src - OpenBSD base system

diff options


context:
space:
mode:

author	Hakan Olsson <ho@cvs.openbsd.org>	2001-07-01 14:17:07 +0000
committer	Hakan Olsson <ho@cvs.openbsd.org>	2001-07-01 14:17:07 +0000
commit	65416774560fe0dffbe7f1e591bd2da6fb3f1fa6 (patch)
tree	660d87c06e48b364982691472aea2a6e95f2ebde /sbin/isakmpd/ipsec.c
parent	666e04f8398af93fe2d7901c05434a7190afc819 (diff)

Teach ipsec_decode_ids about IPv6. More error checking, some better log msgs.

Diffstat (limited to 'sbin/isakmpd/ipsec.c')

-rw-r--r--

sbin/isakmpd/ipsec.c

1 files changed, 65 insertions, 26 deletions

diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 0c81dc59958..fc98b78eaae 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsec.c,v 1.50 2001/06/29 19:08:11 ho Exp $ */

+/* $OpenBSD: ipsec.c,v 1.51 2001/07/01 14:17:06 ho Exp $ */

/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */

@@ -113,7 +113,7 @@ static int ipsec_initiator (struct message *);

static void ipsec_proto_init (struct proto *, char *);

static int ipsec_responder (struct message *);

static void ipsec_setup_situation (u_int8_t *);

-static void ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);

+static int ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);

static size_t ipsec_situation_size (void);

static u_int8_t ipsec_spi_size (u_int8_t);

static int ipsec_validate_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);

@@ -336,11 +336,25 @@ ipsec_finalize_exchange (struct message *msg)

isa = sa->data;

if (exchange->initiator)

+ {

/* Initiator is source, responder is destination. */

- ipsec_set_network (ie->id_ci, ie->id_cr, isa);

+ if (ipsec_set_network (ie->id_ci, ie->id_cr, isa))

+ {

+ log_error ("ipsec_finalize_exchange: "

+ "ipsec_set_network failed");

+ return;

+ }

else

- /* Responder is source, initiator is destination. */

- ipsec_set_network (ie->id_cr, ie->id_ci, isa);

+ {

+ /* Responder is source, initiator is destination. */

+ if (ipsec_set_network (ie->id_cr, ie->id_ci, isa))

+ {

+ log_error ("ipsec_finalize_exchange: "

+ "ipsec_set_network failed");

+ return;

+ }

#ifdef USE_DEBUG

if (sockaddr2text (isa->src_net, &addr1, 0))

@@ -354,7 +368,7 @@ ipsec_finalize_exchange (struct message *msg)

LOG_DBG ((LOG_EXCHANGE, 50,

"ipsec_finalize_exchange: "

- "src %x %x dst %x %x tproto %u sport %u dport %u",

+ "src %s %s dst %s %s tproto %u sport %u dport %u",

addr1 ? addr1 : "<???>" , mask1 ? mask1 : "<???>",

addr2 ? addr2 : "<???>" , mask2 ? mask2 : "<???>",

ntohs (isa->tproto), isa->sport, ntohs (isa->dport)));

@@ -389,7 +403,7 @@ ipsec_finalize_exchange (struct message *msg)

}

/* Set the client addresses in ISA from SRC_ID and DST_ID. */

-static void

+static int

ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)

{

int id;

@@ -402,12 +416,15 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)

case IPSEC_ID_IPV4_ADDR_SUBNET:

isa->src_net =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));

- /* XXX this may fail ! */

+ if (!isa->src_net)

+ return -1;

isa->src_net->sa_family = AF_INET;

isa->src_net->sa_len = sizeof (struct sockaddr_in);

isa->src_mask =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));

- /* XXX this may fail ! */

+ if (!isa->src_mask)

+ return -1;

isa->src_mask->sa_family = AF_INET;

isa->src_mask->sa_len = sizeof (struct sockaddr_in);

break;

@@ -416,12 +433,15 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)

case IPSEC_ID_IPV6_ADDR_SUBNET:

isa->src_net =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));

- /* XXX this may fail ! */

+ if (!isa->src_net)

+ return -1;

isa->src_net->sa_family = AF_INET6;

isa->src_net->sa_len = sizeof (struct sockaddr_in6);

isa->src_mask =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));

- /* XXX this may fail ! */

+ if (!isa->src_mask)

+ return -1;

isa->src_mask->sa_family = AF_INET6;

isa->src_mask->sa_len = sizeof (struct sockaddr_in6);

break;

@@ -459,25 +479,32 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)

case IPSEC_ID_IPV4_ADDR_SUBNET:

isa->dst_net =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));

