc36f5d144d 100644 --- a/sbin/isakmpd/log.h +++ b/sbin/isakmpd/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.20 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: log.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */ /* @@ -66,19 +66,18 @@ enum log_classes { #define LOG_DBG(x) log_debug x #define LOG_DBG_BUF(x) log_debug_buf x -extern void -log_debug(int, int, const char *,...) -__attribute__((__format__(__printf__, 3, 4))); - extern void log_debug_buf(int, int, const char *, const u_int8_t *, size_t); - extern void log_debug_cmd(int, int); - extern void log_debug_toggle(void); +extern void log_debug(int, int, const char *,...) + __attribute__((__format__(__printf__, 3, 4))); +extern void log_debug_buf(int, int, const char *, const u_int8_t *, size_t); +extern void log_debug_cmd(int, int); +extern void log_debug_toggle(void); #define PCAP_FILE_DEFAULT "/var/run/isakmpd.pcap" - extern void log_packet_init(char *); - extern void log_packet_iov(struct sockaddr *, struct sockaddr *, +extern void log_packet_init(char *); +extern void log_packet_iov(struct sockaddr *, struct sockaddr *, struct iovec *, int); - extern void log_packet_restart(char *); - extern void log_packet_stop(void); +extern void log_packet_restart(char *); +extern void log_packet_stop(void); #else /* !USE_DEBUG */ @@ -88,17 +87,16 @@ __attribute__((__format__(__printf__, 3, 4))); #endif /* USE_DEBUG */ extern FILE *log_current(void); -extern void -log_error(const char *,...) -__attribute__((__format__(__printf__, 1, 2))); - extern void log_fatal(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); - extern void log_print(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); - extern void log_verbose(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); - extern void log_to(FILE *); - extern void log_init(int); - extern void log_reinit(void); +extern void log_error(const char *,...) + __attribute__((__format__(__printf__, 1, 2))); +extern void log_fatal(const char *,...) + __attribute__((__format__(__printf__, 1, 2))); +extern void log_print(const char *,...) + __attribute__((__format__(__printf__, 1, 2))); +extern void log_verbose(const char *,...) + __attribute__((__format__(__printf__, 1, 2))); +extern void log_to(FILE *); +extern void log_init(int); +extern void log_reinit(void); #endif /* _LOG_H_ */ diff --git a/sbin/isakmpd/math_2n.c b/sbin/isakmpd/math_2n.c index c5e37b3a27e..78a041e62fe 100644 --- a/sbin/isakmpd/math_2n.c +++ b/sbin/isakmpd/math_2n.c @@ -1,4 +1,4 @@ -/* $OpenBSD: math_2n.c,v 1.14 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: math_2n.c,v 1.15 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: math_2n.c,v 1.15 1999/04/20 09:23:30 niklas Exp $ */ /* @@ -65,7 +65,7 @@ CHUNK_TYPE b2n_mask[CHUNK_BITS] = { }; /* Convert a hex character to its integer value. */ -static u_int8_t +static u_int8_t hex2int(char c) { if (c <= '9') @@ -86,7 +86,7 @@ b2n_random(b2n_ptr n, u_int32_t bits) /* Get the number of significant bits right */ if (bits & CHUNK_MASK) { - CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1; + CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1; n->limp[n->chunks - 1] &= m; } n->dirty = 1; @@ -169,7 +169,7 @@ int b2n_set_ui(b2n_ptr n, unsigned int val) { #if CHUNK_BITS < 32 - int i, chunks; + int i, chunks; chunks = (CHUNK_BYTES - 1 + sizeof(val)) / CHUNK_BYTES; @@ -193,7 +193,7 @@ b2n_set_ui(b2n_ptr n, unsigned int val) int b2n_set_str(b2n_ptr n, char *str) { - int i, j, w, len, chunks; + int i, j, w, len, chunks; CHUNK_TYPE tmp; if (strncasecmp(str, "0x", 2)) @@ -216,8 +216,8 @@ b2n_set_str(b2n_ptr n, char *str) for (w = 0, i = 0; i < chunks; i++) { tmp = 0; - for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES); j > 0; - j--) { + for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES); + j > 0; j--) { tmp <<= 8; tmp |= (hex2int(str[w]) << 4) | hex2int(str[w + 1]); w += 2; @@ -281,9 +281,10 @@ b2n_snprint(char *buf, size_t sz, b2n_ptr n) tmp >>= 8; } - for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0 && k < sz - 3; j--) + for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0 + && k < sz - 3; j--) if (flag || (i == n->chunks - 1 && j == 0) || - buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') { + buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') { buf[k++] = buffer[2 * j]; buf[k++] = buffer[2 * j + 1]; flag = 1; @@ -299,7 +300,7 @@ b2n_snprint(char *buf, size_t sz, b2n_ptr n) u_int32_t b2n_sigbit(b2n_ptr n) { - int i, j; + int i, j; if (!n->dirty) return n->bits; @@ -367,8 +368,8 @@ b2n_add(b2n_ptr d, b2n_ptr a, b2n_ptr b) int b2n_cmp(b2n_ptr n, b2n_ptr m) { - int sn, sm; - int i; + int sn, sm; + int i; sn = b2n_sigbit(n); sm = b2n_sigbit(m); @@ -390,7 +391,7 @@ b2n_cmp(b2n_ptr n, b2n_ptr m) int b2n_cmp_null(b2n_ptr a) { - int i = 0; + int i = 0; do { if (a->limp[i]) @@ -416,7 +417,7 @@ b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s) min = s & CHUNK_MASK; add = (!(bits & CHUNK_MASK) || ((bits & CHUNK_MASK) + min) > CHUNK_MASK) - ? 1 : 0; + ? 1 : 0; chunks = n->chunks; if (b2n_resize(d, chunks + maj + add)) return -1; @@ -448,8 +449,8 @@ b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s) int b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s) { - int maj, min, size = n->chunks, newsize; - b2n_ptr tmp; + int maj, min, size = n->chunks, newsize; + b2n_ptr tmp; if (!s) return b2n_set(d, n); @@ -484,8 +485,8 @@ b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s) int b2n_mul(b2n_ptr d, b2n_ptr n, b2n_ptr m) { - int i, j; - b2n_t tmp, tmp2; + int i, j; + b2n_t tmp, tmp2; if (!b2n_cmp_null(m) || !b2n_cmp_null(n)) return b2n_set_null(d); @@ -537,8 +538,8 @@ fail: int b2n_square(b2n_ptr d, b2n_ptr n) { - int i, j, maj, min, bits, chunk; - b2n_t t; + int i, j, maj, min, bits, chunk; + b2n_t t; maj = b2n_sigbit(n); min = maj & CHUNK_MASK; @@ -580,8 +581,8 @@ b2n_square(b2n_ptr d, b2n_ptr n) int b2n_div_q(b2n_ptr d, b2n_ptr n, b2n_ptr m) { - b2n_t r; - int rv; + b2n_t r; + int rv; b2n_init(r); rv = b2n_div(d, r, n, m); @@ -592,8 +593,8 @@ b2n_div_q(b2n_ptr d, b2n_ptr n, b2n_ptr m) int b2n_div_r(b2n_ptr r, b2n_ptr n, b2n_ptr m) { - b2n_t q; - int rv; + b2n_t q; + int rv; b2n_init(q); rv = b2n_div(q, r, n, m); @@ -604,9 +605,9 @@ b2n_div_r(b2n_ptr r, b2n_ptr n, b2n_ptr m) int b2n_div(b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m) { - int i, j, len, bits; - u_int32_t sm, sn; - b2n_t nenn, div, shift, mask; + int i, j, len, bits; + u_int32_t sm, sn; + b2n_t nenn, div, shift, mask; /* If Teiler > Zaehler, the result is 0 */ if ((sm = b2n_sigbit(m)) > (sn = b2n_sigbit(n))) { @@ -651,8 +652,8 @@ b2n_div(b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m) /* The first iteration is done over the relevant bits */ bits = (CHUNK_MASK + sn) & CHUNK_MASK; for (i = len; i >= 0 && b2n_sigbit(nenn) >= sm; i--) - for (j = (i == len ? bits : CHUNK_MASK); j >= 0 && b2n_sigbit(nenn) >= sm; - j--) { + for (j = (i == len ? bits : CHUNK_MASK); j >= 0 + && b2n_sigbit(nenn) >= sm; j--) { if (nenn->limp[i] & b2n_mask[j]) { if (b2n_sub(nenn, nenn, shift)) goto fail; @@ -685,7 +686,7 @@ fail: int b2n_mod(b2n_ptr m, b2n_ptr n, b2n_ptr p) { - int bits, size; + int bits, size; if (b2n_div_r(m, n, p)) return -1; @@ -706,7 +707,7 @@ b2n_mod(b2n_ptr m, b2n_ptr n, b2n_ptr p) int b2n_gcd(b2n_ptr e, b2n_ptr go, b2n_ptr ho) { - b2n_t g, h; + b2n_t g, h; b2n_init(g); b2n_init(h); @@ -736,7 +737,7 @@ fail: int b2n_mul_inv(b2n_ptr ga, b2n_ptr be, b2n_ptr p) { - b2n_t a; + b2n_t a; b2n_init(a); if (b2n_set_ui(a, 1)) @@ -756,7 +757,7 @@ fail: int b2n_div_mod(b2n_ptr ga, b2n_ptr a, b2n_ptr be, b2n_ptr p) { - b2n_t s0, s1, s2, q, r0, r1; + b2n_t s0, s1, s2, q, r0, r1; /* There is no multiplicative inverse to Null. */ if (!b2n_cmp_null(be)) @@ -823,8 +824,8 @@ fail: int b2n_trace(b2n_ptr ho, b2n_ptr a, b2n_ptr p) { - int i, m = b2n_sigbit(p) - 1; - b2n_t h; + int i, m = b2n_sigbit(p) - 1; + b2n_t h; b2n_init(h); if (b2n_set(h, a)) @@ -856,8 +857,8 @@ fail: int b2n_halftrace(b2n_ptr ho, b2n_ptr a, b2n_ptr p) { - int i, m = b2n_sigbit(p) - 1; - b2n_t h; + int i, m = b2n_sigbit(p) - 1; + b2n_t h; b2n_init(h); if (b2n_set(h, a)) @@ -894,8 +895,8 @@ fail: int b2n_sqrt(b2n_ptr zo, b2n_ptr b, b2n_ptr ip) { - int i, m = b2n_sigbit(ip) - 1; - b2n_t w, p, temp, z; + int i, m = b2n_sigbit(ip) - 1; + b2n_t w, p, temp, z; if (!b2n_cmp_null(b)) return b2n_set_null(z); @@ -960,7 +961,7 @@ fail: int b2n_exp_mod(b2n_ptr d, b2n_ptr b0, u_int32_t e, b2n_ptr p) { - b2n_t u, b; + b2n_t u, b; b2n_init(u); b2n_init(b); @@ -1005,9 +1006,9 @@ fail: int b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0) { - int i, carry; - b2n_ptr a, b; - b2n_t d; + int i, carry; + b2n_ptr a, b; + b2n_t d; if (!b2n_cmp_null(a0)) return b2n_set(d0, b0); @@ -1047,8 +1048,8 @@ b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0) int b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b) { - int i, carry; - b2n_t d; + int i, carry; + b2n_t d; if (b2n_cmp(a, b) <= 0) return b2n_set_null(d0); @@ -1082,7 +1083,7 @@ b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b) int b2n_3mul(b2n_ptr d0, b2n_ptr e) { - b2n_t d; + b2n_t d; b2n_init(d); if (b2n_lshift(d, e, 1)) diff --git a/sbin/isakmpd/math_ec2n.c b/sbin/isakmpd/math_ec2n.c index 5843ba1c8b3..c06b37cb311 100644 --- a/sbin/isakmpd/math_ec2n.c +++ b/sbin/isakmpd/math_ec2n.c @@ -1,4 +1,4 @@ -/* $OpenBSD: math_ec2n.c,v 1.10 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: math_ec2n.c,v 1.11 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: math_ec2n.c,v 1.9 1999/04/20 09:23:31 niklas Exp $ */ /* @@ -98,7 +98,7 @@ ec2ng_set(ec2ng_ptr d, ec2ng_ptr n) int ec2np_right(b2n_ptr n, ec2np_ptr p, ec2ng_ptr g) { - b2n_t temp; + b2n_t temp; b2n_init(temp); @@ -134,9 +134,8 @@ fail: int ec2np_ison(ec2np_ptr p, ec2ng_ptr g) { - int res; - - b2n_t x, y, temp; + int res; + b2n_t x, y, temp; if (p->inf) return 1; @@ -180,7 +179,7 @@ fail: int ec2np_find_y(ec2np_ptr p, ec2ng_ptr g) { - b2n_t right; + b2n_t right; b2n_init(right); @@ -217,8 +216,8 @@ fail: int ec2np_add(ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g) { - b2n_t lambda, temp; - ec2np_t pn; + b2n_t lambda, temp; + ec2np_t pn; /* Check for Neutral Element */ if (b->inf) @@ -226,7 +225,8 @@ ec2np_add(ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g) if (a->inf) return ec2np_set(d, b); - if (!b2n_cmp(a->x, b->x) && (b2n_cmp(a->y, b->y) || !b2n_cmp_null(a->x))) { + if (!b2n_cmp(a->x, b->x) && (b2n_cmp(a->y, b->y) || + !b2n_cmp_null(a->x))) { d->inf = 1; if (b2n_set_null(d->x)) return -1; @@ -303,9 +303,9 @@ fail: int ec2np_mul(ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g) { - int i, j, bits, start; - b2n_t h, k; - ec2np_t q, mina; + int i, j, bits, start; + b2n_t h, k; + ec2np_t q, mina; if (!b2n_cmp_null(e)) { d->inf = 1; @@ -356,10 +356,12 @@ ec2np_mul(ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g) if (i > 0 || j > 0) { if (ec2np_add(q, q, q, g)) goto fail; - if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i] & b2n_mask[j])) { + if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i] + & b2n_mask[j])) { if (ec2np_add(q, q, a, g)) goto fail; - } else if (!(h->limp[i] & b2n_mask[j]) && (k->limp[i] & b2n_mask[j])) + } else if (!(h->limp[i] & b2n_mask[j]) + && (k->limp[i] & b2n_mask[j])) if (ec2np_add(q, q, mina, g)) goto fail; } diff --git a/sbin/isakmpd/math_ec2n.h b/sbin/isakmpd/math_ec2n.h index 078eb4b19d9..247f84aecc5 100644 --- a/sbin/isakmpd/math_ec2n.h +++ b/sbin/isakmpd/math_ec2n.h @@ -1,4 +1,4 @@ -/* $OpenBSD: math_ec2n.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: math_ec2n.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: math_ec2n.h,v 1.4 1999/04/17 23:20:37 niklas Exp $ */ /* @@ -54,9 +54,9 @@ typedef _ec2n_point ec2np_t[1]; } \ while (0) -void ec2np_init(ec2np_ptr); -void ec2np_clear(ec2np_ptr); -int ec2np_set(ec2np_ptr, ec2np_ptr); +void ec2np_init(ec2np_ptr); +void ec2np_clear(ec2np_ptr); +int ec2np_set(ec2np_ptr, ec2np_ptr); #define ec2np_set_x_ui(n, y) b2n_set_ui ((n)->x, y) #define ec2np_set_y_ui(n, x) b2n_set_ui ((n)->y, x) @@ -72,9 +72,9 @@ typedef struct { typedef _ec2n_group *ec2ng_ptr; typedef _ec2n_group ec2ng_t[1]; -void ec2ng_init(ec2ng_ptr); -void ec2ng_clear(ec2ng_ptr); -int ec2ng_set(ec2ng_ptr, ec2ng_ptr); +void ec2ng_init(ec2ng_ptr); +void ec2ng_clear(ec2ng_ptr); +int ec2ng_set(ec2ng_ptr, ec2ng_ptr); #define ec2ng_set_a_ui(n, x) b2n_set_ui ((n)->a, x) #define ec2ng_set_b_ui(n, x) b2n_set_ui ((n)->b, x) @@ -85,10 +85,10 @@ int ec2ng_set(ec2ng_ptr, ec2ng_ptr); /* Functions for computing on the elliptic group. */ -int ec2np_add(ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr); -int ec2np_find_y(ec2np_ptr, ec2ng_ptr); -int ec2np_ison(ec2np_ptr, ec2ng_ptr); -int ec2np_mul(ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr); -int ec2np_right(b2n_ptr n, ec2np_ptr, ec2ng_ptr); +int ec2np_add(ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr); +int ec2np_find_y(ec2np_ptr, ec2ng_ptr); +int ec2np_ison(ec2np_ptr, ec2ng_ptr); +int ec2np_mul(ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr); +int ec2np_right(b2n_ptr n, ec2np_ptr, ec2ng_ptr); #endif /* _MATH_2N_H_ */ diff --git a/sbin/isakmpd/math_group.c b/sbin/isakmpd/math_group.c index 124a58b97d1..c723a81d1a4 100644 --- a/sbin/isakmpd/math_group.c +++ b/sbin/isakmpd/math_group.c @@ -1,4 +1,4 @@ -/* $OpenBSD: math_group.c,v 1.21 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: math_group.c,v 1.22 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: math_group.c,v 1.25 2000/04/07 19:53:26 niklas Exp $ */ /* @@ -44,17 +44,17 @@ #include "math_mp.h" /* We do not want to export these definitions. */ -int modp_getlen(struct group *); -void modp_getraw(struct group *, math_mp_t, u_int8_t *); -int modp_setraw(struct group *, math_mp_t, u_int8_t *, int); -int modp_setrandom(struct group *, math_mp_t); -int modp_operation(struct group *, math_mp_t, math_mp_t, math_mp_t); - -int ec2n_getlen(struct group *); -void ec2n_getraw(struct group *, ec2np_ptr, u_int8_t *); -int ec2n_setraw(struct group *, ec2np_ptr, u_int8_t *, int); -int ec2n_setrandom(struct group *, ec2np_ptr); -int ec2n_operation(struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr); +int modp_getlen(struct group *); +void modp_getraw(struct group *, math_mp_t, u_int8_t *); +int modp_setraw(struct group *, math_mp_t, u_int8_t *, int); +int modp_setrandom(struct group *, math_mp_t); +int modp_operation(struct group *, math_mp_t, math_mp_t, math_mp_t); + +int ec2n_getlen(struct group *); +void ec2n_getraw(struct group *, ec2np_ptr, u_int8_t *); +int ec2n_setraw(struct group *, ec2np_ptr, u_int8_t *, int); +int ec2n_setrandom(struct group *, ec2np_ptr); +int ec2n_operation(struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr); struct ec2n_group { ec2np_t gen; /* Generator */ @@ -280,17 +280,17 @@ struct modp_dscr oakley_modp[] = */ struct ec2n_dscr oakley_ec2n[] = { - {OAKLEY_GRP_3, 76, /* This group is also considered insecure + { OAKLEY_GRP_3, 76, /* This group is also considered insecure * (P1363) */ - "0x0800000000000000000000004000000000000001", - "0x7b", - "0x00", - "0x7338f"}, - {OAKLEY_GRP_4, 91, - "0x020000000000000000000000000000200000000000000001", - "0x18", - "0x00", - "0x1ee9"}, + "0x0800000000000000000000004000000000000001", + "0x7b", + "0x00", + "0x7338f" }, + { OAKLEY_GRP_4, 91, + "0x020000000000000000000000000000200000000000000001", + "0x18", + "0x00", + "0x1ee9" }, }; #endif /* USE_EC */ @@ -424,7 +424,7 @@ struct group groups[] = { void group_init(void) { - int i; + int i; for (i = sizeof(groups) / sizeof(groups[0]) - 1; i >= 0; i--) switch (groups[i].type) { @@ -442,13 +442,13 @@ group_init(void) break; default: - log_print("Unknown group type %d at index %d in group_init().", - groups[i].type, i); + log_print("Unknown group type %d at index %d in " + "group_init().", groups[i].type, i); break; } } -struct group * +struct group * group_get(u_int32_t id) { struct group *new, *clone; @@ -461,7 +461,8 @@ group_get(u_int32_t id) new = malloc(sizeof *new); if (!new) { - log_error("group_get: malloc (%lu) failed", (unsigned long) sizeof *new); + log_error("group_get: malloc (%lu) failed", + (unsigned long)sizeof *new); return 0; } switch (clone->type) { @@ -484,7 +485,7 @@ group_get(u_int32_t id) } void -group_free(struct group * grp) +group_free(struct group *grp) { switch (grp->type) { #ifdef USE_EC @@ -502,15 +503,15 @@ group_free(struct group * grp) free(grp); } -struct group * -modp_clone(struct group * new, struct group * clone) +struct group * +modp_clone(struct group *new, struct group *clone) { struct modp_group *new_grp, *clone_grp = clone->group; new_grp = malloc(sizeof *new_grp); if (!new_grp) { log_print("modp_clone: malloc (%lu) failed", - (unsigned long) sizeof *new_grp); + (unsigned long)sizeof *new_grp); free(new); return 0; } @@ -542,7 +543,7 @@ modp_clone(struct group * new, struct group * clone) } void -modp_free(struct group * old) +modp_free(struct group *old) { struct modp_group *grp = old->group; @@ -564,14 +565,15 @@ modp_free(struct group * old) } void -modp_init(struct group * group) +modp_init(struct group *group) { - struct modp_dscr *dscr = (struct modp_dscr *) group->group; + struct modp_dscr *dscr = (struct modp_dscr *)group->group; struct modp_group *grp; grp = malloc(sizeof *grp); if (!grp) - log_fatal("modp_init: malloc (%lu) failed", (unsigned long) sizeof *grp); + log_fatal("modp_init: malloc (%lu) failed", + (unsigned long)sizeof *grp); group->bits = dscr->bits; @@ -602,15 +604,15 @@ modp_init(struct group * group) } #ifdef USE_EC -struct group * -ec2n_clone(struct group * new, struct group * clone) +struct group * +ec2n_clone(struct group *new, struct group *clone) { struct ec2n_group *new_grp, *clone_grp = clone->group; new_grp = malloc(sizeof *new_grp); if (!new_grp) { log_error("ec2n_clone: malloc (%lu) failed", - (unsigned long) sizeof *new_grp); + (unsigned long)sizeof *new_grp); free(new); return 0; } @@ -648,7 +650,7 @@ fail: } void -ec2n_free(struct group * old) +ec2n_free(struct group *old) { struct ec2n_group *grp = old->group; @@ -662,14 +664,15 @@ ec2n_free(struct group * old) } void -ec2n_init(struct group * group) +ec2n_init(struct group *group) { - struct ec2n_dscr *dscr = (struct ec2n_dscr *) group->group; + struct ec2n_dscr *dscr = (struct ec2n_dscr *)group->group; struct ec2n_group *grp; grp = malloc(sizeof *grp); if (!grp) - log_fatal("ec2n_init: malloc (%lu) failed", (unsigned long) sizeof *grp); + log_fatal("ec2n_init: malloc (%lu) failed", + (unsigned long)sizeof *grp); group->bits = dscr->bits; @@ -711,28 +714,28 @@ fail: #endif /* USE_EC */ int -modp_getlen(struct group * group) +modp_getlen(struct group *group) { - struct modp_group *grp = (struct modp_group *) group->group; + struct modp_group *grp = (struct modp_group *)group->group; return mpz_sizeinoctets(grp->p); } void -modp_getraw(struct group * grp, math_mp_t v, u_int8_t * d) +modp_getraw(struct group *grp, math_mp_t v, u_int8_t *d) { mpz_getraw(d, v, grp->getlen(grp)); } int -modp_setraw(struct group * grp, math_mp_t d, u_int8_t * s, int l) +modp_setraw(struct group *grp, math_mp_t d, u_int8_t *s, int l) { mpz_setraw(d, s, l); return 0; } int -modp_setrandom(struct group * grp, math_mp_t d) +modp_setrandom(struct group *grp, math_mp_t d) { int i, l = grp->getlen(grp); u_int32_t tmp = 0; @@ -760,9 +763,9 @@ modp_setrandom(struct group * grp, math_mp_t d) } int -modp_operation(struct group * group, math_mp_t d, math_mp_t a, math_mp_t e) +modp_operation(struct group *group, math_mp_t d, math_mp_t a, math_mp_t e) { - struct modp_group *grp = (struct modp_group *) group->group; + struct modp_group *grp = (struct modp_group *)group->group; #if MP_FLAVOUR == MP_FLAVOUR_GMP mpz_powm(d, a, e, grp->p); @@ -776,16 +779,16 @@ modp_operation(struct group * group, math_mp_t d, math_mp_t a, math_mp_t e) #ifdef USE_EC int -ec2n_getlen(struct group * group) +ec2n_getlen(struct group *group) { - struct ec2n_group *grp = (struct ec2n_group *) group->group; - int bits = b2n_sigbit(grp->grp->p) - 1; + struct ec2n_group *grp = (struct ec2n_group *)group->group; + int bits = b2n_sigbit(grp->grp->p) - 1; return (7 + bits) >> 3; } void -ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e) +ec2n_getraw(struct group *group, ec2np_ptr xo, u_int8_t *e) { struct ec2n_group *grp = (struct ec2n_group *) group->group; int chunks, bytes, i, j; @@ -798,7 +801,8 @@ ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e) for (i = chunks - 1; i >= 0; i--) { tmp = (i >= x->chunks ? 