authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-07 22:15:43 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-07 22:15:43 +0000
commit34764acc8b4206f9dbcf5ba62b0a86a075913962 (patch)
treee0a02c6944980821cf5db7cfd8d188ef9bb24547 /sbin/isakmpd
parentaae0e7a66ca32ac60f65291cbb35c45568611c66 (diff)
ike_phase_1.c: Merge with EOM 1.5
x509.c: Merge with EOM 1.16 author: niklas Start stab at supporting other IDs than IPV4_ADDR in main mode
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/ike_phase_1.c54
-rw-r--r--sbin/isakmpd/x509.c70
2 files changed, 78 insertions, 46 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 87d72b6f7eb..179f87ca429 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: ike_phase_1.c,v 1.3 1999/05/02 19:16:41 niklas Exp $ */
-/* $EOM: ike_phase_1.c,v 1.4 1999/05/02 12:50:27 niklas Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.4 1999/07/07 22:15:42 niklas Exp $ */
+/* $EOM: ike_phase_1.c,v 1.5 1999/06/15 11:21:21 niklas Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -755,18 +755,27 @@ ike_phase_1_send_ID (struct message *msg)
struct exchange *exchange = msg->exchange;
u_int8_t *buf;
char header[80];
- size_t sz;
+ ssize_t sz;
struct sockaddr *src;
int src_len;
int initiator = exchange->initiator;
u_int8_t **id;
size_t *id_len;
+ char *my_id = 0;
+ u_int8_t id_type;
/* Choose the right fields to fill-in. */
id = initiator ? &exchange->id_i : &exchange->id_r;
id_len = initiator ? &exchange->id_i_len : &exchange->id_r_len;
- sz = ISAKMP_ID_DATA_OFF + 4;
+ if (exchange->name)
+ my_id = conf_get_str (exchange->name, "ID");
+
+ sz = my_id ? ipsec_id_size (my_id, &id_type) : sizeof (in_addr_t);
+ if (sz == -1)
+ return -1;
+
+ sz += ISAKMP_ID_DATA_OFF;
buf = malloc (sz);
if (!buf)
{
@@ -774,14 +783,39 @@ ike_phase_1_send_ID (struct message *msg)
return -1;
}
- msg->transport->vtbl->get_src (msg->transport, &src, &src_len);
- /* XXX Assumes IPv4. */
- SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR);
SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
- /* Already in network byteorder. */
- memcpy (buf + ISAKMP_ID_DATA_OFF,
- &((struct sockaddr_in *)src)->sin_addr.s_addr, sizeof (in_addr_t));
+ if (my_id)
+ {
+ SET_ISAKMP_ID_TYPE (buf, id_type);
+ switch (id_type)
+ {
+#ifdef notyet
+ case IPSEC_ID_IPV4_ADDR:
+ /* XXX not implemented yet. */
+ break;
+#endif
+ case IPSEC_ID_FQDN:
+ case IPSEC_ID_USER_FQDN:
+ memcpy (buf + ISAKMP_ID_DATA_OFF, conf_get_str (my_id, "Name"), sz);
+ break;
+ default:
+ log_print ("ike_phase_1_send_ID: unsupported ID type %d", id_type);
+ free (buf);
+ return -1;
+ }
+ }
+ else
+ {
+ msg->transport->vtbl->get_src (msg->transport, &src, &src_len);
+ /* XXX Assumes IPv4. */
+ SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR);
+ /* Already in network byteorder. */
+ memcpy (buf + ISAKMP_ID_DATA_OFF,
+ &((struct sockaddr_in *)src)->sin_addr.s_addr,
+ sizeof (in_addr_t));
+ }
+
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, buf, sz, 1))
{
free (buf);
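Review bot: The FQDN/USER_FQDN branch's memcpy in the second hunk uses `sz` as its length after `sz += ISAKMP_ID_DATA_OFF`, so it writes ISAKMP_ID_DATA_OFF bytes past the end of the `sz`-byte `buf` (the copy starts at `buf + ISAKMP_ID_DATA_OFF`) and very likely reads the same number of bytes past the end of the `Name` string; the IPv4 branch right below copies only `sizeof (in_addr_t)`, so the two branches disagree. The length should be the ID data size alone: `memcpy (buf + ISAKMP_ID_DATA_OFF, conf_get_str (my_id, "Name"), sz - ISAKMP_ID_DATA_OFF);`. The result of `conf_get_str (my_id, "Name")` also goes straight into memcpy; the first hunk tests `my_id` for a null result, so presumably a missing `Name` key yields one too and should be rejected with `free (buf); return -1;` like the unsupported-type case. Whether ipsec_id_size returns exactly the byte length of `Name` is not visible here, so the length relation should be confirmed against that helper. ike_phase_1_send_ID continues past the end of the hunk.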
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index fee5b62c1c7..548f22cf31f 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: x509.c,v 1.10 1999/06/05 19:04:32 niklas Exp $ */
-/* $EOM: x509.c,v 1.15 1999/06/05 18:59:08 niklas Exp $ */
+/* $OpenBSD: x509.c,v 1.11 1999/07/07 22:15:42 niklas Exp $ */
+/* $EOM: x509.c,v 1.16 1999/06/15 11:21:19 niklas Exp $ */
/*
* Copyright (c) 1998 Niels Provos. All rights reserved.
@@ -154,6 +154,9 @@ x509_cert_obtain (struct exchange *exchange, void *data, u_int8_t **cert,
char *certfile;
int fd, res = 0;
struct stat st;
+ u_int8_t *id_cert, *asn, *id;
+ size_t id_len;
+ u_int32_t id_cert_len;
if (aca)
log_debug (LOG_CRYPTO, 60, "x509_cert_obtain: (%s) %s, (%s) %s",
@@ -202,35 +205,29 @@ x509_cert_obtain (struct exchange *exchange, void *data, u_int8_t **cert,
goto done;
}
- {
- /*
- * XXX We assume IPv4 here and a certificate with an extension
- * type of subjectAltName at the end. This can go once the saved
- * certificate is only used with one host with a fixed IP address.
- */
- u_int8_t *id_cert, *asn, *id;
- size_t id_len;
- u_int32_t id_cert_len;
-
- id = exchange->initiator ? exchange->id_i : exchange->id_r;
- id_len = exchange->initiator ? exchange->id_i_len : exchange->id_r_len;
-
- /* XXX We need our ID to set that in the cert. */
- if (id)
- {
- /* XXX How to get to the address? */
- id += 4; id_len -= 4;
-
- /* Get offset into data structure where the IP is saved. */
- asn = *cert;
- id_cert_len = asn_get_data_len (0, &asn, &id_cert);
- asn = id_cert;
- id_cert_len = asn_get_data_len (0, &asn, &id_cert);
- id_cert += id_cert_len - 4;
- memcpy (id_cert, id, 4);
- }
- }
-
+ /*
+ * XXX We assume IPv4 here and a certificate with an extension
+ * type of subjectAltName at the end. This can go once the saved
+ * certificate is only used with one host with a fixed IP address.
+ */
+ id = exchange->initiator ? exchange->id_i : exchange->id_r;
+ id_len = exchange->initiator ? exchange->id_i_len : exchange->id_r_len;
+
+ /* XXX We need our ID to set that in the cert. */
+ if (id)
+ {
+ id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+ id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+
+ /* Get offset into data structure where the IP is saved. */
+ asn = *cert;
+ id_cert_len = asn_get_data_len (0, &asn, &id_cert);
+ asn = id_cert;
+ id_cert_len = asn_get_data_len (0, &asn, &id_cert);
+ id_cert += id_cert_len - 4;
+ memcpy (id_cert, id, 4);
+ }
+
res = 1;
done:
@@ -293,14 +290,15 @@ x509_cert_get_subject (u_int8_t *asn, u_int32_t asnlen,
goto fail;
}
- /* XXX 4 bytes for IPV4 address. */
- *subject = malloc (4);
+ /* XXX IPV4 address. */
+ *subject = malloc (sizeof (in_addr_t));
if (!*subject)
{
- log_error ("x509_cert_get_subject: malloc (4) failed");
+ log_error ("x509_cert_get_subject: malloc (%d) failed",
+ sizeof (in_addr_t));
goto fail;
}
- *subjectlen = 4;
+ *subjectlen = sizeof (in_addr_t);
memcpy (*subject, cert.extension.val + 4, *subjectlen);
x509_free_certificate (&cert);
@@ -312,7 +310,7 @@ x509_cert_get_subject (u_int8_t *asn, u_int32_t asnlen,
}
/*
- * Initalizes the struct x509_attribval from a AtributeValueAssertion.
+ * Initalizes the struct x509_attribval from a AttributeValueAssertion.
* XXX Error checking.
*/
void
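Review bot: In x509_cert_obtain, the `memcpy (id_cert, id, 4)` at the end of the second hunk copies four bytes from the ID payload without checking that the ID carries an IPv4 address or that it is long enough: `id_len` is decremented on the line before but never read afterwards, and as a `size_t` it wraps when the stored ID is shorter than `ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ`. Since the ike_phase_1.c change in this commit can now place FQDN identities in `exchange->id_i`/`id_r`, this path would patch the first four bytes of a host name into the certificate's subjectAltName; at minimum the guard should be `if (id && id_len >= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + sizeof (in_addr_t))`, and the ID type byte should be compared with IPSEC_ID_IPV4_ADDR before the copy. The same applies to `id_cert += id_cert_len - 4`, where `id_cert_len` returned by asn_get_data_len is never checked to be at least 4 (nor is asn_get_data_len's result checked for failure, whose error convention is not visible here). In x509_cert_get_subject's hunk the new `log_error` passes `sizeof (in_addr_t)`, a size_t, to `%d`; use `(unsigned long) sizeof (in_addr_t)` with `%lu`. x509_cert_obtain starts before the first hunk of this file and continues past the second.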