- /* XXX this may fail ! */

+ if (!isa->dst_net)

+ return -1;

isa->dst_net->sa_family = AF_INET;

isa->dst_net->sa_len = sizeof (struct sockaddr_in);

isa->dst_mask =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));

- /* XXX this may fail ! */

+ if (!isa->dst_mask)

+ return -1;

isa->dst_mask->sa_family = AF_INET;

isa->dst_mask->sa_len = sizeof (struct sockaddr_in);

break;

case IPSEC_ID_IPV6_ADDR:

case IPSEC_ID_IPV6_ADDR_SUBNET:

isa->dst_net =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));

- /* XXX this may fail ! */

+ if (!isa->dst_net)

+ return -1;

isa->dst_net->sa_family = AF_INET6;

isa->dst_net->sa_len = sizeof (struct sockaddr_in6);

isa->dst_mask =

(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));

- /* XXX this may fail ! */

+ if (!isa->dst_mask)

+ return -1;

isa->dst_mask->sa_family = AF_INET6;

isa->dst_mask->sa_len = sizeof (struct sockaddr_in6);

break;

@@ -506,6 +533,7 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)

IPSEC_ID_PROTO_LEN);

memcpy (&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,

IPSEC_ID_PORT_LEN);

+ return 0;

}

/* Free the DOI-specific exchange data pointed to by VIE. */

@@ -1238,7 +1266,7 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,

sa->seconds = decode_32 (value);

break;

default:

- /* XXX Log. */

+ log_print ("ipsec_decode_attribute: unreasonable lifetime");

}

break;

case IKE_DURATION_KILOBYTES:

@@ -1251,11 +1279,11 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,

sa->kilobytes = decode_32 (value);

break;

default:

- /* XXX Log. */

+ log_print ("ipsec_decode_attribute: unreasonable lifetime");

}

break;

default:

- /* XXX Log! */

+ log_print ("ipsec_decode_attribute: unknown lifetime type");

}

break;

case IKE_ATTR_PRF:

@@ -1289,7 +1317,7 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,

sa->seconds = decode_32 (value);

break;

default:

- /* XXX Log. */

+ log_print ("ipsec_decode_attribute: unreasonable lifetime");

}

break;

case IPSEC_DURATION_KILOBYTES:

@@ -1302,11 +1330,11 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,

sa->kilobytes = decode_32 (value);

break;

default:

- /* XXX Log. */

+ log_print ("ipsec_decode_attribute: unreasonable lifetime");

}

break;

default:

- /* XXX Log! */

+ log_print ("ipsec_decode_attribute: unknown lifetime type");

}

break;

case IPSEC_ATTR_GROUP_DESCRIPTION:

@@ -1791,6 +1819,7 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,

{

int id_type;

char *addr = 0, *mask = 0;

+ u_int32_t *idp;

if (id)

{

@@ -1802,6 +1831,7 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,

}

id_type = GET_ISAKMP_ID_TYPE (id);

+ idp = (u_int32_t *)(id + ISAKMP_ID_DATA_OFF);

switch (id_type)

{

case IPSEC_ID_IPV4_ADDR:

@@ -1814,11 +1844,20 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,

util_ntoa (&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4);

snprintf (buf, size, "%08x/%08x: %s/%s",

decode_32 (id + ISAKMP_ID_DATA_OFF),

- decode_32 (id + ISAKMP_ID_DATA_OFF + 4),

- addr, mask);

+ decode_32 (id + ISAKMP_ID_DATA_OFF + 4), addr, mask);

break;

case IPSEC_ID_IPV6_ADDR:

- /* XXX */

+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);

+ snprintf (buf, size, "%08x%08x%08x%08x: %s", *idp, *(idp + 1),

+ *(idp + 2), *(idp + 3), addr);

+ break;

+ case IPSEC_ID_IPV6_ADDR_SUBNET:

+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);

+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF +

+ sizeof (struct in6_addr));

+ snprintf (buf, size, "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s",

+ *idp, *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4),

+ *(idp + 5), *(idp + 6), *(idp + 7), addr, mask);

break;

case IPSEC_ID_FQDN:

@@ -1830,12 +1869,12 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,

buf[id_len] = '\0';

break;

default:

- snprintf (buf, size, "<type unknown: %x>", id_type);

+ snprintf (buf, size, "<id type unknown: %x>", id_type);

break;

}

else

- snprintf (buf, size, "<no id>");

+ snprintf (buf, size, "<no ipsec id>");

if (addr)

free (addr);

if (mask)