0 : x->limp[i]); - for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0; j--) { + for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0; + j--) { e[j] = tmp & 0xff; tmp >>= 8; } @@ -807,7 +811,7 @@ ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e) } int -ec2n_setraw(struct group * grp, ec2np_ptr out, u_int8_t * s, int l) +ec2n_setraw(struct group *grp, ec2np_ptr out, u_int8_t *s, int l) { int len, bytes, i, j; b2n_ptr outx = out->x; @@ -831,7 +835,7 @@ ec2n_setraw(struct group * grp, ec2np_ptr out, u_int8_t * s, int l) } int -ec2n_setrandom(struct group * group, ec2np_ptr x) +ec2n_setrandom(struct group *group, ec2np_ptr x) { b2n_ptr d = x->x; struct ec2n_group *grp = (struct ec2n_group *) group->group; @@ -847,10 +851,10 @@ ec2n_setrandom(struct group * group, ec2np_ptr x) * set to zero. */ int -ec2n_operation(struct group * grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e) +ec2n_operation(struct group *grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e) { b2n_ptr ex = e->x; - struct ec2n_group *group = (struct ec2n_group *) grp->group; + struct ec2n_group *group = (struct ec2n_group *)grp->group; if (a->y->chunks == 0) if (ec2np_find_y(a, group->grp)) diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c index 72bb3f0c9a9..24e77b01719 100644 --- a/sbin/isakmpd/message.c +++ b/sbin/isakmpd/message.c @@ -1,4 +1,4 @@ -/* $OpenBSD: message.c,v 1.72 2004/04/29 22:36:26 hshoexer Exp $ */ +/* $OpenBSD: message.c,v 1.73 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */ /* @@ -95,12 +95,13 @@ static int message_validate_vendor(struct message *, struct payload *); static void message_packet_log(struct message *); -static int (*message_validate_payload[]) (struct message *, struct payload *) = +static int (*message_validate_payload[])(struct message *, struct payload *) = { - message_validate_sa, message_validate_proposal, message_validate_transform, - message_validate_key_exch, message_validate_id, message_validate_cert, - message_validate_cert_req, message_validate_hash, message_validate_sig, - message_validate_nonce, message_validate_notify, message_validate_delete, + message_validate_sa, message_validate_proposal, + message_validate_transform, message_validate_key_exch, + message_validate_id, message_validate_cert, message_validate_cert_req, + message_validate_hash, message_validate_sig, message_validate_nonce, + message_validate_notify, message_validate_delete, message_validate_vendor, message_validate_attribute }; @@ -125,7 +126,7 @@ static u_int32_t last_xf_no; * segment buffer sized SZ, copied from BUF if given. */ struct message * -message_alloc(struct transport * t, u_int8_t * buf, size_t sz) +message_alloc(struct transport *t, u_int8_t *buf, size_t sz) { struct message *msg; int i; @@ -134,7 +135,7 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz) * We use calloc(3) because it zeroes the structure which we rely on in * message_free when determining what sub-allocations to free. */ - msg = (struct message *) calloc(1, sizeof *msg); + msg = (struct message *)calloc(1, sizeof *msg); if (!msg) return 0; msg->iov = calloc(1, sizeof *msg->iov); @@ -151,7 +152,8 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz) msg->iovlen = 1; if (buf) memcpy(msg->iov[0].iov_base, buf, sz); - msg->nextp = (u_int8_t *) msg->iov[0].iov_base + ISAKMP_HDR_NEXT_PAYLOAD_OFF; + msg->nextp = (u_int8_t *)msg->iov[0].iov_base + + ISAKMP_HDR_NEXT_PAYLOAD_OFF; msg->transport = t; transport_reference(t); for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++) @@ -166,7 +168,7 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz) * ISAKMP header as the first segment. */ struct message * -message_alloc_reply(struct message * msg) +message_alloc_reply(struct message *msg) { struct message *reply; @@ -180,7 +182,7 @@ message_alloc_reply(struct message * msg) /* Free up all resources used by the MSG message. */ void -message_free(struct message * msg) +message_free(struct message *msg) { u_int32_t i; struct payload *payload, *next; @@ -199,12 +201,14 @@ message_free(struct message * msg) if (msg->retrans) timer_remove_event(msg->retrans); for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++) - for (payload = TAILQ_FIRST(&msg->payload[i]); payload; payload = next) { + for (payload = TAILQ_FIRST(&msg->payload[i]); payload; + payload = next) { next = TAILQ_NEXT(payload, link); free(payload); } while (TAILQ_FIRST(&msg->post_send) != 0) - TAILQ_REMOVE(&msg->post_send, TAILQ_FIRST(&msg->post_send), link); + TAILQ_REMOVE(&msg->post_send, TAILQ_FIRST(&msg->post_send), + link); /* If we are on the send queue, remove us from there. */ if (msg->flags & MSG_IN_TRANSIT) { @@ -230,10 +234,9 @@ message_free(struct message * msg) * parsed payloads. */ static int -message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next, - u_int8_t * buf, set * accepted_payloads, - int (*func) (struct message *, struct payload *, - u_int8_t, u_int8_t *)) +message_parse_payloads(struct message *msg, struct payload *p, u_int8_t next, + u_int8_t *buf, set *accepted_payloads, int (*func)(struct message *, + struct payload *, u_int8_t, u_int8_t *)) { u_int8_t payload; u_int16_t len; @@ -242,14 +245,15 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next, do { LOG_DBG((LOG_MESSAGE, 50, "message_parse_payloads: offset %ld payload %s", - (long) (buf - (u_int8_t *) msg->iov[0].iov_base), + (long)(buf - (u_int8_t *) msg->iov[0].iov_base), constant_name(isakmp_payload_cst, next))); /* Does this payload's header fit? */ - if (buf + ISAKMP_GEN_SZ - > (u_int8_t *) msg->iov[0].iov_base + msg->iov[0].iov_len) { + if (buf + ISAKMP_GEN_SZ > (u_int8_t *)msg->iov[0].iov_base + + msg->iov[0].iov_len) { log_print("message_parse_payloads: short message"); - message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, + 0, 1, 1); return -1; } /* Ponder on the payload that is at BUF... */ @@ -259,16 +263,19 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next, next = GET_ISAKMP_GEN_NEXT_PAYLOAD(buf); if (next >= ISAKMP_PAYLOAD_RESERVED_MIN && next <= ISAKMP_PAYLOAD_RESERVED_MAX) { - log_print("message_parse_payloads: invalid next payload type %d " - "in payload of type %d", next, payload); - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1); + log_print("message_parse_payloads: invalid next " + "payload type %d in payload of type %d", next, + payload); + message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, + 0, 1, 1); return -1; } /* Reserved fields in ISAKMP messages should be zero. */ if (GET_ISAKMP_GEN_RESERVED(buf) != 0) { - log_print("message_parse_payloads: reserved field non-zero: %x", - GET_ISAKMP_GEN_RESERVED(buf)); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + log_print("message_parse_payloads: reserved field " + "non-zero: %x", GET_ISAKMP_GEN_RESERVED(buf)); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 1); return -1; } /* @@ -279,17 +286,23 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next, if (message_payload_sz(payload) == 0) { log_print("message_parse_payloads: unknown minimum " "payload size for payload type %u", payload); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 1); return -1; } if (len < message_payload_sz(payload)) { - log_print("message_parse_payloads: payload too short: %u", len); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + log_print("message_parse_payloads: payload too " + "short: %u", len); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 1); return -1; } - if (buf + len > (u_int8_t *) msg->iov[0].iov_base + msg->iov[0].iov_len) { - log_print("message_parse_payloads: payload too long: %u", len); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + if (buf + len > (u_int8_t *)msg->iov[0].iov_base + + msg->iov[0].iov_len) { + log_print("message_parse_payloads: payload too " + "long: %u", len); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, + 0, 1, 1); return -1; } /* Ignore private payloads. */ @@ -304,9 +317,10 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next, * this stage. */ if (!ISSET(payload, accepted_payloads)) { - log_print("message_parse_payloads: payload type %d unexpected", - payload); - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1); + log_print("message_parse_payloads: payload type %d " + "unexpected", payload); + message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, + 0, 1, 1); return -1; } /* Call the payload handler specified by the caller. */ @@ -329,10 +343,10 @@ next_payload: * generic payload header. */ static int -message_parse_proposal(struct message * msg, struct payload * p, - u_int8_t payload, u_int8_t * buf) +message_parse_proposal(struct message *msg, struct payload *p, u_int8_t payload, + u_int8_t *buf) { - set payload_set; + set payload_set; /* Put the proposal into the proposal bucket. */ message_index_payload(msg, p, payload, buf); @@ -340,31 +354,28 @@ message_parse_proposal(struct message * msg, struct payload * p, ZERO(&payload_set); SET(ISAKMP_PAYLOAD_TRANSFORM, &payload_set); if (message_parse_payloads(msg, - TAILQ_LAST(&msg->payload - [ISAKMP_PAYLOAD_PROPOSAL], - payload_head), - ISAKMP_PAYLOAD_TRANSFORM, - buf + ISAKMP_PROP_SPI_OFF - + GET_ISAKMP_PROP_SPI_SZ(buf), - &payload_set, message_parse_transform) == -1) + TAILQ_LAST(&msg->payload[ISAKMP_PAYLOAD_PROPOSAL], payload_head), + ISAKMP_PAYLOAD_TRANSFORM, buf + ISAKMP_PROP_SPI_OFF + + GET_ISAKMP_PROP_SPI_SZ(buf), &payload_set, message_parse_transform) + == -1) return -1; return 0; } static int -message_parse_transform(struct message * msg, struct payload * p, - u_int8_t payload, u_int8_t * buf) +message_parse_transform(struct message *msg, struct payload *p, + u_int8_t payload, u_int8_t *buf) { /* Put the transform into the transform bucket. */ message_index_payload(msg, p, payload, buf); LOG_DBG((LOG_MESSAGE, 50, "Transform %d's attributes", - GET_ISAKMP_TRANSFORM_NO(buf))); + GET_ISAKMP_TRANSFORM_NO(buf))); #ifdef USE_DEBUG attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - msg->exchange->doi->debug_attribute, msg); + GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + msg->exchange->doi->debug_attribute, msg); #endif return 0; @@ -418,18 +429,19 @@ message_payload_sz(u_int8_t payload) /* Validate the attribute payload P in message MSG. */ static int -message_validate_attribute(struct message * msg, struct payload * p) +message_validate_attribute(struct message *msg, struct payload *p) { #ifdef USE_ISAKMP_CFG /* If we don't have an exchange yet, create one. */ if (!msg->exchange) { - if (zero_test((u_int8_t *) msg->iov[0].iov_base - + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) + if (zero_test((u_int8_t *) msg->iov[0].iov_base + + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) msg->exchange = exchange_setup_p1(msg, IPSEC_DOI_IPSEC); else msg->exchange = exchange_setup_p2(msg, IPSEC_DOI_IPSEC); if (!msg->exchange) { - log_print("message_validate_attribute: can not create exchange"); + log_print("message_validate_attribute: can not " + "create exchange"); message_free(msg); return -1; } @@ -440,7 +452,7 @@ message_validate_attribute(struct message * msg, struct payload * p) /* Validate the certificate payload P in message MSG. */ static int -message_validate_cert(struct message * msg, struct payload * p) +message_validate_cert(struct message *msg, struct payload *p) { if (GET_ISAKMP_CERT_ENCODING(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) { message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1); @@ -454,7 +466,7 @@ static int message_validate_cert_req(struct message * msg, struct payload * p) { struct cert_handler *cert; - size_t len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF; + size_t len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF; if (GET_ISAKMP_CERTREQ_TYPE(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) { message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1); @@ -465,9 +477,8 @@ message_validate_cert_req(struct message * msg, struct payload * p) * is included in the payload check if it can be decoded */ cert = cert_get(GET_ISAKMP_CERTREQ_TYPE(p->p)); - if (!cert - || (len && !cert->certreq_validate(p->p + ISAKMP_CERTREQ_AUTHORITY_OFF, - len))) { + if (!cert || (len && !cert->certreq_validate(p->p + + ISAKMP_CERTREQ_AUTHORITY_OFF, len))) { message_drop(msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1, 1); return -1; } @@ -479,14 +490,14 @@ message_validate_cert_req(struct message * msg, struct payload * p) * an exchange if we do not have one already. */ static int -message_validate_delete(struct message * msg, struct payload * p) +message_validate_delete(struct message *msg, struct payload *p) { u_int8_t proto = GET_ISAKMP_DELETE_PROTO(p->p); struct doi *doi; struct sa *sa, *isakmp_sa; struct sockaddr *dst, *dst_isa; u_int32_t nspis = GET_ISAKMP_DELETE_NSPIS(p->p); - u_int8_t *spis = (u_int8_t *) p->p + ISAKMP_DELETE_SPI_OFF; + u_int8_t *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF; u_int32_t i; char *addr; @@ -504,7 +515,8 @@ message_validate_delete(struct message * msg, struct payload * p) else msg->exchange = exchange_setup_p2(msg, doi->id); if (!msg->exchange) { - log_print("message_validate_delete: can not create exchange"); + log_print("message_validate_delete: can not create " + "exchange"); message_free(msg); return -1; } @@ -520,22 +532,25 @@ message_validate_delete(struct message * msg, struct payload * p) isakmp_sa = msg->isakmp_sa; if (!isakmp_sa) { /* XXX should not happen? */ - log_print("message_validate_delete: invalid spi " - "(no valid ISAKMP SA found)"); + log_print("message_validate_delete: invalid spi (no " + "valid ISAKMP SA found)"); message_free(msg); return -1; } - isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport, &dst_isa); + isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport, + &dst_isa); /* Get SA to be deleted. */ msg->transport->vtbl->get_dst(msg->transport, &dst); if (proto == ISAKMP_PROTO_ISAKMP) - sa = sa_lookup_isakmp_sa(dst, spis + i * ISAKMP_HDR_COOKIES_LEN); + sa = sa_lookup_isakmp_sa(dst, spis + i + * ISAKMP_HDR_COOKIES_LEN); else - sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i], proto); + sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i], + proto); if (!sa) { - LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: invalid spi " - "(no valid SA found)")); + LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: " + "invalid spi (no valid SA found)")); message_free(msg); return -1; } @@ -543,12 +558,12 @@ message_validate_delete(struct message * msg, struct payload * p) /* Destination addresses must match. */ if (dst->sa_family != dst_isa->sa_family || - memcmp(sockaddr_addrdata(dst_isa), sockaddr_addrdata(dst), - sockaddr_addrlen(dst))) { + memcmp(sockaddr_addrdata(dst_isa), sockaddr_addrdata(dst), + sockaddr_addrlen(dst))) { sockaddr2text(dst_isa, &addr, 0); log_print("message_validate_delete: invalid spi " - "(illegal delete request from %s)", addr); + "(illegal delete request from %s)", addr); free(addr); message_free(msg); return -1; @@ -564,7 +579,7 @@ message_validate_delete(struct message * msg, struct payload * p) * except INFORMATIONAL. This should be actually done here. */ static int -message_validate_hash(struct message * msg, struct payload * p) +message_validate_hash(struct message *msg, struct payload *p) { struct sa *isakmp_sa = msg->isakmp_sa; struct ipsec_sa *isa; @@ -580,7 +595,8 @@ message_validate_hash(struct message * msg, struct payload * p) if (isakmp_sa == NULL) { log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 1); return -1; } isa = isakmp_sa->data; @@ -588,27 +604,30 @@ message_validate_hash(struct message * msg, struct payload * p) if (hash == NULL) { log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 1); return -1; } /* If no SKEYID_a, we can not do anything (should not happen). */ if (!isa->skeyid_a) { log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 1); return -1; } /* Allocate the prf and start calculating our HASH(1). */ - LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a", isa->skeyid_a, - isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len); + LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a", + isa->skeyid_a, isa->skeyid_len)); + prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, + isa->skeyid_len); if (!prf) { message_free(msg); return -1; } - comp_hash = (u_int8_t *) malloc(hash->hashsize); + comp_hash = (u_int8_t *)malloc(hash->hashsize); if (!comp_hash) { log_error("message_validate_hash: malloc (%lu) failed", - (unsigned long) hash->hashsize); + (unsigned long)hash->hashsize); prf_free(prf); message_free(msg); return -1; @@ -618,22 +637,24 @@ message_validate_hash(struct message * msg, struct payload * p) prf->Init(prf->prfctx); LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: message_id", - message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); + message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update(prf->prfctx, message_id, ISAKMP_HDR_MESSAGE_ID_LEN); rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p); - rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) - - (rest - (u_int8_t *) msg->iov[0].iov_base)); - LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: payloads after HASH(1)", - rest, rest_len)); + rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) - (rest - + (u_int8_t *)msg->iov[0].iov_base)); + LOG_DBG_BUF((LOG_MISC, 90, + "message_validate_hash: payloads after HASH(1)", rest, rest_len)); prf->Update(prf->prfctx, rest, rest_len); prf->Final(comp_hash, prf->prfctx); prf_free(prf); if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash, hash->hashsize)) { - log_print("message_validate_hash: invalid hash value for %s payload", - TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_DELETE]) - ? "DELETE" : "NOTIFY"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); + log_print("message_validate_hash: invalid hash value for " + "%s payload", + TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_DELETE]) ? + "DELETE" : "NOTIFY"); + message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, + 0, 1, 0); free(comp_hash); return -1; } @@ -647,7 +668,7 @@ message_validate_hash(struct message * msg, struct payload * p) /* Validate the identification payload P in message MSG. */ static int -message_validate_id(struct message * msg, struct payload * p) +message_validate_id(struct message *msg, struct payload *p) { struct exchange *exchange = msg->exchange; size_t len = GET_ISAKMP_GEN_LENGTH(p->p); @@ -659,11 +680,9 @@ message_validate_id(struct message * msg, struct payload * p) return -1; } if (exchange->doi - && exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p), - p->p + ISAKMP_ID_DOI_DATA_OFF, - p->p + ISAKMP_ID_DATA_OFF, - len - ISAKMP_ID_DATA_OFF, - exchange)) { + && exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p), + p->p + ISAKMP_ID_DOI_DATA_OFF, p->p + ISAKMP_ID_DATA_OFF, len - + ISAKMP_ID_DATA_OFF, exchange)) { message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 1); return -1; } @@ -672,7 +691,7 @@ message_validate_id(struct message * msg, struct payload * p) /* Validate the key exchange payload P in message MSG. */ static int -message_validate_key_exch(struct message * msg, struct payload * p) +message_validate_key_exch(struct message *msg, struct payload *p) { struct exchange *exchange = msg->exchange; size_t len = GET_ISAKMP_GEN_LENGTH(p->p); @@ -683,10 +702,10 @@ message_validate_key_exch(struct message * msg, struct payload * p) message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); return -1; } - if (exchange->doi - && exchange->doi->validate_key_information(p->p + ISAKMP_KE_DATA_OFF, - len - ISAKMP_KE_DATA_OFF)) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION, 0, 1, 1); + if (exchange->doi && exchange->doi->validate_key_information(p->p + + ISAKMP_KE_DATA_OFF, len - ISAKMP_KE_DATA_OFF)) { + message_drop(msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION, + 0, 1, 1); return -1; } return 0; @@ -694,7 +713,7 @@ message_validate_key_exch(struct message * msg, struct payload * p) /* Validate the nonce payload P in message MSG. */ static int -message_validate_nonce(struct message * msg, struct payload * p) +message_validate_nonce(struct message *msg, struct payload *p) { if (!msg->exchange) { /* We should have an exchange at this point. */ @@ -711,7 +730,7 @@ message_validate_nonce(struct message * msg, struct payload * p) * an exchange if we do not have one already. */ static int -message_validate_notify(struct message * msg, struct payload * p) +message_validate_notify(struct message *msg, struct payload *p) { u_int8_t proto = GET_ISAKMP_NOTIFY_PROTO(p->p); u_int16_t type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p); @@ -725,13 +744,14 @@ message_validate_notify(struct message * msg, struct payload * p) } /* If we don't have an exchange yet, create one. */ if (!msg->exchange) { - if (zero_test((u_int8_t *) msg->iov[0].iov_base - + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) + if (zero_test((u_int8_t *) msg->iov[0].iov_base + + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) msg->exchange = exchange_setup_p1(msg, doi->id); else msg->exchange = exchange_setup_p2(msg, doi->id); if (!msg->exchange) { - log_print("message_validate_notify: can not create exchange"); + log_print("message_validate_notify: can not create " + "exchange"); message_free(msg); return -1; } @@ -761,7 +781,7 @@ message_validate_notify(struct message * msg, struct payload * p) /* Validate the proposal payload P in message MSG. */ static int -message_validate_proposal(struct message * msg, struct payload * p) +message_validate_proposal(struct message *msg, struct payload *p) { u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->p); u_int8_t *sa = p->context->p; @@ -803,7 +823,7 @@ message_validate_proposal(struct message * msg, struct payload * p) * first due to the IANA assigned payload number? */ static int -message_validate_sa(struct message * msg, struct payload * p) +message_validate_sa(struct message *msg, struct payload *p) { set payload_set; size_t len; @@ -819,12 +839,13 @@ message_validate_sa(struct message * msg, struct payload * p) } /* * It's time to figure out what SA this message is about. If it is - * already set, then we are creating a new phase 1 SA. Otherwise, lookup - * the SA using the cookies and the message ID. If we cannot find - * it, and the phase 1 SA is ready, setup a phase 2 SA. + * already set, then we are creating a new phase 1 SA. Otherwise, + * lookup the SA using the cookies and the message ID. If we cannot + * find it, and the phase 1 SA is ready, setup a phase 2 SA. */ if (!exchange) { - if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN)) + if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF, + ISAKMP_HDR_RCOOKIE_LEN)) exchange = exchange_setup_p1(msg, doi_id); else if (msg->isakmp_sa->flags & SA_FLAG_READY) exchange = exchange_setup_p2(msg, doi_id); @@ -862,9 +883,10 @@ message_validate_sa(struct message * msg, struct payload * p) * the length of the situation field is. */ if (exchange->doi->validate_situation(p->p + ISAKMP_SA_SIT_OFF, &len, - GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) { + GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) { log_print("message_validate_sa: situation not supported"); - message_drop(msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, + 0, 1, 1); return -1; } /* @@ -878,8 +900,8 @@ message_validate_sa(struct message * msg, struct payload * p) ZERO(&payload_set); SET(ISAKMP_PAYLOAD_PROPOSAL, &payload_set); if (message_parse_payloads(msg, p, ISAKMP_PAYLOAD_PROPOSAL, - p->p + ISAKMP_SA_SIT_OFF + len, &payload_set, - message_parse_proposal) == -1) + p->p + ISAKMP_SA_SIT_OFF + len, &payload_set, + message_parse_proposal) == -1) return -1; return 0; @@ -887,7 +909,7 @@ message_validate_sa(struct message * msg, struct payload * p) /* Validate the signature payload P in message MSG. */ static int -message_validate_sig(struct message * msg, struct payload * p) +message_validate_sig(struct message *msg, struct payload *p) { if (!msg->exchange) { /* We should have an exchange at this point. */ @@ -901,7 +923,7 @@ message_validate_sig(struct message * msg, struct payload * p) /* Validate the transform payload P in message MSG. */ static int -message_validate_transform(struct message * msg, struct payload * p) +message_validate_transform(struct message *msg, struct payload *p) { u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->context->p); u_int8_t *prop = p->context->p; @@ -919,12 +941,13 @@ message_validate_transform(struct message * msg, struct payload * p) } /* Check that the reserved field is zero. */ if (!zero_test(p->p + ISAKMP_TRANSFORM_RESERVED_OFF, - ISAKMP_TRANSFORM_RESERVED_LEN)) { + ISAKMP_TRANSFORM_RESERVED_LEN)) { message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); return -1; } /* - * Check that we get monotonically increasing transform numbers per proposal. + * Check that we get monotonically increasing transform numbers per + * proposal. */ if (prop != last_prop) last_prop = prop; @@ -936,10 +959,10 @@ message_validate_transform(struct message * msg, struct payload * p) /* Validate the attributes. */ if (attribute_map(p->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(p->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - msg->exchange->doi->validate_attribute, msg)) { - message_drop(msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED, 0, 1, 1); + GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + msg->exchange->doi->validate_attribute, msg)) { + message_drop(msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED, + 0, 1, 1); return -1; } return 0; @@ -947,7 +970,7 @@ message_validate_transform(struct message * msg, struct payload * p) /* Validate the vendor payload P in message MSG. */ static int -message_validate_vendor(struct message * msg, struct payload * p) +message_validate_vendor(struct message *msg, struct payload *p) { if (!msg->exchange) { /* We should have an exchange at this point. */ @@ -971,8 +994,8 @@ message_validate_vendor(struct message * msg, struct payload * p) * node so we can go from transforms -> payloads -> SAs. */ static int -message_index_payload(struct message * msg, struct payload * p, - u_int8_t payload, u_int8_t * buf) +message_index_payload(struct message *msg, struct payload *p, u_int8_t payload, + u_int8_t *buf) { struct payload *payload_node; @@ -994,19 +1017,19 @@ message_index_payload(struct message * msg, struct payload * p, * computed message length (i.e. without padding) in msg->iov[0].iov_len. */ static int -message_sort_payloads(struct message * msg, u_int8_t next) +message_sort_payloads(struct message *msg, u_int8_t next) { - set payload_set; - int i, sz; + set payload_set; + int i, sz; ZERO(&payload_set); for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++) - if (i != ISAKMP_PAYLOAD_PROPOSAL && i != ISAKMP_PAYLOAD_TRANSFORM) + if (i != ISAKMP_PAYLOAD_PROPOSAL && i != + ISAKMP_PAYLOAD_TRANSFORM) SET(i, &payload_set); - sz = - message_parse_payloads(msg, 0, next, - (u_int8_t *) msg->iov[0].iov_base + ISAKMP_HDR_SZ, - &payload_set, message_index_payload); + sz = message_parse_payloads(msg, 0, next, + (u_int8_t *)msg->iov[0].iov_base + ISAKMP_HDR_SZ, &payload_set, + message_index_payload); if (sz == -1) return -1; msg->iov[0].iov_len = ISAKMP_HDR_SZ + sz; @@ -1016,19 +1039,20 @@ message_sort_payloads(struct message * msg, u_int8_t next) /* Run all the generic payload tests that the drafts specify. */ static int -message_validate_payloads(struct message * msg) +message_validate_payloads(struct message *msg) { int i; struct payload *p; for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++) - for (p = TAILQ_FIRST(&msg->payload[i]); p; p = TAILQ_NEXT(p, link)) { - LOG_DBG((LOG_MESSAGE, 60, - "message_validate_payloads: " - "payload %s at %p of message %p", - constant_name(isakmp_payload_cst, i), p->p, msg)); + for (p = TAILQ_FIRST(&msg->payload[i]); p; + p = TAILQ_NEXT(p, link)) { + LOG_DBG((LOG_MESSAGE, 60, "message_validate_payloads: " + "payload %s at %p of message %p", + constant_name(isakmp_payload_cst, i), p->p, msg)); field_dump_payload(fields[i - ISAKMP_PAYLOAD_SA], p->p); - if (message_validate_payload[i - ISAKMP_PAYLOAD_SA] (msg, p)) + if (message_validate_payload[i - ISAKMP_PAYLOAD_SA] + (msg, p)) return -1; } return 0; @@ -1040,7 +1064,7 @@ message_validate_payloads(struct message * msg) * the exchange this message, MSG, is part of, and feed it there. */ int -message_recv(struct message * msg) +message_recv(struct message *msg) { u_int8_t *buf = msg->iov[0].iov_base; size_t sz = msg->iov[0].iov_len; @@ -1054,7 +1078,8 @@ message_recv(struct message * msg) /* Messages shorter than an ISAKMP header are bad. */ if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) { log_print("message_recv: bad message length"); - message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1); + message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, + 0, 1, 1); return -1; } #ifdef USE_DEBUG @@ -1063,28 +1088,29 @@ message_recv(struct message * msg) #endif /* - * If the responder cookie is zero, this is a request to setup an ISAKMP SA. - * Otherwise the cookies should refer to an existing ISAKMP SA. + * If the responder cookie is zero, this is a request to setup an + * ISAKMP SA. Otherwise the cookies should refer to an existing + * ISAKMP SA. * - * XXX This is getting ugly, please reread later to see if it can be made - * nicer. + * XXX This is getting ugly, please reread later to see if it can be + * made nicer. */ setup_isakmp_sa = zero_test(buf + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN); if (setup_isakmp_sa) { /* - * This might be a retransmission of a former ISAKMP SA setup message. - * If so, just drop it. + * This might be a retransmission of a former ISAKMP SA setup + * message. If so, just drop it. * XXX Must we really look in both the SA and exchange pools? */ if (exchange_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF) - || sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)) { + || sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)) { /* - * XXX Later we should differentiate between retransmissions and - * potential replay attacks. + * XXX Later we should differentiate between + * retransmissions and potential replay attacks. */ LOG_DBG((LOG_MESSAGE, 90, - "message_recv: dropping setup for existing SA")); + "message_recv: dropping setup for existing SA")); message_free(msg); return -1; } @@ -1094,19 +1120,20 @@ message_recv(struct message * msg) sa_reference(msg->isakmp_sa); /* - * If we cannot find an ISAKMP SA out of the cookies, this is either - * a responder's first reply, and we need to upgrade our exchange, - * or it's just plain invalid cookies. + * If we cannot find an ISAKMP SA out of the cookies, this is + * either a responder's first reply, and we need to upgrade + * our exchange, or it's just plain invalid cookies. */ if (!msg->isakmp_sa) { - msg->exchange - = exchange_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF); + msg->exchange = exchange_lookup_from_icookie(buf + + ISAKMP_HDR_ICOOKIE_OFF); if (msg->exchange && msg->exchange->phase == 1 - && zero_test(msg->exchange->cookies + ISAKMP_HDR_RCOOKIE_OFF, - ISAKMP_HDR_RCOOKIE_LEN)) + && zero_test(msg->exchange->cookies + + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN)) exchange_upgrade_p1(msg); else { - log_print("message_recv: invalid cookie(s) %08x%08x %08x%08x", + log_print("message_recv: invalid cookie(s) " + "%08x%08x %08x%08x", decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF), decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF + 4), decode_32(buf + ISAKMP_HDR_RCOOKIE_OFF), @@ -1116,13 +1143,13 @@ message_recv(struct message * msg) tmp_proto.proto = ISAKMP_PROTO_ISAKMP; tmp_proto.spi_sz[1] = ISAKMP_HDR_COOKIES_LEN; tmp_proto.spi[1] = buf + ISAKMP_HDR_COOKIES_OFF; - message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE, &tmp_proto, 1, - 1); + message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE, + &tmp_proto, 1, 1); return -1; } #if 0 - msg->isakmp_sa - = sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF); + msg->isakmp_sa = sa_lookup_from_icookie(buf + + ISAKMP_HDR_ICOOKIE_OFF); if (msg->isakmp_sa) sa_isakmp_upgrade(msg); #endif @@ -1134,30 +1161,30 @@ message_recv(struct message * msg) return -1; if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) >= ISAKMP_PAYLOAD_RESERVED_MIN) { - log_print("message_recv: " - "invalid payload type %d in ISAKMP header " - "(check passphrases, if applicable and in Phase 1)", - GET_ISAKMP_HDR_NEXT_PAYLOAD(buf)); + log_print("message_recv: invalid payload type %d in ISAKMP " + "header (check passphrases, if applicable and in Phase 1)", + GET_ISAKMP_HDR_NEXT_PAYLOAD(buf)); message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1); return -1; } /* Validate that the message is of version 1.0. */ if (ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)) != 1) { log_print("message_recv: invalid version major %d", - ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf))); + ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf))); message_drop(msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1, 1); return -1; } if (ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)) != 0) { log_print("message_recv: invalid version minor %d", - ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf))); + ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf))); message_drop(msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1, 1); return -1; } /* - * Validate the exchange type. If it's a DOI-specified exchange wait until - * after all payloads have been seen for the validation as the SA payload - * might not yet have been parsed, thus the DOI might be unknown. + * Validate the exchange type. If it's a DOI-specified exchange wait + * until after all payloads have been seen for the validation as the + * SA payload might not yet have been parsed, thus the DOI might be + * unknown. */ exch_type = GET_ISAKMP_HDR_EXCH_TYPE(buf); if (exch_type == ISAKMP_EXCH_NONE @@ -1165,7 +1192,7 @@ message_recv(struct message * msg) exch_type <= ISAKMP_EXCH_FUTURE_MAX) || (setup_isakmp_sa && exch_type >= ISAKMP_EXCH_DOI_MIN)) { log_print("message_recv: invalid exchange type %s", - constant_name(isakmp_exch_cst, exch_type)); + constant_name(isakmp_exch_cst, exch_type)); message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1); return -1; } @@ -1174,10 +1201,10 @@ message_recv(struct message * msg) * have an ISAKMP SA to decrypt with. */ flags = GET_ISAKMP_HDR_FLAGS(buf); - if (flags - & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT | ISAKMP_FLAGS_AUTH_ONLY)) { + if (flags & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT | + ISAKMP_FLAGS_AUTH_ONLY)) { log_print("message_recv: invalid flags 0x%x", - GET_ISAKMP_HDR_FLAGS(buf)); + GET_ISAKMP_HDR_FLAGS(buf)); message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1); return -1; } @@ -1199,19 +1226,20 @@ message_recv(struct message * msg) */ msg->exchange = exchange_lookup(buf, 0); if (!msg->exchange) { - log_print("message_recv: phase 1 message after ISAKMP SA is ready"); + log_print("message_recv: phase 1 message after " + "ISAKMP SA is ready"); message_free(msg); return -1; } else if (msg->exchange->last_sent) { - LOG_DBG((LOG_MESSAGE, 80, - "message_recv: resending last message from phase 1")); + LOG_DBG((LOG_MESSAGE, 80, "message_recv: resending " + "last message from phase 1")); message_send(msg->exchange->last_sent); } } if (flags & ISAKMP_FLAGS_ENC) { if (!msg->isakmp_sa) { - LOG_DBG((LOG_MISC, 10, - "message_recv: no isakmp_sa for encrypted message")); + LOG_DBG((LOG_MISC, 10, "message_recv: no isakmp_sa " + "for encrypted message")); message_free(msg); return -1; } @@ -1237,11 +1265,11 @@ message_recv(struct message * msg) message_packet_log(msg); /* - * Check the overall payload structure at the same time as indexing them by - * type. + * Check the overall payload structure at the same time as indexing + * them by type. */ if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) != ISAKMP_PAYLOAD_NONE - && message_sort_payloads(msg, GET_ISAKMP_HDR_NEXT_PAYLOAD(buf))) { + && message_sort_payloads(msg, GET_ISAKMP_HDR_NEXT_PAYLOAD(buf))) { if (ks) free(ks); return -1; @@ -1274,7 +1302,8 @@ message_recv(struct message * msg) */ if (exch_type >= ISAKMP_EXCH_DOI_MIN && exch_type <= ISAKMP_EXCH_DOI_MAX && msg->exchange->doi->validate_exchange(exch_type)) { - log_print("message_recv: invalid DOI exchange type %d", exch_type); + log_print("message_recv: invalid DOI exchange type %d", + exch_type); message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1); if (ks) free(ks); @@ -1299,7 +1328,7 @@ message_recv(struct message * msg) if ((flags & ISAKMP_FLAGS_ENC) == 0 && (msg->exchange->phase == 2 || msg->exchange->keystate)) { log_print("message_recv: cleartext phase %d message", - msg->exchange->phase); + msg->exchange->phase); message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1); return -1; } @@ -1310,7 +1339,7 @@ message_recv(struct message * msg) } void -message_send_expire(struct message * msg) +message_send_expire(struct message *msg) { msg->retrans = 0; @@ -1319,7 +1348,7 @@ message_send_expire(struct message * msg) /* Queue up message MSG for transmittal. */ void -message_send(struct message * msg) +message_send(struct message *msg) { struct exchange *exchange = msg->exchange; struct message *m; @@ -1352,8 +1381,8 @@ message_send(struct message * msg) /* Keep the COMMIT bit on. */ if (exchange->flags & EXCHANGE_FLAG_COMMITTED) SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base, - GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) - | ISAKMP_FLAGS_COMMIT); + GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) + | ISAKMP_FLAGS_COMMIT); #ifdef USE_DEBUG message_dump_raw("message_send", msg, LOG_MESSAGE); @@ -1372,7 +1401,7 @@ message_send(struct message * msg) for (m = TAILQ_FIRST(q); m; m = TAILQ_NEXT(m, link)) if (m == msg) { LOG_DBG((LOG_MESSAGE, 60, - "message_send: msg %p already on sendq %p", m, q)); + "message_send: msg %p already on sendq %p", m, q)); return; } TAILQ_INSERT_TAIL(q, msg, link); @@ -1384,14 +1413,14 @@ message_send(struct message * msg) * identifying the exchange. */ void -message_setup_header(struct message * msg, u_int8_t exchange, u_int8_t flags, - u_int8_t * msg_id) +message_setup_header(struct message *msg, u_int8_t exchange, u_int8_t flags, + u_int8_t *msg_id) { - u_int8_t *buf = msg->iov[0].iov_base; + u_int8_t *buf = msg->iov[0].iov_base; SET_ISAKMP_HDR_ICOOKIE(buf, msg->exchange->cookies); - SET_ISAKMP_HDR_RCOOKIE(buf, - msg->exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN); + SET_ISAKMP_HDR_RCOOKIE(buf, msg->exchange->cookies + + ISAKMP_HDR_ICOOKIE_LEN); SET_ISAKMP_HDR_NEXT_PAYLOAD(buf, ISAKMP_PAYLOAD_NONE); SET_ISAKMP_HDR_VERSION(buf, ISAKMP_VERSION_MAKE(1, 0)); SET_ISAKMP_HDR_EXCH_TYPE(buf, exchange); @@ -1409,8 +1438,8 @@ message_setup_header(struct message * msg, u_int8_t exchange, u_int8_t flags, * XXX We might want to resize the iov array several slots at a time. */ int -message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf, - size_t sz, int link) +message_add_payload(struct message *msg, u_int8_t payload, u_int8_t *buf, + size_t sz, int link) { struct iovec *new_iov; struct payload *payload_node; @@ -1418,14 +1447,15 @@ message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf, payload_node = calloc(1, sizeof *payload_node); if (!payload_node) { log_error("message_add_payload: calloc (1, %lu) failed", - (unsigned long) sizeof *payload_node); + (unsigned long)sizeof *payload_node); return -1; } - new_iov - = (struct iovec *) realloc(msg->iov, (msg->iovlen + 1) * sizeof *msg->iov); + new_iov = (struct iovec *) realloc(msg->iov, (msg->iovlen + 1) * + sizeof *msg->iov); if (!new_iov) { - log_error("message_add_payload: realloc (%p, %lu) failed", msg->iov, - (msg->iovlen + 1) * (unsigned long) sizeof *msg->iov); + log_error("message_add_payload: realloc (%p, %lu) failed", + msg->iov, (msg->iovlen + 1) * + (unsigned long)sizeof *msg->iov); free(payload_node); return -1; } @@ -1440,11 +1470,12 @@ message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf, SET_ISAKMP_GEN_RESERVED(buf, 0); SET_ISAKMP_GEN_LENGTH(buf, sz); SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, - GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) + sz); + GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) + sz); /* - * For the sake of exchange_validate we index the payloads even in outgoing - * messages, however context and flags are uninteresting in this situation. + * For the sake of exchange_validate we index the payloads even in + * outgoing messages, however context and flags are uninteresting in + * this situation. */ payload_node->p = buf; TAILQ_INSERT_TAIL(&msg->payload[payload], payload_node, link); @@ -1461,12 +1492,12 @@ struct info_args { struct { u_int16_t msg_type; u_int8_t *spi; - } n; + } n; struct { u_int16_t nspis; u_int8_t *spis; - } d; - } u; + } d; + } u; }; /* @@ -1481,9 +1512,8 @@ struct info_args { * status value? */ void -message_send_notification(struct message * msg, struct sa * isakmp_sa, - u_int16_t notify, struct proto * proto, - int incoming) +message_send_notification(struct message *msg, struct sa *isakmp_sa, + u_int16_t notify, struct proto * proto, int incoming) { struct info_args args; struct sa *doi_sa = proto ? proto->sa : isakmp_sa; @@ -1495,17 +1525,17 @@ message_send_notification(struct message * msg, struct sa * isakmp_sa, args.u.n.msg_type = notify; args.u.n.spi = proto ? proto->spi[incoming] : 0; if (isakmp_sa && (isakmp_sa->flags & SA_FLAG_READY)) - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0, 0); + exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, + 0, 0); else exchange_establish_p1(msg->transport, ISAKMP_EXCH_INFO, - msg->exchange - ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP, - 0, &args, 0, 0); + msg->exchange ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP, + 0, &args, 0, 0); } /* Send a DELETE inside an informational exchange for each protocol in SA. */ void -message_send_delete(struct sa * sa) +message_send_delete(struct sa *sa) { struct info_args args; struct proto *proto; @@ -1516,8 +1546,8 @@ message_send_delete(struct sa * sa) isakmp_sa = sa_isakmp_lookup_by_peer(dst, sysdep_sa_len(dst)); if (!isakmp_sa) { /* - * XXX We ought to setup an ISAKMP SA with our peer here and send - * the DELETE over that one. + * XXX We ought to setup an ISAKMP SA with our peer here and + * send the DELETE over that one. */ return; } @@ -1525,22 +1555,23 @@ message_send_delete(struct sa * sa) args.doi = sa->doi->id; args.u.d.nspis = 1; for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { + proto = TAILQ_NEXT(proto, link)) { args.proto = proto->proto; args.spi_sz = proto->spi_sz[1]; args.u.d.spis = proto->spi[1]; - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0, 0); + exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, + 0, 0); } } /* Build the informational message into MSG. */ int -message_send_info(struct message * msg) +message_send_info(struct message *msg) { u_int8_t *buf; size_t sz; struct info_args *args = msg->extra; - u_int8_t payload; + u_int8_t payload; /* Let the DOI get the first hand on the message. */ if (msg->exchange->doi->informational_pre_hook) @@ -1548,10 +1579,11 @@ message_send_info(struct message * msg) return -1; sz = (args->discr == 'N' ? ISAKMP_NOTIFY_SPI_OFF + args->spi_sz - : ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz); + : ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz); buf = calloc(1, sz); if (!buf) { - log_error("message_send_info: calloc (1, %lu) failed", (unsigned long) sz); + log_error("message_send_info: calloc (1, %lu) failed", + (unsigned long)sz); message_free(msg); return -1; } @@ -1575,7 +1607,7 @@ message_send_info(struct message * msg) SET_ISAKMP_DELETE_SPI_SZ(buf, args->spi_sz); SET_ISAKMP_DELETE_NSPIS(buf, args->u.d.nspis); memcpy(buf + ISAKMP_DELETE_SPI_OFF, args->u.d.spis, - args->u.d.nspis * args->spi_sz); + args->u.d.nspis * args->spi_sz); msg->flags |= MSG_PRIORITIZED; break; } @@ -1601,8 +1633,8 @@ message_send_info(struct message * msg) * set, free the message when ready with it. */ void -message_drop(struct message * msg, int notify, struct proto * proto, - int incoming, int clean) +message_drop(struct message *msg, int notify, struct proto *proto, int incoming, + int clean) { struct transport *t = msg->transport; struct sockaddr *dst; @@ -1616,25 +1648,27 @@ message_drop(struct message * msg, int notify, struct proto * proto, } switch (dst->sa_family) { case AF_INET: - port = ((struct sockaddr_in *) dst)->sin_port; + port = ((struct sockaddr_in *)dst)->sin_port; break; case AF_INET6: - port = ((struct sockaddr_in6 *) dst)->sin6_port; + port = ((struct sockaddr_in6 *)dst)->sin6_port; break; default: - log_print("message_drop: unknown protocol family %d", dst->sa_family); + log_print("message_drop: unknown protocol family %d", + dst->sa_family); } log_print("dropped message from %s port %d due to notification type %s", - address ? address : "<unknown>", htons(port), - constant_name(isakmp_notify_cst, notify)); + address ? address : "<unknown>", htons(port), + constant_name(isakmp_notify_cst, notify)); if (address) free(address); /* If specified, return a notification. */ if (notify) - message_send_notification(msg, msg->isakmp_sa, notify, proto, incoming); + message_send_notification(msg, msg->isakmp_sa, notify, proto, + incoming); if (clean) message_free(msg); } @@ -1644,9 +1678,9 @@ message_drop(struct message * msg, int notify, struct proto * proto, * as we can without resorting to per-payload handling. */ void -message_dump_raw(char *header, struct message * msg, int class) +message_dump_raw(char *header, struct message *msg, int class) { - u_int32_t i, j, k = 0; + u_int32_t i, j, k = 0; char buf[80], *p = buf; LOG_DBG((class, 70, "%s: message %p", header, msg)); @@ -1654,7 +1688,7 @@ message_dump_raw(char *header, struct message * msg, int class) for (i = 0; i < msg->iovlen; i++) for (j = 0; j < msg->iov[i].iov_len; j++) { snprintf(p, sizeof buf - (int) (p - buf), "%02x", - ((u_int8_t *) msg->iov[i].iov_base)[j]); + ((u_int8_t *) msg->iov[i].iov_base)[j]); p += 2; if (++k % 32 == 0) { *p = '\0'; @@ -1669,7 +1703,7 @@ message_dump_raw(char *header, struct message * msg, int class) } static void -message_packet_log(struct message * msg) +message_packet_log(struct message *msg) { #ifdef USE_DEBUG struct sockaddr *src, *dst; @@ -1698,7 +1732,7 @@ message_packet_log(struct message * msg) * we encrypt. */ static int -message_encrypt(struct message * msg) +message_encrypt(struct message *msg) { struct exchange *exchange = msg->exchange; size_t i, sz = 0; @@ -1709,23 +1743,24 @@ message_encrypt(struct message * msg) return 0; /* - * For encryption we need to put all payloads together in a single buffer. - * This buffer should be padded to the current crypto transform's blocksize. + * For encryption we need to put all payloads together in a single + * buffer. This buffer should be padded to the current crypto + * transform's blocksize. */ for (i = 1; i < msg->iovlen; i++) sz += msg->iov[i].iov_len; - sz = ((sz + exchange->crypto->blocksize - 1) / exchange->crypto->blocksize) - * exchange->crypto->blocksize; + sz = ((sz + exchange->crypto->blocksize - 1) / + exchange->crypto->blocksize) * exchange->crypto->blocksize; buf = realloc(msg->iov[1].iov_base, sz); if (!buf) { log_error("message_encrypt: realloc (%p, %lu) failed", - msg->iov[1].iov_base, (unsigned long) sz); + msg->iov[1].iov_base, (unsigned long) sz); return -1; } msg->iov[1].iov_base = buf; for (i = 2; i < msg->iovlen; i++) { memcpy(buf + msg->iov[1].iov_len, msg->iov[i].iov_base, - msg->iov[i].iov_len); + msg->iov[i].iov_len); msg->iov[1].iov_len += msg->iov[i].iov_len; free(msg->iov[i].iov_base); } @@ -1736,8 +1771,7 @@ message_encrypt(struct message * msg) msg->iovlen = 2; SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base, - GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) - | ISAKMP_FLAGS_ENC); + GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) | ISAKMP_FLAGS_ENC); SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz); crypto_encrypt(exchange->keystate, buf, msg->iov[1].iov_len); msg->flags |= MSG_ENCRYPTED; @@ -1753,7 +1787,7 @@ message_encrypt(struct message * msg) * this specific SA. */ static int -message_check_duplicate(struct message * msg) +message_check_duplicate(struct message *msg) { struct exchange *exchange = msg->exchange; size_t sz = msg->iov[0].iov_len; @@ -1764,23 +1798,25 @@ message_check_duplicate(struct message * msg) return 0; LOG_DBG((LOG_MESSAGE, 90, "message_check_duplicate: last_received %p", - exchange->last_received)); + exchange->last_received)); if (exchange->last_received) { LOG_DBG_BUF((LOG_MESSAGE, 95, - "message_check_duplicate: last_received", - exchange->last_received->orig, - exchange->last_received->orig_sz)); + "message_check_duplicate: last_received", + exchange->last_received->orig, + exchange->last_received->orig_sz)); /* Is it a duplicate, lose the new one. */ if (sz == exchange->last_received->orig_sz && memcmp(pkt, exchange->last_received->orig, sz) == 0) { LOG_DBG((LOG_MESSAGE, 80, - "message_check_duplicate: dropping dup")); + "message_check_duplicate: dropping dup")); /* - * Retransmit if the previos sent message was the last of an - * exchange, otherwise just wait for the ordinary retransmission. + * Retransmit if the previos sent message was the last + * of an exchange, otherwise just wait for the + * ordinary retransmission. */ - if (exchange->last_sent && (exchange->last_sent->flags & MSG_LAST)) + if (exchange->last_sent && (exchange->last_sent->flags + & MSG_LAST)) message_send(exchange->last_sent); message_free(msg); return -1; @@ -1794,10 +1830,10 @@ message_check_duplicate(struct message * msg) if (exchange->last_sent == exchange->in_transit) { if (exchange->in_transit->flags & MSG_PRIORITIZED) TAILQ_REMOVE(&exchange->in_transit->transport->prio_sendq, - exchange->in_transit, link); + exchange->in_transit, link); else TAILQ_REMOVE(&exchange->in_transit->transport->sendq, - exchange->in_transit, link); + exchange->in_transit, link); exchange->in_transit = 0; } message_free(exchange->last_sent); @@ -1808,8 +1844,7 @@ message_check_duplicate(struct message * msg) /* Helper to message_negotiate_sa. */ static INLINE struct payload * -step_transform(struct payload * tp, struct payload ** propp, - struct payload ** sap) +step_transform(struct payload *tp, struct payload **propp, struct payload **sap) { tp = TAILQ_NEXT(tp, link); if (tp) { @@ -1824,9 +1859,8 @@ step_transform(struct payload * tp, struct payload ** propp, * SA payload) we accept as a full protection suite. */ int -message_negotiate_sa(struct message * msg, - int (*validate) (struct exchange *, struct sa *, - struct sa *)) +message_negotiate_sa(struct message *msg, int (*validate)(struct exchange *, + struct sa *, struct sa *)) { struct payload *tp, *propp, *sap, *next_tp = 0, *next_propp, *next_sap; struct payload *saved_tp = 0, *saved_propp = 0, *saved_sap = 0; @@ -1858,7 +1892,7 @@ message_negotiate_sa(struct message * msg, sa = TAILQ_FIRST(&exchange->sa_list); for (tp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); tp; - tp = next_tp) { + tp = next_tp) { propp = tp->context; sap = propp->context; sap->flags |= PL_MARK; @@ -1866,16 +1900,16 @@ message_negotiate_sa(struct message * msg, /* For each transform, see if it is compatible. */ if (!attribute_map(tp->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(tp->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - exchange->doi->is_attribute_incompatible, msg)) { - LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: " - "transform %d proto %d proposal %d ok", - GET_ISAKMP_TRANSFORM_NO(tp->p), - GET_ISAKMP_PROP_PROTO(propp->p), - GET_ISAKMP_PROP_NO(propp->p))); - if (sa_add_transform(sa, tp, exchange->initiator, &proto)) + GET_ISAKMP_GEN_LENGTH(tp->p) - + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + exchange->doi->is_attribute_incompatible, msg)) { + LOG_DBG((LOG_NEGOTIATION, 30, "message_negotiate_sa: " + "transform %d proto %d proposal %d ok", + GET_ISAKMP_TRANSFORM_NO(tp->p), + GET_ISAKMP_PROP_PROTO(propp->p), + GET_ISAKMP_PROP_NO(propp->p))); + if (sa_add_transform(sa, tp, exchange->initiator, + &proto)) goto cleanup; suite_ok_so_far = 1; @@ -1883,8 +1917,8 @@ message_negotiate_sa(struct message * msg, saved_propp = next_propp; saved_sap = next_sap; /* Skip to last transform of this protocol proposal. */ - while ((next_tp = step_transform(tp, &next_propp, &next_sap)) - && next_propp == propp) + while ((next_tp = step_transform(tp, &next_propp, + &next_sap)) && next_propp == propp) tp = next_tp; } retry_transform: @@ -1894,27 +1928,30 @@ retry_transform: */ if (next_tp && propp != next_propp && sap == next_sap && (GET_ISAKMP_PROP_NO(propp->p) - == GET_ISAKMP_PROP_NO(next_propp->p))) { + == GET_ISAKMP_PROP_NO(next_propp->p))) { if (!suite_ok_so_far) { LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proto %d proposal %d failed", - GET_ISAKMP_PROP_PROTO(propp->p), - GET_ISAKMP_PROP_NO(propp->p))); + "message_negotiate_sa: proto %d proposal " + "%d failed", + GET_ISAKMP_PROP_PROTO(propp->p), + GET_ISAKMP_PROP_NO(propp->p))); /* * Remove potentially succeeded choices from * the SA. */ while (TAILQ_FIRST(&sa->protos)) - TAILQ_REMOVE(&sa->protos, TAILQ_FIRST(&sa->protos), link); + TAILQ_REMOVE(&sa->protos, + TAILQ_FIRST(&sa->protos), link); /* * Skip to the last transform of this * protection suite. */ - while ((next_tp = step_transform(tp, &next_propp, &next_sap)) - && (GET_ISAKMP_PROP_NO(next_propp->p) - == GET_ISAKMP_PROP_NO(propp->p)) - && next_sap == sap) + while ((next_tp = step_transform(tp, + &next_propp, &next_sap)) + && (GET_ISAKMP_PROP_NO(next_propp->p) + == GET_ISAKMP_PROP_NO(propp->p)) + && next_sap == sap) tp = next_tp; } suite_ok_so_far = 0; @@ -1924,33 +1961,35 @@ retry_transform: * suite. */ if (!next_tp - || (propp != next_propp - && (GET_ISAKMP_PROP_NO(propp->p) - != GET_ISAKMP_PROP_NO(next_propp->p))) + || (propp != next_propp && (GET_ISAKMP_PROP_NO(propp->p) + != GET_ISAKMP_PROP_NO(next_propp->p))) || sap != next_sap) { /* - * Check if the suite we just considered was OK, if so we check - * it against the accepted ones. + * Check if the suite we just considered was OK, if so + * we check it against the accepted ones. */ if (suite_ok_so_far) { - if (!validate || validate(exchange, sa, msg->isakmp_sa)) { + if (!validate || validate(exchange, sa, + msg->isakmp_sa)) { LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proposal %d succeeded", - GET_ISAKMP_PROP_NO(propp->p))); + "message_negotiate_sa: proposal " + "%d succeeded", + GET_ISAKMP_PROP_NO(propp->p))); /* * Skip to the last transform of this * SA. */ - while ((next_tp - = step_transform(tp, &next_propp, &next_sap)) - && next_sap == sap) + while ((next_tp = step_transform(tp, + &next_propp, &next_sap)) + && next_sap == sap) tp = next_tp; } else { /* Backtrack. */ LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proposal %d failed", - GET_ISAKMP_PROP_NO(propp->p))); + "message_negotiate_sa: proposal " + "%d failed", + GET_ISAKMP_PROP_NO(propp->p))); next_tp = saved_tp; next_propp = saved_propp; next_sap = saved_sap; @@ -1961,8 +2000,9 @@ retry_transform: * choices from the SA. */ while (TAILQ_FIRST(&sa->protos)) - TAILQ_REMOVE(&sa->protos, TAILQ_FIRST(&sa->protos), - link); + TAILQ_REMOVE(&sa->protos, + TAILQ_FIRST(&sa->protos), + link); goto retry_transform; } } @@ -1971,12 +2011,15 @@ retry_transform: if (!next_tp || sap != next_sap) { if (!suite_ok_so_far) { /* - * XXX We cannot possibly call this a drop... seeing we just turn - * down one of the offers, can we? I suggest renaming - * message_drop to something else. + * XXX We cannot possibly call this a drop... + * seeing we just turn down one of the offers, + * can we? I suggest renaming message_drop to + * something else. */ - log_print("message_negotiate_sa: no compatible proposal found"); - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); + log_print("message_negotiate_sa: no " + "compatible proposal found"); + message_drop(msg, + ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); } sa = TAILQ_NEXT(sa, next); } @@ -1998,7 +2041,7 @@ cleanup: * found in the exchange MSG is part of.. */ int -message_add_sa_payload(struct message * msg) +message_add_sa_payload(struct message *msg) { struct exchange *exchange = msg->exchange; u_int8_t *sa_buf, *saved_nextp_sa, *saved_nextp_prop; @@ -2016,14 +2059,14 @@ message_add_sa_payload(struct message * msg) * Generate SA payloads. */ for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { + sa = TAILQ_NEXT(sa, next)) { /* Setup a SA payload. */ sa_len = ISAKMP_SA_SIT_OFF + doi->situation_size(); extra_sa_len = 0; sa_buf = malloc(sa_len); if (!sa_buf) { log_error("message_add_sa_payload: malloc (%lu) failed", - (unsigned long) sa_len); + (unsigned long)sa_len); goto cleanup; } SET_ISAKMP_SA_DOI(sa_buf, doi->id); @@ -2032,7 +2075,7 @@ message_add_sa_payload(struct message * msg) /* Count transforms. */ nprotos = 0; for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) + proto = TAILQ_NEXT(proto, link)) nprotos++; /* @@ -2041,44 +2084,49 @@ message_add_sa_payload(struct message * msg) */ transforms = calloc(nprotos, sizeof *transforms); if (!transforms) { - log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos, - (unsigned long) sizeof *transforms); + log_error("message_add_sa_payload: calloc (%d, %lu) " + "failed", nprotos, + (unsigned long)sizeof *transforms); goto cleanup; } transform_lens = calloc(nprotos, sizeof *transform_lens); if (!transform_lens) { - log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos, - (unsigned long) sizeof *transform_lens); + log_error("message_add_sa_payload: calloc (%d, %lu) " + "failed", nprotos, + (unsigned long) sizeof *transform_lens); goto cleanup; } proposals = calloc(nprotos, sizeof *proposals); if (!proposals) { - log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos, - (unsigned long) sizeof *proposals); + log_error("message_add_sa_payload: calloc (%d, %lu) " + "failed", nprotos, + (unsigned long)sizeof *proposals); goto cleanup; } proposal_lens = calloc(nprotos, sizeof *proposal_lens); if (!proposal_lens) { - log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos, - (unsigned long) sizeof *proposal_lens); + log_error("message_add_sa_payload: calloc (%d, %lu) " + "failed", nprotos, + (unsigned long)sizeof *proposal_lens); goto cleanup; } /* Pick out the chosen transforms. */ for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto; - proto = TAILQ_NEXT(proto, link), i++) { - transform_lens[i] = GET_ISAKMP_GEN_LENGTH(proto->chosen->p); + proto = TAILQ_NEXT(proto, link), i++) { + transform_lens[i] = + GET_ISAKMP_GEN_LENGTH(proto->chosen->p); transforms[i] = malloc(transform_lens[i]); if (!transforms[i]) { - log_error("message_add_sa_payload: malloc (%lu) failed", - (unsigned long) transform_lens[i]); + log_error("message_add_sa_payload: malloc " + "(%lu) failed", + (unsigned long)transform_lens[i]); goto cleanup; } /* Get incoming SPI from application. */ if (doi->get_spi) { spi = doi->get_spi(&spi_sz, - GET_ISAKMP_PROP_PROTO(proto->chosen - ->context->p), - msg); + GET_ISAKMP_PROP_PROTO(proto->chosen->context->p), + msg); if (spi_sz && !spi) goto cleanup; proto->spi[1] = spi; @@ -2089,17 +2137,20 @@ message_add_sa_payload(struct message * msg) proposal_lens[i] = ISAKMP_PROP_SPI_OFF + spi_sz; proposals[i] = malloc(proposal_lens[i]); if (!proposals[i]) { - log_error("message_add_sa_payload: malloc (%lu) failed", - (unsigned long) proposal_lens[i]); + log_error("message_add_sa_payload: malloc " + "(%lu) failed", + (unsigned long)proposal_lens[i]); goto cleanup; } - memcpy(transforms[i], proto->chosen->p, transform_lens[i]); + memcpy(transforms[i], proto->chosen->p, + transform_lens[i]); memcpy(proposals[i], proto->chosen->context->p, - ISAKMP_PROP_SPI_OFF); + ISAKMP_PROP_SPI_OFF); SET_ISAKMP_PROP_NTRANSFORMS(proposals[i], 1); SET_ISAKMP_PROP_SPI_SZ(proposals[i], spi_sz); if (spi_sz) - memcpy(proposals[i] + ISAKMP_PROP_SPI_OFF, spi, spi_sz); + memcpy(proposals[i] + ISAKMP_PROP_SPI_OFF, spi, + spi_sz); extra_sa_len += proposal_lens[i] + transform_lens[i]; } @@ -2108,24 +2159,25 @@ message_add_sa_payload(struct message * msg) * lengths of the payloads containing others. We also need to * reset these payload's "next payload type" field. */ - if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) + if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, + sa_len, 1)) goto cleanup; SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + extra_sa_len); sa_buf = 0; saved_nextp_sa = msg->nextp; for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto; - proto = TAILQ_NEXT(proto, link), i++) { - if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, proposals[i], - proposal_lens[i], i > 1)) + proto = TAILQ_NEXT(proto, link), i++) { + if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, + proposals[i], proposal_lens[i], i > 1)) goto cleanup; - SET_ISAKMP_GEN_LENGTH(proposals[i], - proposal_lens[i] + transform_lens[i]); + SET_ISAKMP_GEN_LENGTH(proposals[i], proposal_lens[i] + + transform_lens[i]); proposals[i] = 0; saved_nextp_prop = msg->nextp; if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, - transforms[i], transform_lens[i], 0)) + transforms[i], transform_lens[i], 0)) goto cleanup; msg->nextp = saved_nextp_prop; transforms[i] = 0; @@ -2164,8 +2216,8 @@ cleanup: * Return a copy of MSG's constants starting from OFFSET and stash the size * in SZP. It is the callers responsibility to free this up. */ -u_int8_t * -message_copy(struct message * msg, size_t offset, size_t * szp) +u_int8_t * +message_copy(struct message *msg, size_t offset, size_t *szp) { int skip = 0; size_t i, sz = 0; @@ -2189,7 +2241,7 @@ message_copy(struct message * msg, size_t offset, size_t * szp) p = buf; for (i = skip + 1; i < msg->iovlen; i++) { memcpy(p, (u_int8_t *) msg->iov[i].iov_base + start, - msg->iov[i].iov_len - start); + msg->iov[i].iov_len - start); p += msg->iov[i].iov_len - start; start = 0; } @@ -2198,8 +2250,8 @@ message_copy(struct message * msg, size_t offset, size_t * szp) /* Register a post-send function POST_SEND with message MSG. */ int -message_register_post_send(struct message * msg, - void (*post_send) (struct message *)) +message_register_post_send(struct message *msg, + void (*post_send)(struct message *)) { struct post_send *node; @@ -2213,7 +2265,7 @@ message_register_post_send(struct message * msg, /* Run the post-send functions of message MSG. */ void -message_post_send(struct message * msg) +message_post_send(struct message *msg) { struct post_send *node; diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h index 45fdfb30835..63c2571cd06 100644 --- a/sbin/isakmpd/message.h +++ b/sbin/isakmpd/message.h @@ -1,4 +1,4 @@ -/* $OpenBSD: message.h,v 1.18 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: message.h,v 1.19 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */ /* @@ -55,7 +55,8 @@ struct payload { u_int8_t *p; /* - * A pointer to the parent payload, used for proposal and transform payloads. + * A pointer to the parent payload, used for proposal and transform + * payloads. */ struct payload *context; @@ -88,7 +89,8 @@ struct message { u_int flags; /* - * This is the transport the message either arrived on or will be sent to. + * This is the transport the message either arrived on or will be sent + * to. */ struct transport *transport; @@ -102,11 +104,12 @@ struct message { struct exchange *exchange; /* - * A segmented buffer structure holding the messages raw contents. On input - * only segment 0 will be filled, holding all of the message. On output, as - * long as the message body is unencrypted each segment will be one payload, - * after encryption segment 0 will be the unencrypted header, and segment 1 - * will be the encrypted payloads, all of them. + * A segmented buffer structure holding the messages raw contents. On + * input only segment 0 will be filled, holding all of the message. + * On output, as long as the message body is unencrypted each segment + * will be one payload, after encryption segment 0 will be the + * unencrypted header, and segment 1 will be the encrypted payloads, + * all of them. */ struct iovec *iov; @@ -117,7 +120,7 @@ struct message { u_int8_t *nextp; /* "Smart" pointers to each payload, sorted by type. */ - TAILQ_HEAD(payload_head, payload) payload[ISAKMP_PAYLOAD_RESERVED_MIN]; + TAILQ_HEAD(payload_head, payload) payload[ISAKMP_PAYLOAD_RESERVED_MIN]; /* Number of times this message has been sent. */ int xmits; @@ -125,7 +128,7 @@ struct message { /* The timeout event causing retransmission of this message. */ struct event *retrans; - /* The (possibly encrypted) message text, used for duplicate testing. */ + /* The (possibly encrypted) message text, used for duplicate testing. */ u_int8_t *orig; size_t orig_sz; @@ -139,7 +142,7 @@ struct message { * Hooks for stuff needed to be done after the message has gone out to * the wire. */ - TAILQ_HEAD(post_send_head, post_send) post_send; + TAILQ_HEAD(post_send_head, post_send) post_send; }; /* Message flags. */ @@ -162,8 +165,7 @@ struct message { TAILQ_HEAD(msg_head, message); -extern int -message_add_payload(struct message *, u_int8_t, u_int8_t *, +extern int message_add_payload(struct message *, u_int8_t, u_int8_t *, size_t, int); extern int message_add_sa_payload(struct message *); extern struct message *message_alloc(struct transport *, u_int8_t *, size_t); @@ -172,21 +174,19 @@ extern u_int8_t *message_copy(struct message *, size_t, size_t *); extern void message_drop(struct message *, int, struct proto *, int, int); extern void message_dump_raw(char *, struct message *, int); extern void message_free(struct message *); -extern int -message_negotiate_sa(struct message *, - int (*) (struct exchange *, struct sa *, - struct sa *)); - extern int message_recv(struct message *); - extern int message_register_post_send(struct message *, - void (*) (struct message *)); - extern void message_post_send(struct message *); - extern void message_send(struct message *); - extern void message_send_expire(struct message *); - extern void message_send_delete(struct sa *); - extern int message_send_info(struct message *); - extern void message_send_notification(struct message *, struct sa *, - u_int16_t, struct proto *, int); - extern void message_setup_header(struct message *, u_int8_t, u_int8_t, - u_int8_t *); +extern int message_negotiate_sa(struct message *, + int (*)(struct exchange *, struct sa *, struct sa *)); +extern int message_recv(struct message *); +extern int message_register_post_send(struct message *, + void (*) (struct message *)); +extern void message_post_send(struct message *); +extern void message_send(struct message *); +extern void message_send_expire(struct message *); +extern void message_send_delete(struct sa *); +extern int message_send_info(struct message *); +extern void message_send_notification(struct message *, struct sa *, + u_int16_t, struct proto *, int); +extern void message_setup_header(struct message *, u_int8_t, u_int8_t, + u_int8_t *); #endif /* _MESSAGE_H_ */ diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c index a1604bb493f..0fe3a0190e0 100644 --- a/sbin/isakmpd/monitor.c +++ b/sbin/isakmpd/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.20 2004/05/10 18:34:15 deraadt Exp $ */ +/* $OpenBSD: monitor.c,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */ /* * Copyright (c) 2003 Håkan Olsson. All rights reserved. @@ -117,10 +117,12 @@ monitor_init(void) log_fatal("monitor_init: chroot failed"); if (setgid(pw->pw_gid) != 0) - log_fatal("monitor_init: setgid(%d) failed", pw->pw_gid); + log_fatal("monitor_init: setgid(%d) failed", + pw->pw_gid); if (setuid(pw->pw_uid) != 0) - log_fatal("monitor_init: setuid(%d) failed", pw->pw_uid); + log_fatal("monitor_init: setuid(%d) failed", + pw->pw_uid); LOG_DBG((LOG_MISC, 10, "monitor_init: privileges dropped for child process")); @@ -134,14 +136,15 @@ monitor_init(void) int monitor_open(const char *path, int flags, mode_t mode) { - int fd, mode32 = (int32_t) mode; - int32_t err; - char realpath[MAXPATHLEN]; + int fd, mode32 = (int32_t) mode; + int32_t err; + char realpath[MAXPATHLEN]; if (path[0] == '/') strlcpy(realpath, path, sizeof realpath); else - snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, path); + snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, + path); /* Write data to priv process. */ if (m_write_int32(m_state.s, MONITOR_GET_FD)) @@ -180,8 +183,8 @@ errout: FILE * monitor_fopen(const char *path, const char *mode) { - FILE *fp; - int fd, flags = 0, mask, saved_errno; + FILE *fp; + int fd, flags = 0, mask, saved_errno; /* Only the child process is supposed to run this. */ if (m_state.pid) @@ -192,10 +195,12 @@ monitor_fopen(const char *path, const char *mode) flags = (mode[1] == '+' ? O_RDWR : O_RDONLY); break; case 'w': - flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | O_TRUNC; + flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | + O_TRUNC; break; case 'a': - flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | O_APPEND; + flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | + O_APPEND; break; default: log_fatal("monitor_fopen: bad call"); @@ -239,33 +244,33 @@ monitor_stat(const char *path, struct stat *sb) int monitor_socket(int domain, int type, int protocol) { - int s; - int32_t err; + int s; + int32_t err; if (m_write_int32(m_state.s, MONITOR_GET_SOCKET)) goto errout; - if (m_write_int32(m_state.s, (int32_t) domain)) + if (m_write_int32(m_state.s, (int32_t)domain)) goto errout; - if (m_write_int32(m_state.s, (int32_t) type)) + if (m_write_int32(m_state.s, (int32_t)type)) goto errout; - if (m_write_int32(m_state.s, (int32_t) protocol)) + if (m_write_int32(m_state.s, (int32_t)protocol)) goto errout; if (m_read_int32(m_state.s, &err)) goto errout; if (err != 0) { - errno = (int) err; + errno = (int)err; return -1; } /* Read result. */ s = mm_receive_fd(m_state.s); if (s < 0) { log_error("monitor_socket: mm_receive_fd () failed: %s", - strerror(errno)); + strerror(errno)); return -1; } return s; @@ -277,34 +282,34 @@ errout: int monitor_setsockopt(int s, int level, int optname, const void *optval, - socklen_t optlen) + socklen_t optlen) { - int32_t ret, err; + int32_t ret, err; if (m_write_int32(m_state.s, MONITOR_SETSOCKOPT)) goto errout; if (mm_send_fd(m_state.s, s)) goto errout; - if (m_write_int32(m_state.s, (int32_t) level)) + if (m_write_int32(m_state.s, (int32_t)level)) goto errout; - if (m_write_int32(m_state.s, (int32_t) optname)) + if (m_write_int32(m_state.s, (int32_t)optname)) goto errout; - if (m_write_int32(m_state.s, (int32_t) optlen)) + if (m_write_int32(m_state.s, (int32_t)optlen)) goto errout; - if (m_write_raw(m_state.s, (char *) optval, (size_t) optlen)) + if (m_write_raw(m_state.s, (char *)optval, (size_t)optlen)) goto errout; if (m_read_int32(m_state.s, &err)) goto errout; if (err != 0) - errno = (int) err; + errno = (int)err; if (m_read_int32(m_state.s, &ret)) goto errout; - return (int) ret; + return (int)ret; errout: log_print("monitor_setsockopt: read/write error"); @@ -314,28 +319,28 @@ errout: int monitor_bind(int s, const struct sockaddr *name, socklen_t namelen) { - int32_t ret, err; + int32_t ret, err; if (m_write_int32(m_state.s, MONITOR_BIND)) goto errout; if (mm_send_fd(m_state.s, s)) goto errout; - if (m_write_int32(m_state.s, (int32_t) namelen)) + if (m_write_int32(m_state.s, (int32_t)namelen)) goto errout; - if (m_write_raw(m_state.s, (char *) name, (size_t) namelen)) + if (m_write_raw(m_state.s, (char *)name, (size_t)namelen)) goto errout; if (m_read_int32(m_state.s, &err)) goto errout; if (err != 0) - errno = (int) err; + errno = (int)err; if (m_read_int32(m_state.s, &ret)) goto errout; - return (int) ret; + return (int)ret; errout: log_print("monitor_bind: read/write error"); @@ -345,8 +350,8 @@ errout: int monitor_mkfifo(const char *path, mode_t mode) { - int32_t ret, err; - char realpath[MAXPATHLEN]; + int32_t ret, err; + char realpath[MAXPATHLEN]; /* Only the child process is supposed to run this. */ if (m_state.pid) @@ -355,7 +360,8 @@ monitor_mkfifo(const char *path, mode_t mode) if (path[0] == '/') strlcpy(realpath, path, sizeof realpath); else - snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, path); + snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, + path); if (m_write_int32(m_state.s, MONITOR_MKFIFO)) goto errout; @@ -363,7 +369,7 @@ monitor_mkfifo(const char *path, mode_t mode) if (m_write_raw(m_state.s, realpath, strlen(realpath) + 1)) goto errout; - ret = (int32_t) mode; + ret = (int32_t)mode; if (m_write_int32(m_state.s, ret)) goto errout; @@ -371,12 +377,12 @@ monitor_mkfifo(const char *path, mode_t mode) goto errout; if (err != 0) - errno = (int) err; + errno = (int)err; if (m_read_int32(m_state.s, &ret)) goto errout; - return (int) ret; + return (int)ret; errout: log_print("monitor_mkfifo: read/write error"); @@ -401,11 +407,11 @@ monitor_opendir(const char *path) } /* Now build a list with all dirents from fd. */ if (fstat(fd, &sb) < 0) { - (void) close(fd); + (void)close(fd); return NULL; } if (!S_ISDIR(sb.st_mode)) { - (void) close(fd); + (void)close(fd); errno = EACCES; return NULL; } @@ -415,21 +421,21 @@ monitor_opendir(const char *path) buf = calloc(bufsize, sizeof(char)); if (buf == NULL) { - (void) close(fd); + (void)close(fd); errno = EACCES; return NULL; } nbytes = getdirentries(fd, buf, bufsize, &base); if (nbytes <= 0) { - (void) close(fd); + (void)close(fd); free(buf); errno = EACCES; return NULL; } - (void) close(fd); + (void)close(fd); for (entries = 0, cp = buf; cp < buf + nbytes;) { - dp = (struct dirent *) cp; + dp = (struct dirent *)cp; cp += dp->d_reclen; entries++; } @@ -450,7 +456,7 @@ monitor_opendir(const char *path) direntries->current = 0; for (entries = 0, cp = buf; cp < buf + nbytes;) { - dp = (struct dirent *) cp; + dp = (struct dirent *)cp; direntries->dirents[entries++] = dp; cp += dp->d_reclen; } @@ -500,7 +506,7 @@ monitor_got_sigchld(int sig) static void sig_pass_to_chld(int sig) { - int oerrno = errno; + int oerrno = errno; if (m_state.pid != -1) kill(m_state.pid, sig); @@ -511,10 +517,10 @@ sig_pass_to_chld(int sig) void monitor_loop(int debugging) { - pid_t pid; - fd_set *fds; - size_t fdsn; - int n, maxfd; + pid_t pid; + fd_set *fds; + size_t fdsn; + int n, maxfd; if (!debugging) log_to(0); @@ -522,7 +528,7 @@ monitor_loop(int debugging) maxfd = m_state.s + 1; fdsn = howmany(maxfd, NFDBITS) * sizeof(fd_mask); - fds = (fd_set *) malloc(fdsn); + fds = (fd_set *)malloc(fdsn); if (!fds) { kill(m_state.pid, SIGTERM); log_fatal("monitor_loop: malloc (%lu) failed", @@ -539,8 +545,8 @@ monitor_loop(int debugging) while (cur_state < STATE_QUIT) { /* - * Currently, there is no need for us to hang around if the child - * is in the process of shutting down. + * Currently, there is no need for us to hang around if the + * child is in the process of shutting down. */ if (sigtermed || sigchlded) { if (sigtermed) @@ -573,7 +579,7 @@ monitor_loop(int debugging) } } else if (n) if (FD_ISSET(m_state.s, fds)) { - int32_t msgcode; + int32_t msgcode; if (m_read_int32(m_state.s, &msgcode)) m_flush(m_state.s); else @@ -631,10 +637,10 @@ monitor_loop(int debugging) static void m_priv_getfd(int s) { - char path[MAXPATHLEN]; - int32_t v, err; - int flags; - mode_t mode; + char path[MAXPATHLEN]; + int32_t v, err; + int flags; + mode_t mode; /* * We expect the following data on the socket: @@ -649,7 +655,7 @@ m_priv_getfd(int s) if (m_read_int32(s, &v)) goto errout; - flags = (int) v; + flags = (int)v; if (m_read_int32(s, &v)) goto errout; @@ -660,9 +666,9 @@ m_priv_getfd(int s) v = -1; } else { err = 0; - v = (int32_t) open(path, flags, mode); + v = (int32_t)open(path, flags, mode); if (v < 0) - err = (int32_t) errno; + err = (int32_t)errno; } if (m_write_int32(s, err)) @@ -684,25 +690,25 @@ errout: static void m_priv_getsocket(int s) { - int domain, type, protocol; - int32_t v, err; + int domain, type, protocol; + int32_t v, err; if (m_read_int32(s, &v)) goto errout; - domain = (int) v; + domain = (int)v; if (m_read_int32(s, &v)) goto errout; - type = (int) v; + type = (int)v; if (m_read_int32(s, &v)) goto errout; - protocol = (int) v; + protocol = (int)v; err = 0; - v = (int32_t) socket(domain, type, protocol); + v = (int32_t)socket(domain, type, protocol); if (v < 0) - err = (int32_t) errno; + err = (int32_t)errno; if (m_write_int32(s, err)) goto errout; @@ -723,10 +729,10 @@ errout: static void m_priv_setsockopt(int s) { - int sock, level, optname; - char *optval = 0; - socklen_t optlen; - int32_t v, err; + int sock, level, optname; + char *optval = 0; + socklen_t optlen; + int32_t v, err; sock = mm_receive_fd(s); if (sock < 0) @@ -741,7 +747,7 @@ m_priv_setsockopt(int s) if (m_read_int32(s, &optlen)) goto errout; - optval = (char *) malloc(optlen); + optval = (char *)malloc(optlen); if (!optval) goto errout; @@ -753,9 +759,9 @@ m_priv_setsockopt(int s) v = -1; } else { err = 0; - v = (int32_t) setsockopt(sock, level, optname, optval, optlen); + v = (int32_t)setsockopt(sock, level, optname, optval, optlen); if (v < 0) - err = (int32_t) errno; + err = (int32_t)errno; } close(sock); @@ -783,10 +789,10 @@ errout: static void m_priv_bind(int s) { - int sock; + int sock; struct sockaddr *name = 0; - socklen_t namelen; - int32_t v, err; + socklen_t namelen; + int32_t v, err; sock = mm_receive_fd(s); if (sock < 0) @@ -796,11 +802,11 @@ m_priv_bind(int s) goto errout; namelen = (socklen_t) v; - name = (struct sockaddr *) malloc(namelen); + name = (struct sockaddr *)malloc(namelen); if (!name) goto errout; - if (m_read_raw(s, (char *) name, (size_t) namelen)) + if (m_read_raw(s, (char *)name, (size_t)namelen)) goto errout; if (m_priv_check_bind(name, namelen) != 0) { @@ -808,11 +814,11 @@ m_priv_bind(int s) v = -1; } else { err = 0; - v = (int32_t) bind(sock, name, namelen); + v = (int32_t)bind(sock, name, namelen); if (v < 0) { log_error("m_priv_bind: bind(%d,%p,%d) returned %d", - sock, name, namelen, v); - err = (int32_t) errno; + sock, name, namelen, v); + err = (int32_t)errno; } } @@ -841,9 +847,9 @@ errout: static void m_priv_mkfifo(int s) { - char path[MAXPATHLEN]; - mode_t mode; - int32_t v, err; + char path[MAXPATHLEN]; + mode_t mode; + int32_t v, err; if (m_read_raw(s, path, MAXPATHLEN)) goto errout; @@ -856,18 +862,19 @@ m_priv_mkfifo(int s) * ui_fifo is set before creation of the unpriv'ed child. So path * should exactly match ui_fifo. It's also restricted to /var/run. */ - if (m_priv_local_sanitize_path(path, sizeof path, O_RDWR) != 0 || - strncmp(ui_fifo, path, strlen(ui_fifo))) { + if (m_priv_local_sanitize_path(path, sizeof path, O_RDWR) != 0 + || strncmp(ui_fifo, path, strlen(ui_fifo))) { err = EACCES; v = -1; } else { unlink(path); /* XXX See ui.c:ui_init() */ err = 0; - v = (int32_t) mkfifo(path, mode); + v = (int32_t)mkfifo(path, mode); if (v) { - log_error("m_priv_mkfifo: mkfifo(\"%s\", %o) failed", path, mode); - err = (int32_t) errno; + log_error("m_priv_mkfifo: mkfifo(\"%s\", %o) failed", + path, mode); + err = (int32_t)errno; } } @@ -892,7 +899,8 @@ errout: int m_write_int32(int s, int32_t value) { - u_int32_t v; + u_int32_t v; + memcpy(&v, &value, sizeof v); return (write(s, &v, sizeof v) == -1); } @@ -909,7 +917,8 @@ m_write_raw(int s, char *data, size_t dlen) int m_read_int32(int s, int32_t *value) { - u_int32_t v; + u_int32_t v; + if (read(s, &v, sizeof v) != sizeof v) return 1; memcpy(value, &v, sizeof v); @@ -919,8 +928,9 @@ m_read_int32(int s, int32_t *value) int m_read_raw(int s, char *data, size_t maxlen) { - u_int32_t v; - int r; + u_int32_t v; + int r; + if (m_read_int32(s, &v)) return 1; if (v > maxlen) @@ -933,7 +943,7 @@ m_read_raw(int s, char *data, size_t maxlen) void m_flush(int s) { - u_int8_t tmp; + u_int8_t tmp; int one = 1; ioctl(s, FIONBIO, &one);/* Non-blocking */ @@ -945,7 +955,7 @@ m_flush(int s) static int m_priv_local_sanitize_path(char *path, size_t pmax, int flags) { - char *p; + char *p; /* * We only permit paths starting with @@ -957,7 +967,7 @@ m_priv_local_sanitize_path(char *path, size_t pmax, int flags) goto bad_path; /* Any path containing '..' is invalid. */ - for (p = path; *p && (p - path) < (int) pmax; p++) + for (p = path; *p && (p - path) < (int)pmax; p++) if (*p == '.' && *(p + 1) == '.') goto bad_path; @@ -1027,9 +1037,9 @@ m_priv_check_bind(const struct sockaddr *sa, socklen_t salen) log_print("NULL address"); return 1; } - if (sysdep_sa_len((struct sockaddr *) sa) != salen) { + if (sysdep_sa_len((struct sockaddr *)sa) != salen) { log_print("Length mismatch: %d %d", - (int) sysdep_sa_len((struct sockaddr *) sa), (int) salen); + (int)sysdep_sa_len((struct sockaddr *)sa), (int)salen); return 1; } switch (sa->sa_family) { @@ -1038,14 +1048,14 @@ m_priv_check_bind(const struct sockaddr *sa, socklen_t salen) log_print("Invalid inet address length"); return 1; } - port = ((const struct sockaddr_in *) sa)->sin_port; + port = ((const struct sockaddr_in *)sa)->sin_port; break; case AF_INET6: if (salen != sizeof(struct sockaddr_in6)) { log_print("Invalid inet6 address length"); return 1; } - port = ((const struct sockaddr_in6 *) sa)->sin6_port; + port = ((const struct sockaddr_in6 *)sa)->sin6_port; break; default: log_print("Unknown address family"); @@ -1066,10 +1076,11 @@ static void m_priv_increase_state(int state) { if (state <= cur_state) - log_print("m_priv_increase_state: attempt to decrase state or match " - "current state"); + log_print("m_priv_increase_state: attempt to decrase state " + "or match current state"); if (state < STATE_INIT || state > STATE_QUIT) - log_print("m_priv_increase_state: attempt to switch to invalid state"); + log_print("m_priv_increase_state: attempt to switch to " + "invalid state"); cur_state = state; } @@ -1077,6 +1088,7 @@ static void m_priv_test_state(int state) { if (cur_state != state) - log_print("m_priv_test_state: Illegal state: %d != %d", cur_state, state); + log_print("m_priv_test_state: Illegal state: %d != %d", + cur_state, state); return; } diff --git a/sbin/isakmpd/monitor_fdpass.c b/sbin/isakmpd/monitor_fdpass.c index 0a1e3065c4d..8031416e7e4 100644 --- a/sbin/isakmpd/monitor_fdpass.c +++ b/sbin/isakmpd/monitor_fdpass.c @@ -47,7 +47,7 @@ mm_send_fd(int socket, int fd) cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; - *(int *) CMSG_DATA(cmsg) = fd; + *(int *)CMSG_DATA(cmsg) = fd; vec.iov_base = &ch; vec.iov_len = 1; @@ -60,7 +60,7 @@ mm_send_fd(int socket, int fd) } if (n != 1) { log_error("%s: sendmsg: expected sent 1 got %ld", - __func__, (long) n); + __func__, (long)n); return -1; } return 0; @@ -90,7 +90,7 @@ mm_receive_fd(int socket) } if (n != 1) { log_error("%s: recvmsg: expected received 1 got %ld", __func__, - (long) n); + (long)n); return -1; } cmsg = CMSG_FIRSTHDR(&msg); @@ -99,6 +99,6 @@ mm_receive_fd(int socket) cmsg->cmsg_type); return -1; } - fd = (*(int *) CMSG_DATA(cmsg)); + fd = (*(int *)CMSG_DATA(cmsg)); return fd; } diff --git a/sbin/isakmpd/pf_key_v2.h b/sbin/isakmpd/pf_key_v2.h index f3abff45963..f6f3711f100 100644 --- a/sbin/isakmpd/pf_key_v2.h +++ b/sbin/isakmpd/pf_key_v2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.h,v 1.9 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: pf_key_v2.h,v 1.10 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */ /* @@ -42,15 +42,12 @@ struct sockaddr; extern void pf_key_v2_connection_check(char *); extern int pf_key_v2_delete_spi(struct sa *, struct proto *, int); extern int pf_key_v2_enable_sa(struct sa *, struct sa *); -extern int -pf_key_v2_enable_spi(in_addr_t, in_addr_t, in_addr_t, in_addr_t, - u_int8_t *, u_int8_t, in_addr_t); -extern u_int8_t * -pf_key_v2_get_spi(size_t *, u_int8_t, struct sockaddr *, - struct sockaddr *, u_int32_t); -extern int -pf_key_v2_group_spis(struct sa *, struct proto *, struct proto *, - int); +extern int pf_key_v2_enable_spi(in_addr_t, in_addr_t, in_addr_t, + in_addr_t, u_int8_t *, u_int8_t, in_addr_t); +extern u_int8_t *pf_key_v2_get_spi(size_t *, u_int8_t, struct sockaddr *, + struct sockaddr *, u_int32_t); +extern int pf_key_v2_group_spis(struct sa *, struct proto *, + struct proto *, int); extern void pf_key_v2_handler(int); extern int pf_key_v2_open(void); extern int pf_key_v2_set_spi(struct sa *, struct proto *, int, struct sa *); diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c index e2fb68512a7..1b3516399f2 100644 --- a/sbin/isakmpd/policy.c +++ b/sbin/isakmpd/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.72 2004/05/23 16:14:22 deraadt Exp $ */ +/* $OpenBSD: policy.c,v 1.73 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ /* @@ -81,7 +81,7 @@ static const char hextab[] = { * Adaptation of Vixie's inet_ntop4 () */ static const char * -my_inet_ntop4(const in_addr_t * src, char *dst, size_t size, int normalize) +my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) { static const char fmt[] = "%03u.%03u.%03u.%03u"; char tmp[sizeof "255.255.255.255"]; @@ -107,10 +107,10 @@ my_inet_ntop6(const unsigned char *src, char *dst, size_t size) { static const char fmt[] = "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; - char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; + char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; - if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], src[4], - src[5], src[6], src[7], src[8], src[9], src[10], src[11], + if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], + src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], src[12], src[13], src[14], src[15]) > (int)size) { errno = ENOSPC; return 0; @@ -209,10 +209,14 @@ policy_callback(char *name) memset(esp_key_rounds, 0, sizeof esp_key_rounds); memset(comp_dict_size, 0, sizeof comp_dict_size); memset(comp_private_alg, 0, sizeof comp_private_alg); - memset(remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); - memset(remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); - memset(local_filter_addr_upper, 0, sizeof local_filter_addr_upper); - memset(local_filter_addr_lower, 0, sizeof local_filter_addr_lower); + memset(remote_filter_addr_upper, 0, + sizeof remote_filter_addr_upper); + memset(remote_filter_addr_lower, 0, + sizeof remote_filter_addr_lower); + memset(local_filter_addr_upper, 0, + sizeof local_filter_addr_upper); + memset(local_filter_addr_lower, 0, + sizeof local_filter_addr_lower); memset(remote_id_addr_upper, 0, sizeof remote_id_addr_upper); memset(remote_id_addr_lower, 0, sizeof remote_id_addr_lower); memset(ah_group_desc, 0, sizeof ah_group_desc); @@ -236,7 +240,8 @@ policy_callback(char *name) pfs = "yes"; is = policy_isakmp_sa->data; - snprintf(phase1_group, sizeof phase1_group, "%u", is->group_desc); + snprintf(phase1_group, sizeof phase1_group, "%u", + is->group_desc); for (proto = TAILQ_FIRST(&policy_sa->protos); proto; proto = TAILQ_NEXT(proto, link)) { @@ -353,7 +358,8 @@ policy_callback(char *name) break; } - for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; + for (attr = proto->chosen->p + + ISAKMP_TRANSFORM_SA_ATTRS_OFF; attr < proto->chosen->p + GET_ISAKMP_GEN_LENGTH(proto->chosen->p); attr = value + len) { @@ -365,7 +371,8 @@ policy_callback(char *name) type = GET_ISAKMP_ATTR_TYPE(attr); fmt = ISAKMP_ATTR_FORMAT(type); type = ISAKMP_ATTR_TYPE(type); - value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : + value = attr + (fmt ? + ISAKMP_ATTR_LENGTH_VALUE_OFF : ISAKMP_ATTR_VALUE_OFF); len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); @@ -1781,15 +1788,15 @@ policy_init(void) /* Allocate memory to keep policies. */ ptr = calloc(sz + 1, sizeof(char)); if (!ptr) - log_fatal("policy_init: calloc (%lu, %lu) failed", (unsigned long)sz + 1, - (unsigned long)sizeof(char)); + log_fatal("policy_init: calloc (%lu, %lu) failed", + (unsigned long)sz + 1, (unsigned long)sizeof(char)); /* Just in case there are short reads... */ for (len = 0; len < sz; len += i) { i = read(fd, ptr + len, sz - len); if (i == -1) - log_fatal("policy_init: read (%d, %p, %lu) failed", fd, ptr + len, - (unsigned long)(sz - len)); + log_fatal("policy_init: read (%d, %p, %lu) failed", fd, + ptr + len, (unsigned long)(sz - len)); } /* We're done with this. */ @@ -1825,9 +1832,9 @@ keynote_cert_init(void) /* Just copy and return. */ void * -keynote_cert_get(u_int8_t * data, u_int32_t len) +keynote_cert_get(u_int8_t *data, u_int32_t len) { - char *foo = malloc(len + 1); + char *foo = malloc(len + 1); if (foo == NULL) return NULL; @@ -1844,8 +1851,8 @@ keynote_cert_get(u_int8_t * data, u_int32_t len) int keynote_cert_validate(void *scert) { - char **foo; - int num, i; + char **foo; + int num, i; if (scert == NULL) return 0; @@ -1873,8 +1880,8 @@ keynote_cert_validate(void *scert) int keynote_cert_insert(int sid, void *scert) { - char **foo; - int num; + char **foo; + int num; if (scert == NULL) return 0; @@ -1898,16 +1905,16 @@ keynote_cert_free(void *cert) /* Verify that the key given to us is valid. */ int -keynote_certreq_validate(u_int8_t * data, u_int32_t len) +keynote_certreq_validate(u_int8_t *data, u_int32_t len) { struct keynote_deckey dc; - int err = 1; - char *dat; + int err = 1; + char *dat; dat = calloc(len + 1, sizeof(char)); if (!dat) { - log_error("keynote_certreq_validate: calloc (%d, %lu) failed", len + 1, - (unsigned long)sizeof(char)); + log_error("keynote_certreq_validate: calloc (%d, %lu) failed", + len + 1, (unsigned long)sizeof(char)); return 0; } memcpy(dat, data, len); @@ -1923,8 +1930,8 @@ keynote_certreq_validate(u_int8_t * data, u_int32_t len) } /* Beats me what we should be doing with this. */ -void * -keynote_certreq_decode(u_int8_t * data, u_int32_t len) +void * +keynote_certreq_decode(u_int8_t *data, u_int32_t len) { /* XXX */ return NULL; @@ -1937,8 +1944,8 @@ keynote_free_aca(void *blob) } int -keynote_cert_obtain(u_int8_t * id, size_t id_len, void *data, u_int8_t ** cert, - u_int32_t * certlen) +keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, + u_int32_t *certlen) { char *dirname, *file, *addr_str; struct stat sb; @@ -1965,26 +1972,26 @@ keynote_cert_obtain(u_int8_t * id, size_t id_len, void *data, u_int8_t ** cert, switch (idtype) { case IPSEC_ID_IPV4_ADDR: case IPSEC_ID_IPV6_ADDR: - util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, - id); + util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? + AF_INET : AF_INET6, id); if (addr_str == 0) return 0; file = calloc(len + strlen(addr_str), sizeof(char)); if (file == NULL) { - log_error("keynote_cert_obtain: failed to allocate %lu bytes", - (unsigned long)len + strlen(addr_str)); + log_error("keynote_cert_obtain: failed to allocate " + "%lu bytes", (unsigned long)len + + strlen(addr_str)); free(addr_str); return 0; } - snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, addr_str, - CREDENTIAL_FILE); + snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, + addr_str, CREDENTIAL_FILE); free(addr_str); break; case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - { + case IPSEC_ID_USER_FQDN: { file = calloc(len + id_len, sizeof(char)); if (file == NULL) { log_error("keynote_cert_obtain: failed to allocate %lu bytes", diff --git a/sbin/isakmpd/prf.c b/sbin/isakmpd/prf.c index c5d538a11b5..fdb91fe9adc 100644 --- a/sbin/isakmpd/prf.c +++ b/sbin/isakmpd/prf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: prf.c,v 1.13 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: prf.c,v 1.14 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: prf.c,v 1.7 1999/05/02 12:50:29 niklas Exp $ */ /* @@ -40,9 +40,9 @@ #include "log.h" #include "prf.h" -void prf_hash_init(struct prf_hash_ctx *); -void prf_hash_update(struct prf_hash_ctx *, unsigned char *, unsigned int); -void prf_hash_final(unsigned char *, struct prf_hash_ctx *); +void prf_hash_init(struct prf_hash_ctx *); +void prf_hash_update(struct prf_hash_ctx *, unsigned char *, unsigned int); +void prf_hash_final(unsigned char *, struct prf_hash_ctx *); /* PRF behaves likes a hash */ @@ -94,7 +94,7 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared, prf = malloc(sizeof *prf); if (!prf) { log_error("prf_alloc: malloc (%lu) failed", - (unsigned long) sizeof *prf); + (unsigned long)sizeof *prf); return 0; } if (type == PRF_HMAC) { @@ -102,19 +102,21 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared, prfctx = malloc(sizeof *prfctx); if (!prfctx) { log_error("prf_alloc: malloc (%lu) failed", - (unsigned long) sizeof *prfctx); + (unsigned long)sizeof *prfctx); goto cleanprf; } prf->prfctx = prfctx; prfctx->ctx = malloc(hash->ctxsize); if (!prfctx->ctx) { - log_error("prf_alloc: malloc (%d) failed", hash->ctxsize); + log_error("prf_alloc: malloc (%d) failed", + hash->ctxsize); goto cleanprfctx; } prfctx->ctx2 = malloc(hash->ctxsize); if (!prfctx->ctx2) { - log_error("prf_alloc: malloc (%d) failed", hash->ctxsize); + log_error("prf_alloc: malloc (%d) failed", + hash->ctxsize); free(prfctx->ctx); goto cleanprfctx; } @@ -123,10 +125,10 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared, prfctx->hash = hash; /* Use the correct function pointers. */ - prf->Init = (void (*) (void *)) prf_hash_init; - prf->Update = (void (*) (void *, unsigned char *, - unsigned int)) prf_hash_update; - prf->Final = (void (*) (unsigned char *, void *)) prf_hash_final; + prf->Init = (void(*)(void *))prf_hash_init; + prf->Update = (void(*)(void *, unsigned char *, + unsigned int))prf_hash_update; + prf->Final = (void(*)(unsigned char *, void *))prf_hash_final; /* Init HMAC contexts. */ hash->HMACInit(hash, shared, sharedsize); diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c index 5698323f236..feed2c79d76 100644 --- a/sbin/isakmpd/sa.c +++ b/sbin/isakmpd/sa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.c,v 1.81 2004/05/13 06:56:34 ho Exp $ */ +/* $OpenBSD: sa.c,v 1.82 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ /* @@ -92,7 +92,7 @@ sa_init(void) sa_tab = malloc((bucket_mask + 1) * sizeof(struct sa_list)); if (!sa_tab) log_fatal("sa_init: malloc (%lu) failed", - (bucket_mask + 1) * (unsigned long) sizeof(struct sa_list)); + (bucket_mask + 1) * (unsigned long)sizeof(struct sa_list)); for (i = 0; i <= bucket_mask; i++) LIST_INIT(&sa_tab[i]); } @@ -102,8 +102,8 @@ sa_init(void) static void sa_resize(void) { - int new_mask = (bucket_mask + 1) * 2 - 1; - int i; + int new_mask = (bucket_mask + 1) * 2 - 1; + int i; struct sa_list *new_tab; new_tab = realloc(sa_tab, (new_mask + 1) * sizeof(struct sa_list)); @@ -145,7 +145,7 @@ sa_check_icookie(struct sa *sa, void *icookie) } /* Lookup an ISAKMP SA out of just the initiator cookie. */ -struct sa * +struct sa * sa_lookup_from_icookie(u_int8_t *cookie) { return sa_find(sa_check_icookie, cookie); @@ -306,7 +306,7 @@ sa_enter(struct sa *sa) * Lookup the SA given by the header fields MSG. PHASE2 is false when * looking for phase 1 SAa and true otherwise. */ -struct sa * +struct sa * sa_lookup_by_header(u_int8_t *msg, int phase2) { return sa_lookup(msg + ISAKMP_HDR_COOKIES_OFF, @@ -344,13 +344,13 @@ sa_lookup(u_int8_t *cookies, u_int8_t *message_id) bucket ^= cp[0] | cp[1] << 8; } bucket &= bucket_mask; - for (sa = LIST_FIRST(&sa_tab[bucket]); sa && - (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 || - (message_id && memcmp(message_id, sa->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN) != 0) || - (!message_id && !zero_test(sa->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN))); - sa = LIST_NEXT(sa, link)) + for (sa = LIST_FIRST(&sa_tab[bucket]); + sa && (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 + || (message_id && memcmp(message_id, sa->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN) != 0) + || (!message_id && !zero_test(sa->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN))); + sa = LIST_NEXT(sa, link)) ; return sa; @@ -369,7 +369,7 @@ sa_create(struct exchange *exchange, struct transport *t) sa = calloc(1, sizeof *sa); if (!sa) { log_error("sa_create: calloc (1, %lu) failed", - (unsigned long) sizeof *sa); + (unsigned long)sizeof *sa); return -1; } sa->transport = t; @@ -390,7 +390,7 @@ sa_create(struct exchange *exchange, struct transport *t) sa->data = calloc(1, sa->doi->sa_size); if (!sa->data) { log_error("sa_create: calloc (1, %lu) failed", - (unsigned long) sa->doi->sa_size); + (unsigned long)sa->doi->sa_size); free(sa); return -1; } @@ -889,10 +889,10 @@ sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase) "protocol mismatch", match, match->no)); return 1; } - avs = (struct attr_validation_state *) calloc(1, sizeof *avs); + avs = (struct attr_validation_state *)calloc(1, sizeof *avs); if (!avs) { log_error("sa_validate_proto_xf: calloc (1, %lu)", - (unsigned long) sizeof *avs); + (unsigned long)sizeof *avs); return 1; } avs->phase = phase; @@ -906,7 +906,7 @@ sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase) /* Check against the transforms we suggested. */ avs->mode++; for (pa = TAILQ_FIRST(&match->xfs); pa && !found; - pa = TAILQ_NEXT(pa, next)) { + pa = TAILQ_NEXT(pa, next)) { if (xf_id != GET_ISAKMP_TRANSFORM_ID(pa->attrs)) continue; @@ -954,7 +954,7 @@ sa_add_transform(struct sa *sa, struct payload *xf, int initiator, proto = calloc(1, sizeof *proto); if (!proto) log_error("sa_add_transform: calloc (1, %lu) failed", - (unsigned long) sizeof *proto); + (unsigned long)sizeof *proto); } else { /* * RFC 2408, section 4.2 states the responder SHOULD use the @@ -989,7 +989,7 @@ sa_add_transform(struct sa *sa, struct payload *xf, int initiator, proto->data = calloc(1, sa->doi->proto_size); if (!proto->data) { log_error("sa_add_transform: calloc (1, %lu) failed", - (unsigned long) sa->doi->proto_size); + (unsigned long)sa->doi->proto_size); goto cleanup; } } @@ -1151,11 +1151,12 @@ sa_flag(char *attr) */ { "__ondemand", SA_FLAG_ONDEMAND - }, { + }, + { "ikecfg", SA_FLAG_IKECFG }, }; - size_t i; + size_t i; for (i = 0; i < sizeof sa_flag_map / sizeof sa_flag_map[0]; i++) if (strcasecmp(attr, sa_flag_map[i].name) == 0) diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h index 0bdd97d9c73..fdf2323c644 100644 --- a/sbin/isakmpd/sa.h +++ b/sbin/isakmpd/sa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.h,v 1.36 2004/05/13 06:56:34 ho Exp $ */ +/* $OpenBSD: sa.h,v 1.37 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ /* @@ -77,8 +77,8 @@ struct proto { u_int8_t *spi[2]; /* - * The chosen transform, only valid while the incoming SA payload that held - * it is available for duplicate testing. + * The chosen transform, only valid while the incoming SA payload that + * held it is available for duplicate testing. */ struct payload *chosen; @@ -88,7 +88,7 @@ struct proto { /* DOI-specific data. */ void *data; - /* Proposal transforms data, for validating the responders selection. */ + /* Proposal transforms data, for validating the responders selection. */ TAILQ_HEAD(proto_attr_head, proto_attr) xfs; size_t xf_cnt; }; @@ -107,8 +107,8 @@ struct sa { LIST_ENTRY(sa) link; /* - * When several SA's are being negotiated in one message we connect them - * through this link. + * When several SA's are being negotiated in one message we connect + * them through this link. */ TAILQ_ENTRY(sa) next; @@ -128,7 +128,7 @@ struct sa { u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; /* The protection suite chosen. */ - TAILQ_HEAD(proto_head, proto) protos; + TAILQ_HEAD(proto_head, proto) protos; /* The exchange type we should use when rekeying. */ u_int8_t exch_type; @@ -166,14 +166,15 @@ struct sa { int policy_id; /* - * The key used to authenticate phase 1, in printable format, used only by - * KeyNote. + * The key used to authenticate phase 1, in printable format, used + * only by KeyNote. */ char *keynote_key; /* - * Certificates or other information from Phase 1; these are copied from the - * exchange, so look at exchange.h for an explanation of their use. + * Certificates or other information from Phase 1; these are copied + * from the exchange, so look at exchange.h for an explanation of + * their use. */ int recv_certtype, recv_keytype; /* Certificate received from peer, native format. */ @@ -182,8 +183,8 @@ struct sa { void *recv_key; /* - * Certificates or other information we used to authenticate to the peer, - * Phase 1. + * Certificates or other information we used to authenticate to the + * peer, Phase 1. */ int sent_certtype; /* Certificate (to be) sent to peer, native format. */ @@ -226,9 +227,8 @@ struct sa { #define SA_FLAG_IKECFG 0x40 extern void proto_free(struct proto * proto); -extern int -sa_add_transform(struct sa *, struct payload *, int, - struct proto **); +extern int sa_add_transform(struct sa *, struct payload *, int, + struct proto **); extern int sa_create(struct exchange *, struct transport *); extern int sa_enter(struct sa *); extern void sa_delete(struct sa *, int); diff --git a/sbin/isakmpd/timer.c b/sbin/isakmpd/timer.c index 180ccc823a0..9faca130604 100644 --- a/sbin/isakmpd/timer.c +++ b/sbin/isakmpd/timer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: timer.c,v 1.12 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: timer.c,v 1.13 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: timer.c,v 1.13 2000/02/20 19:58:42 niklas Exp $ */ /* @@ -56,7 +56,8 @@ timer_next_event(struct timeval **timeout) if (timercmp(&now, &TAILQ_FIRST(&events)->expiration, >=)) timerclear(*timeout); else - timersub(&TAILQ_FIRST(&events)->expiration, &now, *timeout); + timersub(&TAILQ_FIRST(&events)->expiration, &now, + *timeout); } else *timeout = 0; } @@ -104,8 +105,8 @@ timer_add_event(char *name, void (*func)(void *), void *arg, arg, n->name, n->arg, expiration->tv_sec - now.tv_sec)); TAILQ_INSERT_BEFORE(n, ev, link); } else { - LOG_DBG((LOG_TIMER, 10, "timer_add_event: event %s(%p) added last, " - "expiration in %lds", name, arg, + LOG_DBG((LOG_TIMER, 10, "timer_add_event: event %s(%p) added " + "last, expiration in %lds", name, arg, expiration->tv_sec - now.tv_sec)); TAILQ_INSERT_TAIL(&events, ev, link); } diff --git a/sbin/isakmpd/timer.h b/sbin/isakmpd/timer.h index a107107e69e..2e890a37cec 100644 --- a/sbin/isakmpd/timer.h +++ b/sbin/isakmpd/timer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: timer.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: timer.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: timer.h,v 1.6 1999/04/11 22:35:55 ho Exp $ */ /* @@ -48,7 +48,7 @@ extern void timer_init(void); extern void timer_next_event(struct timeval **); extern void timer_handle_expirations(void); extern struct event *timer_add_event(char *, void (*) (void *), void *, - struct timeval *); + struct timeval *); extern void timer_remove_event(struct event *); extern void timer_report(void); diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c index 376ca492d2f..e72b64d464f 100644 --- a/sbin/isakmpd/udp.c +++ b/sbin/isakmpd/udp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp.c,v 1.70 2004/05/23 16:14:37 deraadt Exp $ */ +/* $OpenBSD: udp.c,v 1.71 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */ /* @@ -137,7 +137,8 @@ udp_make(struct sockaddr *laddr) t = calloc(1, sizeof *t); if (!t) { - log_print("udp_make: malloc (%lu) failed", (unsigned long) sizeof *t); + log_print("udp_make: malloc (%lu) failed", + (unsigned long)sizeof *t); return 0; } s = socket(laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); @@ -153,7 +154,8 @@ udp_make(struct sockaddr *laddr) /* Wildcard address ? */ switch (laddr->sa_family) { case AF_INET: - if (((struct sockaddr_in *)laddr)->sin_addr.s_addr == INADDR_ANY) + if (((struct sockaddr_in *)laddr)->sin_addr.s_addr == + INADDR_ANY) wildcardaddress = 1; break; case AF_INET6: @@ -164,17 +166,17 @@ udp_make(struct sockaddr *laddr) /* * In order to have several bound specific address-port combinations - * with the same port SO_REUSEADDR is needed. - * If this is a wildcard socket and we are not listening there, but only - * sending from it make sure it is entirely reuseable with SO_REUSEPORT. + * with the same port SO_REUSEADDR is needed. If this is a wildcard + * socket and we are not listening there, but only sending from it + * make sure it is entirely reuseable with SO_REUSEPORT. */ on = 1; if (setsockopt(s, SOL_SOCKET, wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, - (void *) &on, sizeof on) == -1) { - log_error("udp_make: setsockopt (%d, %d, %d, %p, %lu)", s, SOL_SOCKET, - wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, - &on, (unsigned long) sizeof on); + (void *)&on, sizeof on) == -1) { + log_error("udp_make: setsockopt (%d, %d, %d, %p, %lu)", s, + SOL_SOCKET, wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, + &on, (unsigned long)sizeof on); goto err; } t->transport.vtbl = &udp_transport_vtbl; @@ -184,10 +186,10 @@ udp_make(struct sockaddr *laddr) if (sockaddr2text(t->src, &tstr, 0)) log_error("udp_make: bind (%d, %p, %lu)", s, &t->src, - (unsigned long) sizeof t->src); + (unsigned long)sizeof t->src); else { log_error("udp_make: bind (%d, %s, %lu)", s, tstr, - (unsigned long) sizeof t->src); + (unsigned long)sizeof t->src); free(tstr); } goto err; @@ -218,16 +220,18 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr) t = malloc(sizeof *u); if (!t) { - log_error("udp_clone: malloc (%lu) failed", (unsigned long) sizeof *u); + log_error("udp_clone: malloc (%lu) failed", + (unsigned long)sizeof *u); return 0; } - u2 = (struct udp_transport *) t; + u2 = (struct udp_transport *)t; memcpy(u2, u, sizeof *u); u2->src = malloc(sysdep_sa_len(u->src)); if (!u2->src) { - log_error("udp_clone: malloc (%d) failed", sysdep_sa_len(u->src)); + log_error("udp_clone: malloc (%d) failed", + sysdep_sa_len(u->src)); free(t); return 0; } @@ -235,7 +239,8 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr) u2->dst = malloc(sysdep_sa_len(raddr)); if (!u2->dst) { - log_error("udp_clone: malloc (%d) failed", sysdep_sa_len(raddr)); + log_error("udp_clone: malloc (%d) failed", + sysdep_sa_len(raddr)); free(u2->src); free(t); return 0; @@ -256,12 +261,12 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr) static struct transport * udp_bind(const struct sockaddr *addr) { - struct sockaddr *src = malloc(sysdep_sa_len((struct sockaddr *) addr)); + struct sockaddr *src = malloc(sysdep_sa_len((struct sockaddr *)addr)); if (!src) return 0; - memcpy(src, addr, sysdep_sa_len((struct sockaddr *) addr)); + memcpy(src, addr, sysdep_sa_len((struct sockaddr *)addr)); return udp_make(src); } @@ -317,8 +322,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) * in the IP stack. */ if (if_addr->sa_family == AF_INET && - (((struct sockaddr_in *) if_addr)->sin_addr.s_addr == INADDR_ANY || - (((struct sockaddr_in *) if_addr)->sin_addr.s_addr == INADDR_NONE))) + (((struct sockaddr_in *)if_addr)->sin_addr.s_addr == INADDR_ANY || + (((struct sockaddr_in *)if_addr)->sin_addr.s_addr == INADDR_NONE))) return 0; /* @@ -329,13 +334,13 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) if (sysdep_sa_len(if_addr) > sizeof saddr_st) return 0; memcpy(saddr, if_addr, sysdep_sa_len(if_addr)); - switch (saddr->sa_family) { /* Add the port number to the sockaddr. */ + switch (saddr->sa_family) { /* Add the port number to the sockaddr. */ case AF_INET: - ((struct sockaddr_in *) saddr)->sin_port = + ((struct sockaddr_in *)saddr)->sin_port = htons(strtol(port, &ep, 10)); break; case AF_INET6: - ((struct sockaddr_in6 *) saddr)->sin6_port = + ((struct sockaddr_in6 *)saddr)->sin6_port = htons(strtol(port, &ep, 10)); break; } @@ -353,7 +358,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) } strlcpy(flags_ifr.ifr_name, ifname, sizeof flags_ifr.ifr_name); if (ioctl(s, SIOCGIFFLAGS, (caddr_t) & flags_ifr) == -1) { - log_error("udp_bind_if: ioctl (%d, SIOCGIFFLAGS, ...) failed", s); + log_error("udp_bind_if: ioctl (%d, SIOCGIFFLAGS, ...) failed", + s); return -1; } close(s); @@ -372,10 +378,10 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) } switch (if_addr->sa_family) { case AF_INET: - ((struct sockaddr_in *) if_addr)->sin_port = htons(lport); + ((struct sockaddr_in *)if_addr)->sin_port = htons(lport); break; case AF_INET6: - ((struct sockaddr_in6 *) if_addr)->sin6_port = htons(lport); + ((struct sockaddr_in6 *)if_addr)->sin6_port = htons(lport); break; default: log_print("udp_bind_if: unsupported protocol family %d", @@ -394,8 +400,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) for (address = TAILQ_FIRST(&listen_on->fields); address; address = TAILQ_NEXT(address, link)) { if (text2sockaddr(address->field, port, &addr)) { - log_print("udp_bind_if: invalid address %s in \"Listen-on\"", - address->field); + log_print("udp_bind_if: invalid address %s " + "in \"Listen-on\"", address->field); continue; } /* If found, take the easy way out. */ @@ -408,10 +414,10 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) conf_free_list(listen_on); /* - * If address is zero then we did not find the address among the ones - * we should listen to. - * XXX We do not discover if we do not find our listen addresses... - * Maybe this should be the other way round. + * If address is zero then we did not find the address among + * the ones we should listen to. + * XXX We do not discover if we do not find our listen + * addresses... Maybe this should be the other way round. */ if (!address) return 0; @@ -425,7 +431,7 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) free(addr_str); return -1; } - LIST_INSERT_HEAD(&udp_listen_list, (struct udp_transport *) t, link); + LIST_INSERT_HEAD(&udp_listen_list, (struct udp_transport *)t, link); return 0; } @@ -453,7 +459,8 @@ udp_create(char *name) return 0; } if (text2sockaddr(addr_str, port_str, &dst)) { - log_print("udp_create: address \"%s\" not understood", addr_str); + log_print("udp_create: address \"%s\" not understood", + addr_str); return 0; } addr_str = conf_get_str(name, "Local-address"); @@ -474,15 +481,16 @@ udp_create(char *name) } } if (text2sockaddr(addr_str, port_str, &addr)) { - log_print("udp_create: address \"%s\" not understood", addr_str); + log_print("udp_create: address \"%s\" not understood", + addr_str); rv = 0; goto ret; } u = udp_listen_lookup(addr); free(addr); if (!u) { - log_print("udp_create: %s:%s must exist as a listener too", addr_str, - port_str); + log_print("udp_create: %s:%s must exist as a listener too", + addr_str, port_str); rv = 0; goto ret; } @@ -494,9 +502,9 @@ ret: } void -udp_remove(struct transport * t) +udp_remove(struct transport *t) { - struct udp_transport *u = (struct udp_transport *) t; + struct udp_transport *u = (struct udp_transport *)t; if (u->src) free(u->src); @@ -517,9 +525,9 @@ udp_remove(struct transport * t) /* Report transport-method specifics of the T transport. */ void -udp_report(struct transport * t) +udp_report(struct transport *t) { - struct udp_transport *u = (struct udp_transport *) t; + struct udp_transport *u = (struct udp_transport *)t; char *src, *dst; if (sockaddr2text(u->src, &src, 0)) @@ -564,8 +572,8 @@ udp_reinit(void) /* Re-probe interface list. */ if (if_map(udp_bind_if, port) == -1) - log_print("udp_init: Could not bind the ISAKMP UDP port %s on all " - "interfaces", port); + log_print("udp_init: Could not bind the ISAKMP UDP port %s " + "on all interfaces", port); /* * Release listening transports for local addresses that no @@ -607,8 +615,8 @@ udp_init(void) /* Bind the ISAKMP UDP port on all network interfaces we have. */ if (if_map(udp_bind_if, port) == -1) - log_fatal("udp_init: Could not bind the ISAKMP UDP port %s on all " - "interfaces", port); + log_fatal("udp_init: Could not bind the ISAKMP UDP port %s " + "on all interfaces", port); /* Only listen to the specified address if Listen-on is configured */ listen_on = conf_get_list("General", "Listen-on"); @@ -624,48 +632,50 @@ udp_init(void) */ lport = strtol(port, &ep, 10); if (*ep != '\0' || lport < (long) 0 || lport > (long) USHRT_MAX) { - log_print("udp_init: port string \"%s\" not convertible to in_port_t", - port); + log_print("udp_init: port string \"%s\" not convertible to " + "in_port_t", port); return; } /* - * Bind to INADDR_ANY in case of new addresses popping up. - * Packet reception on this transport is taken as a hint to reprobe the + * Bind to INADDR_ANY in case of new addresses popping up. Packet + * reception on this transport is taken as a hint to reprobe the * interface list. */ if (!bind_family || (bind_family & BIND_FAMILY_INET4)) { memset(&dflt_stor, 0, sizeof dflt_stor); dflt->sin_family = AF_INET; #if !defined (LINUX_IPSEC) - ((struct sockaddr_in *) dflt)->sin_len = sizeof(struct sockaddr_in); + ((struct sockaddr_in *)dflt)->sin_len = + sizeof(struct sockaddr_in); #endif - ((struct sockaddr_in *) dflt)->sin_port = htons(lport); + ((struct sockaddr_in *)dflt)->sin_port = htons(lport); - default_transport = udp_bind((struct sockaddr *) & dflt_stor); + default_transport = udp_bind((struct sockaddr *)&dflt_stor); if (!default_transport) { log_error("udp_init: could not allocate default " "IPv4 ISAKMP UDP port"); return; } LIST_INSERT_HEAD(&udp_listen_list, - (struct udp_transport *) default_transport, link); + (struct udp_transport *)default_transport, link); } if (!bind_family || (bind_family & BIND_FAMILY_INET6)) { memset(&dflt_stor, 0, sizeof dflt_stor); dflt->sin_family = AF_INET6; #if !defined (LINUX_IPSEC) - ((struct sockaddr_in6 *) dflt)->sin6_len = sizeof(struct sockaddr_in6); + ((struct sockaddr_in6 *)dflt)->sin6_len = + sizeof(struct sockaddr_in6); #endif - ((struct sockaddr_in6 *) dflt)->sin6_port = htons(lport); + ((struct sockaddr_in6 *)dflt)->sin6_port = htons(lport); - default_transport6 = udp_bind((struct sockaddr *) & dflt_stor); + default_transport6 = udp_bind((struct sockaddr *)&dflt_stor); if (!default_transport6) { log_error("udp_init: could not allocate default " "IPv6 ISAKMP UDP port"); return; } LIST_INSERT_HEAD(&udp_listen_list, - (struct udp_transport *) default_transport6, link); + (struct udp_transport *)default_transport6, link); } } @@ -674,9 +684,9 @@ udp_init(void) * as the number of file descriptors to check. */ static int -udp_fd_set(struct transport * t, fd_set * fds, int bit) +udp_fd_set(struct transport *t, fd_set *fds, int bit) { - struct udp_transport *u = (struct udp_transport *) t; + struct udp_transport *u = (struct udp_transport *)t; if (bit) FD_SET(u->s, fds); @@ -688,9 +698,9 @@ udp_fd_set(struct transport * t, fd_set * fds, int bit) /* Check if transport T's socket is set in FDS. */ static int -udp_fd_isset(struct transport * t, fd_set * fds) +udp_fd_isset(struct transport *t, fd_set *fds) { - struct udp_transport *u = (struct udp_transport *) t; + struct udp_transport *u = (struct udp_transport *)t; return FD_ISSET(u->s, fds); } @@ -713,8 +723,8 @@ udp_handle_message(struct transport * t) n = recvfrom(u->s, buf, UDP_SIZE, 0, (struct sockaddr *) & from, &len); if (n == -1) { - log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, UDP_SIZE, 0, - &from, &len); + log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, + UDP_SIZE, 0, &from, &len); return; } /* @@ -725,9 +735,9 @@ udp_handle_message(struct transport * t) udp_reinit(); /* - * As we don't know the actual destination address of the packet, - * we can't really deal with it. So, just ignore it and hope we - * catch the retransmission. + * As we don't know the actual destination address of the + * packet, we can't really deal with it. So, just ignore it + * and hope we catch the retransmission. */ return; } @@ -735,14 +745,14 @@ udp_handle_message(struct transport * t) * Make a specialized UDP transport structure out of the incoming * transport and the address information we got from recvfrom(2). */ - t = udp_clone(u, (struct sockaddr *) & from); + t = udp_clone(u, (struct sockaddr *)&from); if (!t) return; msg = message_alloc(t, buf, n); if (!msg) { - log_error("failed to allocate message structure, dropping packet " - "received on transport %p", u); + log_error("failed to allocate message structure, dropping " + "packet received on transport %p", u); return; } message_recv(msg); @@ -750,9 +760,9 @@ udp_handle_message(struct transport * t) /* Physically send the message MSG over its associated transport. */ static int -udp_send_message(struct message * msg) +udp_send_message(struct message *msg) { - struct udp_transport *u = (struct udp_transport *) msg->transport; + struct udp_transport *u = (struct udp_transport *)msg->transport; ssize_t n; struct msghdr m; @@ -781,9 +791,9 @@ udp_send_message(struct message * msg) * to by DST. */ static void -udp_get_dst(struct transport * t, struct sockaddr ** dst) +udp_get_dst(struct transport *t, struct sockaddr **dst) { - *dst = ((struct udp_transport *) t)->dst; + *dst = ((struct udp_transport *)t)->dst; } /* @@ -791,33 +801,35 @@ udp_get_dst(struct transport * t, struct sockaddr ** dst) * to by SRC. Put its length into SRC_LEN. */ static void -udp_get_src(struct transport * t, struct sockaddr ** src) +udp_get_src(struct transport *t, struct sockaddr **src) { - *src = ((struct udp_transport *) t)->src; + *src = ((struct udp_transport *)t)->src; } static char * -udp_decode_ids(struct transport * t) +udp_decode_ids(struct transport *t) { static char result[1024]; char idsrc[256], iddst[256]; #ifdef HAVE_GETNAMEINFO - if (getnameinfo(((struct udp_transport *) t)->src, - sysdep_sa_len(((struct udp_transport *) t)->src), + if (getnameinfo(((struct udp_transport *)t)->src, + sysdep_sa_len(((struct udp_transport *)t)->src), idsrc, sizeof idsrc, NULL, 0, NI_NUMERICHOST) != 0) { log_print("udp_decode_ids: getnameinfo () failed for 'src'"); strlcpy(idsrc, "<error>", 256); } - if (getnameinfo(((struct udp_transport *) t)->dst, - sysdep_sa_len(((struct udp_transport *) t)->dst), + if (getnameinfo(((struct udp_transport *)t)->dst, + sysdep_sa_len(((struct udp_transport *)t)->dst), iddst, sizeof iddst, NULL, 0, NI_NUMERICHOST) != 0) { log_print("udp_decode_ids: getnameinfo () failed for 'dst'"); strlcpy(iddst, "<error>", 256); } #else - strlcpy(idsrc, inet_ntoa(((struct udp_transport *) t)->src.sin_addr), 256); - strlcpy(iddst, inet_ntoa(((struct udp_transport *) t)->dst.sin_addr), 256); + strlcpy(idsrc, inet_ntoa(((struct udp_transport *)t)->src.sin_addr), + 256); + strlcpy(iddst, inet_ntoa(((struct udp_transport *)t)->dst.sin_addr), + 256); #endif /* HAVE_GETNAMEINFO */ snprintf(result, sizeof result, "src: %s dst: %s", idsrc, iddst); diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c index acba4404bc3..6a091c224ac 100644 --- a/sbin/isakmpd/ui.c +++ b/sbin/isakmpd/ui.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui.c,v 1.39 2004/05/13 06:56:34 ho Exp $ */ +/* $OpenBSD: ui.c,v 1.40 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */ /* @@ -114,7 +114,7 @@ ui_init(void) static void ui_connect(char *cmd) { - char name[81]; + char name[81]; if (sscanf(cmd, "c %80s", name) != 1) { log_print("ui_connect: command \"%s\" malformed", cmd); @@ -478,7 +478,7 @@ ui_handler(void) buf = malloc(sz); if (!buf) { log_print("ui_handler: malloc (%lu) failed", - (unsigned long) sz); + (unsigned long)sz); return; } p = buf; @@ -489,7 +489,7 @@ ui_handler(void) new_buf = realloc(buf, sz * 2); if (!new_buf) { log_print("ui_handler: realloc (%p, %lu) failed", buf, - (unsigned long) sz * 2); + (unsigned long)sz * 2); free(buf); buf = 0; return; @@ -502,7 +502,7 @@ ui_handler(void) n = read(ui_socket, p, resid); if (n == -1) { log_error("ui_handler: read (%d, %p, %lu)", ui_socket, p, - (unsigned long) resid); + (unsigned long)resid); return; } if (!n) diff --git a/sbin/isakmpd/util.c b/sbin/isakmpd/util.c index 3209e116aef..2fdf6852ee2 100644 --- a/sbin/isakmpd/util.c +++ b/sbin/isakmpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.38 2004/05/23 16:14:22 deraadt Exp $ */ +/* $OpenBSD: util.c,v 1.39 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: util.c,v 1.23 2000/11/23 12:22:08 niklas Exp $ */ /* @@ -240,7 +240,7 @@ hex2raw(char *s, u_int8_t *buf, size_t sz) } int -text2sockaddr(char *address, char *port, struct sockaddr ** sa) +text2sockaddr(char *address, char *port, struct sockaddr **sa) { #ifdef HAVE_GETNAMEINFO struct addrinfo *ai, hints; @@ -287,7 +287,7 @@ text2sockaddr(char *address, char *port, struct sockaddr ** sa) sp = getservbyname(port, "udp"); if (!sp) { lport = strtol(port, &ep, 10); - if (ep == port || lport < 0 || lport > (long) USHRT_MAX) { + if (ep == port || lport < 0 || lport > (long)USHRT_MAX) { free(*sa); return -1; } @@ -295,9 +295,9 @@ text2sockaddr(char *address, char *port, struct sockaddr ** sa) } else lport = sp->s_port; if ((*sa)->sa_family == AF_INET) - ((struct sockaddr_in *) *sa)->sin_port = lport; + ((struct sockaddr_in *)*sa)->sin_port = lport; else - ((struct sockaddr_in6 *) *sa)->sin6_port = lport; + ((struct sockaddr_in6 *)*sa)->sin6_port = lport; return 0; #endif } @@ -321,9 +321,11 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag) switch (sa->sa_family) { case AF_INET: case AF_INET6: - if (inet_ntop(sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1) == NULL) { - log_error("sockaddr2text: inet_ntop (%d, %p, %p, %d) failed", - sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1); + if (inet_ntop(sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1) + == NULL) { + log_error("sockaddr2text: inet_ntop (%d, %p, %p, %d) " + "failed", sa->sa_family, sa->sa_data, buf, + NI_MAXHOST - 1); return -1; } buf[NI_MAXHOST - 1] = '\0'; @@ -331,7 +333,7 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag) default: log_print("sockaddr2text: unsupported protocol family %d\n", - sa->sa_family); + sa->sa_family); return -1; } #endif @@ -356,8 +358,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag) return -1; } val = strtol(token, &ep, 10); - if (ep == token || val < (long) 0 || - val > (long) UCHAR_MAX) { + if (ep == token || val < (long)0 || + val > (long)UCHAR_MAX) { free(*address); return -1; } @@ -370,8 +372,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag) case AF_INET6: /* - * XXX In the algorithm below there are some magic numbers we - * probably could give explaining names. + * XXX In the algorithm below there are some magic + * numbers we probably could give explaining names. */ addrlen = sizeof "0000:0000:0000:0000:0000:0000:0000:0000"; *address = malloc(addrlen); @@ -379,7 +381,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag) return -1; for (i = 0, j = 0; i < 8; i++) { - snprintf((*address) + j, addrlen - j, "%02x%02x", + snprintf((*address) + j, addrlen - j, + "%02x%02x", ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i], ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i + 1]); j += 4; @@ -406,9 +409,9 @@ sockaddr_addrlen(struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET6: - return sizeof((struct sockaddr_in6 *) sa)->sin6_addr.s6_addr; + return sizeof((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr; case AF_INET: - return sizeof((struct sockaddr_in *) sa)->sin_addr.s_addr; + return sizeof((struct sockaddr_in *)sa)->sin_addr.s_addr; default: log_print("sockaddr_addrlen: unsupported protocol family %d", sa->sa_family); @@ -421,9 +424,9 @@ sockaddr_addrdata(struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET6: - return (u_int8_t *) & ((struct sockaddr_in6 *) sa)->sin6_addr.s6_addr; + return (u_int8_t *)&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr; case AF_INET: - return (u_int8_t *) & ((struct sockaddr_in *) sa)->sin_addr.s_addr; + return (u_int8_t *)&((struct sockaddr_in *)sa)->sin_addr.s_addr; default: log_print("sockaddr_addrdata: unsupported protocol family %d", sa->sa_family); @@ -436,9 +439,9 @@ sockaddr_port(struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET6: - return ((struct sockaddr_in6 *) sa)->sin6_port; + return ((struct sockaddr_in6 *)sa)->sin6_port; case AF_INET: - return ((struct sockaddr_in *) sa)->sin_port; + return ((struct sockaddr_in *)sa)->sin_port; default: log_print("sockaddr_port: unsupported protocol family %d", sa->sa_family); @@ -472,8 +475,8 @@ util_ntoa(char **buf, int af, u_int8_t *addr) memcpy(sockaddr_addrdata(sfrom), addr, sockaddr_addrlen(sfrom)); if (sockaddr2text(sfrom, buf, 0)) { - log_print("util_ntoa: " - "could not make printable address out of sockaddr %p", sfrom); + log_print("util_ntoa: could not make printable address out " + "of sockaddr %p", sfrom); *buf = 0; } } @@ -499,13 +502,13 @@ check_file_secrecy(char *name, size_t *file_size) return -1; } if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { - log_print("conf_file_secrecy: not loading %s - too open permissions", - name); + log_print("conf_file_secrecy: not loading %s - too open " + "permissions", name); errno = EPERM; return -1; } if (file_size) - *file_size = (size_t) st.st_size; + *file_size = (size_t)st.st_size; return 0; } diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index dda7dda0197..718c6ddbc8e 100644 --- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.88 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: x509.c,v 1.89 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -107,11 +107,11 @@ LIST_HEAD(x509_list, x509_hash) * x509_tab = 0; int x509_generate_kn(int id, X509 *cert) { - char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s\"\n" - "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; + char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s" + "\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n"; char *ikey, *skey, *buf, isname[256], subname[256]; char *fmt2 = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n" - "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; + "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; X509_NAME *issuer, *subject; struct keynote_deckey dc; X509_STORE_CTX csc; @@ -144,14 +144,17 @@ x509_generate_kn(int id, X509 *cert) ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, KEYNOTE_PUBLIC_KEY); if (keynote_errno == ERROR_MEMORY) { - log_print("x509_generate_kn: failed to get memory for public key"); + log_print("x509_generate_kn: failed to get memory for " + "public key"); RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key")); + LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " + "subject key")); return 0; } if (!ikey) { RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key")); + LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " + "subject key")); return 0; } RSA_free(key); @@ -162,8 +165,8 @@ x509_generate_kn(int id, X509 *cert) X509_LU_X509) { X509_STORE_CTX_cleanup(&csc); X509_STORE_CTX_init(&csc, x509_certs, cert, NULL); - if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) != - X509_LU_X509) { + if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) + != X509_LU_X509) { X509_STORE_CTX_cleanup(&csc); LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: no certificate found for issuer")); @@ -192,16 +195,19 @@ x509_generate_kn(int id, X509 *cert) skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, KEYNOTE_PUBLIC_KEY); if (keynote_errno == ERROR_MEMORY) { - log_error("x509_generate_kn: failed to get memory for public key"); + log_error("x509_generate_kn: failed to get memory for public " + "key"); free(ikey); RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key")); + LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " + "key")); return 0; } if (!skey) { free(ikey); RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key")); + LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " + "key")); return 0; } RSA_free(key); @@ -246,7 +252,8 @@ x509_generate_kn(int id, X509 *cert) if ((tm->length < 10) || (tm->length > 13)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length " - "of NotValidBefore time field (%d)", tm->length)); + "of NotValidBefore time field (%d)", + tm->length)); free(ikey); free(skey); free(buf); @@ -272,14 +279,17 @@ x509_generate_kn(int id, X509 *cert) } /* Stupid UTC tricks. */ if (tm->data[0] < '5') - snprintf(before, sizeof before, "20%s", tm->data); + snprintf(before, sizeof before, "20%s", + tm->data); else - snprintf(before, sizeof before, "19%s", tm->data); + snprintf(before, sizeof before, "19%s", + tm->data); } else { /* V_ASN1_GENERICTIME */ if ((tm->length < 12) || (tm->length > 15)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length of " - "NotValidBefore time field (%d)", tm->length)); + "NotValidBefore time field (%d)", + tm->length)); free(ikey); free(skey); free(buf); @@ -379,7 +389,8 @@ x509_generate_kn(int id, X509 *cert) if ((tm->length < 12) || (tm->length > 15)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length of " - "NotValidAfter time field (%d)", tm->length)); + "NotValidAfter time field (%d)", + tm->length)); free(ikey); free(skey); free(buf); @@ -414,7 +425,8 @@ x509_generate_kn(int id, X509 *cert) after[14] = '\0'; /* This will overwrite trailing 'Z' */ } - snprintf(buf, buf_len, fmt, skey, ikey, timecomp, before, timecomp2, after); + snprintf(buf, buf_len, fmt, skey, ikey, timecomp, before, timecomp2, + after); free(ikey); free(skey); @@ -445,8 +457,8 @@ x509_generate_kn(int id, X509 *cert) log_error("x509_generate_kn: malloc (%d) failed", buf_len); return 0; } - snprintf(buf, buf_len, fmt2, isname, subname, timecomp, before, timecomp2, - after); + snprintf(buf, buf_len, fmt2, isname, subname, timecomp, before, + timecomp2, after); if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) { LOG_DBG((LOG_POLICY, 30, @@ -454,7 +466,8 @@ x509_generate_kn(int id, X509 *cert) free(buf); return 0; } - LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s", buf)); + LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s", + buf)); free(buf); return 1; @@ -492,7 +505,7 @@ x509_hash_init(void) if (x509_tab) { for (i = 0; i <= bucket_mask; i++) for (certh = LIST_FIRST(&x509_tab[i]); certh; - certh = LIST_FIRST(&x509_tab[i])) { + certh = LIST_FIRST(&x509_tab[i])) { LIST_REMOVE(certh, link); free(certh); } @@ -501,7 +514,7 @@ x509_hash_init(void) x509_tab = malloc((bucket_mask + 1) * sizeof(struct x509_list)); if (!x509_tab) log_fatal("x509_hash_init: malloc (%lu) failed", - (bucket_mask + 1) * (unsigned long) sizeof(struct x509_list)); + (bucket_mask + 1) * (unsigned long)sizeof(struct x509_list)); for (i = 0; i <= bucket_mask; i++) { LIST_INIT(&x509_tab[i]); } @@ -524,7 +537,8 @@ x509_hash_find(u_int8_t *id, size_t len) id_found = 0; for (i = 0; i < n; i++) { LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", id, len)); - LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i], clen[i])); + LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i], + clen[i])); /* * XXX This identity predicate needs to be * understood. @@ -566,7 +580,7 @@ x509_hash_enter(X509 *cert) if (!certh) { cert_free_subjects(n, id, len); log_error("x509_hash_enter: calloc (1, %lu) failed", - (unsigned long) sizeof *certh); + (unsigned long)sizeof *certh); return 0; } certh->cert = cert; @@ -574,7 +588,8 @@ x509_hash_enter(X509 *cert) bucket = x509_hash(id[i], len[i]); LIST_INSERT_HEAD(&x509_tab[bucket], certh, link); - LOG_DBG((LOG_CRYPTO, 70, "x509_hash_enter: cert %p added to bucket %d", + LOG_DBG((LOG_CRYPTO, 70, + "x509_hash_enter: cert %p added to bucket %d", cert, bucket)); } cert_free_subjects(n, id, len); @@ -609,8 +624,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) dir = monitor_opendir(name); if (!dir) { LOG_DBG((LOG_CRYPTO, 10, - "x509_read_from_dir: opendir (\"%s\") failed: " - "%s", name, strerror(errno))); + "x509_read_from_dir: opendir (\"%s\") failed: %s", + name, strerror(errno))); return 0; } strlcpy(fullname, name, sizeof fullname); @@ -631,7 +646,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) continue; } - LOG_DBG((LOG_CRYPTO, 60, "x509_read_from_dir: reading certificate %s", + LOG_DBG((LOG_CRYPTO, 60, + "x509_read_from_dir: reading certificate %s", file->d_name)); #if defined (USE_PRIVSEP) @@ -651,7 +667,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) #else certh = BIO_new(BIO_s_file()); if (!certh) { - log_error("x509_read_from_dir: BIO_new (BIO_s_file ()) failed"); + log_error("x509_read_from_dir: BIO_new (BIO_s_file " + "()) failed"); continue; } if (BIO_read_filename(certh, fullname) == -1) { @@ -669,20 +686,20 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash) BIO_free(certh); #endif /* USE_PRIVSEP */ if (cert == NULL) { - log_print("x509_read_from_dir: PEM_read_bio_X509 failed for %s", - file->d_name); + log_print("x509_read_from_dir: PEM_read_bio_X509 " + "failed for %s", file->d_name); continue; } if (!X509_STORE_add_cert(ctx, cert)) { /* * This is actually expected if we have several - * certificates only differing in subjectAltName, which - * is not an something that is strange. Consider - * multi-homed machines. + * certificates only differing in subjectAltName, + * which is not an something that is strange. + * Consider multi-homed machines. */ LOG_DBG((LOG_CRYPTO, 50, - "x509_read_from_dir: X509_STORE_add_cert failed for %s", - file->d_name)); + "x509_read_from_dir: X509_STORE_add_cert failed " + "for %s", file->d_name)); } if (hash) if (!x509_hash_enter(cert)) @@ -717,13 +734,13 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) log_print("x509_read_crls_from_dir: directory name too long"); return 0; } - LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs from %s", - name)); + LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs " + "from %s", name)); dir = monitor_opendir(name); if (!dir) { - LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir (\"%s\") " - "failed: %s", name, strerror(errno))); + LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir " + "(\"%s\") failed: %s", name, strerror(errno))); return 0; } strlcpy(fullname, name, sizeof fullname); @@ -739,12 +756,13 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) } else { struct stat sb; - if (monitor_stat(fullname, &sb) == -1 || !(sb.st_mode & S_IFREG)) + if (monitor_stat(fullname, &sb) == -1 || + !(sb.st_mode & S_IFREG)) continue; } - LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading CRL %s", - file->d_name)); + LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading " + "CRL %s", file->d_name)); #if defined (USE_PRIVSEP) crlfp = monitor_fopen(fullname, "r"); @@ -765,7 +783,8 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) if (BIO_read_filename(crlh, fullname) == -1) { BIO_free(crlh); log_error("x509_read_crls_from_dir: " - "BIO_read_filename (crlh, \"%s\") failed", fullname); + "BIO_read_filename (crlh, \"%s\") failed", + fullname); continue; } crl = PEM_read_bio_X509_CRL(crlh, NULL, NULL, NULL); @@ -774,7 +793,8 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) #endif /* USE_PRIVSEP */ if (crl == NULL) { log_print("x509_read_crls_from_dir: " - "PEM_read_bio_X509_CRL failed for %s", file->d_name); + "PEM_read_bio_X509_CRL failed for %s", + file->d_name); continue; } if (!X509_STORE_add_crl(ctx, crl)) { @@ -783,11 +803,12 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) continue; } /* - * XXX This is to make x509_cert_validate set this (and another) flag - * XXX when validating certificates. Currently, OpenSSL defaults to - * XXX reject an otherwise valid certificate (chain) if these flags - * XXX are set but there are no CRLs to check. The current workaround - * XXX is to only set the flags if we actually loaded some CRL data. + * XXX This is to make x509_cert_validate set this (and + * XXX another) flag when validating certificates. Currently, + * XXX OpenSSL defaults to reject an otherwise valid + * XXX certificate (chain) if these flags are set but there + * XXX are no CRLs to check. The current workaround is to only + * XXX set the flags if we actually loaded some CRL data. */ X509_STORE_set_flags(ctx, X509_V_FLAG_CRL_CHECK); } @@ -802,7 +823,7 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name) int x509_cert_init(void) { - char *dirname; + char *dirname; x509_hash_init(); @@ -856,7 +877,7 @@ x509_crl_init(void) * support it. */ #if OPENSSL_VERSION_NUMBER >= 0x00907000L - char *dirname; + char *dirname; dirname = conf_get_str("X509-certificates", "CRL-directory"); if (!dirname) { log_print("x509_crl_init: no CRL-directory"); @@ -940,10 +961,10 @@ x509_cert_validate(void *scert) int x509_cert_insert(int id, void *scert) { - X509 *cert; - int res; + X509 *cert; + int res; - cert = X509_dup((X509 *) scert); + cert = X509_dup((X509 *)scert); if (!cert) { log_print("x509_cert_insert: X509_dup failed"); return 0; @@ -998,7 +1019,8 @@ x509_certreq_validate(u_int8_t *asn, u_int32_t len) if (!asn_template_clone(&name, 1) || (asn = asn_decode_sequence(asn, len, &name)) == 0) { - log_print("x509_certreq_validate: can not decode 'acceptable CA' info"); + log_print("x509_certreq_validate: can not decode 'acceptable " + "CA' info"); res = 0; } asn_free(&name); @@ -1021,13 +1043,14 @@ x509_certreq_decode(u_int8_t *asn, u_int32_t len) if (!asn_template_clone(&aca, 1) || (asn = asn_decode_sequence(asn, len, &aca)) == 0) { - log_print("x509_certreq_decode: can not decode 'acceptable CA' info"); + log_print("x509_certreq_decode: can not decode 'acceptable " + "CA' info"); goto fail; } memset(&naca, 0, sizeof(naca)); - tmp = asn_decompose("aca.RelativeDistinguishedName.AttributeValueAssertion", - &aca); + tmp = asn_decompose("aca.RelativeDistinguishedName." + "AttributeValueAssertion", &aca); if (!tmp) goto fail; x509_get_attribval(tmp, &naca.name1); @@ -1146,7 +1169,8 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len) if (!subjectaltname || !subjectaltname->value || !subjectaltname->value->data || subjectaltname->value->length < 4) { - log_print("x509_cert_subjectaltname: invalid subjectaltname extension"); + log_print("x509_cert_subjectaltname: invalid " + "subjectaltname extension"); return 0; } /* SSL does not handle unknown ASN stuff well, do it by hand. */ @@ -1156,7 +1180,8 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len) sandata += 4; if (sanlen + 4 != subjectaltname->value->length) { - log_print("x509_cert_subjectaltname: subjectaltname invalid length"); + log_print("x509_cert_subjectaltname: subjectaltname invalid " + "length"); return 0; } *len = sanlen; @@ -1181,8 +1206,9 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, *id_len = 0; /* - * XXX There can be a collection of subjectAltNames, but for now - * I only return the subjectName and a single subjectAltName, if present. + * XXX There can be a collection of subjectAltNames, but for now I + * only return the subjectName and a single subjectAltName, if + * present. */ type = x509_cert_subjectaltname(cert, &altname, &altlen); if (!type) { @@ -1194,13 +1220,13 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, *id = calloc(*cnt, sizeof **id); if (!*id) { log_print("x509_cert_get_subject: malloc (%lu) failed", - *cnt * (unsigned long) sizeof **id); + *cnt * (unsigned long)sizeof **id); goto fail; } *id_len = malloc(*cnt * sizeof **id_len); if (!*id_len) { log_print("x509_cert_get_subject: malloc (%lu) failed", - *cnt * (unsigned long) sizeof **id_len); + *cnt * (unsigned long)sizeof **id_len); goto fail; } /* Stash the subjectName into the first slot. */ @@ -1209,10 +1235,12 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, goto fail; (*id_len)[0] = - ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) - ISAKMP_GEN_SZ; + ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) - + ISAKMP_GEN_SZ; (*id)[0] = malloc((*id_len)[0]); if (!(*id)[0]) { - log_print("x509_cert_get_subject: malloc (%d) failed", (*id_len)[0]); + log_print("x509_cert_get_subject: malloc (%d) failed", + (*id_len)[0]); goto fail; } SET_ISAKMP_ID_TYPE((*id)[0] - ISAKMP_GEN_SZ, IPSEC_ID_DER_ASN1_DN); @@ -1238,8 +1266,8 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, case X509v3_IP_ADDR: /* - * XXX I dislike the numeric constants, but I don't know what we - * should use otherwise. + * XXX I dislike the numeric constants, but I don't + * know what we should use otherwise. */ switch (altlen) { case 4: @@ -1251,8 +1279,8 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, break; default: - log_print("x509_cert_get_subject: " - "invalid subjectAltName IPaddress length %d ", + log_print("x509_cert_get_subject: invalid " + "subjectAltName IPaddress length %d ", altlen); goto fail; } @@ -1304,9 +1332,9 @@ x509_cert_get_key(void *scert, void *keyp) X509_free(cert); return 0; } - *(RSA **) keyp = RSAPublicKey_dup(key->pkey.rsa); + *(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa); - return *(RSA **) keyp == NULL ? 0 : 1; + return *(RSA **)keyp == NULL ? 0 : 1; } void * @@ -1320,13 +1348,13 @@ x509_serialize(void *scert, u_int8_t **data, u_int32_t *datalen) { u_int8_t *p; - *datalen = i2d_X509((X509 *) scert, NULL); + *datalen = i2d_X509((X509 *)scert, NULL); *data = p = malloc(*datalen); if (!p) { log_error("x509_serialize: malloc (%d) failed", *datalen); return; } - *datalen = i2d_X509((X509 *) scert, &p); + *datalen = i2d_X509((X509 *)scert, &p); } /* From cert to printable */ @@ -1344,7 +1372,8 @@ x509_printable(void *cert) s = malloc(datalen * 2 + 1); if (!s) { free(data); - log_error("x509_printable: malloc (%d) failed", datalen * 2 + 1); + log_error("x509_printable: malloc (%d) failed", + datalen * 2 + 1); return 0; } for (i = 0; i < datalen; i++) diff --git a/sbin/isakmpd/x509.h b/sbin/isakmpd/x509.h index 3ed64feff86..adba74e8c0b 100644 --- a/sbin/isakmpd/x509.h +++ b/sbin/isakmpd/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.20 2004/04/15 18:39:27 deraadt Exp $ */ +/* $OpenBSD: x509.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */ /* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */ /* @@ -68,7 +68,8 @@ int x509_cert_get_key(void *, void *); int x509_cert_get_subjects(void *, int *, u_int8_t ***, u_int32_t **); int x509_cert_init(void); int x509_crl_init(void); -int x509_cert_obtain(u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *); +int x509_cert_obtain(u_int8_t *, size_t, void *, u_int8_t **, + u_int32_t *); int x509_cert_validate(void *); void x509_free_aca(void *); void *x509_cert_dup(void *); |