authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-05-23 18:17:57 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-05-23 18:17:57 +0000
commitac324beccb96daadd14d3f42cd142addde9333a0 (patch)
tree43034f8e22a5dafe63baffa14930ab64d3368ccb /sbin
parent1cc81129a63546cce75f8186e7296f4defe4317a (diff)
More KNF. Mainly spaces and line-wraps, no binary change.
ok ho@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/field.c10
-rw-r--r--sbin/isakmpd/field.h12
-rw-r--r--sbin/isakmpd/hash.c30
-rw-r--r--sbin/isakmpd/if.c21
-rw-r--r--sbin/isakmpd/ike_aggressive.c16
-rw-r--r--sbin/isakmpd/ike_aggressive.h6
-rw-r--r--sbin/isakmpd/ike_auth.c209
-rw-r--r--sbin/isakmpd/ike_main_mode.c15
-rw-r--r--sbin/isakmpd/ike_main_mode.h6
-rw-r--r--sbin/isakmpd/ipsec.c604
-rw-r--r--sbin/isakmpd/ipsec.h32
-rw-r--r--sbin/isakmpd/isakmp_cfg.c313
-rw-r--r--sbin/isakmpd/isakmp_cfg.h6
-rw-r--r--sbin/isakmpd/isakmp_doi.c31
-rw-r--r--sbin/isakmpd/isakmpd.c53
-rw-r--r--sbin/isakmpd/key.c41
-rw-r--r--sbin/isakmpd/log.c75
-rw-r--r--sbin/isakmpd/log.h44
-rw-r--r--sbin/isakmpd/math_2n.c93
-rw-r--r--sbin/isakmpd/math_ec2n.c30
-rw-r--r--sbin/isakmpd/math_ec2n.h24
-rw-r--r--sbin/isakmpd/math_group.c120
-rw-r--r--sbin/isakmpd/message.c744
-rw-r--r--sbin/isakmpd/message.h58
-rw-r--r--sbin/isakmpd/monitor.c222
-rw-r--r--sbin/isakmpd/monitor_fdpass.c8
-rw-r--r--sbin/isakmpd/pf_key_v2.h17
-rw-r--r--sbin/isakmpd/policy.c85
-rw-r--r--sbin/isakmpd/prf.c26
-rw-r--r--sbin/isakmpd/sa.c45
-rw-r--r--sbin/isakmpd/sa.h32
-rw-r--r--sbin/isakmpd/timer.c9
-rw-r--r--sbin/isakmpd/timer.h4
-rw-r--r--sbin/isakmpd/udp.c176
-rw-r--r--sbin/isakmpd/ui.c10
-rw-r--r--sbin/isakmpd/util.c53
-rw-r--r--sbin/isakmpd/x509.c183
-rw-r--r--sbin/isakmpd/x509.h5
38 files changed, 1852 insertions, 1616 deletions
diff --git a/sbin/isakmpd/field.c b/sbin/isakmpd/field.c
index 2f54a1db74d..1618ca690aa 100644
--- a/sbin/isakmpd/field.c
+++ b/sbin/isakmpd/field.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: field.c,v 1.14 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: field.c,v 1.15 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: field.c,v 1.11 2000/02/20 19:58:37 niklas Exp $ */
/*
@@ -62,7 +62,7 @@ static char *(*decode_field[]) (u_int8_t *, size_t, struct constant_map **) =
static char *
field_debug_raw(u_int8_t *buf, size_t len, struct constant_map **maps)
{
- char *retval, *p;
+ char *retval, *p;
if (len == 0)
return 0;
@@ -189,7 +189,7 @@ field_debug_cst(u_int8_t *buf, size_t len, struct constant_map **maps)
void
field_dump_field(struct field *f, u_int8_t *buf)
{
- char *value;
+ char *value;
value = decode_field[(int) f->type] (buf + f->offset, f->len, f->maps);
if (value) {
@@ -238,14 +238,14 @@ field_set_num(struct field *f, u_int8_t *buf, u_int32_t val)
/* Stash BUF's raw field F into VAL. */
void
-field_get_raw(struct field * f, u_int8_t * buf, u_int8_t * val)
+field_get_raw(struct field *f, u_int8_t *buf, u_int8_t *val)
{
memcpy(val, buf + f->offset, f->len);
}
/* Stash the buffer VAL into BUF's field F. */
void
-field_set_raw(struct field * f, u_int8_t * buf, u_int8_t * val)
+field_set_raw(struct field *f, u_int8_t *buf, u_int8_t *val)
{
memcpy(buf + f->offset, val, f->len);
}
diff --git a/sbin/isakmpd/field.h b/sbin/isakmpd/field.h
index 9021ba3693c..428d417674a 100644
--- a/sbin/isakmpd/field.h
+++ b/sbin/isakmpd/field.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: field.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: field.h,v 1.6 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: field.h,v 1.3 1998/08/02 20:25:01 niklas Exp $ */
/*
@@ -35,12 +35,12 @@
#include <sys/types.h>
struct field {
- char *name;
- int offset;
- size_t len;
+ char *name;
+ int offset;
+ size_t len;
enum {
- raw, num, mask, ign, cst
- } type;
+ raw, num, mask, ign, cst
+ } type;
struct constant_map **maps;
};
diff --git a/sbin/isakmpd/hash.c b/sbin/isakmpd/hash.c
index bf77af07836..517b8e12f0d 100644
--- a/sbin/isakmpd/hash.c
+++ b/sbin/isakmpd/hash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hash.c,v 1.15 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: hash.c,v 1.16 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: hash.c,v 1.10 1999/04/17 23:20:34 niklas Exp $ */
/*
@@ -45,12 +45,12 @@
#include "hash.h"
#include "log.h"
-void hmac_init(struct hash *, unsigned char *, unsigned int);
-void hmac_final(unsigned char *, struct hash *);
+void hmac_init(struct hash *, unsigned char *, unsigned int);
+void hmac_final(unsigned char *, struct hash *);
/* Temporary hash contexts. */
static union {
- MD5_CTX md5ctx;
+ MD5_CTX md5ctx;
SHA1_CTX sha1ctx;
} Ctx, Ctx2;
@@ -61,19 +61,19 @@ static unsigned char digest[HASH_MAX];
static struct hash hashes[] = {
{
- HASH_MD5, 5, MD5_SIZE, (void *) &Ctx.md5ctx, digest,
- sizeof(MD5_CTX), (void *) &Ctx2.md5ctx,
- (void (*) (void *)) MD5Init,
- (void (*) (void *, unsigned char *, unsigned int)) MD5Update,
- (void (*) (unsigned char *, void *)) MD5Final,
+ HASH_MD5, 5, MD5_SIZE, (void *)&Ctx.md5ctx, digest,
+ sizeof(MD5_CTX), (void *)&Ctx2.md5ctx,
+ (void (*)(void *))MD5Init,
+ (void (*)(void *, unsigned char *, unsigned int))MD5Update,
+ (void (*)(unsigned char *, void *))MD5Final,
hmac_init,
hmac_final
}, {
- HASH_SHA1, 6, SHA1_SIZE, (void *) &Ctx.sha1ctx, digest,
- sizeof(SHA1_CTX), (void *) &Ctx2.sha1ctx,
- (void (*) (void *)) SHA1Init,
- (void (*) (void *, unsigned char *, unsigned int)) SHA1Update,
- (void (*) (unsigned char *, void *)) SHA1Final,
+ HASH_SHA1, 6, SHA1_SIZE, (void *)&Ctx.sha1ctx, digest,
+ sizeof(SHA1_CTX), (void *)&Ctx2.sha1ctx,
+ (void (*)(void *))SHA1Init,
+ (void (*)(void *, unsigned char *, unsigned int))SHA1Update,
+ (void (*)(unsigned char *, void *))SHA1Final,
hmac_init,
hmac_final
},
@@ -82,7 +82,7 @@ static struct hash hashes[] = {
struct hash *
hash_get(enum hashes hashtype)
{
- size_t i;
+ size_t i;
LOG_DBG((LOG_CRYPTO, 60, "hash_get: requested algorithm %d", hashtype));
diff --git a/sbin/isakmpd/if.c b/sbin/isakmpd/if.c
index f6488779cf7..697b90a4a4a 100644
--- a/sbin/isakmpd/if.c
+++ b/sbin/isakmpd/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.20 2004/05/23 16:14:37 deraadt Exp $ */
+/* $OpenBSD: if.c,v 1.21 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: if.c,v 1.12 1999/10/01 13:45:20 niklas Exp $ */
/*
@@ -74,24 +74,27 @@ siocgifconf(struct ifconf *ifcp)
buf = 0;
while (1) {
/*
- * Allocate a larger buffer each time around the loop and get the
- * network interfaces configurations into it.
+ * Allocate a larger buffer each time around the loop and get
+ * the network interfaces configurations into it.
*/
new_buf = realloc(buf, len);
if (!new_buf) {
- log_error("siocgifconf: realloc (%p, %d) failed", buf, len);
+ log_error("siocgifconf: realloc (%p, %d) failed", buf,
+ len);
goto err;
}
ifcp->ifc_len = len;
ifcp->ifc_buf = buf = new_buf;
if (ioctl(s, SIOCGIFCONF, ifcp) == -1) {
- log_error("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) failed", s);
+ log_error("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) "
+ "failed", s);
goto err;
}
/*
- * If there is place for another ifreq we can be sure that the buffer
- * was big enough, otherwise double the size and try again.
+ * If there is place for another ifreq we can be sure that the
+ * buffer was big enough, otherwise double the size and try
+ * again.
*/
if (len - ifcp->ifc_len >= sizeof(struct ifreq))
break;
@@ -122,7 +125,7 @@ if_map(int (*func)(char *, struct sockaddr *, void *), void *arg)
return -1;
for (ifa = ifap; ifa; ifa = ifa->ifa_next)
- if ((*func) (ifa->ifa_name, ifa->ifa_addr, arg) == -1)
+ if ((*func)(ifa->ifa_name, ifa->ifa_addr, arg) == -1)
err = -1;
freeifaddrs(ifap);
#else
@@ -136,7 +139,7 @@ if_map(int (*func)(char *, struct sockaddr *, void *), void *arg)
limit = ifc.ifc_buf + ifc.ifc_len;
for (p = ifc.ifc_buf; p < limit; p += len) {
- ifrp = (struct ifreq *) p;
+ ifrp = (struct ifreq *)p;
if ((*func)(ifrp->ifr_name, &ifrp->ifr_addr, arg) == -1)
err = -1;
len = sizeof ifrp->ifr_name +
diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c
index a7d58fc3b9e..6ff93cd72f7 100644
--- a/sbin/isakmpd/ike_aggressive.c
+++ b/sbin/isakmpd/ike_aggressive.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_aggressive.c,v 1.6 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.7 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */
/*
@@ -65,13 +65,13 @@ static int initiator_send_AUTH(struct message *);
static int responder_recv_SA_KE_NONCE_ID(struct message *);
static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *);
-int (*ike_aggressive_initiator[]) (struct message *) = {
+int (*ike_aggressive_initiator[])(struct message *) = {
initiator_send_SA_KE_NONCE_ID,
initiator_recv_SA_KE_NONCE_ID_AUTH,
initiator_send_AUTH
};
-int (*ike_aggressive_responder[]) (struct message *) = {
+int (*ike_aggressive_responder[])(struct message *) = {
responder_recv_SA_KE_NONCE_ID,
responder_send_SA_KE_NONCE_ID_AUTH,
ike_phase_1_recv_AUTH
@@ -79,7 +79,7 @@ int (*ike_aggressive_responder[]) (struct message *) = {
/* Offer a set of transforms to the responder in the MSG message. */
static int
-initiator_send_SA_KE_NONCE_ID(struct message * msg)
+initiator_send_SA_KE_NONCE_ID(struct message *msg)
{
if (ike_phase_1_initiator_send_SA(msg))
return -1;
@@ -92,7 +92,7 @@ initiator_send_SA_KE_NONCE_ID(struct message * msg)
/* Figure out what transform the responder chose. */
static int
-initiator_recv_SA_KE_NONCE_ID_AUTH(struct message * msg)
+initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *msg)
{
if (ike_phase_1_initiator_recv_SA(msg))
return -1;
@@ -104,7 +104,7 @@ initiator_recv_SA_KE_NONCE_ID_AUTH(struct message * msg)
}
static int
-initiator_send_AUTH(struct message * msg)
+initiator_send_AUTH(struct message *msg)
{
msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
@@ -129,7 +129,7 @@ initiator_send_AUTH(struct message * msg)
* handle. Also accept initiator's public DH value, nonce and ID.
*/
static int
-responder_recv_SA_KE_NONCE_ID(struct message * msg)
+responder_recv_SA_KE_NONCE_ID(struct message *msg)
{
if (ike_phase_1_responder_recv_SA(msg))
return -1;
@@ -145,7 +145,7 @@ responder_recv_SA_KE_NONCE_ID(struct message * msg)
* to the initiator.
*/
static int
-responder_send_SA_KE_NONCE_ID_AUTH(struct message * msg)
+responder_send_SA_KE_NONCE_ID_AUTH(struct message *msg)
{
/* Add the SA payload with the transform that was chosen. */
if (ike_phase_1_responder_send_SA(msg))
diff --git a/sbin/isakmpd/ike_aggressive.h b/sbin/isakmpd/ike_aggressive.h
index 4356cdeac57..f2af5244e90 100644
--- a/sbin/isakmpd/ike_aggressive.h
+++ b/sbin/isakmpd/ike_aggressive.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_aggressive.h,v 1.4 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ike_aggressive.h,v 1.5 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: ike_aggressive.h,v 1.1 1999/04/16 21:24:43 niklas Exp $ */
/*
@@ -34,7 +34,7 @@
struct message;
-extern int (*ike_aggressive_initiator[]) (struct message * msg);
-extern int (*ike_aggressive_responder[]) (struct message * msg);
+extern int (*ike_aggressive_initiator[])(struct message *msg);
+extern int (*ike_aggressive_responder[])(struct message *msg);
#endif /* _IKE_AGGRESSIVE_H_ */
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index b5901acdf0f..560527b057c 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.86 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.87 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
@@ -139,17 +139,17 @@ ike_auth_get(u_int16_t id)
static void *
ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
{
- char *key, *buf;
+ char *key, *buf;
#if defined (USE_X509) || defined (USE_KEYNOTE)
- char *keyfile;
+ char *keyfile;
#if defined (USE_X509)
#if defined (USE_PRIVSEP)
- FILE *keyfp;
+ FILE *keyfp;
#else
- BIO *keyh;
+ BIO *keyh;
#endif
- RSA *rsakey;
- size_t fsize;
+ RSA *rsakey;
+ size_t fsize;
#endif
#endif
@@ -171,14 +171,14 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
*keylen = (strlen(key) - 1) / 2;
buf = malloc(*keylen);
if (!buf) {
- log_error("ike_auth_get_key: malloc (%lu) failed",
- (unsigned long) *keylen);
+ log_error("ike_auth_get_key: malloc (%lu) "
+ "failed", (unsigned long) *keylen);
return 0;
}
- if (hex2raw(key + 2, (unsigned char *) buf, *keylen)) {
+ if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) {
free(buf);
- log_print("ike_auth_get_key: invalid hex key %s",
- key);
+ log_print("ike_auth_get_key: invalid hex key "
+ "%s", key);
return 0;
}
key = buf;
@@ -196,8 +196,8 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
case IKE_AUTH_RSA_SIG:
#if defined (USE_X509) || defined (USE_KEYNOTE)
#if defined (USE_KEYNOTE)
- if (local_id &&
- (keyfile = conf_get_str("KeyNote", "Credential-directory")) != 0) {
+ if (local_id && (keyfile = conf_get_str("KeyNote",
+ "Credential-directory")) != 0) {
struct stat sb;
struct keynote_deckey dc;
char *privkeyfile, *buf2;
@@ -208,12 +208,12 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
sizeof PRIVATE_KEY_FILE + sizeof "//" - 1;
privkeyfile = calloc(pkflen, sizeof(char));
if (!privkeyfile) {
- log_print("ike_auth_get_key: failed to allocate %d bytes",
- pkflen);
+ log_print("ike_auth_get_key: failed to "
+ "allocate %d bytes", pkflen);
return 0;
}
- snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile, local_id,
- PRIVATE_KEY_FILE);
+ snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile,
+ local_id, PRIVATE_KEY_FILE);
keyfile = privkeyfile;
if (monitor_stat(keyfile, &sb) < 0) {
@@ -224,15 +224,15 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
fd = monitor_open(keyfile, O_RDONLY, 0);
if (fd < 0) {
- log_print("ike_auth_get_key: failed opening \"%s\"",
- keyfile);
+ log_print("ike_auth_get_key: failed opening "
+ "\"%s\"", keyfile);
free(keyfile);
return 0;
}
buf = calloc(size + 1, sizeof(char));
if (!buf) {
- log_print("ike_auth_get_key: failed allocating %lu bytes",
- (unsigned long) size + 1);
+ log_print("ike_auth_get_key: failed allocating"
+ " %lu bytes", (unsigned long)size + 1);
free(keyfile);
return 0;
}
@@ -240,7 +240,7 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
free(buf);
log_print("ike_auth_get_key: "
"failed reading %lu bytes from \"%s\"",
- (unsigned long) size, keyfile);
+ (unsigned long)size, keyfile);
free(keyfile);
return 0;
}
@@ -252,16 +252,17 @@ ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen)
if (kn_decode_key(&dc, buf2, KEYNOTE_PRIVATE_KEY) == -1) {
free(buf2);
- log_print("ike_auth_get_key: failed decoding key in \"%s\"",
- keyfile);
+ log_print("ike_auth_get_key: failed decoding "
+ "key in \"%s\"", keyfile);
free(keyfile);
return 0;
}
free(buf2);
if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) {
- log_print("ike_auth_get_key: wrong algorithm type %d in \"%s\"",
- dc.dec_algorithm, keyfile);
+ log_print("ike_auth_get_key: wrong algorithm "
+ "type %d in \"%s\"", dc.dec_algorithm,
+ keyfile);
free(keyfile);
kn_free_key(&dc);
return 0;
@@ -281,7 +282,8 @@ ignorekeynote:
#if defined (USE_PRIVSEP)
keyfp = monitor_fopen(keyfile, "r");
if (!keyfp) {
- log_print("ike_auth_get_key: failed opening \"%s\"", keyfile);
+ log_print("ike_auth_get_key: failed opening \"%s\"",
+ keyfile);
return 0;
}
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
@@ -293,14 +295,13 @@ ignorekeynote:
#else
keyh = BIO_new(BIO_s_file());
if (keyh == NULL) {
- log_print("ike_auth_get_key: "
- "BIO_new (BIO_s_file ()) failed");
+ log_print("ike_auth_get_key: BIO_new (BIO_s_file ())"
+ "failed");
return 0;
}
if (BIO_read_filename(keyh, keyfile) == -1) {
- log_print("ike_auth_get_key: "
- "BIO_read_filename (keyh, \"%s\") failed",
- keyfile);
+ log_print("ike_auth_get_key: BIO_read_filename (keyh,"
+ "\"%s\") failed", keyfile);
BIO_free(keyh);
return 0;
}
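Review bot: The re-wrapped log messages on the two failure paths in this hunk lose a space where the string literal was split, so the text emitted at runtime changes: `"BIO_new (BIO_s_file ())" "failed"` now logs `...())failed`, and `"BIO_read_filename (keyh," "\"%s\")"` now logs `(keyh,"...")`. Since the commit is meant to have no binary change, the split should keep the original spacing: `log_print("ike_auth_get_key: BIO_new (BIO_s_file ()) " "failed");` and `log_print("ike_auth_get_key: BIO_read_filename (keyh, " "\"%s\") failed", keyfile);`. The body of ike_auth_get_key begins and ends outside this hunk.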
@@ -348,8 +349,9 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
util_ntoa((char **) &buf,
- exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6,
- exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
+ exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET :
+ AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF -
+ ISAKMP_GEN_SZ);
if (!buf)
return 0;
break;
@@ -359,14 +361,16 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF +
ISAKMP_GEN_SZ + 1, sizeof(char));
if (!buf) {
- log_print("pre_shared_gen_skeyid: malloc (%lu) failed",
- (unsigned long) exchange->id_i_len -
+ log_print("pre_shared_gen_skeyid: malloc (%lu"
+ ") failed",
+ (unsigned long)exchange->id_i_len -
ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
return 0;
}
memcpy(buf,
exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
- exchange->id_i_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
+ exchange->id_i_len - ISAKMP_ID_DATA_OFF +
+ ISAKMP_GEN_SZ);
break;
/* XXX Support more ID types ? */
@@ -392,7 +396,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE;
if (!exchange->recv_key) {
log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
- (unsigned long) keylen);
+ (unsigned long)keylen);
free(key);
return 0;
}
@@ -408,7 +412,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
skeyid = malloc(*sz);
if (!skeyid) {
log_error("pre_shared_gen_skeyid: malloc (%lu) failed",
- (unsigned long) *sz);
+ (unsigned long)*sz);
prf_free(prf);
return 0;
}
@@ -439,8 +443,9 @@ sig_gen_skeyid(struct exchange *exchange, size_t *sz)
LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d",
ie->prf_type, ie->hash->type));
- LOG_DBG_BUF((LOG_NEGOTIATION, 80, "sig_gen_skeyid: SKEYID initialized with",
- (u_int8_t *) key, exchange->nonce_i_len + exchange->nonce_r_len));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 80,
+ "sig_gen_skeyid: SKEYID initialized with",
+ (u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len));
prf = prf_alloc(ie->prf_type, ie->hash->type, key,
exchange->nonce_i_len + exchange->nonce_r_len);
@@ -452,14 +457,14 @@ sig_gen_skeyid(struct exchange *exchange, size_t *sz)
skeyid = malloc(*sz);
if (!skeyid) {
log_error("sig_gen_skeyid: malloc (%lu) failed",
- (unsigned long) *sz);
+ (unsigned long)*sz);
prf_free(prf);
return 0;
}
LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu",
(unsigned long) ie->g_x_len));
- LOG_DBG_BUF((LOG_NEGOTIATION, 80, "sig_gen_skeyid: SKEYID fed with g^xy",
- ie->g_xy, ie->g_x_len));
+ LOG_DBG_BUF((LOG_NEGOTIATION, 80,
+ "sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_x_len));
prf->Init(prf->prfctx);
prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len);
@@ -532,7 +537,7 @@ pre_shared_decode_hash(struct message *msg)
*hash_p = malloc(hashsize);
if (!*hash_p) {
log_error("pre_shared_decode_hash: malloc (%lu) failed",
- (unsigned long) hashsize);
+ (unsigned long)hashsize);
return -1;
}
memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize);
@@ -576,8 +581,9 @@ rsa_sig_decode_hash(struct message *msg)
return -1;
}
/*
- * XXX Assume we should use the same kind of certification as the remote...
- * moreover, just use the first CERT payload to decide what to use.
+ * XXX Assume we should use the same kind of certification as the
+ * remote... moreover, just use the first CERT payload to decide what
+ * to use.
*/
p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_CERT]);
if (!p)
@@ -596,7 +602,8 @@ rsa_sig_decode_hash(struct message *msg)
*/
exchange->policy_id = kn_init();
if (exchange->policy_id == -1) {
- log_print("rsa_sig_decode_hash: failed to initialize policy session");
+ log_print("rsa_sig_decode_hash: failed to initialize policy "
+ "session");
return -1;
}
#endif /* USE_POLICY || USE_KEYNOTE */
@@ -606,8 +613,8 @@ rsa_sig_decode_hash(struct message *msg)
if (handler->id == ISAKMP_CERTENC_X509_SIG) {
cert = handler->cert_get(rawcert, rawcertlen);
if (!cert)
- LOG_DBG((LOG_CRYPTO, 50,
- "rsa_sig_decode_hash: certificate malformed"));
+ LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:"
+ " certificate malformed"));
else {
if (!handler->cert_get_key(cert, &key)) {
log_print("rsa_sig_decode_hash: "
@@ -616,8 +623,8 @@ rsa_sig_decode_hash(struct message *msg)
} else {
found++;
LOG_DBG((LOG_CRYPTO, 40,
- "rsa_sig_decode_hash: using cert of type %d",
- handler->id));
+ "rsa_sig_decode_hash: using cert "
+ "of type %d", handler->id));
exchange->recv_cert = cert;
exchange->recv_certtype = handler->id;
#if defined (USE_POLICY)
@@ -661,27 +668,31 @@ rsa_sig_decode_hash(struct message *msg)
}
if (!handler->cert_validate(cert)) {
handler->cert_free(cert);
- log_print("rsa_sig_decode_hash: received CERT can't be validated");
+ log_print("rsa_sig_decode_hash: received CERT can't "
+ "be validated");
continue;
}
if (GET_ISAKMP_CERT_ENCODING(p->p) == ISAKMP_CERTENC_X509_SIG) {
if (!handler->cert_get_subjects(cert, &n, &id_cert,
&id_cert_len)) {
handler->cert_free(cert);
- log_print("rsa_sig_decode_hash: can not get subject from CERT");
+ log_print("rsa_sig_decode_hash: can not get "
+ "subject from CERT");
continue;
}
id_found = 0;
for (i = 0; i < n; i++)
if (id_cert_len[i] == id_len &&
id[0] == id_cert[i][0] &&
- memcmp(id + 4, id_cert[i] + 4, id_len - 4) == 0) {
+ memcmp(id + 4, id_cert[i] + 4, id_len - 4)
+ == 0) {
id_found++;
break;
}
if (!id_found) {
handler->cert_free(cert);
- log_print("rsa_sig_decode_hash: no CERT subject match the ID");
+ log_print("rsa_sig_decode_hash: no CERT "
+ "subject match the ID");
free(id_cert);
continue;
}
@@ -689,7 +700,8 @@ rsa_sig_decode_hash(struct message *msg)
}
if (!handler->cert_get_key(cert, &key)) {
handler->cert_free(cert);
- log_print("rsa_sig_decode_hash: decoding payload CERT failed");
+ log_print("rsa_sig_decode_hash: decoding payload CERT "
+ "failed");
continue;
}
/* We validated the cert, cache it for later use. */
@@ -711,7 +723,8 @@ rsa_sig_decode_hash(struct message *msg)
KEYNOTE_PUBLIC_KEY);
if (pp == NULL) {
kn_free_key(&dc);
- log_print("rsa_sig_decode_hash: failed to ASCII-encode key");
+ log_print("rsa_sig_decode_hash: failed to "
+ "ASCII-encode key");
return -1;
}
dclen = strlen(pp) + sizeof "rsa-hex:";
@@ -719,8 +732,8 @@ rsa_sig_decode_hash(struct message *msg)
if (!exchange->keynote_key) {
free(pp);
kn_free_key(&dc);
- log_print("rsa_sig_decode_hash: failed to allocate %d bytes",
- dclen);
+ log_print("rsa_sig_decode_hash: failed to "
+ "allocate %d bytes", dclen);
return -1;
}
snprintf(exchange->keynote_key, dclen, "rsa-hex:%s", pp);
@@ -743,7 +756,8 @@ rsa_sig_decode_hash(struct message *msg)
if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0)
found++;
else
- log_print("rsa_sig_decode_hash: KEY to RSA key conversion failed");
+ log_print("rsa_sig_decode_hash: KEY to RSA key "
+ "conversion failed");
if (rawkey)
free(rawkey);
@@ -753,7 +767,8 @@ rsa_sig_decode_hash(struct message *msg)
#if defined (USE_RAWKEY)
/* If we still have not found a key, try to read it from a file. */
if (!found)
- if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key) != -1)
+ if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key)
+ != -1)
found++;
#endif
@@ -796,7 +811,7 @@ rsa_sig_decode_hash(struct message *msg)
free(*hash_p);
*hash_p = 0;
log_print("rsa_sig_decode_hash: len %lu != hashsize %lu",
- (unsigned long) len, (unsigned long) hashsize);
+ (unsigned long)len, (unsigned long)hashsize);
return -1;
}
snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c",
@@ -852,22 +867,25 @@ rsa_sig_encode_hash(struct message *msg)
/* We may have been provided these by the kernel */
buf = (u_int8_t *) conf_get_str(exchange->name, "Credentials");
- if (buf &&
- (idtype = conf_get_num(exchange->name, "Credential_Type", -1) != -1)) {
+ if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", -1)
+ != -1)) {
exchange->sent_certtype = idtype;
handler = cert_get(idtype);
if (!handler) {
- log_print("rsa_sig_encode_hash: cert_get (%d) failed", idtype);
+ log_print("rsa_sig_encode_hash: cert_get (%d) failed",
+ idtype);
return -1;
}
- exchange->sent_cert = handler->cert_from_printable((char *) buf);
+ exchange->sent_cert = handler->cert_from_printable((char *)buf);
if (!exchange->sent_cert) {
- log_print("rsa_sig_encode_hash: failed to retrieve certificate");
+ log_print("rsa_sig_encode_hash: failed to retrieve "
+ "certificate");
return -1;
}
handler->cert_serialize(exchange->sent_cert, &data, &datalen);
if (!data) {
- log_print("rsa_sig_encode_hash: cert serialization failed");
+ log_print("rsa_sig_encode_hash: cert serialization "
+ "failed");
return -1;
}
goto aftercert; /* Skip all the certificate discovery */
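Review bot: The condition re-wrapped at the top of this hunk keeps a precedence error: `idtype = conf_get_num(exchange->name, "Credential_Type", -1) != -1` assigns the result of the comparison, so idtype is 1 whenever a Credential_Type is configured rather than the configured value, and the following `cert_get(idtype)` and `exchange->sent_certtype = idtype` then operate on that constant. The closing parenthesis appears to belong after the call: `if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", -1)) != -1) {`. The defect predates this commit, but the line is being rewritten here and the wrap makes the misplaced parenthesis harder to see. The body of rsa_sig_encode_hash continues outside the hunk.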
@@ -881,7 +899,8 @@ rsa_sig_encode_hash(struct message *msg)
idtype = ISAKMP_CERTENC_X509_SIG;
handler = cert_get(idtype);
if (!handler) {
- log_print("rsa_sig_encode_hash: cert_get(%d) failed", idtype);
+ log_print("rsa_sig_encode_hash: cert_get(%d) failed",
+ idtype);
return -1;
}
}
@@ -890,11 +909,12 @@ rsa_sig_encode_hash(struct message *msg)
idtype = ISAKMP_CERTENC_X509_SIG;
handler = cert_get(idtype);
if (!handler) {
- log_print("rsa_sig_encode_hash: cert_get(%d) failed",
- idtype);
+ log_print("rsa_sig_encode_hash: cert_get(%d) "
+ "failed", idtype);
return -1;
}
- if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) {
+ if (handler->cert_obtain(id, id_len, 0, &data,
+ &datalen) == 0) {
LOG_DBG((LOG_MISC, 10,
"rsa_sig_encode_hash: no certificate to send"));
goto skipcert;
@@ -910,8 +930,8 @@ rsa_sig_encode_hash(struct message *msg)
exchange->sent_cert = handler->cert_get(data, datalen);
if (!exchange->sent_cert) {
free(data);
- log_print("rsa_sig_encode_hash: failed to get certificate from wire "
- "encoding");
+ log_print("rsa_sig_encode_hash: failed to get certificate "
+ "from wire encoding");
return -1;
}
aftercert:
@@ -935,17 +955,18 @@ skipcert:
/* Again, we may have these from the kernel */
buf = (u_int8_t *) conf_get_str(exchange->name, "PKAuthentication");
if (buf) {
- key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, (char *) buf,
- &data, &datalen);
+ key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE,
+ (char *)buf, &data, &datalen);
if (!data) {
- log_print("rsa_sig_encode_hash: badly formatted RSA private key");
+ log_print("rsa_sig_encode_hash: badly formatted RSA "
+ "private key");
return 0;
}
- sent_key = key_internalize(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE,
- data, datalen);
+ sent_key = key_internalize(ISAKMP_KEY_RSA,
+ ISAKMP_KEYTYPE_PRIVATE, data, datalen);
if (!sent_key) {
- log_print("rsa_sig_encode_hash: bad RSA private key from dynamic "
- "SA acquisition subsystem");
+ log_print("rsa_sig_encode_hash: bad RSA private key "
+ "from dynamic SA acquisition subsystem");
return 0;
}
} else {
@@ -953,7 +974,7 @@ skipcert:
switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) {
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
- util_ntoa((char **) &buf2,
+ util_ntoa((char **)&buf2,
id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] ==
IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6,
id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ);
@@ -963,12 +984,12 @@ skipcert:
case IPSEC_ID_FQDN:
case IPSEC_ID_USER_FQDN:
- buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1,
- sizeof(char));
+ buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF +
+ ISAKMP_GEN_SZ + 1, sizeof(char));
if (!buf2) {
- log_print("rsa_sig_encode_hash: malloc (%lu) failed",
- (unsigned long) id_len - ISAKMP_ID_DATA_OFF +
- ISAKMP_GEN_SZ + 1);
+ log_print("rsa_sig_encode_hash: malloc (%lu) "
+ "failed", (unsigned long)id_len -
+ ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1);
return 0;
}
memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
@@ -982,7 +1003,7 @@ skipcert:
}
sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name,
- (char *) buf2, 0);
+ (char *)buf2, 0);
free(buf2);
/* Did we find a key? */
@@ -1001,7 +1022,7 @@ skipcert:
buf = malloc(hashsize);
if (!buf) {
log_error("rsa_sig_encode_hash: malloc (%lu) failed",
- (unsigned long) hashsize);
+ (unsigned long)hashsize);
return -1;
}
if (ike_auth_hash(exchange, buf) == -1) {
@@ -1113,7 +1134,7 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa)
fstr = CONF_DFLT_PUBKEY_DIR;
if (snprintf(filename, sizeof filename, "%s/", fstr) >
- (int) sizeof filename - 1)
+ (int)sizeof filename - 1)
return -1;
fstr = ipsec_id_string(id, id_len);
@@ -1130,8 +1151,8 @@ get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa)
#if defined (USE_PRIVSEP)
keyfp = monitor_fopen(filename, "r");
if (!keyfp) {
- log_error("get_raw_key_from_file: monitor_fopen (\"%s\", \"r\") "
- "failed", filename);
+ log_error("get_raw_key_from_file: monitor_fopen "
+ "(\"%s\", \"r\") failed", filename);
return -1;
}
*rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL);
diff --git a/sbin/isakmpd/ike_main_mode.c b/sbin/isakmpd/ike_main_mode.c
index cff96457079..53e18c486c4 100644
--- a/sbin/isakmpd/ike_main_mode.c
+++ b/sbin/isakmpd/ike_main_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_main_mode.c,v 1.13 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ike_main_mode.c,v 1.14 2004/05/23 18:17:55 hshoexer Exp $ */
/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
/*
@@ -62,7 +62,7 @@ static int initiator_send_ID_AUTH(struct message *);
static int responder_send_ID_AUTH(struct message *);
static int responder_send_KE_NONCE(struct message *);
-int (*ike_main_mode_initiator[]) (struct message *) = {
+int (*ike_main_mode_initiator[]) (struct message *) = {
ike_phase_1_initiator_send_SA,
ike_phase_1_initiator_recv_SA,
ike_phase_1_initiator_send_KE_NONCE,
@@ -71,7 +71,7 @@ int (*ike_main_mode_initiator[]) (struct message *) = {
ike_phase_1_recv_ID_AUTH
};
-int (*ike_main_mode_responder[]) (struct message *) = {
+int (*ike_main_mode_responder[]) (struct message *) = {
ike_phase_1_responder_recv_SA,
ike_phase_1_responder_send_SA,
ike_phase_1_recv_KE_NONCE,
@@ -81,7 +81,7 @@ int (*ike_main_mode_responder[]) (struct message *) = {
};
static int
-initiator_send_ID_AUTH(struct message * msg)
+initiator_send_ID_AUTH(struct message *msg)
{
msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
@@ -96,7 +96,7 @@ initiator_send_ID_AUTH(struct message * msg)
/* Send our public DH value and a nonce to the initiator. */
int
-responder_send_KE_NONCE(struct message * msg)
+responder_send_KE_NONCE(struct message *msg)
{
/* XXX Should we really just use the initiator's nonce size? */
if (ike_phase_1_send_KE_NONCE(msg, msg->exchange->nonce_i_len))
@@ -107,14 +107,13 @@ responder_send_KE_NONCE(struct message * msg)
* on a roundtrip over the wire.
*/
message_register_post_send(msg,
- (void (*) (struct message *))
- ike_phase_1_post_exchange_KE_NONCE);
+ (void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE);
return 0;
}
static int
-responder_send_ID_AUTH(struct message * msg)
+responder_send_ID_AUTH(struct message *msg)
{
msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
diff --git a/sbin/isakmpd/ike_main_mode.h b/sbin/isakmpd/ike_main_mode.h
index 0ad9e532f97..3e0d17382fa 100644
--- a/sbin/isakmpd/ike_main_mode.h
+++ b/sbin/isakmpd/ike_main_mode.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_main_mode.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ike_main_mode.h,v 1.6 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: ike_main_mode.h,v 1.1 1998/07/25 11:22:07 niklas Exp $ */
/*
@@ -34,7 +34,7 @@
struct message;
-extern int (*ike_main_mode_initiator[]) (struct message * msg);
-extern int (*ike_main_mode_responder[]) (struct message * msg);
+extern int (*ike_main_mode_initiator[]) (struct message *msg);
+extern int (*ike_main_mode_responder[]) (struct message *msg);
#endif /* _IKE_MAIN_MODE_H_ */
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 2a224c0b694..9956787cea0 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.90 2004/05/19 14:30:26 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.91 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -104,9 +104,8 @@ static void ipsec_free_proto_data(void *);
static void ipsec_free_sa_data(void *);
static struct keystate *ipsec_get_keystate(struct message *);
static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *);
-static int
-ipsec_handle_leftover_payload(struct message *, u_int8_t,
- struct payload *);
+static int ipsec_handle_leftover_payload(struct message *, u_int8_t,
+ struct payload *);
static int ipsec_informational_post_hook(struct message *);
static int ipsec_informational_pre_hook(struct message *);
static int ipsec_initiator(struct message *);
@@ -116,11 +115,11 @@ static void ipsec_setup_situation(u_int8_t *);
static int ipsec_set_network(u_int8_t *, u_int8_t *, struct ipsec_sa *);
static size_t ipsec_situation_size(void);
static u_int8_t ipsec_spi_size(u_int8_t);
-static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
+static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
+ void *);
static int ipsec_validate_exchange(u_int8_t);
-static int
-ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
- size_t, struct exchange *);
+static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
+ size_t, struct exchange *);
static int ipsec_validate_key_information(u_int8_t *, size_t);
static int ipsec_validate_notification(u_int16_t);
static int ipsec_validate_proto(u_int8_t);
@@ -163,7 +162,7 @@ static struct doi ipsec_doi = {
ipsec_decode_ids
};
-int16_t script_quick_mode[] = {
+int16_t script_quick_mode[] = {
ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */
ISAKMP_PAYLOAD_SA,
ISAKMP_PAYLOAD_NONCE,
@@ -176,7 +175,7 @@ int16_t script_quick_mode[] = {
EXCHANGE_SCRIPT_END
};
-int16_t script_new_group_mode[] = {
+int16_t script_new_group_mode[] = {
ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */
ISAKMP_PAYLOAD_SA,
EXCHANGE_SCRIPT_SWITCH,
@@ -223,7 +222,8 @@ ipsec_sa_check(struct sa *sa, void *v_arg)
for (proto = TAILQ_FIRST(&sa->protos); proto;
proto = TAILQ_NEXT(proto, link))
if ((arg->proto == 0 || proto->proto == arg->proto) &&
- memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi) == 0)
+ memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi)
+ == 0)
return 1;
return 0;
}
@@ -279,7 +279,7 @@ ipsec_sa_check_flow(struct sa * sa, void *v_arg)
* the final message.
*/
static void
-ipsec_finalize_exchange(struct message * msg)
+ipsec_finalize_exchange(struct message *msg)
{
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_sa *isa;
@@ -319,7 +319,8 @@ ipsec_finalize_exchange(struct message * msg)
switch (exchange->type) {
case IKE_EXCH_QUICK_MODE:
/*
- * Tell the application(s) about the SPIs and key material.
+ * Tell the application(s) about the SPIs and key
+ * material.
*/
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
@@ -341,8 +342,8 @@ ipsec_finalize_exchange(struct message * msg)
* Responder is source, initiator is
* destination.
*/
- if (ipsec_set_network(ie->id_cr, ie->id_ci,
- isa)) {
+ if (ipsec_set_network(ie->id_cr,
+ ie->id_ci, isa)) {
log_print("ipsec_finalize_exchange: "
"ipsec_set_network failed");
return;
@@ -354,12 +355,14 @@ ipsec_finalize_exchange(struct message * msg)
proto = TAILQ_NEXT(proto, link)) {
if (sysdep_ipsec_set_spi(sa, proto,
0, isakmp_sa) ||
- (last_proto && sysdep_ipsec_group_spis(sa,
- last_proto, proto, 0)) ||
+ (last_proto &&
+ sysdep_ipsec_group_spis(sa,
+ last_proto, proto, 0)) ||
sysdep_ipsec_set_spi(sa, proto,
- 1, isakmp_sa) ||
- (last_proto && sysdep_ipsec_group_spis(sa,
- last_proto, proto, 1)))
+ 1, isakmp_sa) ||
+ (last_proto &&
+ sysdep_ipsec_group_spis(sa,
+ last_proto, proto, 1)))
/*
* XXX Tear down this
* exchange.
@@ -379,11 +382,14 @@ ipsec_finalize_exchange(struct message * msg)
mask2 = 0;
LOG_DBG((LOG_EXCHANGE, 50,
- "ipsec_finalize_exchange: "
- "src %s %s dst %s %s tproto %u sport %u dport %u",
- addr1 ? addr1 : "<??\?>", mask1 ? mask1 : "<??\?>",
- addr2 ? addr2 : "<??\?>", mask2 ? mask2 : "<??\?>",
- isa->tproto, ntohs(isa->sport), ntohs(isa->dport)));
+ "ipsec_finalize_exchange: src %s %s "
+ "dst %s %s tproto %u sport %u dport %u",
+ addr1 ? addr1 : "<??\?>",
+ mask1 ? mask1 : "<??\?>",
+ addr2 ? addr2 : "<??\?>",
+ mask2 ? mask2 : "<??\?>",
+ isa->tproto, ntohs(isa->sport),
+ ntohs(isa->dport)));
if (addr1)
free(addr1);
@@ -397,8 +403,9 @@ ipsec_finalize_exchange(struct message * msg)
#endif /* USE_DEBUG */
/*
- * If this is not an SA acquired by the kernel, it needs
- * to have a SPD entry (a.k.a. flow) set up.
+ * If this is not an SA acquired by the
+ * kernel, it needs to have a SPD entry
+ * (a.k.a. flow) set up.
*/
if (!(sa->flags & SA_FLAG_ONDEMAND) &&
sysdep_ipsec_enable_sa(sa, isakmp_sa))
@@ -409,7 +416,8 @@ ipsec_finalize_exchange(struct message * msg)
* Mark elder SAs with the same flow
* information as replaced.
*/
- while ((old_sa = sa_find(ipsec_sa_check_flow, sa)) != 0)
+ while ((old_sa = sa_find(ipsec_sa_check_flow,
+ sa)) != 0)
sa_mark_replaced(old_sa);
}
break;
@@ -421,14 +429,14 @@ ipsec_finalize_exchange(struct message * msg)
static int
ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
{
- int id;
+ int id;
/* Set source address/mask. */
id = GET_ISAKMP_ID_TYPE(src_id);
switch (id) {
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV4_ADDR_SUBNET:
- isa->src_net = (struct sockaddr *) calloc(1,
+ isa->src_net = (struct sockaddr *)calloc(1,
sizeof(struct sockaddr_in));
if (!isa->src_net)
goto memfail;
@@ -437,7 +445,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
isa->src_net->sa_len = sizeof(struct sockaddr_in);
#endif
- isa->src_mask = (struct sockaddr *) calloc(1,
+ isa->src_mask = (struct sockaddr *)calloc(1,
sizeof(struct sockaddr_in));
if (!isa->src_mask)
goto memfail;
@@ -449,7 +457,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV6_ADDR:
case IPSEC_ID_IPV6_ADDR_SUBNET:
- isa->src_net = (struct sockaddr *) calloc(1,
+ isa->src_net = (struct sockaddr *)calloc(1,
sizeof(struct sockaddr_in6));
if (!isa->src_net)
goto memfail;
@@ -458,7 +466,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
isa->src_net->sa_len = sizeof(struct sockaddr_in6);
#endif
- isa->src_mask = (struct sockaddr *) calloc(1,
+ isa->src_mask = (struct sockaddr *)calloc(1,
sizeof(struct sockaddr_in6));
if (!isa->src_mask)
goto memfail;
@@ -492,21 +500,22 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
case IPSEC_ID_IPV6_ADDR_SUBNET:
- memcpy(sockaddr_addrdata(isa->src_mask), src_id + ISAKMP_ID_DATA_OFF +
- sockaddr_addrlen(isa->src_net), sockaddr_addrlen(isa->src_mask));
+ memcpy(sockaddr_addrdata(isa->src_mask), src_id +
+ ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->src_net),
+ sockaddr_addrlen(isa->src_mask));
break;
}
memcpy(&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
- IPSEC_ID_PORT_LEN);
+ IPSEC_ID_PORT_LEN);
/* Set destination address. */
id = GET_ISAKMP_ID_TYPE(dst_id);
switch (id) {
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV4_ADDR_SUBNET:
- isa->dst_net =
- (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in));
+ isa->dst_net = (struct sockaddr *)calloc(1,
+ sizeof(struct sockaddr_in));
if (!isa->dst_net)
goto memfail;
isa->dst_net->sa_family = AF_INET;
@@ -514,8 +523,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
isa->dst_net->sa_len = sizeof(struct sockaddr_in);
#endif
- isa->dst_mask =
- (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in));
+ isa->dst_mask = (struct sockaddr *)calloc(1,
+ sizeof(struct sockaddr_in));
if (!isa->dst_mask)
goto memfail;
isa->dst_mask->sa_family = AF_INET;
@@ -526,8 +535,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV6_ADDR:
case IPSEC_ID_IPV6_ADDR_SUBNET:
- isa->dst_net =
- (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in6));
+ isa->dst_net = (struct sockaddr *)calloc(1,
+ sizeof(struct sockaddr_in6));
if (!isa->dst_net)
goto memfail;
isa->dst_net->sa_family = AF_INET6;
@@ -535,8 +544,8 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
isa->dst_net->sa_len = sizeof(struct sockaddr_in6);
#endif
- isa->dst_mask =
- (struct sockaddr *) calloc(1, sizeof(struct sockaddr_in6));
+ isa->dst_mask = (struct sockaddr *)calloc(1,
+ sizeof(struct sockaddr_in6));
if (!isa->dst_mask)
goto memfail;
isa->dst_mask->sa_family = AF_INET6;
@@ -548,27 +557,27 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
/* Net */
memcpy(sockaddr_addrdata(isa->dst_net), dst_id + ISAKMP_ID_DATA_OFF,
- sockaddr_addrlen(isa->dst_net));
+ sockaddr_addrlen(isa->dst_net));
/* Mask */
switch (id) {
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
memset(sockaddr_addrdata(isa->dst_mask), 0xff,
- sockaddr_addrlen(isa->dst_mask));
+ sockaddr_addrlen(isa->dst_mask));
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
case IPSEC_ID_IPV6_ADDR_SUBNET:
- memcpy(sockaddr_addrdata(isa->dst_mask), dst_id + ISAKMP_ID_DATA_OFF +
- sockaddr_addrlen(isa->dst_net),
- sockaddr_addrlen(isa->dst_mask));
+ memcpy(sockaddr_addrdata(isa->dst_mask), dst_id +
+ ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->dst_net),
+ sockaddr_addrlen(isa->dst_mask));
break;
}
- memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF,
- IPSEC_ID_PROTO_LEN);
+ memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF +
+ IPSEC_ID_PROTO_OFF, IPSEC_ID_PROTO_LEN);
memcpy(&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
- IPSEC_ID_PORT_LEN);
+ IPSEC_ID_PORT_LEN);
return 0;
memfail:
@@ -612,7 +621,8 @@ ipsec_free_exchange_data(void *vie)
if (ie->group)
group_free(ie->group);
#ifdef USE_ISAKMP_CFG
- for (attr = LIST_FIRST(&ie->attrs); attr; attr = LIST_FIRST(&ie->attrs)) {
+ for (attr = LIST_FIRST(&ie->attrs); attr;
+ attr = LIST_FIRST(&ie->attrs)) {
LIST_REMOVE(attr, link);
if (attr->length)
free(attr->value);
@@ -689,7 +699,7 @@ ipsec_get_keystate(struct message * msg)
ks = malloc(sizeof *ks);
if (!ks) {
log_error("ipsec_get_keystate: malloc (%lu) failed",
- (unsigned long) sizeof *ks);
+ (unsigned long) sizeof *ks);
return 0;
}
memcpy(ks, msg->exchange->keystate, sizeof *ks);
@@ -702,45 +712,43 @@ ipsec_get_keystate(struct message * msg)
*/
if (!msg->isakmp_sa->keystate) {
log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p",
- msg->isakmp_sa);
+ msg->isakmp_sa);
return 0;
}
ks = crypto_clone_keystate(msg->isakmp_sa->keystate);
if (!ks)
return 0;
- hash = hash_get(((struct ipsec_sa *) msg->isakmp_sa->data)->hash);
+ hash = hash_get(((struct ipsec_sa *)msg->isakmp_sa->data)->hash);
hash->Init(hash->ctx);
LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV",
- ks->riv, ks->xf->blocksize));
+ ks->riv, ks->xf->blocksize));
hash->Update(hash->ctx, ks->riv, ks->xf->blocksize);
LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID",
- ((u_int8_t *) msg->iov[0].iov_base)
- + ISAKMP_HDR_MESSAGE_ID_OFF,
- ISAKMP_HDR_MESSAGE_ID_LEN));
- hash->Update(hash->ctx,
((u_int8_t *) msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF,
- ISAKMP_HDR_MESSAGE_ID_LEN);
+ ISAKMP_HDR_MESSAGE_ID_LEN));
+ hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) +
+ ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN);
hash->Final(hash->digest, hash->ctx);
crypto_init_iv(ks, hash->digest, ks->xf->blocksize);
LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV",
- hash->digest, ks->xf->blocksize));
+ hash->digest, ks->xf->blocksize));
return ks;
}
static void
-ipsec_setup_situation(u_int8_t * buf)
+ipsec_setup_situation(u_int8_t *buf)
{
SET_IPSEC_SIT_SIT(buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY);
}
-static size_t
+static size_t
ipsec_situation_size(void)
{
return IPSEC_SIT_SIT_LEN;
}
-static u_int8_t
+static u_int8_t
ipsec_spi_size(u_int8_t proto)
{
return IPSEC_SPI_SIZE;
@@ -748,13 +756,13 @@ ipsec_spi_size(u_int8_t proto)
static int
ipsec_validate_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
- void *vmsg)
+ void *vmsg)
{
struct message *msg = vmsg;
if ((msg->exchange->phase == 1
- && (type < IKE_ATTR_ENCRYPTION_ALGORITHM
- || type > IKE_ATTR_GROUP_ORDER))
+ && (type < IKE_ATTR_ENCRYPTION_ALGORITHM
+ || type > IKE_ATTR_GROUP_ORDER))
|| (msg->exchange->phase == 2
&& (type < IPSEC_ATTR_SA_LIFE_TYPE
|| type > IPSEC_ATTR_ECN_TUNNEL)))
@@ -769,39 +777,41 @@ ipsec_validate_exchange(u_int8_t exch)
}
static int
-ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf,
- size_t sz, struct exchange * exchange)
+ipsec_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf,
+ size_t sz, struct exchange *exchange)
{
u_int8_t proto = GET_IPSEC_ID_PROTO(extra);
u_int16_t port = GET_IPSEC_ID_PORT(extra);
LOG_DBG((LOG_MESSAGE, 40,
- "ipsec_validate_id_information: proto %d port %d type %d",
- proto, port, type));
+ "ipsec_validate_id_information: proto %d port %d type %d",
+ proto, port, type));
if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_KEY_ID)
return -1;
switch (type) {
case IPSEC_ID_IPV4_ADDR:
- LOG_DBG_BUF((LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4",
- buf, sizeof(struct in_addr)));
+ LOG_DBG_BUF((LOG_MESSAGE, 40,
+ "ipsec_validate_id_information: IPv4", buf,
+ sizeof(struct in_addr)));
break;
case IPSEC_ID_IPV6_ADDR:
- LOG_DBG_BUF((LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6",
- buf, sizeof(struct in6_addr)));
+ LOG_DBG_BUF((LOG_MESSAGE, 40,
+ "ipsec_validate_id_information: IPv6", buf,
+ sizeof(struct in6_addr)));
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
LOG_DBG_BUF((LOG_MESSAGE, 40,
- "ipsec_validate_id_information: IPv4 network/netmask",
- buf, 2 * sizeof(struct in_addr)));
+ "ipsec_validate_id_information: IPv4 network/netmask",
+ buf, 2 * sizeof(struct in_addr)));
break;
case IPSEC_ID_IPV6_ADDR_SUBNET:
LOG_DBG_BUF((LOG_MESSAGE, 40,
- "ipsec_validate_id_information: IPv6 network/netmask",
- buf, 2 * sizeof(struct in6_addr)));
+ "ipsec_validate_id_information: IPv6 network/netmask",
+ buf, 2 * sizeof(struct in6_addr)));
break;
default:
@@ -818,8 +828,8 @@ ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf,
#ifdef notyet
return -1;
#else
- log_print("ipsec_validate_id_information: "
- "dubious ID information accepted");
+ log_print("ipsec_validate_id_information: dubious ID "
+ "information accepted");
#endif
}
/* XXX More checks? */
@@ -828,7 +838,7 @@ ipsec_validate_id_information(u_int8_t type, u_int8_t * extra, u_int8_t * buf,
}
static int
-ipsec_validate_key_information(u_int8_t * buf, size_t sz)
+ipsec_validate_key_information(u_int8_t *buf, size_t sz)
{
/* XXX Not implemented yet. */
return 0;
@@ -838,21 +848,22 @@ static int
ipsec_validate_notification(u_int16_t type)
{
return type < IPSEC_NOTIFY_RESPONDER_LIFETIME
- || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0;
+ || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0;
}
static int
ipsec_validate_proto(u_int8_t proto)
{
- return proto < IPSEC_PROTO_IPSEC_AH || proto > IPSEC_PROTO_IPCOMP ? -1 : 0;
+ return proto < IPSEC_PROTO_IPSEC_AH
+ || proto > IPSEC_PROTO_IPCOMP ? -1 : 0;
}
static int
-ipsec_validate_situation(u_int8_t * buf, size_t * sz, size_t len)
+ipsec_validate_situation(u_int8_t *buf, size_t *sz, size_t len)
{
if (len < IPSEC_SIT_SIT_OFF + IPSEC_SIT_SIT_LEN) {
log_print("ipsec_validate_situation: payload too short: %u",
- (unsigned int) len);
+ (unsigned int) len);
return -1;
}
/* Currently only "identity only" situations are supported. */
@@ -869,41 +880,42 @@ ipsec_validate_transform_id(u_int8_t proto, u_int8_t transform_id)
{
switch (proto) {
/*
- * As no unexpected protocols can occur, we just tie the default case
- * to the first case, in orer to silence a GCC warning.
+ * As no unexpected protocols can occur, we just tie the
+ * default case to the first case, in orer to silence a GCC
+ * warning.
*/
default:
case ISAKMP_PROTO_ISAKMP:
- return transform_id != IPSEC_TRANSFORM_KEY_IKE;
- case IPSEC_PROTO_IPSEC_AH:
- return
- transform_id < IPSEC_AH_MD5 || transform_id > IPSEC_AH_DES ? -1 : 0;
+ return transform_id != IPSEC_TRANSFORM_KEY_IKE;
+ case IPSEC_PROTO_IPSEC_AH:
+ return transform_id < IPSEC_AH_MD5
+ || transform_id > IPSEC_AH_DES ? -1 : 0;
case IPSEC_PROTO_IPSEC_ESP:
return transform_id < IPSEC_ESP_DES_IV64
- || (transform_id > IPSEC_ESP_AES_128_CTR
- && transform_id < IPSEC_ESP_AES_MARS)
- || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
+ || (transform_id > IPSEC_ESP_AES_128_CTR
+ && transform_id < IPSEC_ESP_AES_MARS)
+ || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
case IPSEC_PROTO_IPCOMP:
return transform_id < IPSEC_IPCOMP_OUI
- || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0;
+ || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0;
}
}
static int
-ipsec_initiator(struct message * msg)
+ipsec_initiator(struct message *msg)
{
struct exchange *exchange = msg->exchange;
- int (**script) (struct message *) = 0;
+ int (**script)(struct message *) = 0;
/* Check that the SA is coherent with the IKE rules. */
if (exchange->type != ISAKMP_EXCH_TRANSACTION
- && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
- && exchange->type != ISAKMP_EXCH_AGGRESSIVE
- && exchange->type != ISAKMP_EXCH_INFO)
- || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE
- && exchange->type != ISAKMP_EXCH_INFO))) {
- log_print("ipsec_initiator: unsupported exchange type %d in phase %d",
- exchange->type, exchange->phase);
+ && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
+ && exchange->type != ISAKMP_EXCH_AGGRESSIVE
+ && exchange->type != ISAKMP_EXCH_INFO)
+ || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE
+ && exchange->type != ISAKMP_EXCH_INFO))) {
+ log_print("ipsec_initiator: unsupported exchange type %d "
+ "in phase %d", exchange->type, exchange->phase);
return -1;
}
switch (exchange->type) {
@@ -945,15 +957,15 @@ ipsec_initiator(struct message * msg)
* or 4-octet otherwise.
*/
static void
-ipsec_delete_spi_list(struct sockaddr * addr, u_int8_t proto,
- u_int8_t * spis, int nspis, char *type)
+ipsec_delete_spi_list(struct sockaddr *addr, u_int8_t proto, u_int8_t *spis,
+ int nspis, char *type)
{
struct sa *sa;
int i;
for (i = 0; i < nspis; i++) {
if (proto == ISAKMP_PROTO_ISAKMP) {
- u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN;
+ u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN;
/*
* This really shouldn't happen in IPSEC DOI
@@ -962,46 +974,47 @@ ipsec_delete_spi_list(struct sockaddr * addr, u_int8_t proto,
*/
sa = sa_lookup_isakmp_sa(addr, spi);
} else {
- u_int32_t spi = ((u_int32_t *) spis)[i];
+ u_int32_t spi = ((u_int32_t *)spis)[i];
sa = ipsec_sa_lookup(addr, spi, proto);
}
if (sa == NULL) {
- LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: "
- "could not locate SA (SPI %08x, proto %u)",
- ((u_int32_t *) spis)[i], proto));
+ LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: could "
+ "not locate SA (SPI %08x, proto %u)",
+ ((u_int32_t *)spis)[i], proto));
continue;
}
/* Delete the SA and search for the next */
LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: "
- "%s made us delete SA %p (%d references) for proto %d",
- type, sa, sa->refcnt, proto));
+ "%s made us delete SA %p (%d references) for proto %d",
+ type, sa, sa->refcnt, proto));
sa_free(sa);
}
}
static int
-ipsec_responder(struct message * msg)
+ipsec_responder(struct message *msg)
{
struct exchange *exchange = msg->exchange;
- int (**script) (struct message *) = 0;
+ int (**script)(struct message *) = 0;
struct payload *p;
u_int16_t type;
/* Check that a new exchange is coherent with the IKE rules. */
if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION
- && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
- && exchange->type != ISAKMP_EXCH_AGGRESSIVE
- && exchange->type != ISAKMP_EXCH_INFO)
- || (exchange->phase == 2 && exchange->type == ISAKMP_EXCH_ID_PROT))) {
- message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0);
+ && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
+ && exchange->type != ISAKMP_EXCH_AGGRESSIVE
+ && exchange->type != ISAKMP_EXCH_INFO)
+ || (exchange->phase == 2 && exchange->type ==
+ ISAKMP_EXCH_ID_PROT))) {
+ message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE,
+ 0, 1, 0);
return -1;
}
- LOG_DBG((LOG_MISC, 30,
- "ipsec_responder: phase %d exchange %d step %d", exchange->phase,
- exchange->type, exchange->step));
+ LOG_DBG((LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d",
+ exchange->phase, exchange->type, exchange->step));
switch (exchange->type) {
case ISAKMP_EXCH_ID_PROT:
script = ike_main_mode_responder;
@@ -1021,18 +1034,18 @@ ipsec_responder(struct message * msg)
case ISAKMP_EXCH_INFO:
for (p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p;
- p = TAILQ_NEXT(p, link)) {
+ p = TAILQ_NEXT(p, link)) {
type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p);
LOG_DBG((LOG_EXCHANGE, 10,
- "ipsec_responder: got NOTIFY of type %s",
- constant_name(isakmp_notify_cst, type)));
+ "ipsec_responder: got NOTIFY of type %s",
+ constant_name(isakmp_notify_cst, type)));
p->flags |= PL_MARK;
}
/*
- * If any DELETEs are in here, let the logic of leftover payloads deal
- * with them.
+ * If any DELETEs are in here, let the logic of leftover
+ * payloads deal with them.
*/
return 0;
@@ -1042,7 +1055,8 @@ ipsec_responder(struct message * msg)
break;
default:
- message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE,
+ 0, 1, 0);
return -1;
}
@@ -1051,7 +1065,8 @@ ipsec_responder(struct message * msg)
return script[exchange->step] (msg);
/*
- * XXX So far we don't accept any proposals for exchanges we don't support.
+ * XXX So far we don't accept any proposals for exchanges we don't
+ * support.
*/
if (TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_SA])) {
message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
@@ -1085,8 +1100,8 @@ from_ike_crypto(u_int16_t crypto)
* VMSG is a pointer to the current message.
*/
int
-ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value,
- u_int16_t len, void *vmsg)
+ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
{
struct message *msg = vmsg;
@@ -1100,9 +1115,9 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value,
return !ike_auth_get(decode_16(value));
case IKE_ATTR_GROUP_DESCRIPTION:
return (decode_16(value) < IKE_GROUP_DESC_MODP_768
- || decode_16(value) > IKE_GROUP_DESC_MODP_1536)
- && (decode_16(value) < IKE_GROUP_DESC_MODP_2048
- || decode_16(value) > IKE_GROUP_DESC_MODP_8192);
+ || decode_16(value) > IKE_GROUP_DESC_MODP_1536)
+ && (decode_16(value) < IKE_GROUP_DESC_MODP_2048
+ || decode_16(value) > IKE_GROUP_DESC_MODP_8192);
case IKE_ATTR_GROUP_TYPE:
return 1;
case IKE_ATTR_GROUP_PRIME:
@@ -1117,15 +1132,15 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value,
return 1;
case IKE_ATTR_LIFE_TYPE:
return decode_16(value) < IKE_DURATION_SECONDS
- || decode_16(value) > IKE_DURATION_KILOBYTES;
+ || decode_16(value) > IKE_DURATION_KILOBYTES;
case IKE_ATTR_LIFE_DURATION:
return len != 2 && len != 4;
case IKE_ATTR_PRF:
return 1;
case IKE_ATTR_KEY_LENGTH:
/*
- * Our crypto routines only allows key-lengths which are multiples
- * of an octet.
+ * Our crypto routines only allows key-lengths which
+ * are multiples of an octet.
*/
return decode_16(value) % 8 != 0;
case IKE_ATTR_FIELD_SIZE:
@@ -1137,20 +1152,20 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value,
switch (type) {
case IPSEC_ATTR_SA_LIFE_TYPE:
return decode_16(value) < IPSEC_DURATION_SECONDS
- || decode_16(value) > IPSEC_DURATION_KILOBYTES;
+ || decode_16(value) > IPSEC_DURATION_KILOBYTES;
case IPSEC_ATTR_SA_LIFE_DURATION:
return len != 2 && len != 4;
case IPSEC_ATTR_GROUP_DESCRIPTION:
return (decode_16(value) < IKE_GROUP_DESC_MODP_768
- || decode_16(value) > IKE_GROUP_DESC_MODP_1536)
- && (decode_16(value) < IKE_GROUP_DESC_MODP_2048
- || IKE_GROUP_DESC_MODP_8192 < decode_16(value));
+ || decode_16(value) > IKE_GROUP_DESC_MODP_1536)
+ && (decode_16(value) < IKE_GROUP_DESC_MODP_2048
+ || IKE_GROUP_DESC_MODP_8192 < decode_16(value));
case IPSEC_ATTR_ENCAPSULATION_MODE:
return decode_16(value) < IPSEC_ENCAP_TUNNEL
- || decode_16(value) > IPSEC_ENCAP_TRANSPORT;
+ || decode_16(value) > IPSEC_ENCAP_TRANSPORT;
case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
return decode_16(value) < IPSEC_AUTH_HMAC_MD5
- || decode_16(value) > IPSEC_AUTH_HMAC_RIPEMD;
+ || decode_16(value) > IPSEC_AUTH_HMAC_RIPEMD;
case IPSEC_ATTR_KEY_LENGTH:
/*
* XXX Blowfish needs '0'. Others appear to disregard
@@ -1177,8 +1192,8 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t * value,
* in human-readable form. VMSG is a pointer to the current message.
*/
int
-ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
- void *vmsg)
+ipsec_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
{
struct message *msg = vmsg;
char val[20];
@@ -1192,9 +1207,8 @@ ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
snprintf(val, sizeof val, "unrepresentable");
LOG_DBG((LOG_MESSAGE, 50, "Attribute %s value %s",
- constant_name(msg->exchange->phase == 1
- ? ike_attr_cst : ipsec_attr_cst, type),
- val));
+ constant_name(msg->exchange->phase == 1 ? ike_attr_cst :
+ ipsec_attr_cst, type), val));
return 0;
}
#endif
@@ -1205,8 +1219,8 @@ ipsec_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
* current message, SA and protocol.
*/
int
-ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
- void *vida)
+ipsec_decode_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vida)
{
struct ipsec_decode_arg *ida = vida;
struct message *msg = ida->msg;
@@ -1222,7 +1236,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
switch (type) {
case IKE_ATTR_ENCRYPTION_ALGORITHM:
/* XXX Errors possible? */
- exchange->crypto = crypto_get(from_ike_crypto(decode_16(value)));
+ exchange->crypto = crypto_get(from_ike_crypto(
+ decode_16(value)));
break;
case IKE_ATTR_HASH_ALGORITHM:
/* XXX Errors possible? */
@@ -1261,7 +1276,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
sa->seconds = decode_32(value);
break;
default:
- log_print("ipsec_decode_attribute: unreasonable lifetime");
+ log_print("ipsec_decode_attribute: "
+ "unreasonable lifetime");
}
break;
case IKE_DURATION_KILOBYTES:
@@ -1273,11 +1289,13 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
sa->kilobytes = decode_32(value);
break;
default:
- log_print("ipsec_decode_attribute: unreasonable lifetime");
+ log_print("ipsec_decode_attribute: "
+ "unreasonable lifetime");
}
break;
default:
- log_print("ipsec_decode_attribute: unknown lifetime type");
+ log_print("ipsec_decode_attribute: unknown "
+ "lifetime type");
}
break;
case IKE_ATTR_PRF:
@@ -1306,7 +1324,8 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
sa->seconds = decode_32(value);
break;
default:
- log_print("ipsec_decode_attribute: unreasonable lifetime");
+ log_print("ipsec_decode_attribute: "
+ "unreasonable lifetime");
}
break;
case IPSEC_DURATION_KILOBYTES:
@@ -1318,11 +1337,13 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
sa->kilobytes = decode_32(value);
break;
default:
- log_print("ipsec_decode_attribute: unreasonable lifetime");
+ log_print("ipsec_decode_attribute: "
+ "unreasonable lifetime");
}
break;
default:
- log_print("ipsec_decode_attribute: unknown lifetime type");
+ log_print("ipsec_decode_attribute: unknown "
+ "lifetime type");
}
break;
case IPSEC_ATTR_GROUP_DESCRIPTION:
@@ -1362,14 +1383,14 @@ ipsec_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
* processed.
*/
void
-ipsec_decode_transform(struct message * msg, struct sa * sa,
- struct proto * proto, u_int8_t * buf)
+ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto,
+ u_int8_t *buf)
{
struct ipsec_exch *ie = msg->exchange->data;
struct ipsec_decode_arg ida;
LOG_DBG((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen",
- GET_ISAKMP_TRANSFORM_NO(buf)));
+ GET_ISAKMP_TRANSFORM_NO(buf)));
ida.msg = msg;
ida.sa = sa;
@@ -1381,8 +1402,8 @@ ipsec_decode_transform(struct message * msg, struct sa * sa,
/* Extract the attributes and stuff them into the SA. */
attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- ipsec_decode_attribute, &ida);
+ GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ ipsec_decode_attribute, &ida);
/*
* If no pseudo-random function was negotiated, it's HMAC.
@@ -1397,7 +1418,7 @@ ipsec_decode_transform(struct message * msg, struct sa * sa,
* of the IKE security association SA.
*/
static void
-ipsec_delete_spi(struct sa * sa, struct proto * proto, int incoming)
+ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming)
{
if (sa->phase == 1)
return;
@@ -1410,7 +1431,7 @@ ipsec_delete_spi(struct sa * sa, struct proto * proto, int incoming)
* PEER is non-zero when the value is our peer's, and zero when it is ours.
*/
static int
-ipsec_g_x(struct message * msg, int peer, u_int8_t * buf)
+ipsec_g_x(struct message *msg, int peer, u_int8_t *buf)
{
struct exchange *exchange = msg->exchange;
struct ipsec_exch *ie = exchange->data;
@@ -1421,18 +1442,20 @@ ipsec_g_x(struct message * msg, int peer, u_int8_t * buf)
g_x = initiator ? &ie->g_xi : &ie->g_xr;
*g_x = malloc(ie->g_x_len);
if (!*g_x) {
- log_error("ipsec_g_x: malloc (%lu) failed", (unsigned long) ie->g_x_len);
+ log_error("ipsec_g_x: malloc (%lu) failed",
+ (unsigned long)ie->g_x_len);
return -1;
}
memcpy(*g_x, buf, ie->g_x_len);
- snprintf(header, sizeof header, "ipsec_g_x: g^x%c", initiator ? 'i' : 'r');
+ snprintf(header, sizeof header, "ipsec_g_x: g^x%c",
+ initiator ? 'i' : 'r');
LOG_DBG_BUF((LOG_MISC, 80, header, *g_x, ie->g_x_len));
return 0;
}
/* Generate our DH value. */
int
-ipsec_gen_g_x(struct message * msg)
+ipsec_gen_g_x(struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct ipsec_exch *ie = exchange->data;
@@ -1441,11 +1464,11 @@ ipsec_gen_g_x(struct message * msg)
buf = malloc(ISAKMP_KE_SZ + ie->g_x_len);
if (!buf) {
log_error("ipsec_gen_g_x: malloc (%lu) failed",
- ISAKMP_KE_SZ + (unsigned long) ie->g_x_len);
+ ISAKMP_KE_SZ + (unsigned long)ie->g_x_len);
return -1;
}
if (message_add_payload(msg, ISAKMP_PAYLOAD_KEY_EXCH, buf,
- ISAKMP_KE_SZ + ie->g_x_len, 1)) {
+ ISAKMP_KE_SZ + ie->g_x_len, 1)) {
free(buf);
return -1;
}
@@ -1459,7 +1482,7 @@ ipsec_gen_g_x(struct message * msg)
/* Save the peer's DH value. */
int
-ipsec_save_g_x(struct message * msg)
+ipsec_save_g_x(struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct ipsec_exch *ie = exchange->data;
@@ -1483,7 +1506,7 @@ ipsec_save_g_x(struct message * msg)
* size where SZ points. NB! A zero return is OK if *SZ is zero.
*/
static u_int8_t *
-ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg)
+ipsec_get_spi(size_t *sz, u_int8_t proto, struct message *msg)
{
struct sockaddr *dst, *src;
struct transport *transport = msg->transport;
@@ -1496,7 +1519,8 @@ ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg)
transport->vtbl->get_src(transport, &dst);
/* The peer is the source. */
transport->vtbl->get_dst(transport, &src);
- return sysdep_ipsec_get_spi(sz, proto, src, dst, msg->exchange->seq);
+ return sysdep_ipsec_get_spi(sz, proto, src, dst,
+ msg->exchange->seq);
}
}
@@ -1507,8 +1531,8 @@ ipsec_get_spi(size_t * sz, u_int8_t proto, struct message * msg)
* 0.
*/
int
-ipsec_handle_leftover_payload(struct message * msg, u_int8_t type,
- struct payload * payload)
+ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
+ struct payload *payload)
{
u_int32_t spisz, nspis;
struct sockaddr *dst;
@@ -1523,22 +1547,24 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type,
spisz = GET_ISAKMP_DELETE_SPI_SZ(payload->p);
if (nspis == 0) {
- LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: message "
- "specified zero SPIs, ignoring"));
+ LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: "
+ "message specified zero SPIs, ignoring"));
return -1;
}
/* verify proper SPI size */
- if ((proto == ISAKMP_PROTO_ISAKMP && spisz != ISAKMP_HDR_COOKIES_LEN)
- || (proto != ISAKMP_PROTO_ISAKMP && spisz != sizeof(u_int32_t))) {
- log_print("ipsec_handle_leftover_payload: "
- "invalid SPI size %d for proto %d in DELETE payload",
- spisz, proto);
+ if ((proto == ISAKMP_PROTO_ISAKMP && spisz !=
+ ISAKMP_HDR_COOKIES_LEN)
+ || (proto != ISAKMP_PROTO_ISAKMP && spisz !=
+ sizeof(u_int32_t))) {
+ log_print("ipsec_handle_leftover_payload: invalid SPI "
+ "size %d for proto %d in DELETE payload",
+ spisz, proto);
return -1;
}
spis = (u_int8_t *) malloc(nspis * spisz);
if (!spis) {
- log_error("ipsec_handle_leftover_payload: malloc (%d) failed",
- nspis * spisz);
+ log_error("ipsec_handle_leftover_payload: malloc "
+ "(%d) failed", nspis * spisz);
return -1;
}
/* extract SPI and get dst address */
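Review bot: The re-wrapped `log_error` call at the end of this hunk passes `nspis * spisz` to a `%d` conversion, but both operands are declared `u_int32_t` at the top of the function, so the format does not match the argument type; the file's own convention for size arguments (see the `malloc (%lu)` messages in `ipsec_gen_g_x` and `ipsec_build_id`) would be `log_error("ipsec_handle_leftover_payload: malloc (%lu) failed", (unsigned long)(nspis * spisz));`. The same `%d`/`u_int32_t` mismatch applies to `spisz` in the "invalid SPI size" message a few lines up. As a point of style, `spis = (u_int8_t *) malloc(nspis * spisz);` is the only cast malloc in the visible hunks; `spis = malloc(nspis * spisz);` matches the rest of the file. Since this commit is declared binary-identical, these belong in a follow-up rather than here.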
@@ -1559,35 +1585,40 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type,
* - this is not an AGGRESSIVE mode exchange
* - it is protected by an ISAKMP SA
*
- * XXX Instead of the first condition above, we could permit this
- * XXX only for phase 2. In the last packet of main-mode, this
- * XXX payload, while encrypted, is not part of the hash digest.
- * XXX As we currently send our own INITIAL-CONTACTs at this point,
- * XXX this too would need to be changed.
+ * XXX Instead of the first condition above, we could
+ * XXX permit this only for phase 2. In the last
+ * XXX packet of main-mode, this payload, while
+ * XXX encrypted, is not part of the hash digest. As
+ * XXX we currently send our own INITIAL-CONTACTs at
+ * XXX this point, this too would need to be changed.
*/
if (msg->exchange->type == ISAKMP_EXCH_AGGRESSIVE) {
- log_print("ipsec_handle_leftover_payload: got INITIAL-CONTACT "
- "in AGGRESSIVE mode");
+ log_print("ipsec_handle_leftover_payload: got "
+ "INITIAL-CONTACT in AGGRESSIVE mode");
return -1;
}
- if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT) == 0) {
- log_print("ipsec_handle_leftover_payload: got INITIAL-CONTACT "
- "without ISAKMP SA");
+ if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT)
+ == 0) {
+ log_print("ipsec_handle_leftover_payload: got "
+ "INITIAL-CONTACT without ISAKMP SA");
return -1;
}
/*
- * Find out who is sending this and then delete every SA that is
- * ready. Exchanges will timeout themselves and then the
- * non-ready SAs will disappear too.
+ * Find out who is sending this and then delete every
+ * SA that is ready. Exchanges will timeout
+ * themselves and then the non-ready SAs will
+ * disappear too.
*/
msg->transport->vtbl->get_dst(msg->transport, &dst);
- while ((sa = sa_lookup_by_peer(dst, sysdep_sa_len(dst))) != 0) {
+ while ((sa = sa_lookup_by_peer(dst, sysdep_sa_len(dst)))
+ != 0) {
/*
- * Don't delete the current SA -- we received the
- * notification over it, so it's obviously still
- * active. We temporarily need to remove the SA
- * from the list to avoid an endless loop, but
- * keep a reference so it won't disappear meanwhile.
+ * Don't delete the current SA -- we received
+ * the notification over it, so it's obviously
+ * still active. We temporarily need to remove
+ * the SA from the list to avoid an endless
+ * loop, but keep a reference so it won't
+ * disappear meanwhile.
*/
if (sa == msg->isakmp_sa) {
sa_reference(sa);
@@ -1615,7 +1646,7 @@ ipsec_handle_leftover_payload(struct message * msg, u_int8_t type,
/* Return the encryption keylength in octets of the ESP protocol PROTO. */
int
-ipsec_esp_enckeylength(struct proto * proto)
+ipsec_esp_enckeylength(struct proto *proto)
{
struct ipsec_proto *iproto = proto->data;
@@ -1643,7 +1674,7 @@ ipsec_esp_enckeylength(struct proto * proto)
/* Return the authentication keylength in octets of the ESP protocol PROTO. */
int
-ipsec_esp_authkeylength(struct proto * proto)
+ipsec_esp_authkeylength(struct proto *proto)
{
struct ipsec_proto *iproto = proto->data;
@@ -1666,7 +1697,7 @@ ipsec_esp_authkeylength(struct proto * proto)
/* Return the authentication keylength in octets of the AH protocol PROTO. */
int
-ipsec_ah_keylength(struct proto * proto)
+ipsec_ah_keylength(struct proto *proto)
{
switch (proto->id) {
case IPSEC_AH_MD5:
@@ -1687,11 +1718,12 @@ ipsec_ah_keylength(struct proto * proto)
/* Return the total keymaterial length of the protocol PROTO. */
int
-ipsec_keymat_length(struct proto * proto)
+ipsec_keymat_length(struct proto *proto)
{
switch (proto->proto) {
case IPSEC_PROTO_IPSEC_ESP:
- return ipsec_esp_enckeylength(proto) + ipsec_esp_authkeylength(proto);
+ return ipsec_esp_enckeylength(proto)
+ + ipsec_esp_authkeylength(proto);
case IPSEC_PROTO_IPSEC_AH:
return ipsec_ah_keylength(proto);
default:
@@ -1842,8 +1874,8 @@ ipsec_get_id(char *section, int *id, struct sockaddr **addr,
* we cannot fit the information in the supplied buffer.
*/
static void
-ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len,
- int isakmpform)
+ipsec_decode_id(char *buf, size_t size, u_int8_t *id, size_t id_len,
+ int isakmpform)
{
int id_type;
char *addr = 0, *mask = 0;
@@ -1864,29 +1896,30 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len,
case IPSEC_ID_IPV4_ADDR:
util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF);
snprintf(buf, size, "%08x: %s",
- decode_32(id + ISAKMP_ID_DATA_OFF), addr);
+ decode_32(id + ISAKMP_ID_DATA_OFF), addr);
break;
case IPSEC_ID_IPV4_ADDR_SUBNET:
util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF);
util_ntoa(&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4);
snprintf(buf, size, "%08x/%08x: %s/%s",
- decode_32(id + ISAKMP_ID_DATA_OFF),
+ decode_32(id + ISAKMP_ID_DATA_OFF),
decode_32(id + ISAKMP_ID_DATA_OFF + 4), addr, mask);
break;
case IPSEC_ID_IPV6_ADDR:
util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
- snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp, *(idp + 1),
- *(idp + 2), *(idp + 3), addr);
+ snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp,
+ *(idp + 1), *(idp + 2), *(idp + 3), addr);
break;
case IPSEC_ID_IPV6_ADDR_SUBNET:
util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF +
- sizeof(struct in6_addr));
- snprintf(buf, size, "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s",
- *idp, *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4),
+ sizeof(struct in6_addr));
+ snprintf(buf, size,
+ "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s", *idp,
+ *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4),
*(idp + 5), *(idp + 6), *(idp + 7), addr, mask);
break;
@@ -1902,7 +1935,7 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len,
#ifdef USE_X509
case IPSEC_ID_DER_ASN1_DN:
addr = x509_DN_string(id + ISAKMP_ID_DATA_OFF,
- id_len - ISAKMP_ID_DATA_OFF);
+ id_len - ISAKMP_ID_DATA_OFF);
if (!addr) {
snprintf(buf, size, "unparsable ASN1 DN ID");
return;
@@ -1923,9 +1956,9 @@ ipsec_decode_id(char *buf, size_t size, u_int8_t * id, size_t id_len,
free(mask);
}
-char *
-ipsec_decode_ids(char *fmt, u_int8_t * id1, size_t id1_len,
- u_int8_t * id2, size_t id2_len, int isakmpform)
+char *
+ipsec_decode_ids(char *fmt, u_int8_t *id1, size_t id1_len, u_int8_t *id2,
+ size_t id2_len, int isakmpform)
{
static char result[1024];
char s_id1[256], s_id2[256];
@@ -1942,8 +1975,8 @@ ipsec_decode_ids(char *fmt, u_int8_t * id1, size_t id1_len,
* ISAKMP ID payload. Ths payload size should be stashed in SZ.
* The caller is responsible for freeing the payload.
*/
-u_int8_t *
-ipsec_build_id(char *section, size_t * sz)
+u_int8_t *
+ipsec_build_id(char *section, size_t *sz)
{
struct sockaddr *addr, *mask;
u_int8_t *p;
@@ -1963,17 +1996,18 @@ ipsec_build_id(char *section, size_t * sz)
p = malloc(*sz);
if (!p) {
- log_print("ipsec_build_id: malloc(%lu) failed", (unsigned long) *sz);
+ log_print("ipsec_build_id: malloc(%lu) failed",
+ (unsigned long)*sz);
return 0;
}
SET_ISAKMP_ID_TYPE(p, id);
- SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *) "\000\000\000");
+ SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *)"\000\000\000");
memcpy(p + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(addr),
- sockaddr_addrlen(addr));
+ sockaddr_addrlen(addr));
if (subnet)
memcpy(p + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(addr),
- sockaddr_addrdata(mask), sockaddr_addrlen(mask));
+ sockaddr_addrdata(mask), sockaddr_addrlen(mask));
SET_IPSEC_ID_PROTO(p + ISAKMP_ID_DOI_DATA_OFF, tproto);
SET_IPSEC_ID_PORT(p + ISAKMP_ID_DOI_DATA_OFF, port);
@@ -1985,7 +2019,7 @@ ipsec_build_id(char *section, size_t * sz)
* copy an ISAKMPD id
*/
int
-ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len)
+ipsec_clone_id(u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len)
{
if (*did)
free(*did);
@@ -1998,7 +2032,8 @@ ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len)
*did = malloc(id_len);
if (!*did) {
*did_len = 0;
- log_error("ipsec_clone_id: malloc(%lu) failed", (unsigned long) id_len);
+ log_error("ipsec_clone_id: malloc(%lu) failed",
+ (unsigned long)id_len);
return -1;
}
*did_len = id_len;
@@ -2013,13 +2048,13 @@ ipsec_clone_id(u_int8_t ** did, size_t * did_len, u_int8_t * id, size_t id_len)
* XXX I want to fix this later.
*/
void
-ipsec_proto_init(struct proto * proto, char *section)
+ipsec_proto_init(struct proto *proto, char *section)
{
struct ipsec_proto *iproto = proto->data;
if (proto->sa->phase == 2 && section)
- iproto->replay_window
- = conf_get_num(section, "ReplayWindow", DEFAULT_REPLAY_WINDOW);
+ iproto->replay_window = conf_get_num(section, "ReplayWindow",
+ DEFAULT_REPLAY_WINDOW);
}
/*
@@ -2027,9 +2062,9 @@ ipsec_proto_init(struct proto * proto, char *section)
* the first contact we have made to our peer.
*/
int
-ipsec_initial_contact(struct message * msg)
+ipsec_initial_contact(struct message *msg)
{
- u_int8_t *buf;
+ u_int8_t *buf;
if (ipsec_contacted(msg))
return 0;
@@ -2037,7 +2072,7 @@ ipsec_initial_contact(struct message * msg)
buf = malloc(ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN);
if (!buf) {
log_error("ike_phase_1_initial_contact: malloc (%d) failed",
- ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN);
+ ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN);
return -1;
}
SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC);
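Review bot: The error message in this hunk names the wrong function: it reads `ike_phase_1_initial_contact: malloc (%d) failed` while the enclosing function, whose signature is visible in the previous hunk, is `ipsec_initial_contact`, so a log line from this failure path would point an operator at a function that does not exist in this file. Suggested text: `log_error("ipsec_initial_contact: malloc (%d) failed",`. Every other message in the visible hunks uses its own function name as the prefix, so this is presumably a leftover from a rename. Out of scope for a KNF-only commit, but worth a one-line follow-up.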
@@ -2045,9 +2080,9 @@ ipsec_initial_contact(struct message * msg)
SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN);
SET_ISAKMP_NOTIFY_MSG_TYPE(buf, IPSEC_NOTIFY_INITIAL_CONTACT);
memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies,
- ISAKMP_HDR_COOKIES_LEN);
+ ISAKMP_HDR_COOKIES_LEN);
if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf,
- ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) {
+ ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) {
free(buf);
return -1;
}
@@ -2075,7 +2110,7 @@ addr_cmp(const void *a, const void *b)
* is unimportant, if this is to scale.
*/
static int
-ipsec_add_contact(struct message * msg)
+ipsec_add_contact(struct message *msg)
{
struct contact *new_contacts;
struct sockaddr *dst, *addr;
@@ -2085,8 +2120,8 @@ ipsec_add_contact(struct message * msg)
cnt = contact_limit ? 2 * contact_limit : 64;
new_contacts = realloc(contacts, cnt * sizeof contacts[0]);
if (!new_contacts) {
- log_error("ipsec_add_contact: realloc (%p, %lu) failed", contacts,
- cnt * (unsigned long) sizeof contacts[0]);
+ log_error("ipsec_add_contact: realloc (%p, %lu) failed",
+ contacts, cnt * (unsigned long) sizeof contacts[0]);
return -1;
}
contact_limit = cnt;
@@ -2095,7 +2130,8 @@ ipsec_add_contact(struct message * msg)
msg->transport->vtbl->get_dst(msg->transport, &dst);
addr = malloc(sysdep_sa_len(dst));
if (!addr) {
- log_error("ipsec_add_contact: malloc (%d) failed", sysdep_sa_len(dst));
+ log_error("ipsec_add_contact: malloc (%d) failed",
+ sysdep_sa_len(dst));
return -1;
}
memcpy(addr, dst, sysdep_sa_len(dst));
@@ -2112,32 +2148,30 @@ ipsec_add_contact(struct message * msg)
/* Return true if the recipient of MSG has already been contacted. */
static int
-ipsec_contacted(struct message * msg)
+ipsec_contacted(struct message *msg)
{
struct contact contact;
msg->transport->vtbl->get_dst(msg->transport, &contact.addr);
contact.len = sysdep_sa_len(contact.addr);
- return contacts
- ? (bsearch(&contact, contacts, contact_cnt, sizeof *contacts, addr_cmp)
- != 0)
- : 0;
+ return contacts ? (bsearch(&contact, contacts, contact_cnt,
+ sizeof *contacts, addr_cmp) != 0) : 0;
}
/* Add a HASH for to MSG. */
-u_int8_t *
-ipsec_add_hash_payload(struct message * msg, size_t hashsize)
+u_int8_t *
+ipsec_add_hash_payload(struct message *msg, size_t hashsize)
{
- u_int8_t *buf;
+ u_int8_t *buf;
buf = malloc(ISAKMP_HASH_SZ + hashsize);
if (!buf) {
log_error("ipsec_add_hash_payload: malloc (%lu) failed",
- ISAKMP_HASH_SZ + (unsigned long) hashsize);
+ ISAKMP_HASH_SZ + (unsigned long) hashsize);
return 0;
}
if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf,
- ISAKMP_HASH_SZ + hashsize, 1)) {
+ ISAKMP_HASH_SZ + hashsize, 1)) {
free(buf);
return 0;
}
@@ -2146,7 +2180,7 @@ ipsec_add_hash_payload(struct message * msg, size_t hashsize)
/* Fill in the HASH payload of MSG. */
int
-ipsec_fill_in_hash(struct message * msg)
+ipsec_fill_in_hash(struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct sa *isakmp_sa = msg->isakmp_sa;
@@ -2170,37 +2204,40 @@ ipsec_fill_in_hash(struct message * msg)
buf = payload->p;
/* Allocate the prf and start calculating our HASH(1). */
- LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", isa->skeyid_a,
- isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
+ LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a",
+ isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
return -1;
prf->Init(prf->prfctx);
LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: message_id",
- exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
- prf->Update(prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+ exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ prf->Update(prf->prfctx, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
/* Loop over all payloads after HASH(1). */
for (i = 2; i < msg->iovlen; i++) {
/* XXX Misleading payload type printouts. */
snprintf(header, sizeof header,
- "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1);
+ "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1);
LOG_DBG_BUF((LOG_MISC, 90, header, msg->iov[i].iov_base,
- msg->iov[i].iov_len));
- prf->Update(prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len);
+ msg->iov[i].iov_len));
+ prf->Update(prf->prfctx, msg->iov[i].iov_base,
+ msg->iov[i].iov_len);
}
prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx);
prf_free(prf);
- LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)",
- buf + ISAKMP_HASH_DATA_OFF, hash->hashsize));
+ LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf +
+ ISAKMP_HASH_DATA_OFF, hash->hashsize));
return 0;
}
/* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */
static int
-ipsec_informational_pre_hook(struct message * msg)
+ipsec_informational_pre_hook(struct message *msg)
{
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_sa *isa;
@@ -2217,7 +2254,7 @@ ipsec_informational_pre_hook(struct message * msg)
* Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by.
*/
static int
-ipsec_informational_post_hook(struct message * msg)
+ipsec_informational_post_hook(struct message *msg)
{
if (!msg->isakmp_sa)
return 0;
@@ -2225,13 +2262,14 @@ ipsec_informational_post_hook(struct message * msg)
}
ssize_t
-ipsec_id_size(char *section, u_int8_t * id)
+ipsec_id_size(char *section, u_int8_t *id)
{
- char *type, *data;
+ char *type, *data;
type = conf_get_str(section, "ID-type");
if (!type) {
- log_print("ipsec_id_size: section %s has no \"ID-type\" tag", section);
+ log_print("ipsec_id_size: section %s has no \"ID-type\" tag",
+ section);
return -1;
}
*id = constant_value(ipsec_id_cst, type);
@@ -2251,30 +2289,31 @@ ipsec_id_size(char *section, u_int8_t * id)
case IPSEC_ID_DER_ASN1_GN:
data = conf_get_str(section, "Name");
if (!data) {
- log_print("ipsec_id_size: section %s has no \"Name\" tag", section);
+ log_print("ipsec_id_size: section %s has no \"Name\" tag",
+ section);
return -1;
}
return strlen(data);
}
log_print("ipsec_id_size: unrecognized/unsupported ID-type %d (%s)",
- *id, type);
+ *id, type);
return -1;
}
/*
* Generate a string version of the ID.
*/
-char *
-ipsec_id_string(u_int8_t * id, size_t id_len)
+char *
+ipsec_id_string(u_int8_t *id, size_t id_len)
{
char *buf = 0;
char *addrstr = 0;
size_t len, size;
/*
- * XXX Real ugly way of making the offsets correct. Be aware that id now
- * will point before the actual buffer and cannot be dereferenced without
- * an offset larger than or equal to ISAKM_GEN_SZ.
+ * XXX Real ugly way of making the offsets correct. Be aware that id
+ * now will point before the actual buffer and cannot be dereferenced
+ * without an offset larger than or equal to ISAKM_GEN_SZ.
*/
id -= ISAKMP_GEN_SZ;
@@ -2287,7 +2326,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len)
* estimate.
*/
size = MAX(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
- sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF);
+ sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF);
buf = malloc(size);
if (!buf)
/* XXX Log? */
@@ -2316,7 +2355,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len)
case IPSEC_ID_USER_FQDN:
strlcpy(buf,
GET_ISAKMP_ID_TYPE(id) == IPSEC_ID_FQDN ? "fqdn/" : "ufqdn/",
- size);
+ size);
len = strlen(buf);
memcpy(buf + len, id + ISAKMP_ID_DATA_OFF, id_len);
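Review bot: The FQDN/USER_FQDN branch copies `id_len` bytes after the `fqdn/` or `ufqdn/` prefix into `buf` without checking that it fits, whereas the ASN1_DN branch in the next hunk guards its copy with `if (size < len + strlen(addrstr) + 1) goto fail;`. `size` is computed in the hunk above as `MAX(sizeof "ipv6/...", sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF)`, and the lines between the two hunks (where `id_len` may be rescaled relative to the `id -= ISAKMP_GEN_SZ` adjustment) are not visible, so I cannot confirm from the diff that `len + id_len + 1 <= size` holds for every identity length the peer can send. A symmetric guard, `if (size < len + id_len + 1) goto fail;` placed before the `memcpy`, would make the branch self-evidently safe regardless of how `size` is derived. The enclosing function `ipsec_id_string` continues outside this hunk.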
@@ -2328,7 +2367,7 @@ ipsec_id_string(u_int8_t * id, size_t id_len)
strlcpy(buf, "asn1_dn/", size);
len = strlen(buf);
addrstr = x509_DN_string(id + ISAKMP_ID_DATA_OFF,
- id_len - ISAKMP_ID_DATA_OFF);
+ id_len - ISAKMP_ID_DATA_OFF);
if (!addrstr)
goto fail;
if (size < len + strlen(addrstr) + 1)
@@ -2339,8 +2378,9 @@ ipsec_id_string(u_int8_t * id, size_t id_len)
default:
/* Unknown type. */
- LOG_DBG((LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n",
- GET_ISAKMP_ID_TYPE(id)));
+ LOG_DBG((LOG_MISC, 10,
+ "ipsec_id_string: unknown identity type %d\n",
+ GET_ISAKMP_ID_TYPE(id)));
goto fail;
}
diff --git a/sbin/isakmpd/ipsec.h b/sbin/isakmpd/ipsec.h
index a39184f041a..1b3c9963c1f 100644
--- a/sbin/isakmpd/ipsec.h
+++ b/sbin/isakmpd/ipsec.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.h,v 1.23 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: ipsec.h,v 1.24 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */
/*
@@ -67,8 +67,8 @@ struct ipsec_exch {
u_int8_t pfs;
/*
- * A copy of the initiator SA payload body for later computation of hashes.
- * Phase 1 only.
+ * A copy of the initiator SA payload body for later computation of
+ * hashes. Phase 1 only.
*/
size_t sa_i_b_len;
u_int8_t *sa_i_b;
@@ -144,34 +144,30 @@ struct ipsec_proto {
u_int8_t *keymat[2];
};
-extern u_int8_t *ipsec_add_hash_payload(struct message * msg, size_t);
+extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t);
extern int ipsec_ah_keylength(struct proto *);
extern u_int8_t *ipsec_build_id(char *, size_t *);
extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
-extern void
-ipsec_decode_transform(struct message *, struct sa *,
- struct proto *, u_int8_t *);
+extern void ipsec_decode_transform(struct message *, struct sa *,
+ struct proto *, u_int8_t *);
extern int ipsec_esp_authkeylength(struct proto *);
extern int ipsec_esp_enckeylength(struct proto *);
-extern int ipsec_fill_in_hash(struct message * msg);
+extern int ipsec_fill_in_hash(struct message *);
extern int ipsec_gen_g_x(struct message *);
-extern int
-ipsec_get_id(char *, int *, struct sockaddr **,
- struct sockaddr **, u_int8_t *, u_int16_t *);
+extern int ipsec_get_id(char *, int *, struct sockaddr **,
+ struct sockaddr **, u_int8_t *, u_int16_t *);
extern ssize_t ipsec_id_size(char *, u_int8_t *);
extern char *ipsec_id_string(u_int8_t *, size_t);
extern void ipsec_init(void);
-extern int ipsec_initial_contact(struct message * msg);
-extern int
-ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *, u_int16_t,
- void *);
+extern int ipsec_initial_contact(struct message *);
+extern int ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *,
+ u_int16_t, void *);
extern int ipsec_keymat_length(struct proto *);
extern int ipsec_save_g_x(struct message *);
extern struct sa *ipsec_sa_lookup(struct sockaddr *, u_int32_t, u_int8_t);
-extern char *
-ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, size_t,
- int);
+extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *,
+ size_t, int);
extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t);
#endif /* _IPSEC_H_ */
diff --git a/sbin/isakmpd/isakmp_cfg.c b/sbin/isakmpd/isakmp_cfg.c
index 9a31de1583a..df6b8f15b10 100644
--- a/sbin/isakmpd/isakmp_cfg.c
+++ b/sbin/isakmpd/isakmp_cfg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_cfg.c,v 1.28 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: isakmp_cfg.c,v 1.29 2004/05/23 18:17:56 hshoexer Exp $ */
/*
* Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
@@ -57,7 +57,7 @@
* Validation script used to test messages for correct content of
* payloads depending on the exchange type.
*/
-int16_t script_transaction[] = {
+int16_t script_transaction[] = {
ISAKMP_PAYLOAD_ATTRIBUTE, /* Initiator -> responder. */
EXCHANGE_SCRIPT_SWITCH,
ISAKMP_PAYLOAD_ATTRIBUTE, /* Responder -> initiator. */
@@ -65,28 +65,26 @@ int16_t script_transaction[] = {
};
static int cfg_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *);
-static int
-cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t,
- u_int32_t, char *, u_int8_t **, u_int16_t *);
+static int cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t,
+ u_int32_t, char *, u_int8_t **, u_int16_t *);
static int cfg_initiator_send_ATTR(struct message *);
static int cfg_initiator_recv_ATTR(struct message *);
static int cfg_responder_recv_ATTR(struct message *);
static int cfg_responder_send_ATTR(struct message *);
u_int8_t *cfg_add_hash(struct message *);
-int
-cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *,
- u_int16_t);
+int cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *,
+ u_int16_t);
int cfg_verify_hash(struct message * msg);
/* Server: SET/ACK Client; REQ/REPLY */
-int (*isakmp_cfg_initiator[]) (struct message *) = {
+int (*isakmp_cfg_initiator[]) (struct message *) = {
cfg_initiator_send_ATTR,
cfg_initiator_recv_ATTR
};
/* Server: REQ/REPLY Client: SET/ACK */
-int (*isakmp_cfg_responder[]) (struct message *) = {
+int (*isakmp_cfg_responder[]) (struct message *) = {
cfg_responder_recv_ATTR,
cfg_responder_send_ATTR
};
@@ -96,7 +94,7 @@ int (*isakmp_cfg_responder[]) (struct message *) = {
* When we are "the client", this starts REQ/REPLY mode
*/
static int
-cfg_initiator_send_ATTR(struct message * msg)
+cfg_initiator_send_ATTR(struct message *msg)
{
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_exch *ie = msg->exchange->data;
@@ -116,9 +114,11 @@ cfg_initiator_send_ATTR(struct message * msg)
}
/* We initiated this exchange, check isakmp_sa for other side. */
if (isakmp_sa->initiator)
- id_string = ipsec_id_string(isakmp_sa->id_r, isakmp_sa->id_r_len);
+ id_string = ipsec_id_string(isakmp_sa->id_r,
+ isakmp_sa->id_r_len);
else
- id_string = ipsec_id_string(isakmp_sa->id_i, isakmp_sa->id_i_len);
+ id_string = ipsec_id_string(isakmp_sa->id_i,
+ isakmp_sa->id_i_len);
if (!id_string) {
log_print("cfg_initiator_send_ATTR: cannot parse ID");
goto fail;
@@ -132,49 +132,50 @@ cfg_initiator_send_ATTR(struct message * msg)
/* SET/ACK mode */
ie->cfg_type = ISAKMP_CFG_SET;
- LOG_DBG((LOG_NEGOTIATION, 10, "cfg_initiator_send_ATTR: SET/ACK mode"));
+ LOG_DBG((LOG_NEGOTIATION, 10,
+ "cfg_initiator_send_ATTR: SET/ACK mode"));
#define ATTRFIND(STR,ATTR4,LEN4,ATTR6,LEN6) do \
{ \
- if ((sa = conf_get_address (id_string, STR)) != NULL) \
- switch (sa->sa_family) \
- { \
- case AF_INET: \
- bit_set (attrbits, ATTR4); \
- attrlen += ISAKMP_ATTR_SZ + LEN4; \
- break; \
- case AF_INET6: \
- bit_set (attrbits, ATTR6); \
- attrlen += ISAKMP_ATTR_SZ + LEN6; \
- break; \
- default: \
- break; \
- } \
- free (sa); \
- } while (0)
+ if ((sa = conf_get_address (id_string, STR)) != NULL) \
+ switch (sa->sa_family) { \
+ case AF_INET: \
+ bit_set (attrbits, ATTR4); \
+ attrlen += ISAKMP_ATTR_SZ + LEN4; \
+ break; \
+ case AF_INET6: \
+ bit_set (attrbits, ATTR6); \
+ attrlen += ISAKMP_ATTR_SZ + LEN6; \
+ break; \
+ default: \
+ break; \
+ } \
+ free (sa); \
+ } while (0)
/*
* XXX We don't simultaneously support IPv4 and IPv6
* addresses.
*/
ATTRFIND("Address", ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS, 4,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16);
ATTRFIND("Netmask", ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK, 4,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16);
ATTRFIND("Nameserver", ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS, 4,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16);
ATTRFIND("WINS-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS, 4,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16);
ATTRFIND("DHCP-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP, 4,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16);
#ifdef notyet
ATTRFIND("Network", ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET, 8,
- ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17);
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17);
#endif
#undef ATTRFIND
if (conf_get_str(id_string, "Lifetime")) {
- bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY);
+ bit_set(attrbits,
+ ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY);
attrlen += ISAKMP_ATTR_SZ + 4;
}
} else {
@@ -184,38 +185,45 @@ cfg_initiator_send_ATTR(struct message * msg)
ie->cfg_type = ISAKMP_CFG_REQUEST;
LOG_DBG((LOG_NEGOTIATION, 10,
- "cfg_initiator_send_ATTR: REQ/REPLY mode"));
+ "cfg_initiator_send_ATTR: REQ/REPLY mode"));
alist = conf_get_list(id_string, "Attributes");
if (alist) {
for (anode = TAILQ_FIRST(&alist->fields); anode;
- anode = TAILQ_NEXT(anode, link)) {
+ anode = TAILQ_NEXT(anode, link)) {
if (strcasecmp(anode->field, "Address") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS);
attrlen += ISAKMP_ATTR_SZ * 2;
- } else if (strcasecmp(anode->field, "Netmask") == 0) {
+ } else if (strcasecmp(anode->field, "Netmask")
+ == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK);
attrlen += ISAKMP_ATTR_SZ * 2;
- } else if (strcasecmp(anode->field, "Nameserver") == 0) {
+ } else if (strcasecmp(anode->field,
+ "Nameserver") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS);
attrlen += ISAKMP_ATTR_SZ * 2;
- } else if (strcasecmp(anode->field, "WINS-server") == 0) {
+ } else if (strcasecmp(anode->field,
+ "WINS-server") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS);
attrlen += ISAKMP_ATTR_SZ * 2;
- } else if (strcasecmp(anode->field, "DHCP-server") == 0) {
+ } else if (strcasecmp(anode->field,
+ "DHCP-server") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP);
attrlen += ISAKMP_ATTR_SZ * 2;
- } else if (strcasecmp(anode->field, "Lifetime") == 0) {
+ } else if (strcasecmp(anode->field,
+ "Lifetime") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY);
attrlen += ISAKMP_ATTR_SZ;
} else {
- log_print("cfg_initiator_send_ATTR: unknown attribute "
- "%.20s in section [%s]", anode->field, id_string);
+ log_print("cfg_initiator_send_ATTR: "
+ "unknown attribute %.20s in "
+ "section [%s]", anode->field,
+ id_string);
}
}
@@ -226,11 +234,11 @@ cfg_initiator_send_ATTR(struct message * msg)
if (attrlen == 0) {
/* No data found. */
log_print("cfg_initiator_send_ATTR: no IKECFG attributes "
- "found for [%s]", id_string);
+ "found for [%s]", id_string);
/*
- * We can continue, but this indicates a configuration error that
- * the user probably will want to correct.
+ * We can continue, but this indicates a configuration error
+ * that the user probably will want to correct.
*/
free(id_string);
return 0;
@@ -239,10 +247,11 @@ cfg_initiator_send_ATTR(struct message * msg)
attrp = calloc(1, attrlen);
if (!attrp) {
log_error("cfg_initiator_send_ATTR: calloc (1, %lu) failed",
- (unsigned long) attrlen);
+ (unsigned long)attrlen);
goto fail;
}
- if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, 1)) {
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen,
+ 1)) {
free(attrp);
goto fail;
}
@@ -322,8 +331,8 @@ cfg_initiator_send_ATTR(struct message * msg)
sa = conf_get_address(id_string, field);
SET_ISAKMP_ATTR_LENGTH_VALUE(attr, length);
- memcpy(attr + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata(sa),
- length);
+ memcpy(attr + ISAKMP_ATTR_VALUE_OFF,
+ sockaddr_addrdata(sa), length);
free(sa);
@@ -346,10 +355,10 @@ fail:
* As "the client", this ends REQ/REPLY.
*/
static int
-cfg_initiator_recv_ATTR(struct message * msg)
+cfg_initiator_recv_ATTR(struct message *msg)
{
- struct payload *attrp
- = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]);
+ struct payload *attrp =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]);
struct ipsec_exch *ie = msg->exchange->data;
struct sa *isakmp_sa = msg->isakmp_sa;
struct isakmp_cfg_attr *attr;
@@ -371,51 +380,52 @@ cfg_initiator_recv_ATTR(struct message * msg)
case ISAKMP_CFG_ACK:
if (ie->cfg_type != ISAKMP_CFG_SET) {
log_print("cfg_initiator_recv_ATTR: bad packet type ACK");
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 0);
return -1;
}
break;
case ISAKMP_CFG_REPLY:
if (ie->cfg_type != ISAKMP_CFG_REQUEST) {
log_print("cfg_initiator_recv_ATTR: bad packet type REPLY");
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 0);
return -1;
}
break;
default:
- log_print("cfg_initiator_recv_ATTR: "
- "unexpected configuration message type %d",
- attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]);
+ log_print("cfg_initiator_recv_ATTR: unexpected configuration "
+ "message type %d", attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]);
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
return -1;
}
attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(attrp->p)
- - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, ie);
+ GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ cfg_decode_attribute, ie);
switch (ie->cfg_type) {
- case ISAKMP_CFG_ACK:
- {
+ case ISAKMP_CFG_ACK: {
/* SET/ACK -- Server side (ACK from client) */
msg->transport->vtbl->get_src(isakmp_sa->transport, &sa);
if (sockaddr2text(sa, &addr, 0) < 0)
addr = (char *) uk_addr;
for (attr = LIST_FIRST(&ie->attrs); attr;
- attr = LIST_NEXT(attr, link))
- LOG_DBG((LOG_NEGOTIATION, 50, "cfg_initiator_recv_ATTR: "
- "client %s ACKs attribute %s", addr,
- constant_name(isakmp_cfg_attr_cst, attr->type)));
+ attr = LIST_NEXT(attr, link))
+ LOG_DBG((LOG_NEGOTIATION, 50,
+ "cfg_initiator_recv_ATTR: "
+ "client %s ACKs attribute %s", addr,
+ constant_name(isakmp_cfg_attr_cst,
+ attr->type)));
if (addr != uk_addr)
free(addr);
}
break;
- case ISAKMP_CFG_REPLY:
- {
+ case ISAKMP_CFG_REPLY: {
/*
* REQ/REPLY: effect attributes we've gotten
* responses on.
@@ -425,10 +435,12 @@ cfg_initiator_recv_ATTR(struct message * msg)
addr = (char *) uk_addr;
for (attr = LIST_FIRST(&ie->attrs); attr;
- attr = LIST_NEXT(attr, link))
- LOG_DBG((LOG_NEGOTIATION, 50, "cfg_initiator_recv_ATTR: "
- "server %s replied with attribute %s", addr,
- constant_name(isakmp_cfg_attr_cst, attr->type)));
+ attr = LIST_NEXT(attr, link))
+ LOG_DBG((LOG_NEGOTIATION, 50,
+ "cfg_initiator_recv_ATTR: "
+ "server %s replied with attribute %s",
+ addr, constant_name(isakmp_cfg_attr_cst,
+ attr->type)));
if (addr != uk_addr)
free(addr);
@@ -448,10 +460,10 @@ cfg_initiator_recv_ATTR(struct message * msg)
* As "the client", this starts SET/ACK (initiated by the server).
*/
static int
-cfg_responder_recv_ATTR(struct message * msg)
+cfg_responder_recv_ATTR(struct message *msg)
{
- struct payload *attrp
- = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]);
+ struct payload *attrp =
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]);
struct ipsec_exch *ie = msg->exchange->data;
struct sa *isakmp_sa = msg->isakmp_sa;
struct isakmp_cfg_attr *attr;
@@ -473,21 +485,20 @@ cfg_responder_recv_ATTR(struct message * msg)
default:
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
log_print("cfg_responder_recv_ATTR: "
- "unexpected configuration message type %d", ie->cfg_type);
+ "unexpected configuration message type %d", ie->cfg_type);
return -1;
}
attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(attrp->p)
- - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, ie);
+ GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ cfg_decode_attribute, ie);
switch (ie->cfg_type) {
case ISAKMP_CFG_REQUEST:
/* We're done. */
break;
- case ISAKMP_CFG_SET:
- {
+ case ISAKMP_CFG_SET: {
/* SET/ACK -- Client side (SET from server) */
const char *uk_addr = "<unknown>";
@@ -496,17 +507,20 @@ cfg_responder_recv_ATTR(struct message * msg)
addr = (char *) uk_addr;
for (attr = LIST_FIRST(&ie->attrs); attr;
- attr = LIST_NEXT(attr, link))
- LOG_DBG((LOG_NEGOTIATION, 50, "cfg_responder_recv_ATTR: "
- "server %s asks us to SET attribute %s", addr,
- constant_name(isakmp_cfg_attr_cst, attr->type)));
+ attr = LIST_NEXT(attr, link))
+ LOG_DBG((LOG_NEGOTIATION, 50,
+ "cfg_responder_recv_ATTR: "
+ "server %s asks us to SET attribute %s",
+ addr, constant_name(isakmp_cfg_attr_cst,
+ attr->type)));
/*
- * XXX Here's the place to add code to walk through each attribute
- * XXX and send them along to dhclient or whatever. Each attribute
- * XXX that we act upon (such as setting a netmask), should be
- * XXX marked like this for us to send the proper ACK response:
- * XXX attr->attr_used++;
+ * XXX Here's the place to add code to walk through
+ * XXX each attribute and send them along to dhclient
+ * XXX or whatever. Each attribute that we act upon
+ * XXX (such as setting a netmask), should be marked
+ * XXX like this for us to send the proper ACK
+ * XXX response: attr->attr_used++;
*/
if (addr != uk_addr)
@@ -527,7 +541,7 @@ cfg_responder_recv_ATTR(struct message * msg)
* As "the client", this ends SET/ACK mode.
*/
static int
-cfg_responder_send_ATTR(struct message * msg)
+cfg_responder_send_ATTR(struct message *msg)
{
struct ipsec_exch *ie = msg->exchange->data;
struct sa *isakmp_sa = msg->isakmp_sa;
@@ -542,22 +556,25 @@ cfg_responder_send_ATTR(struct message * msg)
}
/* We are responder, check isakmp_sa for other side. */
if (isakmp_sa->initiator ^ (ie->cfg_type == ISAKMP_CFG_REQUEST))
- id_string = ipsec_id_string(isakmp_sa->id_i, isakmp_sa->id_i_len);
+ id_string = ipsec_id_string(isakmp_sa->id_i,
+ isakmp_sa->id_i_len);
else
- id_string = ipsec_id_string(isakmp_sa->id_r, isakmp_sa->id_r_len);
+ id_string = ipsec_id_string(isakmp_sa->id_r,
+ isakmp_sa->id_r_len);
if (!id_string) {
log_print("cfg_responder_send_ATTR: cannot parse client's ID");
return -1;
}
if (cfg_encode_attributes(&ie->attrs, (ie->cfg_type == ISAKMP_CFG_SET ?
- ISAKMP_CFG_ACK : ISAKMP_CFG_REPLY),
- ie->cfg_id, id_string, &attrp, &attrlen)) {
+ ISAKMP_CFG_ACK : ISAKMP_CFG_REPLY), ie->cfg_id, id_string, &attrp,
+ &attrlen)) {
free(id_string);
return -1;
}
free(id_string);
- if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, 1)) {
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen,
+ 1)) {
free(attrp);
return -1;
}
@@ -568,8 +585,8 @@ cfg_responder_send_ATTR(struct message * msg)
return 0;
}
-u_int8_t *
-cfg_add_hash(struct message * msg)
+u_int8_t *
+cfg_add_hash(struct message *msg)
{
struct ipsec_sa *isa = msg->isakmp_sa->data;
struct hash *hash = hash_get(isa->hash);
@@ -578,11 +595,11 @@ cfg_add_hash(struct message * msg)
hashp = malloc(ISAKMP_HASH_SZ + hash->hashsize);
if (!hashp) {
log_error("cfg_add_hash: malloc (%lu) failed",
- ISAKMP_HASH_SZ + (unsigned long) hash->hashsize);
+ ISAKMP_HASH_SZ + (unsigned long)hash->hashsize);
return 0;
}
if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, hashp,
- ISAKMP_HASH_SZ + hash->hashsize, 1)) {
+ ISAKMP_HASH_SZ + hash->hashsize, 1)) {
free(hashp);
return 0;
}
@@ -591,18 +608,19 @@ cfg_add_hash(struct message * msg)
int
cfg_finalize_hash(struct message * msg, u_int8_t * hashp, u_int8_t * data,
- u_int16_t length)
+ u_int16_t length)
{
struct ipsec_sa *isa = msg->isakmp_sa->data;
struct prf *prf;
- prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
+ prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf)
return -1;
prf->Init(prf->prfctx);
prf->Update(prf->prfctx, msg->exchange->message_id,
- ISAKMP_HDR_MESSAGE_ID_LEN);
+ ISAKMP_HDR_MESSAGE_ID_LEN);
prf->Update(prf->prfctx, data, length);
prf->Final(hashp + ISAKMP_GEN_SZ, prf->prfctx);
prf_free(prf);
@@ -610,7 +628,7 @@ cfg_finalize_hash(struct message * msg, u_int8_t * hashp, u_int8_t * data,
}
int
-cfg_verify_hash(struct message * msg)
+cfg_verify_hash(struct message *msg)
{
struct payload *hashp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_HASH]);
struct ipsec_sa *isa = msg->isakmp_sa->data;
@@ -620,7 +638,8 @@ cfg_verify_hash(struct message * msg)
if (!hashp) {
log_print("cfg_verify_hash: phase 2 message missing HASH");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 0);
return -1;
}
hash = hashp->p;
@@ -628,26 +647,28 @@ cfg_verify_hash(struct message * msg)
comp_hash = malloc(hash_len - ISAKMP_GEN_SZ);
if (!comp_hash) {
log_error("cfg_verify_hash: malloc (%lu) failed",
- (unsigned long) hash_len - ISAKMP_GEN_SZ);
+ (unsigned long)hash_len - ISAKMP_GEN_SZ);
return -1;
}
/* Verify hash. */
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
- isa->skeyid_len);
+ isa->skeyid_len);
if (!prf) {
free(comp_hash);
return -1;
}
prf->Init(prf->prfctx);
prf->Update(prf->prfctx, msg->exchange->message_id,
- ISAKMP_HDR_MESSAGE_ID_LEN);
+ ISAKMP_HDR_MESSAGE_ID_LEN);
prf->Update(prf->prfctx, hash + hash_len,
- msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len);
+ msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len);
prf->Final(comp_hash, prf->prfctx);
prf_free(prf);
- if (memcmp(hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ) != 0) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ if (memcmp(hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ)
+ != 0) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 0);
free(comp_hash);
return -1;
}
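Review bot: cfg_verify_hash sizes comp_hash from the peer-supplied payload length (`comp_hash = malloc(hash_len - ISAKMP_GEN_SZ)`), yet prf->Final then writes the negotiated PRF's full output into that buffer and the memcmp reads hash_len - ISAKMP_GEN_SZ bytes of it; nothing in this hunk ties hash_len to the real digest size, so a HASH payload shorter than ISAKMP_GEN_SZ plus the hash size would overrun the heap allocation and a longer one would compare past it. Unless message_validate_hash already enforces the exact payload length for phase 2 (not visible here), add before the malloc `if (hash_len != ISAKMP_GEN_SZ + hash_get(isa->hash)->hashsize) { message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); return -1; }`, mirroring the size cfg_add_hash uses when it builds the payload. The byte-wise memcmp on a MAC is also not constant-time; a timing-safe comparison would be preferable for this check. hash_len is assigned in the part of the function that lies outside this hunk, as do the declarations and the tail.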
@@ -666,7 +687,7 @@ cfg_verify_hash(struct message * msg)
*/
static int
cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
- void *vie)
+ void *vie)
{
struct ipsec_exch *ie = vie;
struct isakmp_cfg_attr *attr;
@@ -676,13 +697,13 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
return 0;
if (type == 0 || type >= ISAKMP_CFG_ATTR_FUTURE_MIN) {
LOG_DBG((LOG_NEGOTIATION, 30,
- "cfg_decode_attribute: invalid attr type %u", type));
+ "cfg_decode_attribute: invalid attr type %u", type));
return -1;
}
attr = calloc(1, sizeof *attr);
if (!attr) {
log_error("cfg_decode_attribute: calloc (1, %lu) failed",
- (unsigned long) sizeof *attr);
+ (unsigned long)sizeof *attr);
return -1;
}
attr->type = type;
@@ -690,7 +711,8 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
if (len) {
attr->value = malloc(len);
if (!attr->value) {
- log_error("cfg_decode_attribute: malloc (%d) failed", len);
+ log_error("cfg_decode_attribute: malloc (%d) failed",
+ len);
free(attr);
/* Should we also deallocate all other values? */
return -1;
@@ -705,9 +727,8 @@ cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
* Encode list of attributes from ie->attrs into a attribute payload.
*/
static int
-cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type,
- u_int32_t cfg_id, char *id_string, u_int8_t ** attrp,
- u_int16_t * len)
+cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type,
+ u_int32_t cfg_id, char *id_string, u_int8_t **attrp, u_int16_t *len)
{
struct isakmp_cfg_attr *attr;
struct sockaddr *sa;
@@ -769,7 +790,7 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type,
*attrp = calloc(1, *len);
if (!*attrp) {
log_error("cfg_encode_attributes: calloc (1, %lu) failed",
- (unsigned long) *len);
+ (unsigned long)*len);
return -1;
}
SET_ISAKMP_ATTRIBUTE_TYPE(*attrp, type);
@@ -853,16 +874,18 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type,
case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS:
sa = conf_get_address(id_string, field);
if (!sa) {
- LOG_DBG((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: "
- "attribute not found: %s", field));
+ LOG_DBG((LOG_NEGOTIATION, 10,
+ "cfg_responder_send_ATTR: "
+ "attribute not found: %s", field));
attr->length = 0;
break;
}
if (sa->sa_family != family) {
- log_print("cfg_responder_send_ATTR: attribute %s - expected %s "
- "got %s data", field,
- (family == AF_INET ? "IPv4" : "IPv6"),
- (sa->sa_family == AF_INET ? "IPv4" : "IPv6"));
+ log_print("cfg_responder_send_ATTR: "
+ "attribute %s - expected %s got %s data",
+ field,
+ (family == AF_INET ? "IPv4" : "IPv6"),
+ (sa->sa_family == AF_INET ? "IPv4" : "IPv6"));
free(sa);
attr->length = 0;
break;
@@ -870,48 +893,56 @@ cfg_encode_attributes(struct isakmp_cfg_attr_head * attrs, u_int32_t type,
/* Temporary limit length for the _SUBNET types. */
if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET)
attr->length = 4;
- else if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET)
+ else if (attr->type ==
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET)
attr->length = 16;
- memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata(sa),
- attr->length);
+ memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF,
+ sockaddr_addrdata(sa), attr->length);
free(sa);
/* _SUBNET types need some extra work. */
if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) {
sa = conf_get_address(id_string, "Netmask");
if (!sa) {
- LOG_DBG((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: "
+ LOG_DBG((LOG_NEGOTIATION, 10,
+ "cfg_responder_send_ATTR: "
"attribute not found: Netmask"));
attr->length = 0;
break;
}
if (sa->sa_family != AF_INET) {
- log_print("cfg_responder_send_ATTR: attribute Netmask - "
- "expected IPv4 got IPv6 data");
+ log_print("cfg_responder_send_ATTR: "
+ "attribute Netmask - expected "
+ "IPv4 got IPv6 data");
free(sa);
attr->length = 0;
break;
}
- memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF + attr->length,
- sockaddr_addrdata(sa), attr->length);
+ memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF +
+ attr->length, sockaddr_addrdata(sa),
+ attr->length);
attr->length = 8;
free(sa);
- } else if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) {
- int prefix = conf_get_num(id_string, "Prefix", -1);
+ } else if (attr->type ==
+ ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) {
+ int prefix = conf_get_num(id_string, "Prefix",
+ -1);
if (prefix == -1) {
log_print("cfg_responder_send_ATTR: "
- "attribute not found: Prefix");
+ "attribute not found: Prefix");
attr->length = 0;
break;
} else if (prefix < -1 || prefix > 128) {
- log_print("cfg_responder_send_ATTR: attribute Prefix - "
- "invalid value %d", prefix);
+ log_print("cfg_responder_send_ATTR: "
+ "attribute Prefix - invalid value %d",
+ prefix);
attr->length = 0;
break;
}
- *(*attrp + off + ISAKMP_ATTR_VALUE_OFF + 16) = (u_int8_t) prefix;
+ *(*attrp + off + ISAKMP_ATTR_VALUE_OFF + 16) =
+ (u_int8_t)prefix;
attr->length = 17;
}
break;
diff --git a/sbin/isakmpd/isakmp_cfg.h b/sbin/isakmpd/isakmp_cfg.h
index 58f9e00f235..169fa29a08d 100644
--- a/sbin/isakmpd/isakmp_cfg.h
+++ b/sbin/isakmpd/isakmp_cfg.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_cfg.h,v 1.4 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: isakmp_cfg.h,v 1.5 2004/05/23 18:17:56 hshoexer Exp $ */
/*
* Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
@@ -46,8 +46,8 @@ struct isakmp_cfg_attr {
struct message;
-extern int (*isakmp_cfg_initiator[]) (struct message *);
-extern int (*isakmp_cfg_responder[]) (struct message *);
+extern int (*isakmp_cfg_initiator[])(struct message *);
+extern int (*isakmp_cfg_responder[])(struct message *);
extern int16_t script_transaction[];
#endif /* _ISAKMP_CFG_H_ */
diff --git a/sbin/isakmpd/isakmp_doi.c b/sbin/isakmpd/isakmp_doi.c
index 1ef681f0942..ea279b66fff 100644
--- a/sbin/isakmpd/isakmp_doi.c
+++ b/sbin/isakmpd/isakmp_doi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_doi.c,v 1.19 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: isakmp_doi.c,v 1.20 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: isakmp_doi.c,v 1.42 2000/09/12 16:29:41 ho Exp $ */
/*
@@ -59,13 +59,11 @@ static int isakmp_responder(struct message *);
static void isakmp_setup_situation(u_int8_t *);
static size_t isakmp_situation_size(void);
static u_int8_t isakmp_spi_size(u_int8_t);
-static int
-isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
- void *);
+static int isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
+ void *);
static int isakmp_validate_exchange(u_int8_t);
-static int
-isakmp_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
- size_t, struct exchange *);
+static int isakmp_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
+ size_t, struct exchange *);
static int isakmp_validate_key_information(u_int8_t *, size_t);
static int isakmp_validate_notification(u_int16_t);
static int isakmp_validate_proto(u_int8_t);
@@ -117,8 +115,8 @@ isakmp_doi_init(void)
#ifdef USE_DEBUG
int
-isakmp_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
- void *vmsg)
+isakmp_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
{
/* XXX Not implemented yet. */
return 0;
@@ -126,18 +124,18 @@ isakmp_debug_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
#endif /* USE_DEBUG */
static void
-isakmp_finalize_exchange(struct message * msg)
+isakmp_finalize_exchange(struct message *msg)
{
}
static struct keystate *
-isakmp_get_keystate(struct message * msg)
+isakmp_get_keystate(struct message *msg)
{
return 0;
}
static void
-isakmp_setup_situation(u_int8_t * buf)
+isakmp_setup_situation(u_int8_t *buf)
{
/* Nothing to do. */
}
@@ -217,15 +215,15 @@ static int
isakmp_initiator(struct message *msg)
{
if (msg->exchange->type != ISAKMP_EXCH_INFO) {
- log_print("isakmp_initiator: unsupported exchange type %d in phase %d",
- msg->exchange->type, msg->exchange->phase);
+ log_print("isakmp_initiator: unsupported exchange type %d "
+ "in phase %d", msg->exchange->type, msg->exchange->phase);
return -1;
}
return message_send_info(msg);
}
static int
-isakmp_responder(struct message * msg)
+isakmp_responder(struct message *msg)
{
struct payload *p;
@@ -256,7 +254,8 @@ isakmp_responder(struct message * msg)
default:
/* XXX So far we don't accept any proposals. */
if (TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_SA])) {
- message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN,
+ 0, 1, 0);
return -1;
}
}
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index f8dc4d7b7b1..4e8f70b21c2 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.62 2004/05/19 14:30:26 ho Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.63 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -157,7 +157,8 @@ parse_args(int argc, char *argv[])
for (cls = 0; cls < LOG_ENDCLASS; cls++)
log_debug_cmd(cls, level);
} else
- log_print("parse_args: -D argument unparseable: %s", optarg);
+ log_print("parse_args: -D argument "
+ "unparseable: %s", optarg);
} else
log_debug_cmd(cls, level);
break;
@@ -197,7 +198,8 @@ parse_args(int argc, char *argv[])
seed = strtoul(optarg, &ep, 0);
srandom(seed);
if (*ep != '\0')
- log_fatal("parse_args: invalid numeric arg to -r (%s)", optarg);
+ log_fatal("parse_args: invalid numeric arg "
+ "to -r (%s)", optarg);
regrand = 1;
break;
@@ -281,7 +283,7 @@ sigusr2(int sig)
}
static int
-phase2_sa_check(struct sa * sa, void *arg)
+phase2_sa_check(struct sa *sa, void *arg)
{
return sa->phase == 2;
}
@@ -290,7 +292,7 @@ static void
daemon_shutdown(void)
{
/* Perform a (protocol-wise) clean shutdown of the daemon. */
- struct sa *sa;
+ struct sa *sa;
if (sigtermed == 1) {
log_print("isakmpd: shutting down...");
@@ -330,7 +332,7 @@ daemon_shutdown_now(int sig)
static void
write_pid_file(void)
{
- FILE *fp;
+ FILE *fp;
/* Ignore errors. This will fail with USE_PRIVSEP. */
unlink(pid_file);
@@ -338,11 +340,12 @@ write_pid_file(void)
fp = monitor_fopen(pid_file, "w");
if (fp != NULL) {
if (fprintf(fp, "%ld\n", (long) getpid()) < 0)
- log_error("write_pid_file: failed to write PID to \"%.100s\"",
- pid_file);
+ log_error("write_pid_file: failed to write PID to "
+ "\"%.100s\"", pid_file);
fclose(fp);
} else
- log_fatal("write_pid_file: fopen (\"%.100s\", \"w\") failed", pid_file);
+ log_fatal("write_pid_file: fopen (\"%.100s\", \"w\") failed",
+ pid_file);
}
int
@@ -430,10 +433,12 @@ main(int argc, char *argv[])
mask_size = howmany(n, NFDBITS) * sizeof(fd_mask);
rfds = (fd_set *) malloc(mask_size);
if (!rfds)
- log_fatal("main: malloc (%lu) failed", (unsigned long) mask_size);
+ log_fatal("main: malloc (%lu) failed",
+ (unsigned long)mask_size);
wfds = (fd_set *) malloc(mask_size);
if (!wfds)
- log_fatal("main: malloc (%lu) failed", (unsigned long) mask_size);
+ log_fatal("main: malloc (%lu) failed",
+ (unsigned long)mask_size);
#if defined (USE_PRIVSEP)
monitor_init_done();
@@ -457,15 +462,17 @@ main(int argc, char *argv[])
rehash_timers();
}
/*
- * and if someone set 'sigtermed' (SIGTERM, SIGINT or via the UI),
- * this indicates we should start a controlled shutdown of the daemon.
+ * and if someone set 'sigtermed' (SIGTERM, SIGINT or via the
+ * UI), this indicates we should start a controlled shutdown
+ * of the daemon.
*
- * Note: Since _one_ message is sent per iteration of this enclosing
- * while-loop, and we want to send a number of DELETE notifications,
- * we must loop atleast this number of times. The daemon_shutdown()
- * function starts by queueing the DELETEs, all other calls just
- * increments the 'sigtermed' variable until it reaches a "safe"
- * value, and the daemon exits.
+ * Note: Since _one_ message is sent per iteration of this
+ * enclosing while-loop, and we want to send a number of
+ * DELETE notifications, we must loop atleast this number of
+ * times. The daemon_shutdown() function starts by queueing
+ * the DELETEs, all other calls just increments the
+ * 'sigtermed' variable until it reaches a "safe" value, and
+ * the daemon exits.
*/
if (sigtermed)
daemon_shutdown();
@@ -478,8 +485,9 @@ main(int argc, char *argv[])
n = ui_socket + 1;
/*
- * XXX Some day we might want to deal with an abstract application
- * class instead, with many instantiations possible.
+ * XXX Some day we might want to deal with an abstract
+ * application class instead, with many instantiations
+ * possible.
*/
if (!app_none && app_socket >= 0) {
FD_SET(app_socket, rfds);
@@ -514,7 +522,8 @@ main(int argc, char *argv[])
transport_send_messages(wfds);
if (FD_ISSET(ui_socket, rfds))
ui_handler();
- if (!app_none && app_socket >= 0 && FD_ISSET(app_socket, rfds))
+ if (!app_none && app_socket >= 0 &&
+ FD_ISSET(app_socket, rfds))
app_handler();
}
timer_handle_expirations();
diff --git a/sbin/isakmpd/key.c b/sbin/isakmpd/key.c
index 168188a8b32..cfd9f7ac6dd 100644
--- a/sbin/isakmpd/key.c
+++ b/sbin/isakmpd/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.16 2004/05/23 16:13:39 deraadt Exp $ */
+/* $OpenBSD: key.c,v 1.17 2004/05/23 18:17:56 hshoexer Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -49,43 +49,45 @@ key_free(int type, int private, void *key)
/* Convert from internal form to serialized */
void
-key_serialize(int type, int private, void *key, u_int8_t **data, size_t *datalenp)
+key_serialize(int type, int private, void *key, u_int8_t **data,
+ size_t *datalenp)
{
u_int8_t *p;
size_t datalen;
switch (type) {
case ISAKMP_KEY_PASSPHRASE:
- *datalenp = strlen((char *) key);
- *data = (u_int8_t *) strdup((char *) key);
+ *datalenp = strlen((char *)key);
+ *data = (u_int8_t *)strdup((char *)key);
break;
case ISAKMP_KEY_RSA:
switch (private) {
case ISAKMP_KEYTYPE_PUBLIC:
- datalen = i2d_RSAPublicKey((RSA *) key, NULL);
+ datalen = i2d_RSAPublicKey((RSA *)key, NULL);
*data = p = malloc(datalen);
if (!p) {
log_error("key_serialize: malloc (%lu) failed",
- (unsigned long) datalen);
+ (unsigned long)datalen);
return;
}
*datalenp = i2d_RSAPublicKey((RSA *) key, &p);
break;
case ISAKMP_KEYTYPE_PRIVATE:
- datalen = i2d_RSAPrivateKey((RSA *) key, NULL);
+ datalen = i2d_RSAPrivateKey((RSA *)key, NULL);
*data = p = malloc(datalen);
if (!p) {
log_error("key_serialize: malloc (%lu) failed",
- (unsigned long) datalen);
+ (unsigned long)datalen);
return;
}
- *datalenp = i2d_RSAPrivateKey((RSA *) key, &p);
+ *datalenp = i2d_RSAPrivateKey((RSA *)key, &p);
break;
}
break;
default:
- log_error("key_serialize: unknown/unsupported key type %d", type);
+ log_error("key_serialize: unknown/unsupported key type %d",
+ type);
break;
}
}
@@ -94,12 +96,12 @@ key_serialize(int type, int private, void *key, u_int8_t **data, size_t *datalen
char *
key_printable(int type, int private, u_int8_t *data, int datalen)
{
- char *s;
- int i;
+ char *s;
+ int i;
switch (type) {
case ISAKMP_KEY_PASSPHRASE:
- return strdup((char *) data);
+ return strdup((char *)data);
case ISAKMP_KEY_RSA:
s = malloc(datalen * 2 + 1);
@@ -114,7 +116,8 @@ key_printable(int type, int private, u_int8_t *data, int datalen)
return s;
default:
- log_error("key_printable: unknown/unsupported key type %d", type);
+ log_error("key_printable: unknown/unsupported key type %d",
+ type);
return 0;
}
}
@@ -125,7 +128,7 @@ key_internalize(int type, int private, u_int8_t *data, int datalen)
{
switch (type) {
case ISAKMP_KEY_PASSPHRASE:
- return strdup((char *) data);
+ return strdup((char *)data);
case ISAKMP_KEY_RSA:
switch (private) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
@@ -170,10 +173,11 @@ key_from_printable(int type, int private, char *key, u_int8_t **data,
break;
case ISAKMP_KEY_RSA:
- datalen = (strlen(key) + 1) / 2; /* Round up, just in case */
+ datalen = (strlen(key) + 1) / 2; /* Round up, just in case */
*data = malloc(datalen);
if (!*data) {
- log_error("key_from_printable: malloc (%d) failed", datalen);
+ log_error("key_from_printable: malloc (%d) failed",
+ datalen);
*datalenp = 0;
return;
}
@@ -181,7 +185,8 @@ key_from_printable(int type, int private, char *key, u_int8_t **data,
break;
default:
- log_error("key_from_printable: unknown/unsupported key type %d", type);
+ log_error("key_from_printable: unknown/unsupported key type %d",
+ type);
*data = NULL;
*datalenp = 0;
break;
diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c
index c48b8771eaa..55ac7c1abc8 100644
--- a/sbin/isakmpd/log.c
+++ b/sbin/isakmpd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.43 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: log.c,v 1.44 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
@@ -135,8 +135,8 @@ log_reinit(void)
for (class = 0; class < LOG_ENDCLASS; class++)
log_debug_cmd(class, level);
else {
- log_print("init: invalid logging class or level: %s",
- logclass->field);
+ log_print("init: invalid logging class or "
+ "level: %s", logclass->field);
continue;
}
} else
@@ -190,13 +190,15 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap,
len = vsnprintf(buffer, sizeof buffer, fmt, ap);
if (len > 0 && len < (int) sizeof buffer - 1 && error)
- snprintf(buffer + len, sizeof buffer - len, ": %s", strerror(errno));
+ snprintf(buffer + len, sizeof buffer - len, ": %s",
+ strerror(errno));
if (log_output) {
gettimeofday(&now, 0);
t = now.tv_sec;
tm = localtime(&t);
if (class >= 0)
- snprintf(nbuf, sizeof nbuf, "%02d%02d%02d.%06ld %s %02d ",
+ snprintf(nbuf, sizeof nbuf,
+ "%02d%02d%02d.%06ld %s %02d ",
tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec,
_log_get_class(class), level);
else /* LOG_PRINT (-1) or LOG_REPORT (-2) */
@@ -215,9 +217,11 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap,
fprintf(log_output, fallback_msg, errno);
/*
- * Close log_output to prevent isakmpd from locking the file.
- * We may need to explicitly close stdout to do this properly.
- * XXX - Figure out how to match two FILE *'s and rewrite.
+ * Close log_output to prevent isakmpd from locking
+ * the file. We may need to explicitly close stdout
+ * to do this properly.
+ * XXX - Figure out how to match two FILE *'s and
+ * rewrite.
*/
if (fileno(log_output) != -1 &&
fileno(stdout) == fileno(log_output))
@@ -232,8 +236,8 @@ _log_print(int error, int syslog_level, const char *fmt, va_list ap,
syslog_level, "%s", buffer);
}
} else
- syslog(class == LOG_REPORT ? LOG_ALERT : syslog_level,
- "%s", buffer);
+ syslog(class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s",
+ buffer);
}
#ifdef USE_DEBUG
@@ -243,7 +247,8 @@ log_debug(int cls, int level, const char *fmt, ...)
va_list ap;
/*
- * If we are not debugging this class, or the level is too low, just return.
+ * If we are not debugging this class, or the level is too low, just
+ * return.
*/
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
@@ -260,7 +265,8 @@ log_debug_buf(int cls, int level, const char *header, const u_int8_t *buf,
char s[73];
/*
- * If we are not debugging this class, or the level is too low, just return.
+ * If we are not debugging this class, or the level is too low, just
+ * return.
*/
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
@@ -292,15 +298,16 @@ log_debug_cmd(int cls, int level)
return;
}
if (level < 0) {
- log_print("log_debug_cmd: invalid debugging level %d for class %d",
- level, cls);
+ log_print("log_debug_cmd: invalid debugging level %d for "
+ "class %d", level, cls);
return;
}
if (level == log_level[cls])
- log_print("log_debug_cmd: log level unchanged for class %d", cls);
+ log_print("log_debug_cmd: log level unchanged for class %d",
+ cls);
else {
- log_print("log_debug_cmd: log level changed from %d to %d for class %d",
- log_level[cls], level, cls);
+ log_print("log_debug_cmd: log level changed from %d to %d "
+ "for class %d", log_level[cls], level, cls);
log_level[cls] = level;
}
}
@@ -325,7 +332,7 @@ log_debug_toggle(void)
void
log_print(const char *fmt, ...)
{
- va_list ap;
+ va_list ap;
va_start(ap, fmt);
_log_print(0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0);
@@ -335,9 +342,9 @@ log_print(const char *fmt, ...)
void
log_verbose(const char *fmt, ...)
{
- va_list ap;
+ va_list ap;
#ifdef USE_DEBUG
- int i;
+ int i;
#endif /* USE_DEBUG */
if (verbose_logging == 0)
@@ -357,7 +364,7 @@ log_verbose(const char *fmt, ...)
void
log_error(const char *fmt, ...)
{
- va_list ap;
+ va_list ap;
va_start(ap, fmt);
_log_print(1, LOG_ERR, fmt, ap, LOG_PRINT, 0);
@@ -367,7 +374,7 @@ log_error(const char *fmt, ...)
void
log_fatal(const char *fmt, ...)
{
- va_list ap;
+ va_list ap;
va_start(ap, fmt);
_log_print(1, LOG_CRIT, fmt, ap, LOG_PRINT, 0);
@@ -458,8 +465,8 @@ void
log_packet_restart(char *newname)
{
if (packet_log) {
- log_print("log_packet_restart: capture already active on file \"%s\"",
- pcaplog_file);
+ log_print("log_packet_restart: capture already active on "
+ "file \"%s\"", pcaplog_file);
return;
}
if (newname)
@@ -482,7 +489,7 @@ log_packet_stop(void)
}
void
-log_packet_iov(struct sockaddr * src, struct sockaddr * dst, struct iovec * iov,
+log_packet_iov(struct sockaddr *src, struct sockaddr *dst, struct iovec *iov,
int iovcnt)
{
struct isakmp_hdr *isakmphdr;
@@ -528,8 +535,10 @@ log_packet_iov(struct sockaddr * src, struct sockaddr * dst, struct iovec * iov,
goto setup_ip4;
case AF_INET:
- hdr.ip.ip4.ip_src.s_addr = ((struct sockaddr_in *) src)->sin_addr.s_addr;
- hdr.ip.ip4.ip_dst.s_addr = ((struct sockaddr_in *) dst)->sin_addr.s_addr;
+ hdr.ip.ip4.ip_src.s_addr =
+ ((struct sockaddr_in *)src)->sin_addr.s_addr;
+ hdr.ip.ip4.ip_dst.s_addr =
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr;
setup_ip4:
hdrlen = sizeof hdr.ip.ip4;
@@ -550,9 +559,11 @@ setup_ip4:
hdr.ip.ip6.ip6_vfc = IPV6_VERSION;
hdr.ip.ip6.ip6_nxt = IPPROTO_UDP;
hdr.ip.ip6.ip6_plen = udp.uh_ulen;
- memcpy(&hdr.ip.ip6.ip6_src, &((struct sockaddr_in6 *) src)->sin6_addr,
+ memcpy(&hdr.ip.ip6.ip6_src,
+ &((struct sockaddr_in6 *)src)->sin6_addr,
sizeof hdr.ip.ip6.ip6_src);
- memcpy(&hdr.ip.ip6.ip6_dst, &((struct sockaddr_in6 *) dst)->sin6_addr,
+ memcpy(&hdr.ip.ip6.ip6_dst,
+ &((struct sockaddr_in6 *)dst)->sin6_addr,
sizeof hdr.ip.ip6.ip6_dst);
break;
}
@@ -641,7 +652,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
sum += phu.pa[i / 2];
sp = (u_int16_t *) u;
- for (i = 0; i < (int) sizeof(struct udphdr); i += 2)
+ for (i = 0; i < (int)sizeof(struct udphdr); i += 2)
sum += *sp++;
sp = d;
@@ -649,7 +660,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
sum += *sp++;
if (tlen & 1)
- sum += htons((*(const char *) sp) << 8);
+ sum += htons((*(const char *)sp) << 8);
while (sum > 0xffff)
sum = (sum & 0xffff) + (sum >> 16);
@@ -662,7 +673,7 @@ udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
static u_int16_t
in_cksum(const u_int16_t *w, int len)
{
- int nleft = len, sum = 0;
+ int nleft = len, sum = 0;
u_int16_t answer;
while (nleft > 1) {
diff --git a/sbin/isakmpd/log.h b/sbin/isakmpd/log.h
index 1efa9e78d0e..dc36f5d144d 100644
--- a/sbin/isakmpd/log.h
+++ b/sbin/isakmpd/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.20 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: log.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */
/*
@@ -66,19 +66,18 @@ enum log_classes {
#define LOG_DBG(x) log_debug x
#define LOG_DBG_BUF(x) log_debug_buf x
-extern void
-log_debug(int, int, const char *,...)
-__attribute__((__format__(__printf__, 3, 4)));
- extern void log_debug_buf(int, int, const char *, const u_int8_t *, size_t);
- extern void log_debug_cmd(int, int);
- extern void log_debug_toggle(void);
+extern void log_debug(int, int, const char *,...)
+ __attribute__((__format__(__printf__, 3, 4)));
+extern void log_debug_buf(int, int, const char *, const u_int8_t *, size_t);
+extern void log_debug_cmd(int, int);
+extern void log_debug_toggle(void);
#define PCAP_FILE_DEFAULT "/var/run/isakmpd.pcap"
- extern void log_packet_init(char *);
- extern void log_packet_iov(struct sockaddr *, struct sockaddr *,
+extern void log_packet_init(char *);
+extern void log_packet_iov(struct sockaddr *, struct sockaddr *,
struct iovec *, int);
- extern void log_packet_restart(char *);
- extern void log_packet_stop(void);
+extern void log_packet_restart(char *);
+extern void log_packet_stop(void);
#else /* !USE_DEBUG */
@@ -88,17 +87,16 @@ __attribute__((__format__(__printf__, 3, 4)));
#endif /* USE_DEBUG */
extern FILE *log_current(void);
-extern void
-log_error(const char *,...)
-__attribute__((__format__(__printf__, 1, 2)));
- extern void log_fatal(const char *,...)
- __attribute__((__format__(__printf__, 1, 2)));
- extern void log_print(const char *,...)
- __attribute__((__format__(__printf__, 1, 2)));
- extern void log_verbose(const char *,...)
- __attribute__((__format__(__printf__, 1, 2)));
- extern void log_to(FILE *);
- extern void log_init(int);
- extern void log_reinit(void);
+extern void log_error(const char *,...)
+ __attribute__((__format__(__printf__, 1, 2)));
+extern void log_fatal(const char *,...)
+ __attribute__((__format__(__printf__, 1, 2)));
+extern void log_print(const char *,...)
+ __attribute__((__format__(__printf__, 1, 2)));
+extern void log_verbose(const char *,...)
+ __attribute__((__format__(__printf__, 1, 2)));
+extern void log_to(FILE *);
+extern void log_init(int);
+extern void log_reinit(void);
#endif /* _LOG_H_ */
diff --git a/sbin/isakmpd/math_2n.c b/sbin/isakmpd/math_2n.c
index c5e37b3a27e..78a041e62fe 100644
--- a/sbin/isakmpd/math_2n.c
+++ b/sbin/isakmpd/math_2n.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_2n.c,v 1.14 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: math_2n.c,v 1.15 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: math_2n.c,v 1.15 1999/04/20 09:23:30 niklas Exp $ */
/*
@@ -65,7 +65,7 @@ CHUNK_TYPE b2n_mask[CHUNK_BITS] = {
};
/* Convert a hex character to its integer value. */
-static u_int8_t
+static u_int8_t
hex2int(char c)
{
if (c <= '9')
@@ -86,7 +86,7 @@ b2n_random(b2n_ptr n, u_int32_t bits)
/* Get the number of significant bits right */
if (bits & CHUNK_MASK) {
- CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;
+ CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;
n->limp[n->chunks - 1] &= m;
}
n->dirty = 1;
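Review bot: The mask on the re-wrapped line is built from the `int` literal `1`, so `1 << ((bits & CHUNK_MASK) - 1)` is evaluated at `int` width no matter what `CHUNK_TYPE` is; if CHUNK_BITS is 64 the shift count can reach 62, which is undefined for `int` and yields a wrong mask, leaving high bits of the top limb unmasked. Using the chunk type for the literal makes the expression correct for any chunk width: `CHUNK_TYPE m = ((((CHUNK_TYPE)1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1;`. I cannot see CHUNK_BITS from here, so this is harmless if it is 32 or less; b2n_random starts before the hunk.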
@@ -169,7 +169,7 @@ int
b2n_set_ui(b2n_ptr n, unsigned int val)
{
#if CHUNK_BITS < 32
- int i, chunks;
+ int i, chunks;
chunks = (CHUNK_BYTES - 1 + sizeof(val)) / CHUNK_BYTES;
@@ -193,7 +193,7 @@ b2n_set_ui(b2n_ptr n, unsigned int val)
int
b2n_set_str(b2n_ptr n, char *str)
{
- int i, j, w, len, chunks;
+ int i, j, w, len, chunks;
CHUNK_TYPE tmp;
if (strncasecmp(str, "0x", 2))
@@ -216,8 +216,8 @@ b2n_set_str(b2n_ptr n, char *str)
for (w = 0, i = 0; i < chunks; i++) {
tmp = 0;
- for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES); j > 0;
- j--) {
+ for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES);
+ j > 0; j--) {
tmp <<= 8;
tmp |= (hex2int(str[w]) << 4) | hex2int(str[w + 1]);
w += 2;
@@ -281,9 +281,10 @@ b2n_snprint(char *buf, size_t sz, b2n_ptr n)
tmp >>= 8;
}
- for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0 && k < sz - 3; j--)
+ for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0
+ && k < sz - 3; j--)
if (flag || (i == n->chunks - 1 && j == 0) ||
- buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') {
+ buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') {
buf[k++] = buffer[2 * j];
buf[k++] = buffer[2 * j + 1];
flag = 1;
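Review bot: The loop bound `k < sz - 3` on the re-wrapped line underflows when `sz` (a `size_t` per the hunk header) is below 3, turning the limit into a huge value so the two `buf[k++]` stores can run past `buf`; nothing in this hunk rejects a small `sz`, and the start of b2n_snprint is outside the hunk, so if no earlier guard exists one should bail out on `sz < 3` using whatever the function returns on error. Even with a guard, a one-line comment that the `- 3` reserves room for a hex-digit pair plus the terminating NUL (which I presume is written after the loop) would make the bound readable.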
@@ -299,7 +300,7 @@ b2n_snprint(char *buf, size_t sz, b2n_ptr n)
u_int32_t
b2n_sigbit(b2n_ptr n)
{
- int i, j;
+ int i, j;
if (!n->dirty)
return n->bits;
@@ -367,8 +368,8 @@ b2n_add(b2n_ptr d, b2n_ptr a, b2n_ptr b)
int
b2n_cmp(b2n_ptr n, b2n_ptr m)
{
- int sn, sm;
- int i;
+ int sn, sm;
+ int i;
sn = b2n_sigbit(n);
sm = b2n_sigbit(m);
@@ -390,7 +391,7 @@ b2n_cmp(b2n_ptr n, b2n_ptr m)
int
b2n_cmp_null(b2n_ptr a)
{
- int i = 0;
+ int i = 0;
do {
if (a->limp[i])
@@ -416,7 +417,7 @@ b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s)
min = s & CHUNK_MASK;
add = (!(bits & CHUNK_MASK) || ((bits & CHUNK_MASK) + min) > CHUNK_MASK)
- ? 1 : 0;
+ ? 1 : 0;
chunks = n->chunks;
if (b2n_resize(d, chunks + maj + add))
return -1;
@@ -448,8 +449,8 @@ b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s)
int
b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s)
{
- int maj, min, size = n->chunks, newsize;
- b2n_ptr tmp;
+ int maj, min, size = n->chunks, newsize;
+ b2n_ptr tmp;
if (!s)
return b2n_set(d, n);
@@ -484,8 +485,8 @@ b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s)
int
b2n_mul(b2n_ptr d, b2n_ptr n, b2n_ptr m)
{
- int i, j;
- b2n_t tmp, tmp2;
+ int i, j;
+ b2n_t tmp, tmp2;
if (!b2n_cmp_null(m) || !b2n_cmp_null(n))
return b2n_set_null(d);
@@ -537,8 +538,8 @@ fail:
int
b2n_square(b2n_ptr d, b2n_ptr n)
{
- int i, j, maj, min, bits, chunk;
- b2n_t t;
+ int i, j, maj, min, bits, chunk;
+ b2n_t t;
maj = b2n_sigbit(n);
min = maj & CHUNK_MASK;
@@ -580,8 +581,8 @@ b2n_square(b2n_ptr d, b2n_ptr n)
int
b2n_div_q(b2n_ptr d, b2n_ptr n, b2n_ptr m)
{
- b2n_t r;
- int rv;
+ b2n_t r;
+ int rv;
b2n_init(r);
rv = b2n_div(d, r, n, m);
@@ -592,8 +593,8 @@ b2n_div_q(b2n_ptr d, b2n_ptr n, b2n_ptr m)
int
b2n_div_r(b2n_ptr r, b2n_ptr n, b2n_ptr m)
{
- b2n_t q;
- int rv;
+ b2n_t q;
+ int rv;
b2n_init(q);
rv = b2n_div(q, r, n, m);
@@ -604,9 +605,9 @@ b2n_div_r(b2n_ptr r, b2n_ptr n, b2n_ptr m)
int
b2n_div(b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m)
{
- int i, j, len, bits;
- u_int32_t sm, sn;
- b2n_t nenn, div, shift, mask;
+ int i, j, len, bits;
+ u_int32_t sm, sn;
+ b2n_t nenn, div, shift, mask;
/* If Teiler > Zaehler, the result is 0 */
if ((sm = b2n_sigbit(m)) > (sn = b2n_sigbit(n))) {
@@ -651,8 +652,8 @@ b2n_div(b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m)
/* The first iteration is done over the relevant bits */
bits = (CHUNK_MASK + sn) & CHUNK_MASK;
for (i = len; i >= 0 && b2n_sigbit(nenn) >= sm; i--)
- for (j = (i == len ? bits : CHUNK_MASK); j >= 0 && b2n_sigbit(nenn) >= sm;
- j--) {
+ for (j = (i == len ? bits : CHUNK_MASK); j >= 0
+ && b2n_sigbit(nenn) >= sm; j--) {
if (nenn->limp[i] & b2n_mask[j]) {
if (b2n_sub(nenn, nenn, shift))
goto fail;
@@ -685,7 +686,7 @@ fail:
int
b2n_mod(b2n_ptr m, b2n_ptr n, b2n_ptr p)
{
- int bits, size;
+ int bits, size;
if (b2n_div_r(m, n, p))
return -1;
@@ -706,7 +707,7 @@ b2n_mod(b2n_ptr m, b2n_ptr n, b2n_ptr p)
int
b2n_gcd(b2n_ptr e, b2n_ptr go, b2n_ptr ho)
{
- b2n_t g, h;
+ b2n_t g, h;
b2n_init(g);
b2n_init(h);
@@ -736,7 +737,7 @@ fail:
int
b2n_mul_inv(b2n_ptr ga, b2n_ptr be, b2n_ptr p)
{
- b2n_t a;
+ b2n_t a;
b2n_init(a);
if (b2n_set_ui(a, 1))
@@ -756,7 +757,7 @@ fail:
int
b2n_div_mod(b2n_ptr ga, b2n_ptr a, b2n_ptr be, b2n_ptr p)
{
- b2n_t s0, s1, s2, q, r0, r1;
+ b2n_t s0, s1, s2, q, r0, r1;
/* There is no multiplicative inverse to Null. */
if (!b2n_cmp_null(be))
@@ -823,8 +824,8 @@ fail:
int
b2n_trace(b2n_ptr ho, b2n_ptr a, b2n_ptr p)
{
- int i, m = b2n_sigbit(p) - 1;
- b2n_t h;
+ int i, m = b2n_sigbit(p) - 1;
+ b2n_t h;
b2n_init(h);
if (b2n_set(h, a))
@@ -856,8 +857,8 @@ fail:
int
b2n_halftrace(b2n_ptr ho, b2n_ptr a, b2n_ptr p)
{
- int i, m = b2n_sigbit(p) - 1;
- b2n_t h;
+ int i, m = b2n_sigbit(p) - 1;
+ b2n_t h;
b2n_init(h);
if (b2n_set(h, a))
@@ -894,8 +895,8 @@ fail:
int
b2n_sqrt(b2n_ptr zo, b2n_ptr b, b2n_ptr ip)
{
- int i, m = b2n_sigbit(ip) - 1;
- b2n_t w, p, temp, z;
+ int i, m = b2n_sigbit(ip) - 1;
+ b2n_t w, p, temp, z;
if (!b2n_cmp_null(b))
return b2n_set_null(z);
@@ -960,7 +961,7 @@ fail:
int
b2n_exp_mod(b2n_ptr d, b2n_ptr b0, u_int32_t e, b2n_ptr p)
{
- b2n_t u, b;
+ b2n_t u, b;
b2n_init(u);
b2n_init(b);
@@ -1005,9 +1006,9 @@ fail:
int
b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0)
{
- int i, carry;
- b2n_ptr a, b;
- b2n_t d;
+ int i, carry;
+ b2n_ptr a, b;
+ b2n_t d;
if (!b2n_cmp_null(a0))
return b2n_set(d0, b0);
@@ -1047,8 +1048,8 @@ b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0)
int
b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b)
{
- int i, carry;
- b2n_t d;
+ int i, carry;
+ b2n_t d;
if (b2n_cmp(a, b) <= 0)
return b2n_set_null(d0);
@@ -1082,7 +1083,7 @@ b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b)
int
b2n_3mul(b2n_ptr d0, b2n_ptr e)
{
- b2n_t d;
+ b2n_t d;
b2n_init(d);
if (b2n_lshift(d, e, 1))
diff --git a/sbin/isakmpd/math_ec2n.c b/sbin/isakmpd/math_ec2n.c
index 5843ba1c8b3..c06b37cb311 100644
--- a/sbin/isakmpd/math_ec2n.c
+++ b/sbin/isakmpd/math_ec2n.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_ec2n.c,v 1.10 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: math_ec2n.c,v 1.11 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: math_ec2n.c,v 1.9 1999/04/20 09:23:31 niklas Exp $ */
/*
@@ -98,7 +98,7 @@ ec2ng_set(ec2ng_ptr d, ec2ng_ptr n)
int
ec2np_right(b2n_ptr n, ec2np_ptr p, ec2ng_ptr g)
{
- b2n_t temp;
+ b2n_t temp;
b2n_init(temp);
@@ -134,9 +134,8 @@ fail:
int
ec2np_ison(ec2np_ptr p, ec2ng_ptr g)
{
- int res;
-
- b2n_t x, y, temp;
+ int res;
+ b2n_t x, y, temp;
if (p->inf)
return 1;
@@ -180,7 +179,7 @@ fail:
int
ec2np_find_y(ec2np_ptr p, ec2ng_ptr g)
{
- b2n_t right;
+ b2n_t right;
b2n_init(right);
@@ -217,8 +216,8 @@ fail:
int
ec2np_add(ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g)
{
- b2n_t lambda, temp;
- ec2np_t pn;
+ b2n_t lambda, temp;
+ ec2np_t pn;
/* Check for Neutral Element */
if (b->inf)
@@ -226,7 +225,8 @@ ec2np_add(ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g)
if (a->inf)
return ec2np_set(d, b);
- if (!b2n_cmp(a->x, b->x) && (b2n_cmp(a->y, b->y) || !b2n_cmp_null(a->x))) {
+ if (!b2n_cmp(a->x, b->x) && (b2n_cmp(a->y, b->y) ||
+ !b2n_cmp_null(a->x))) {
d->inf = 1;
if (b2n_set_null(d->x))
return -1;
@@ -303,9 +303,9 @@ fail:
int
ec2np_mul(ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g)
{
- int i, j, bits, start;
- b2n_t h, k;
- ec2np_t q, mina;
+ int i, j, bits, start;
+ b2n_t h, k;
+ ec2np_t q, mina;
if (!b2n_cmp_null(e)) {
d->inf = 1;
@@ -356,10 +356,12 @@ ec2np_mul(ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g)
if (i > 0 || j > 0) {
if (ec2np_add(q, q, q, g))
goto fail;
- if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i] & b2n_mask[j])) {
+ if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i]
+ & b2n_mask[j])) {
if (ec2np_add(q, q, a, g))
goto fail;
- } else if (!(h->limp[i] & b2n_mask[j]) && (k->limp[i] & b2n_mask[j]))
+ } else if (!(h->limp[i] & b2n_mask[j])
+ && (k->limp[i] & b2n_mask[j]))
if (ec2np_add(q, q, mina, g))
goto fail;
}
diff --git a/sbin/isakmpd/math_ec2n.h b/sbin/isakmpd/math_ec2n.h
index 078eb4b19d9..247f84aecc5 100644
--- a/sbin/isakmpd/math_ec2n.h
+++ b/sbin/isakmpd/math_ec2n.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_ec2n.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: math_ec2n.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: math_ec2n.h,v 1.4 1999/04/17 23:20:37 niklas Exp $ */
/*
@@ -54,9 +54,9 @@ typedef _ec2n_point ec2np_t[1];
} \
while (0)
-void ec2np_init(ec2np_ptr);
-void ec2np_clear(ec2np_ptr);
-int ec2np_set(ec2np_ptr, ec2np_ptr);
+void ec2np_init(ec2np_ptr);
+void ec2np_clear(ec2np_ptr);
+int ec2np_set(ec2np_ptr, ec2np_ptr);
#define ec2np_set_x_ui(n, y) b2n_set_ui ((n)->x, y)
#define ec2np_set_y_ui(n, x) b2n_set_ui ((n)->y, x)
@@ -72,9 +72,9 @@ typedef struct {
typedef _ec2n_group *ec2ng_ptr;
typedef _ec2n_group ec2ng_t[1];
-void ec2ng_init(ec2ng_ptr);
-void ec2ng_clear(ec2ng_ptr);
-int ec2ng_set(ec2ng_ptr, ec2ng_ptr);
+void ec2ng_init(ec2ng_ptr);
+void ec2ng_clear(ec2ng_ptr);
+int ec2ng_set(ec2ng_ptr, ec2ng_ptr);
#define ec2ng_set_a_ui(n, x) b2n_set_ui ((n)->a, x)
#define ec2ng_set_b_ui(n, x) b2n_set_ui ((n)->b, x)
@@ -85,10 +85,10 @@ int ec2ng_set(ec2ng_ptr, ec2ng_ptr);
/* Functions for computing on the elliptic group. */
-int ec2np_add(ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr);
-int ec2np_find_y(ec2np_ptr, ec2ng_ptr);
-int ec2np_ison(ec2np_ptr, ec2ng_ptr);
-int ec2np_mul(ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr);
-int ec2np_right(b2n_ptr n, ec2np_ptr, ec2ng_ptr);
+int ec2np_add(ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr);
+int ec2np_find_y(ec2np_ptr, ec2ng_ptr);
+int ec2np_ison(ec2np_ptr, ec2ng_ptr);
+int ec2np_mul(ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr);
+int ec2np_right(b2n_ptr n, ec2np_ptr, ec2ng_ptr);
#endif /* _MATH_2N_H_ */
diff --git a/sbin/isakmpd/math_group.c b/sbin/isakmpd/math_group.c
index 124a58b97d1..c723a81d1a4 100644
--- a/sbin/isakmpd/math_group.c
+++ b/sbin/isakmpd/math_group.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: math_group.c,v 1.21 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: math_group.c,v 1.22 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: math_group.c,v 1.25 2000/04/07 19:53:26 niklas Exp $ */
/*
@@ -44,17 +44,17 @@
#include "math_mp.h"
/* We do not want to export these definitions. */
-int modp_getlen(struct group *);
-void modp_getraw(struct group *, math_mp_t, u_int8_t *);
-int modp_setraw(struct group *, math_mp_t, u_int8_t *, int);
-int modp_setrandom(struct group *, math_mp_t);
-int modp_operation(struct group *, math_mp_t, math_mp_t, math_mp_t);
-
-int ec2n_getlen(struct group *);
-void ec2n_getraw(struct group *, ec2np_ptr, u_int8_t *);
-int ec2n_setraw(struct group *, ec2np_ptr, u_int8_t *, int);
-int ec2n_setrandom(struct group *, ec2np_ptr);
-int ec2n_operation(struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr);
+int modp_getlen(struct group *);
+void modp_getraw(struct group *, math_mp_t, u_int8_t *);
+int modp_setraw(struct group *, math_mp_t, u_int8_t *, int);
+int modp_setrandom(struct group *, math_mp_t);
+int modp_operation(struct group *, math_mp_t, math_mp_t, math_mp_t);
+
+int ec2n_getlen(struct group *);
+void ec2n_getraw(struct group *, ec2np_ptr, u_int8_t *);
+int ec2n_setraw(struct group *, ec2np_ptr, u_int8_t *, int);
+int ec2n_setrandom(struct group *, ec2np_ptr);
+int ec2n_operation(struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr);
struct ec2n_group {
ec2np_t gen; /* Generator */
@@ -280,17 +280,17 @@ struct modp_dscr oakley_modp[] =
*/
struct ec2n_dscr oakley_ec2n[] = {
- {OAKLEY_GRP_3, 76, /* This group is also considered insecure
+ { OAKLEY_GRP_3, 76, /* This group is also considered insecure
* (P1363) */
- "0x0800000000000000000000004000000000000001",
- "0x7b",
- "0x00",
- "0x7338f"},
- {OAKLEY_GRP_4, 91,
- "0x020000000000000000000000000000200000000000000001",
- "0x18",
- "0x00",
- "0x1ee9"},
+ "0x0800000000000000000000004000000000000001",
+ "0x7b",
+ "0x00",
+ "0x7338f" },
+ { OAKLEY_GRP_4, 91,
+ "0x020000000000000000000000000000200000000000000001",
+ "0x18",
+ "0x00",
+ "0x1ee9" },
};
#endif /* USE_EC */
@@ -424,7 +424,7 @@ struct group groups[] = {
void
group_init(void)
{
- int i;
+ int i;
for (i = sizeof(groups) / sizeof(groups[0]) - 1; i >= 0; i--)
switch (groups[i].type) {
@@ -442,13 +442,13 @@ group_init(void)
break;
default:
- log_print("Unknown group type %d at index %d in group_init().",
- groups[i].type, i);
+ log_print("Unknown group type %d at index %d in "
+ "group_init().", groups[i].type, i);
break;
}
}
-struct group *
+struct group *
group_get(u_int32_t id)
{
struct group *new, *clone;
@@ -461,7 +461,8 @@ group_get(u_int32_t id)
new = malloc(sizeof *new);
if (!new) {
- log_error("group_get: malloc (%lu) failed", (unsigned long) sizeof *new);
+ log_error("group_get: malloc (%lu) failed",
+ (unsigned long)sizeof *new);
return 0;
}
switch (clone->type) {
@@ -484,7 +485,7 @@ group_get(u_int32_t id)
}
void
-group_free(struct group * grp)
+group_free(struct group *grp)
{
switch (grp->type) {
#ifdef USE_EC
@@ -502,15 +503,15 @@ group_free(struct group * grp)
free(grp);
}
-struct group *
-modp_clone(struct group * new, struct group * clone)
+struct group *
+modp_clone(struct group *new, struct group *clone)
{
struct modp_group *new_grp, *clone_grp = clone->group;
new_grp = malloc(sizeof *new_grp);
if (!new_grp) {
log_print("modp_clone: malloc (%lu) failed",
- (unsigned long) sizeof *new_grp);
+ (unsigned long)sizeof *new_grp);
free(new);
return 0;
}
@@ -542,7 +543,7 @@ modp_clone(struct group * new, struct group * clone)
}
void
-modp_free(struct group * old)
+modp_free(struct group *old)
{
struct modp_group *grp = old->group;
@@ -564,14 +565,15 @@ modp_free(struct group * old)
}
void
-modp_init(struct group * group)
+modp_init(struct group *group)
{
- struct modp_dscr *dscr = (struct modp_dscr *) group->group;
+ struct modp_dscr *dscr = (struct modp_dscr *)group->group;
struct modp_group *grp;
grp = malloc(sizeof *grp);
if (!grp)
- log_fatal("modp_init: malloc (%lu) failed", (unsigned long) sizeof *grp);
+ log_fatal("modp_init: malloc (%lu) failed",
+ (unsigned long)sizeof *grp);
group->bits = dscr->bits;
@@ -602,15 +604,15 @@ modp_init(struct group * group)
}
#ifdef USE_EC
-struct group *
-ec2n_clone(struct group * new, struct group * clone)
+struct group *
+ec2n_clone(struct group *new, struct group *clone)
{
struct ec2n_group *new_grp, *clone_grp = clone->group;
new_grp = malloc(sizeof *new_grp);
if (!new_grp) {
log_error("ec2n_clone: malloc (%lu) failed",
- (unsigned long) sizeof *new_grp);
+ (unsigned long)sizeof *new_grp);
free(new);
return 0;
}
@@ -648,7 +650,7 @@ fail:
}
void
-ec2n_free(struct group * old)
+ec2n_free(struct group *old)
{
struct ec2n_group *grp = old->group;
@@ -662,14 +664,15 @@ ec2n_free(struct group * old)
}
void
-ec2n_init(struct group * group)
+ec2n_init(struct group *group)
{
- struct ec2n_dscr *dscr = (struct ec2n_dscr *) group->group;
+ struct ec2n_dscr *dscr = (struct ec2n_dscr *)group->group;
struct ec2n_group *grp;
grp = malloc(sizeof *grp);
if (!grp)
- log_fatal("ec2n_init: malloc (%lu) failed", (unsigned long) sizeof *grp);
+ log_fatal("ec2n_init: malloc (%lu) failed",
+ (unsigned long)sizeof *grp);
group->bits = dscr->bits;
@@ -711,28 +714,28 @@ fail:
#endif /* USE_EC */
int
-modp_getlen(struct group * group)
+modp_getlen(struct group *group)
{
- struct modp_group *grp = (struct modp_group *) group->group;
+ struct modp_group *grp = (struct modp_group *)group->group;
return mpz_sizeinoctets(grp->p);
}
void
-modp_getraw(struct group * grp, math_mp_t v, u_int8_t * d)
+modp_getraw(struct group *grp, math_mp_t v, u_int8_t *d)
{
mpz_getraw(d, v, grp->getlen(grp));
}
int
-modp_setraw(struct group * grp, math_mp_t d, u_int8_t * s, int l)
+modp_setraw(struct group *grp, math_mp_t d, u_int8_t *s, int l)
{
mpz_setraw(d, s, l);
return 0;
}
int
-modp_setrandom(struct group * grp, math_mp_t d)
+modp_setrandom(struct group *grp, math_mp_t d)
{
int i, l = grp->getlen(grp);
u_int32_t tmp = 0;
@@ -760,9 +763,9 @@ modp_setrandom(struct group * grp, math_mp_t d)
}
int
-modp_operation(struct group * group, math_mp_t d, math_mp_t a, math_mp_t e)
+modp_operation(struct group *group, math_mp_t d, math_mp_t a, math_mp_t e)
{
- struct modp_group *grp = (struct modp_group *) group->group;
+ struct modp_group *grp = (struct modp_group *)group->group;
#if MP_FLAVOUR == MP_FLAVOUR_GMP
mpz_powm(d, a, e, grp->p);
@@ -776,16 +779,16 @@ modp_operation(struct group * group, math_mp_t d, math_mp_t a, math_mp_t e)
#ifdef USE_EC
int
-ec2n_getlen(struct group * group)
+ec2n_getlen(struct group *group)
{
- struct ec2n_group *grp = (struct ec2n_group *) group->group;
- int bits = b2n_sigbit(grp->grp->p) - 1;
+ struct ec2n_group *grp = (struct ec2n_group *)group->group;
+ int bits = b2n_sigbit(grp->grp->p) - 1;
return (7 + bits) >> 3;
}
void
-ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e)
+ec2n_getraw(struct group *group, ec2np_ptr xo, u_int8_t *e)
{
struct ec2n_group *grp = (struct ec2n_group *) group->group;
int chunks, bytes, i, j;
@@ -798,7 +801,8 @@ ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e)
for (i = chunks - 1; i >= 0; i--) {
tmp = (i >= x->chunks ? 0 : x->limp[i]);
- for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0; j--) {
+ for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0;
+ j--) {
e[j] = tmp & 0xff;
tmp >>= 8;
}
@@ -807,7 +811,7 @@ ec2n_getraw(struct group * group, ec2np_ptr xo, u_int8_t * e)
}
int
-ec2n_setraw(struct group * grp, ec2np_ptr out, u_int8_t * s, int l)
+ec2n_setraw(struct group *grp, ec2np_ptr out, u_int8_t *s, int l)
{
int len, bytes, i, j;
b2n_ptr outx = out->x;
@@ -831,7 +835,7 @@ ec2n_setraw(struct group * grp, ec2np_ptr out, u_int8_t * s, int l)
}
int
-ec2n_setrandom(struct group * group, ec2np_ptr x)
+ec2n_setrandom(struct group *group, ec2np_ptr x)
{
b2n_ptr d = x->x;
struct ec2n_group *grp = (struct ec2n_group *) group->group;
@@ -847,10 +851,10 @@ ec2n_setrandom(struct group * group, ec2np_ptr x)
* set to zero.
*/
int
-ec2n_operation(struct group * grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e)
+ec2n_operation(struct group *grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e)
{
b2n_ptr ex = e->x;
- struct ec2n_group *group = (struct ec2n_group *) grp->group;
+ struct ec2n_group *group = (struct ec2n_group *)grp->group;
if (a->y->chunks == 0)
if (ec2np_find_y(a, group->grp))
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 72bb3f0c9a9..24e77b01719 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.72 2004/04/29 22:36:26 hshoexer Exp $ */
+/* $OpenBSD: message.c,v 1.73 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -95,12 +95,13 @@ static int message_validate_vendor(struct message *, struct payload *);
static void message_packet_log(struct message *);
-static int (*message_validate_payload[]) (struct message *, struct payload *) =
+static int (*message_validate_payload[])(struct message *, struct payload *) =
{
- message_validate_sa, message_validate_proposal, message_validate_transform,
- message_validate_key_exch, message_validate_id, message_validate_cert,
- message_validate_cert_req, message_validate_hash, message_validate_sig,
- message_validate_nonce, message_validate_notify, message_validate_delete,
+ message_validate_sa, message_validate_proposal,
+ message_validate_transform, message_validate_key_exch,
+ message_validate_id, message_validate_cert, message_validate_cert_req,
+ message_validate_hash, message_validate_sig, message_validate_nonce,
+ message_validate_notify, message_validate_delete,
message_validate_vendor, message_validate_attribute
};
@@ -125,7 +126,7 @@ static u_int32_t last_xf_no;
* segment buffer sized SZ, copied from BUF if given.
*/
struct message *
-message_alloc(struct transport * t, u_int8_t * buf, size_t sz)
+message_alloc(struct transport *t, u_int8_t *buf, size_t sz)
{
struct message *msg;
int i;
@@ -134,7 +135,7 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz)
* We use calloc(3) because it zeroes the structure which we rely on in
* message_free when determining what sub-allocations to free.
*/
- msg = (struct message *) calloc(1, sizeof *msg);
+ msg = (struct message *)calloc(1, sizeof *msg);
if (!msg)
return 0;
msg->iov = calloc(1, sizeof *msg->iov);
@@ -151,7 +152,8 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz)
msg->iovlen = 1;
if (buf)
memcpy(msg->iov[0].iov_base, buf, sz);
- msg->nextp = (u_int8_t *) msg->iov[0].iov_base + ISAKMP_HDR_NEXT_PAYLOAD_OFF;
+ msg->nextp = (u_int8_t *)msg->iov[0].iov_base +
+ ISAKMP_HDR_NEXT_PAYLOAD_OFF;
msg->transport = t;
transport_reference(t);
for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++)
@@ -166,7 +168,7 @@ message_alloc(struct transport * t, u_int8_t * buf, size_t sz)
* ISAKMP header as the first segment.
*/
struct message *
-message_alloc_reply(struct message * msg)
+message_alloc_reply(struct message *msg)
{
struct message *reply;
@@ -180,7 +182,7 @@ message_alloc_reply(struct message * msg)
/* Free up all resources used by the MSG message. */
void
-message_free(struct message * msg)
+message_free(struct message *msg)
{
u_int32_t i;
struct payload *payload, *next;
@@ -199,12 +201,14 @@ message_free(struct message * msg)
if (msg->retrans)
timer_remove_event(msg->retrans);
for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++)
- for (payload = TAILQ_FIRST(&msg->payload[i]); payload; payload = next) {
+ for (payload = TAILQ_FIRST(&msg->payload[i]); payload;
+ payload = next) {
next = TAILQ_NEXT(payload, link);
free(payload);
}
while (TAILQ_FIRST(&msg->post_send) != 0)
- TAILQ_REMOVE(&msg->post_send, TAILQ_FIRST(&msg->post_send), link);
+ TAILQ_REMOVE(&msg->post_send, TAILQ_FIRST(&msg->post_send),
+ link);
/* If we are on the send queue, remove us from there. */
if (msg->flags & MSG_IN_TRANSIT) {
@@ -230,10 +234,9 @@ message_free(struct message * msg)
* parsed payloads.
*/
static int
-message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next,
- u_int8_t * buf, set * accepted_payloads,
- int (*func) (struct message *, struct payload *,
- u_int8_t, u_int8_t *))
+message_parse_payloads(struct message *msg, struct payload *p, u_int8_t next,
+ u_int8_t *buf, set *accepted_payloads, int (*func)(struct message *,
+ struct payload *, u_int8_t, u_int8_t *))
{
u_int8_t payload;
u_int16_t len;
@@ -242,14 +245,15 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next,
do {
LOG_DBG((LOG_MESSAGE, 50,
"message_parse_payloads: offset %ld payload %s",
- (long) (buf - (u_int8_t *) msg->iov[0].iov_base),
+ (long)(buf - (u_int8_t *) msg->iov[0].iov_base),
constant_name(isakmp_payload_cst, next)));
/* Does this payload's header fit? */
- if (buf + ISAKMP_GEN_SZ
- > (u_int8_t *) msg->iov[0].iov_base + msg->iov[0].iov_len) {
+ if (buf + ISAKMP_GEN_SZ > (u_int8_t *)msg->iov[0].iov_base +
+ msg->iov[0].iov_len) {
log_print("message_parse_payloads: short message");
- message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS,
+ 0, 1, 1);
return -1;
}
/* Ponder on the payload that is at BUF... */
@@ -259,16 +263,19 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next,
next = GET_ISAKMP_GEN_NEXT_PAYLOAD(buf);
if (next >= ISAKMP_PAYLOAD_RESERVED_MIN &&
next <= ISAKMP_PAYLOAD_RESERVED_MAX) {
- log_print("message_parse_payloads: invalid next payload type %d "
- "in payload of type %d", next, payload);
- message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ log_print("message_parse_payloads: invalid next "
+ "payload type %d in payload of type %d", next,
+ payload);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE,
+ 0, 1, 1);
return -1;
}
/* Reserved fields in ISAKMP messages should be zero. */
if (GET_ISAKMP_GEN_RESERVED(buf) != 0) {
- log_print("message_parse_payloads: reserved field non-zero: %x",
- GET_ISAKMP_GEN_RESERVED(buf));
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ log_print("message_parse_payloads: reserved field "
+ "non-zero: %x", GET_ISAKMP_GEN_RESERVED(buf));
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 1);
return -1;
}
/*
@@ -279,17 +286,23 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next,
if (message_payload_sz(payload) == 0) {
log_print("message_parse_payloads: unknown minimum "
"payload size for payload type %u", payload);
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 1);
return -1;
}
if (len < message_payload_sz(payload)) {
- log_print("message_parse_payloads: payload too short: %u", len);
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ log_print("message_parse_payloads: payload too "
+ "short: %u", len);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 1);
return -1;
}
- if (buf + len > (u_int8_t *) msg->iov[0].iov_base + msg->iov[0].iov_len) {
- log_print("message_parse_payloads: payload too long: %u", len);
- message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ if (buf + len > (u_int8_t *)msg->iov[0].iov_base +
+ msg->iov[0].iov_len) {
+ log_print("message_parse_payloads: payload too "
+ "long: %u", len);
+ message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED,
+ 0, 1, 1);
return -1;
}
/* Ignore private payloads. */
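Review bot: The re-wrapped bounds check `buf + len > (u_int8_t *)msg->iov[0].iov_base + msg->iov[0].iov_len` forms a pointer beyond the segment before comparing, which is undefined even though it works on flat address spaces; since the header-fit check earlier in the same loop (previous hunk) already guarantees `buf` lies inside the segment, comparing lengths is well-defined and reads more clearly: `if (len > msg->iov[0].iov_len - (size_t)(buf - (u_int8_t *)msg->iov[0].iov_base))`. The order of the checks here (unknown minimum size, then minimum size, then fit in buffer) is the right one and worth keeping as is.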
@@ -304,9 +317,10 @@ message_parse_payloads(struct message * msg, struct payload * p, u_int8_t next,
* this stage.
*/
if (!ISSET(payload, accepted_payloads)) {
- log_print("message_parse_payloads: payload type %d unexpected",
- payload);
- message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ log_print("message_parse_payloads: payload type %d "
+ "unexpected", payload);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE,
+ 0, 1, 1);
return -1;
}
/* Call the payload handler specified by the caller. */
@@ -329,10 +343,10 @@ next_payload:
* generic payload header.
*/
static int
-message_parse_proposal(struct message * msg, struct payload * p,
- u_int8_t payload, u_int8_t * buf)
+message_parse_proposal(struct message *msg, struct payload *p, u_int8_t payload,
+ u_int8_t *buf)
{
- set payload_set;
+ set payload_set;
/* Put the proposal into the proposal bucket. */
message_index_payload(msg, p, payload, buf);
@@ -340,31 +354,28 @@ message_parse_proposal(struct message * msg, struct payload * p,
ZERO(&payload_set);
SET(ISAKMP_PAYLOAD_TRANSFORM, &payload_set);
if (message_parse_payloads(msg,
- TAILQ_LAST(&msg->payload
- [ISAKMP_PAYLOAD_PROPOSAL],
- payload_head),
- ISAKMP_PAYLOAD_TRANSFORM,
- buf + ISAKMP_PROP_SPI_OFF
- + GET_ISAKMP_PROP_SPI_SZ(buf),
- &payload_set, message_parse_transform) == -1)
+ TAILQ_LAST(&msg->payload[ISAKMP_PAYLOAD_PROPOSAL], payload_head),
+ ISAKMP_PAYLOAD_TRANSFORM, buf + ISAKMP_PROP_SPI_OFF +
+ GET_ISAKMP_PROP_SPI_SZ(buf), &payload_set, message_parse_transform)
+ == -1)
return -1;
return 0;
}
static int
-message_parse_transform(struct message * msg, struct payload * p,
- u_int8_t payload, u_int8_t * buf)
+message_parse_transform(struct message *msg, struct payload *p,
+ u_int8_t payload, u_int8_t *buf)
{
/* Put the transform into the transform bucket. */
message_index_payload(msg, p, payload, buf);
LOG_DBG((LOG_MESSAGE, 50, "Transform %d's attributes",
- GET_ISAKMP_TRANSFORM_NO(buf)));
+ GET_ISAKMP_TRANSFORM_NO(buf)));
#ifdef USE_DEBUG
attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- msg->exchange->doi->debug_attribute, msg);
+ GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ msg->exchange->doi->debug_attribute, msg);
#endif
return 0;
@@ -418,18 +429,19 @@ message_payload_sz(u_int8_t payload)
/* Validate the attribute payload P in message MSG. */
static int
-message_validate_attribute(struct message * msg, struct payload * p)
+message_validate_attribute(struct message *msg, struct payload *p)
{
#ifdef USE_ISAKMP_CFG
/* If we don't have an exchange yet, create one. */
if (!msg->exchange) {
- if (zero_test((u_int8_t *) msg->iov[0].iov_base
- + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN))
+ if (zero_test((u_int8_t *) msg->iov[0].iov_base +
+ ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN))
msg->exchange = exchange_setup_p1(msg, IPSEC_DOI_IPSEC);
else
msg->exchange = exchange_setup_p2(msg, IPSEC_DOI_IPSEC);
if (!msg->exchange) {
- log_print("message_validate_attribute: can not create exchange");
+ log_print("message_validate_attribute: can not "
+ "create exchange");
message_free(msg);
return -1;
}
@@ -440,7 +452,7 @@ message_validate_attribute(struct message * msg, struct payload * p)
/* Validate the certificate payload P in message MSG. */
static int
-message_validate_cert(struct message * msg, struct payload * p)
+message_validate_cert(struct message *msg, struct payload *p)
{
if (GET_ISAKMP_CERT_ENCODING(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) {
message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1);
@@ -454,7 +466,7 @@ static int
message_validate_cert_req(struct message * msg, struct payload * p)
{
struct cert_handler *cert;
- size_t len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF;
+ size_t len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF;
if (GET_ISAKMP_CERTREQ_TYPE(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) {
message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1);
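Review bot: On the re-aligned declaration `len` is `GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF` computed in `size_t`, so it wraps to a huge value if a payload's generic length is ever below the authority offset and that value is then handed to certreq_validate. This is safe only because message_parse_payloads drops payloads shorter than `message_payload_sz(payload)`, which I assume equals `ISAKMP_CERTREQ_AUTHORITY_OFF` for CERTREQ; that dependency deserves confirming and recording next to the declaration, e.g. `/* Parse step guarantees GEN_LENGTH >= ISAKMP_CERTREQ_AUTHORITY_OFF; no underflow. */`. The rest of message_validate_cert_req is outside this hunk.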
@@ -465,9 +477,8 @@ message_validate_cert_req(struct message * msg, struct payload * p)
* is included in the payload check if it can be decoded
*/
cert = cert_get(GET_ISAKMP_CERTREQ_TYPE(p->p));
- if (!cert
- || (len && !cert->certreq_validate(p->p + ISAKMP_CERTREQ_AUTHORITY_OFF,
- len))) {
+ if (!cert || (len && !cert->certreq_validate(p->p +
+ ISAKMP_CERTREQ_AUTHORITY_OFF, len))) {
message_drop(msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1, 1);
return -1;
}
@@ -479,14 +490,14 @@ message_validate_cert_req(struct message * msg, struct payload * p)
* an exchange if we do not have one already.
*/
static int
-message_validate_delete(struct message * msg, struct payload * p)
+message_validate_delete(struct message *msg, struct payload *p)
{
u_int8_t proto = GET_ISAKMP_DELETE_PROTO(p->p);
struct doi *doi;
struct sa *sa, *isakmp_sa;
struct sockaddr *dst, *dst_isa;
u_int32_t nspis = GET_ISAKMP_DELETE_NSPIS(p->p);
- u_int8_t *spis = (u_int8_t *) p->p + ISAKMP_DELETE_SPI_OFF;
+ u_int8_t *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF;
u_int32_t i;
char *addr;
@@ -504,7 +515,8 @@ message_validate_delete(struct message * msg, struct payload * p)
else
msg->exchange = exchange_setup_p2(msg, doi->id);
if (!msg->exchange) {
- log_print("message_validate_delete: can not create exchange");
+ log_print("message_validate_delete: can not create "
+ "exchange");
message_free(msg);
return -1;
}
@@ -520,22 +532,25 @@ message_validate_delete(struct message * msg, struct payload * p)
isakmp_sa = msg->isakmp_sa;
if (!isakmp_sa) {
/* XXX should not happen? */
- log_print("message_validate_delete: invalid spi "
- "(no valid ISAKMP SA found)");
+ log_print("message_validate_delete: invalid spi (no "
+ "valid ISAKMP SA found)");
message_free(msg);
return -1;
}
- isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport, &dst_isa);
+ isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport,
+ &dst_isa);
/* Get SA to be deleted. */
msg->transport->vtbl->get_dst(msg->transport, &dst);
if (proto == ISAKMP_PROTO_ISAKMP)
- sa = sa_lookup_isakmp_sa(dst, spis + i * ISAKMP_HDR_COOKIES_LEN);
+ sa = sa_lookup_isakmp_sa(dst, spis + i
+ * ISAKMP_HDR_COOKIES_LEN);
else
- sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i], proto);
+ sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i],
+ proto);
if (!sa) {
- LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: invalid spi "
- "(no valid SA found)"));
+ LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: "
+ "invalid spi (no valid SA found)"));
message_free(msg);
return -1;
}
@@ -543,12 +558,12 @@ message_validate_delete(struct message * msg, struct payload * p)
/* Destination addresses must match. */
if (dst->sa_family != dst_isa->sa_family ||
- memcmp(sockaddr_addrdata(dst_isa), sockaddr_addrdata(dst),
- sockaddr_addrlen(dst))) {
+ memcmp(sockaddr_addrdata(dst_isa), sockaddr_addrdata(dst),
+ sockaddr_addrlen(dst))) {
sockaddr2text(dst_isa, &addr, 0);
log_print("message_validate_delete: invalid spi "
- "(illegal delete request from %s)", addr);
+ "(illegal delete request from %s)", addr);
free(addr);
message_free(msg);
return -1;
@@ -564,7 +579,7 @@ message_validate_delete(struct message * msg, struct payload * p)
* except INFORMATIONAL. This should be actually done here.
*/
static int
-message_validate_hash(struct message * msg, struct payload * p)
+message_validate_hash(struct message *msg, struct payload *p)
{
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_sa *isa;
@@ -580,7 +595,8 @@ message_validate_hash(struct message * msg, struct payload * p)
if (isakmp_sa == NULL) {
log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 1);
return -1;
}
isa = isakmp_sa->data;
@@ -588,27 +604,30 @@ message_validate_hash(struct message * msg, struct payload * p)
if (hash == NULL) {
log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 1);
return -1;
}
/* If no SKEYID_a, we can not do anything (should not happen). */
if (!isa->skeyid_a) {
log_print("message_validate_hash: invalid hash information");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 1);
return -1;
}
/* Allocate the prf and start calculating our HASH(1). */
- LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a", isa->skeyid_a,
- isa->skeyid_len));
- prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
+ LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a",
+ isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
+ isa->skeyid_len);
if (!prf) {
message_free(msg);
return -1;
}
- comp_hash = (u_int8_t *) malloc(hash->hashsize);
+ comp_hash = (u_int8_t *)malloc(hash->hashsize);
if (!comp_hash) {
log_error("message_validate_hash: malloc (%lu) failed",
- (unsigned long) hash->hashsize);
+ (unsigned long)hash->hashsize);
prf_free(prf);
message_free(msg);
return -1;
@@ -618,22 +637,24 @@ message_validate_hash(struct message * msg, struct payload * p)
prf->Init(prf->prfctx);
LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: message_id",
- message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update(prf->prfctx, message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p);
- rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base)
- - (rest - (u_int8_t *) msg->iov[0].iov_base));
- LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: payloads after HASH(1)",
- rest, rest_len));
+ rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) - (rest -
+ (u_int8_t *)msg->iov[0].iov_base));
+ LOG_DBG_BUF((LOG_MISC, 90,
+ "message_validate_hash: payloads after HASH(1)", rest, rest_len));
prf->Update(prf->prfctx, rest, rest_len);
prf->Final(comp_hash, prf->prfctx);
prf_free(prf);
if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash, hash->hashsize)) {
- log_print("message_validate_hash: invalid hash value for %s payload",
- TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_DELETE])
- ? "DELETE" : "NOTIFY");
- message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ log_print("message_validate_hash: invalid hash value for "
+ "%s payload",
+ TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_DELETE]) ?
+ "DELETE" : "NOTIFY");
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION,
+ 0, 1, 0);
free(comp_hash);
return -1;
}
@@ -647,7 +668,7 @@ message_validate_hash(struct message * msg, struct payload * p)
/* Validate the identification payload P in message MSG. */
static int
-message_validate_id(struct message * msg, struct payload * p)
+message_validate_id(struct message *msg, struct payload *p)
{
struct exchange *exchange = msg->exchange;
size_t len = GET_ISAKMP_GEN_LENGTH(p->p);
@@ -659,11 +680,9 @@ message_validate_id(struct message * msg, struct payload * p)
return -1;
}
if (exchange->doi
- && exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p),
- p->p + ISAKMP_ID_DOI_DATA_OFF,
- p->p + ISAKMP_ID_DATA_OFF,
- len - ISAKMP_ID_DATA_OFF,
- exchange)) {
+ && exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p),
+ p->p + ISAKMP_ID_DOI_DATA_OFF, p->p + ISAKMP_ID_DATA_OFF, len -
+ ISAKMP_ID_DATA_OFF, exchange)) {
message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 1);
return -1;
}
@@ -672,7 +691,7 @@ message_validate_id(struct message * msg, struct payload * p)
/* Validate the key exchange payload P in message MSG. */
static int
-message_validate_key_exch(struct message * msg, struct payload * p)
+message_validate_key_exch(struct message *msg, struct payload *p)
{
struct exchange *exchange = msg->exchange;
size_t len = GET_ISAKMP_GEN_LENGTH(p->p);
@@ -683,10 +702,10 @@ message_validate_key_exch(struct message * msg, struct payload * p)
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
return -1;
}
- if (exchange->doi
- && exchange->doi->validate_key_information(p->p + ISAKMP_KE_DATA_OFF,
- len - ISAKMP_KE_DATA_OFF)) {
- message_drop(msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION, 0, 1, 1);
+ if (exchange->doi && exchange->doi->validate_key_information(p->p +
+ ISAKMP_KE_DATA_OFF, len - ISAKMP_KE_DATA_OFF)) {
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION,
+ 0, 1, 1);
return -1;
}
return 0;
@@ -694,7 +713,7 @@ message_validate_key_exch(struct message * msg, struct payload * p)
/* Validate the nonce payload P in message MSG. */
static int
-message_validate_nonce(struct message * msg, struct payload * p)
+message_validate_nonce(struct message *msg, struct payload *p)
{
if (!msg->exchange) {
/* We should have an exchange at this point. */
@@ -711,7 +730,7 @@ message_validate_nonce(struct message * msg, struct payload * p)
* an exchange if we do not have one already.
*/
static int
-message_validate_notify(struct message * msg, struct payload * p)
+message_validate_notify(struct message *msg, struct payload *p)
{
u_int8_t proto = GET_ISAKMP_NOTIFY_PROTO(p->p);
u_int16_t type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p);
@@ -725,13 +744,14 @@ message_validate_notify(struct message * msg, struct payload * p)
}
/* If we don't have an exchange yet, create one. */
if (!msg->exchange) {
- if (zero_test((u_int8_t *) msg->iov[0].iov_base
- + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN))
+ if (zero_test((u_int8_t *) msg->iov[0].iov_base +
+ ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN))
msg->exchange = exchange_setup_p1(msg, doi->id);
else
msg->exchange = exchange_setup_p2(msg, doi->id);
if (!msg->exchange) {
- log_print("message_validate_notify: can not create exchange");
+ log_print("message_validate_notify: can not create "
+ "exchange");
message_free(msg);
return -1;
}
@@ -761,7 +781,7 @@ message_validate_notify(struct message * msg, struct payload * p)
/* Validate the proposal payload P in message MSG. */
static int
-message_validate_proposal(struct message * msg, struct payload * p)
+message_validate_proposal(struct message *msg, struct payload *p)
{
u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->p);
u_int8_t *sa = p->context->p;
@@ -803,7 +823,7 @@ message_validate_proposal(struct message * msg, struct payload * p)
* first due to the IANA assigned payload number?
*/
static int
-message_validate_sa(struct message * msg, struct payload * p)
+message_validate_sa(struct message *msg, struct payload *p)
{
set payload_set;
size_t len;
@@ -819,12 +839,13 @@ message_validate_sa(struct message * msg, struct payload * p)
}
/*
* It's time to figure out what SA this message is about. If it is
- * already set, then we are creating a new phase 1 SA. Otherwise, lookup
- * the SA using the cookies and the message ID. If we cannot find
- * it, and the phase 1 SA is ready, setup a phase 2 SA.
+ * already set, then we are creating a new phase 1 SA. Otherwise,
+ * lookup the SA using the cookies and the message ID. If we cannot
+ * find it, and the phase 1 SA is ready, setup a phase 2 SA.
*/
if (!exchange) {
- if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN))
+ if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF,
+ ISAKMP_HDR_RCOOKIE_LEN))
exchange = exchange_setup_p1(msg, doi_id);
else if (msg->isakmp_sa->flags & SA_FLAG_READY)
exchange = exchange_setup_p2(msg, doi_id);
@@ -862,9 +883,10 @@ message_validate_sa(struct message * msg, struct payload * p)
* the length of the situation field is.
*/
if (exchange->doi->validate_situation(p->p + ISAKMP_SA_SIT_OFF, &len,
- GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) {
+ GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) {
log_print("message_validate_sa: situation not supported");
- message_drop(msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED,
+ 0, 1, 1);
return -1;
}
/*
@@ -878,8 +900,8 @@ message_validate_sa(struct message * msg, struct payload * p)
ZERO(&payload_set);
SET(ISAKMP_PAYLOAD_PROPOSAL, &payload_set);
if (message_parse_payloads(msg, p, ISAKMP_PAYLOAD_PROPOSAL,
- p->p + ISAKMP_SA_SIT_OFF + len, &payload_set,
- message_parse_proposal) == -1)
+ p->p + ISAKMP_SA_SIT_OFF + len, &payload_set,
+ message_parse_proposal) == -1)
return -1;
return 0;
@@ -887,7 +909,7 @@ message_validate_sa(struct message * msg, struct payload * p)
/* Validate the signature payload P in message MSG. */
static int
-message_validate_sig(struct message * msg, struct payload * p)
+message_validate_sig(struct message *msg, struct payload *p)
{
if (!msg->exchange) {
/* We should have an exchange at this point. */
@@ -901,7 +923,7 @@ message_validate_sig(struct message * msg, struct payload * p)
/* Validate the transform payload P in message MSG. */
static int
-message_validate_transform(struct message * msg, struct payload * p)
+message_validate_transform(struct message *msg, struct payload *p)
{
u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->context->p);
u_int8_t *prop = p->context->p;
@@ -919,12 +941,13 @@ message_validate_transform(struct message * msg, struct payload * p)
}
/* Check that the reserved field is zero. */
if (!zero_test(p->p + ISAKMP_TRANSFORM_RESERVED_OFF,
- ISAKMP_TRANSFORM_RESERVED_LEN)) {
+ ISAKMP_TRANSFORM_RESERVED_LEN)) {
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
return -1;
}
/*
- * Check that we get monotonically increasing transform numbers per proposal.
+ * Check that we get monotonically increasing transform numbers per
+ * proposal.
*/
if (prop != last_prop)
last_prop = prop;
@@ -936,10 +959,10 @@ message_validate_transform(struct message * msg, struct payload * p)
/* Validate the attributes. */
if (attribute_map(p->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(p->p)
- - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- msg->exchange->doi->validate_attribute, msg)) {
- message_drop(msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED, 0, 1, 1);
+ GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ msg->exchange->doi->validate_attribute, msg)) {
+ message_drop(msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED,
+ 0, 1, 1);
return -1;
}
return 0;
@@ -947,7 +970,7 @@ message_validate_transform(struct message * msg, struct payload * p)
/* Validate the vendor payload P in message MSG. */
static int
-message_validate_vendor(struct message * msg, struct payload * p)
+message_validate_vendor(struct message *msg, struct payload *p)
{
if (!msg->exchange) {
/* We should have an exchange at this point. */
@@ -971,8 +994,8 @@ message_validate_vendor(struct message * msg, struct payload * p)
* node so we can go from transforms -> payloads -> SAs.
*/
static int
-message_index_payload(struct message * msg, struct payload * p,
- u_int8_t payload, u_int8_t * buf)
+message_index_payload(struct message *msg, struct payload *p, u_int8_t payload,
+ u_int8_t *buf)
{
struct payload *payload_node;
@@ -994,19 +1017,19 @@ message_index_payload(struct message * msg, struct payload * p,
* computed message length (i.e. without padding) in msg->iov[0].iov_len.
*/
static int
-message_sort_payloads(struct message * msg, u_int8_t next)
+message_sort_payloads(struct message *msg, u_int8_t next)
{
- set payload_set;
- int i, sz;
+ set payload_set;
+ int i, sz;
ZERO(&payload_set);
for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++)
- if (i != ISAKMP_PAYLOAD_PROPOSAL && i != ISAKMP_PAYLOAD_TRANSFORM)
+ if (i != ISAKMP_PAYLOAD_PROPOSAL && i !=
+ ISAKMP_PAYLOAD_TRANSFORM)
SET(i, &payload_set);
- sz =
- message_parse_payloads(msg, 0, next,
- (u_int8_t *) msg->iov[0].iov_base + ISAKMP_HDR_SZ,
- &payload_set, message_index_payload);
+ sz = message_parse_payloads(msg, 0, next,
+ (u_int8_t *)msg->iov[0].iov_base + ISAKMP_HDR_SZ, &payload_set,
+ message_index_payload);
if (sz == -1)
return -1;
msg->iov[0].iov_len = ISAKMP_HDR_SZ + sz;
@@ -1016,19 +1039,20 @@ message_sort_payloads(struct message * msg, u_int8_t next)
/* Run all the generic payload tests that the drafts specify. */
static int
-message_validate_payloads(struct message * msg)
+message_validate_payloads(struct message *msg)
{
int i;
struct payload *p;
for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++)
- for (p = TAILQ_FIRST(&msg->payload[i]); p; p = TAILQ_NEXT(p, link)) {
- LOG_DBG((LOG_MESSAGE, 60,
- "message_validate_payloads: "
- "payload %s at %p of message %p",
- constant_name(isakmp_payload_cst, i), p->p, msg));
+ for (p = TAILQ_FIRST(&msg->payload[i]); p;
+ p = TAILQ_NEXT(p, link)) {
+ LOG_DBG((LOG_MESSAGE, 60, "message_validate_payloads: "
+ "payload %s at %p of message %p",
+ constant_name(isakmp_payload_cst, i), p->p, msg));
field_dump_payload(fields[i - ISAKMP_PAYLOAD_SA], p->p);
- if (message_validate_payload[i - ISAKMP_PAYLOAD_SA] (msg, p))
+ if (message_validate_payload[i - ISAKMP_PAYLOAD_SA]
+ (msg, p))
return -1;
}
return 0;
@@ -1040,7 +1064,7 @@ message_validate_payloads(struct message * msg)
* the exchange this message, MSG, is part of, and feed it there.
*/
int
-message_recv(struct message * msg)
+message_recv(struct message *msg)
{
u_int8_t *buf = msg->iov[0].iov_base;
size_t sz = msg->iov[0].iov_len;
@@ -1054,7 +1078,8 @@ message_recv(struct message * msg)
/* Messages shorter than an ISAKMP header are bad. */
if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) {
log_print("message_recv: bad message length");
- message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
+ message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS,
+ 0, 1, 1);
return -1;
}
#ifdef USE_DEBUG
@@ -1063,28 +1088,29 @@ message_recv(struct message * msg)
#endif
/*
- * If the responder cookie is zero, this is a request to setup an ISAKMP SA.
- * Otherwise the cookies should refer to an existing ISAKMP SA.
+ * If the responder cookie is zero, this is a request to setup an
+ * ISAKMP SA. Otherwise the cookies should refer to an existing
+ * ISAKMP SA.
*
- * XXX This is getting ugly, please reread later to see if it can be made
- * nicer.
+ * XXX This is getting ugly, please reread later to see if it can be
+ * made nicer.
*/
setup_isakmp_sa = zero_test(buf + ISAKMP_HDR_RCOOKIE_OFF,
ISAKMP_HDR_RCOOKIE_LEN);
if (setup_isakmp_sa) {
/*
- * This might be a retransmission of a former ISAKMP SA setup message.
- * If so, just drop it.
+ * This might be a retransmission of a former ISAKMP SA setup
+ * message. If so, just drop it.
* XXX Must we really look in both the SA and exchange pools?
*/
if (exchange_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)
- || sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)) {
+ || sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)) {
/*
- * XXX Later we should differentiate between retransmissions and
- * potential replay attacks.
+ * XXX Later we should differentiate between
+ * retransmissions and potential replay attacks.
*/
LOG_DBG((LOG_MESSAGE, 90,
- "message_recv: dropping setup for existing SA"));
+ "message_recv: dropping setup for existing SA"));
message_free(msg);
return -1;
}
@@ -1094,19 +1120,20 @@ message_recv(struct message * msg)
sa_reference(msg->isakmp_sa);
/*
- * If we cannot find an ISAKMP SA out of the cookies, this is either
- * a responder's first reply, and we need to upgrade our exchange,
- * or it's just plain invalid cookies.
+ * If we cannot find an ISAKMP SA out of the cookies, this is
+ * either a responder's first reply, and we need to upgrade
+ * our exchange, or it's just plain invalid cookies.
*/
if (!msg->isakmp_sa) {
- msg->exchange
- = exchange_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF);
+ msg->exchange = exchange_lookup_from_icookie(buf +
+ ISAKMP_HDR_ICOOKIE_OFF);
if (msg->exchange && msg->exchange->phase == 1
- && zero_test(msg->exchange->cookies + ISAKMP_HDR_RCOOKIE_OFF,
- ISAKMP_HDR_RCOOKIE_LEN))
+ && zero_test(msg->exchange->cookies +
+ ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN))
exchange_upgrade_p1(msg);
else {
- log_print("message_recv: invalid cookie(s) %08x%08x %08x%08x",
+ log_print("message_recv: invalid cookie(s) "
+ "%08x%08x %08x%08x",
decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF),
decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF + 4),
decode_32(buf + ISAKMP_HDR_RCOOKIE_OFF),
@@ -1116,13 +1143,13 @@ message_recv(struct message * msg)
tmp_proto.proto = ISAKMP_PROTO_ISAKMP;
tmp_proto.spi_sz[1] = ISAKMP_HDR_COOKIES_LEN;
tmp_proto.spi[1] = buf + ISAKMP_HDR_COOKIES_OFF;
- message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE, &tmp_proto, 1,
- 1);
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE,
+ &tmp_proto, 1, 1);
return -1;
}
#if 0
- msg->isakmp_sa
- = sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF);
+ msg->isakmp_sa = sa_lookup_from_icookie(buf +
+ ISAKMP_HDR_ICOOKIE_OFF);
if (msg->isakmp_sa)
sa_isakmp_upgrade(msg);
#endif
@@ -1134,30 +1161,30 @@ message_recv(struct message * msg)
return -1;
if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) >= ISAKMP_PAYLOAD_RESERVED_MIN) {
- log_print("message_recv: "
- "invalid payload type %d in ISAKMP header "
- "(check passphrases, if applicable and in Phase 1)",
- GET_ISAKMP_HDR_NEXT_PAYLOAD(buf));
+ log_print("message_recv: invalid payload type %d in ISAKMP "
+ "header (check passphrases, if applicable and in Phase 1)",
+ GET_ISAKMP_HDR_NEXT_PAYLOAD(buf));
message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
return -1;
}
/* Validate that the message is of version 1.0. */
if (ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)) != 1) {
log_print("message_recv: invalid version major %d",
- ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)));
+ ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)));
message_drop(msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1, 1);
return -1;
}
if (ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)) != 0) {
log_print("message_recv: invalid version minor %d",
- ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)));
+ ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)));
message_drop(msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1, 1);
return -1;
}
/*
- * Validate the exchange type. If it's a DOI-specified exchange wait until
- * after all payloads have been seen for the validation as the SA payload
- * might not yet have been parsed, thus the DOI might be unknown.
+ * Validate the exchange type. If it's a DOI-specified exchange wait
+ * until after all payloads have been seen for the validation as the
+ * SA payload might not yet have been parsed, thus the DOI might be
+ * unknown.
*/
exch_type = GET_ISAKMP_HDR_EXCH_TYPE(buf);
if (exch_type == ISAKMP_EXCH_NONE
@@ -1165,7 +1192,7 @@ message_recv(struct message * msg)
exch_type <= ISAKMP_EXCH_FUTURE_MAX)
|| (setup_isakmp_sa && exch_type >= ISAKMP_EXCH_DOI_MIN)) {
log_print("message_recv: invalid exchange type %s",
- constant_name(isakmp_exch_cst, exch_type));
+ constant_name(isakmp_exch_cst, exch_type));
message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
return -1;
}
@@ -1174,10 +1201,10 @@ message_recv(struct message * msg)
* have an ISAKMP SA to decrypt with.
*/
flags = GET_ISAKMP_HDR_FLAGS(buf);
- if (flags
- & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT | ISAKMP_FLAGS_AUTH_ONLY)) {
+ if (flags & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT |
+ ISAKMP_FLAGS_AUTH_ONLY)) {
log_print("message_recv: invalid flags 0x%x",
- GET_ISAKMP_HDR_FLAGS(buf));
+ GET_ISAKMP_HDR_FLAGS(buf));
message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
return -1;
}
@@ -1199,19 +1226,20 @@ message_recv(struct message * msg)
*/
msg->exchange = exchange_lookup(buf, 0);
if (!msg->exchange) {
- log_print("message_recv: phase 1 message after ISAKMP SA is ready");
+ log_print("message_recv: phase 1 message after "
+ "ISAKMP SA is ready");
message_free(msg);
return -1;
} else if (msg->exchange->last_sent) {
- LOG_DBG((LOG_MESSAGE, 80,
- "message_recv: resending last message from phase 1"));
+ LOG_DBG((LOG_MESSAGE, 80, "message_recv: resending "
+ "last message from phase 1"));
message_send(msg->exchange->last_sent);
}
}
if (flags & ISAKMP_FLAGS_ENC) {
if (!msg->isakmp_sa) {
- LOG_DBG((LOG_MISC, 10,
- "message_recv: no isakmp_sa for encrypted message"));
+ LOG_DBG((LOG_MISC, 10, "message_recv: no isakmp_sa "
+ "for encrypted message"));
message_free(msg);
return -1;
}
@@ -1237,11 +1265,11 @@ message_recv(struct message * msg)
message_packet_log(msg);
/*
- * Check the overall payload structure at the same time as indexing them by
- * type.
+ * Check the overall payload structure at the same time as indexing
+ * them by type.
*/
if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) != ISAKMP_PAYLOAD_NONE
- && message_sort_payloads(msg, GET_ISAKMP_HDR_NEXT_PAYLOAD(buf))) {
+ && message_sort_payloads(msg, GET_ISAKMP_HDR_NEXT_PAYLOAD(buf))) {
if (ks)
free(ks);
return -1;
@@ -1274,7 +1302,8 @@ message_recv(struct message * msg)
*/
if (exch_type >= ISAKMP_EXCH_DOI_MIN && exch_type <= ISAKMP_EXCH_DOI_MAX
&& msg->exchange->doi->validate_exchange(exch_type)) {
- log_print("message_recv: invalid DOI exchange type %d", exch_type);
+ log_print("message_recv: invalid DOI exchange type %d",
+ exch_type);
message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
if (ks)
free(ks);
@@ -1299,7 +1328,7 @@ message_recv(struct message * msg)
if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
(msg->exchange->phase == 2 || msg->exchange->keystate)) {
log_print("message_recv: cleartext phase %d message",
- msg->exchange->phase);
+ msg->exchange->phase);
message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
return -1;
}
@@ -1310,7 +1339,7 @@ message_recv(struct message * msg)
}
void
-message_send_expire(struct message * msg)
+message_send_expire(struct message *msg)
{
msg->retrans = 0;
@@ -1319,7 +1348,7 @@ message_send_expire(struct message * msg)
/* Queue up message MSG for transmittal. */
void
-message_send(struct message * msg)
+message_send(struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct message *m;
@@ -1352,8 +1381,8 @@ message_send(struct message * msg)
/* Keep the COMMIT bit on. */
if (exchange->flags & EXCHANGE_FLAG_COMMITTED)
SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base,
- GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base)
- | ISAKMP_FLAGS_COMMIT);
+ GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base)
+ | ISAKMP_FLAGS_COMMIT);
#ifdef USE_DEBUG
message_dump_raw("message_send", msg, LOG_MESSAGE);
@@ -1372,7 +1401,7 @@ message_send(struct message * msg)
for (m = TAILQ_FIRST(q); m; m = TAILQ_NEXT(m, link))
if (m == msg) {
LOG_DBG((LOG_MESSAGE, 60,
- "message_send: msg %p already on sendq %p", m, q));
+ "message_send: msg %p already on sendq %p", m, q));
return;
}
TAILQ_INSERT_TAIL(q, msg, link);
@@ -1384,14 +1413,14 @@ message_send(struct message * msg)
* identifying the exchange.
*/
void
-message_setup_header(struct message * msg, u_int8_t exchange, u_int8_t flags,
- u_int8_t * msg_id)
+message_setup_header(struct message *msg, u_int8_t exchange, u_int8_t flags,
+ u_int8_t *msg_id)
{
- u_int8_t *buf = msg->iov[0].iov_base;
+ u_int8_t *buf = msg->iov[0].iov_base;
SET_ISAKMP_HDR_ICOOKIE(buf, msg->exchange->cookies);
- SET_ISAKMP_HDR_RCOOKIE(buf,
- msg->exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN);
+ SET_ISAKMP_HDR_RCOOKIE(buf, msg->exchange->cookies +
+ ISAKMP_HDR_ICOOKIE_LEN);
SET_ISAKMP_HDR_NEXT_PAYLOAD(buf, ISAKMP_PAYLOAD_NONE);
SET_ISAKMP_HDR_VERSION(buf, ISAKMP_VERSION_MAKE(1, 0));
SET_ISAKMP_HDR_EXCH_TYPE(buf, exchange);
@@ -1409,8 +1438,8 @@ message_setup_header(struct message * msg, u_int8_t exchange, u_int8_t flags,
* XXX We might want to resize the iov array several slots at a time.
*/
int
-message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf,
- size_t sz, int link)
+message_add_payload(struct message *msg, u_int8_t payload, u_int8_t *buf,
+ size_t sz, int link)
{
struct iovec *new_iov;
struct payload *payload_node;
@@ -1418,14 +1447,15 @@ message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf,
payload_node = calloc(1, sizeof *payload_node);
if (!payload_node) {
log_error("message_add_payload: calloc (1, %lu) failed",
- (unsigned long) sizeof *payload_node);
+ (unsigned long)sizeof *payload_node);
return -1;
}
- new_iov
- = (struct iovec *) realloc(msg->iov, (msg->iovlen + 1) * sizeof *msg->iov);
+ new_iov = (struct iovec *) realloc(msg->iov, (msg->iovlen + 1) *
+ sizeof *msg->iov);
if (!new_iov) {
- log_error("message_add_payload: realloc (%p, %lu) failed", msg->iov,
- (msg->iovlen + 1) * (unsigned long) sizeof *msg->iov);
+ log_error("message_add_payload: realloc (%p, %lu) failed",
+ msg->iov, (msg->iovlen + 1) *
+ (unsigned long)sizeof *msg->iov);
free(payload_node);
return -1;
}
@@ -1440,11 +1470,12 @@ message_add_payload(struct message * msg, u_int8_t payload, u_int8_t * buf,
SET_ISAKMP_GEN_RESERVED(buf, 0);
SET_ISAKMP_GEN_LENGTH(buf, sz);
SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base,
- GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) + sz);
+ GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) + sz);
/*
- * For the sake of exchange_validate we index the payloads even in outgoing
- * messages, however context and flags are uninteresting in this situation.
+ * For the sake of exchange_validate we index the payloads even in
+ * outgoing messages, however context and flags are uninteresting in
+ * this situation.
*/
payload_node->p = buf;
TAILQ_INSERT_TAIL(&msg->payload[payload], payload_node, link);
@@ -1461,12 +1492,12 @@ struct info_args {
struct {
u_int16_t msg_type;
u_int8_t *spi;
- } n;
+ } n;
struct {
u_int16_t nspis;
u_int8_t *spis;
- } d;
- } u;
+ } d;
+ } u;
};
/*
@@ -1481,9 +1512,8 @@ struct info_args {
* status value?
*/
void
-message_send_notification(struct message * msg, struct sa * isakmp_sa,
- u_int16_t notify, struct proto * proto,
- int incoming)
+message_send_notification(struct message *msg, struct sa *isakmp_sa,
+ u_int16_t notify, struct proto * proto, int incoming)
{
struct info_args args;
struct sa *doi_sa = proto ? proto->sa : isakmp_sa;
@@ -1495,17 +1525,17 @@ message_send_notification(struct message * msg, struct sa * isakmp_sa,
args.u.n.msg_type = notify;
args.u.n.spi = proto ? proto->spi[incoming] : 0;
if (isakmp_sa && (isakmp_sa->flags & SA_FLAG_READY))
- exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0, 0);
+ exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args,
+ 0, 0);
else
exchange_establish_p1(msg->transport, ISAKMP_EXCH_INFO,
- msg->exchange
- ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP,
- 0, &args, 0, 0);
+ msg->exchange ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP,
+ 0, &args, 0, 0);
}
/* Send a DELETE inside an informational exchange for each protocol in SA. */
void
-message_send_delete(struct sa * sa)
+message_send_delete(struct sa *sa)
{
struct info_args args;
struct proto *proto;
@@ -1516,8 +1546,8 @@ message_send_delete(struct sa * sa)
isakmp_sa = sa_isakmp_lookup_by_peer(dst, sysdep_sa_len(dst));
if (!isakmp_sa) {
/*
- * XXX We ought to setup an ISAKMP SA with our peer here and send
- * the DELETE over that one.
+ * XXX We ought to setup an ISAKMP SA with our peer here and
+ * send the DELETE over that one.
*/
return;
}
@@ -1525,22 +1555,23 @@ message_send_delete(struct sa * sa)
args.doi = sa->doi->id;
args.u.d.nspis = 1;
for (proto = TAILQ_FIRST(&sa->protos); proto;
- proto = TAILQ_NEXT(proto, link)) {
+ proto = TAILQ_NEXT(proto, link)) {
args.proto = proto->proto;
args.spi_sz = proto->spi_sz[1];
args.u.d.spis = proto->spi[1];
- exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0, 0);
+ exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args,
+ 0, 0);
}
}
/* Build the informational message into MSG. */
int
-message_send_info(struct message * msg)
+message_send_info(struct message *msg)
{
u_int8_t *buf;
size_t sz;
struct info_args *args = msg->extra;
- u_int8_t payload;
+ u_int8_t payload;
/* Let the DOI get the first hand on the message. */
if (msg->exchange->doi->informational_pre_hook)
@@ -1548,10 +1579,11 @@ message_send_info(struct message * msg)
return -1;
sz = (args->discr == 'N' ? ISAKMP_NOTIFY_SPI_OFF + args->spi_sz
- : ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz);
+ : ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz);
buf = calloc(1, sz);
if (!buf) {
- log_error("message_send_info: calloc (1, %lu) failed", (unsigned long) sz);
+ log_error("message_send_info: calloc (1, %lu) failed",
+ (unsigned long)sz);
message_free(msg);
return -1;
}
@@ -1575,7 +1607,7 @@ message_send_info(struct message * msg)
SET_ISAKMP_DELETE_SPI_SZ(buf, args->spi_sz);
SET_ISAKMP_DELETE_NSPIS(buf, args->u.d.nspis);
memcpy(buf + ISAKMP_DELETE_SPI_OFF, args->u.d.spis,
- args->u.d.nspis * args->spi_sz);
+ args->u.d.nspis * args->spi_sz);
msg->flags |= MSG_PRIORITIZED;
break;
}
@@ -1601,8 +1633,8 @@ message_send_info(struct message * msg)
* set, free the message when ready with it.
*/
void
-message_drop(struct message * msg, int notify, struct proto * proto,
- int incoming, int clean)
+message_drop(struct message *msg, int notify, struct proto *proto, int incoming,
+ int clean)
{
struct transport *t = msg->transport;
struct sockaddr *dst;
@@ -1616,25 +1648,27 @@ message_drop(struct message * msg, int notify, struct proto * proto,
}
switch (dst->sa_family) {
case AF_INET:
- port = ((struct sockaddr_in *) dst)->sin_port;
+ port = ((struct sockaddr_in *)dst)->sin_port;
break;
case AF_INET6:
- port = ((struct sockaddr_in6 *) dst)->sin6_port;
+ port = ((struct sockaddr_in6 *)dst)->sin6_port;
break;
default:
- log_print("message_drop: unknown protocol family %d", dst->sa_family);
+ log_print("message_drop: unknown protocol family %d",
+ dst->sa_family);
}
log_print("dropped message from %s port %d due to notification type %s",
- address ? address : "<unknown>", htons(port),
- constant_name(isakmp_notify_cst, notify));
+ address ? address : "<unknown>", htons(port),
+ constant_name(isakmp_notify_cst, notify));
if (address)
free(address);
/* If specified, return a notification. */
if (notify)
- message_send_notification(msg, msg->isakmp_sa, notify, proto, incoming);
+ message_send_notification(msg, msg->isakmp_sa, notify, proto,
+ incoming);
if (clean)
message_free(msg);
}
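Review bot: The rewrapped log call still converts the port for display with `htons(port)`; the value comes from `sin_port`/`sin6_port`, which are in network byte order, so `ntohs(port)` is the call that states the intent (both are the same byte swap on every platform, so this is wording, not behaviour). In the `default:` arm of the switch `port` is logged after only a warning; if its declaration above the hunk does not initialize it, that log line prints an indeterminate value, which is worth confirming. The start of message_drop is outside this hunk.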
@@ -1644,9 +1678,9 @@ message_drop(struct message * msg, int notify, struct proto * proto,
* as we can without resorting to per-payload handling.
*/
void
-message_dump_raw(char *header, struct message * msg, int class)
+message_dump_raw(char *header, struct message *msg, int class)
{
- u_int32_t i, j, k = 0;
+ u_int32_t i, j, k = 0;
char buf[80], *p = buf;
LOG_DBG((class, 70, "%s: message %p", header, msg));
@@ -1654,7 +1688,7 @@ message_dump_raw(char *header, struct message * msg, int class)
for (i = 0; i < msg->iovlen; i++)
for (j = 0; j < msg->iov[i].iov_len; j++) {
snprintf(p, sizeof buf - (int) (p - buf), "%02x",
- ((u_int8_t *) msg->iov[i].iov_base)[j]);
+ ((u_int8_t *) msg->iov[i].iov_base)[j]);
p += 2;
if (++k % 32 == 0) {
*p = '\0';
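Review bot: The rewrapped cast `((u_int8_t *) msg->iov[i].iov_base)[j]` keeps a space after the closing parenthesis, while this same commit removes it elsewhere (`(struct sockaddr_in *)dst`, `(unsigned long)sz`), so the KNF pass leaves the file inconsistent. The same leftover space survives in the added lines `(unsigned long) sz` in message_encrypt, `(unsigned long) sizeof *transform_lens` in message_add_sa_payload, `(u_int8_t *) msg->iov[i].iov_base` in message_copy, `int fd, mode32 = (int32_t) mode;` in monitor_open, and in message.h the prototype `void (*) (struct message *)` sitting next to the freshly written `int (*)(struct exchange *, ...)`. Since the commit's stated purpose is KNF with no binary change, these can be normalized to `((u_int8_t *)msg->iov[i].iov_base)[j]` and likewise in the same pass. message_dump_raw continues outside the hunk.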
@@ -1669,7 +1703,7 @@ message_dump_raw(char *header, struct message * msg, int class)
}
static void
-message_packet_log(struct message * msg)
+message_packet_log(struct message *msg)
{
#ifdef USE_DEBUG
struct sockaddr *src, *dst;
@@ -1698,7 +1732,7 @@ message_packet_log(struct message * msg)
* we encrypt.
*/
static int
-message_encrypt(struct message * msg)
+message_encrypt(struct message *msg)
{
struct exchange *exchange = msg->exchange;
size_t i, sz = 0;
@@ -1709,23 +1743,24 @@ message_encrypt(struct message * msg)
return 0;
/*
- * For encryption we need to put all payloads together in a single buffer.
- * This buffer should be padded to the current crypto transform's blocksize.
+ * For encryption we need to put all payloads together in a single
+ * buffer. This buffer should be padded to the current crypto
+ * transform's blocksize.
*/
for (i = 1; i < msg->iovlen; i++)
sz += msg->iov[i].iov_len;
- sz = ((sz + exchange->crypto->blocksize - 1) / exchange->crypto->blocksize)
- * exchange->crypto->blocksize;
+ sz = ((sz + exchange->crypto->blocksize - 1) /
+ exchange->crypto->blocksize) * exchange->crypto->blocksize;
buf = realloc(msg->iov[1].iov_base, sz);
if (!buf) {
log_error("message_encrypt: realloc (%p, %lu) failed",
- msg->iov[1].iov_base, (unsigned long) sz);
+ msg->iov[1].iov_base, (unsigned long) sz);
return -1;
}
msg->iov[1].iov_base = buf;
for (i = 2; i < msg->iovlen; i++) {
memcpy(buf + msg->iov[1].iov_len, msg->iov[i].iov_base,
- msg->iov[i].iov_len);
+ msg->iov[i].iov_len);
msg->iov[1].iov_len += msg->iov[i].iov_len;
free(msg->iov[i].iov_base);
}
@@ -1736,8 +1771,7 @@ message_encrypt(struct message * msg)
msg->iovlen = 2;
SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base,
- GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base)
- | ISAKMP_FLAGS_ENC);
+ GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) | ISAKMP_FLAGS_ENC);
SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz);
crypto_encrypt(exchange->keystate, buf, msg->iov[1].iov_len);
msg->flags |= MSG_ENCRYPTED;
@@ -1753,7 +1787,7 @@ message_encrypt(struct message * msg)
* this specific SA.
*/
static int
-message_check_duplicate(struct message * msg)
+message_check_duplicate(struct message *msg)
{
struct exchange *exchange = msg->exchange;
size_t sz = msg->iov[0].iov_len;
@@ -1764,23 +1798,25 @@ message_check_duplicate(struct message * msg)
return 0;
LOG_DBG((LOG_MESSAGE, 90, "message_check_duplicate: last_received %p",
- exchange->last_received));
+ exchange->last_received));
if (exchange->last_received) {
LOG_DBG_BUF((LOG_MESSAGE, 95,
- "message_check_duplicate: last_received",
- exchange->last_received->orig,
- exchange->last_received->orig_sz));
+ "message_check_duplicate: last_received",
+ exchange->last_received->orig,
+ exchange->last_received->orig_sz));
/* Is it a duplicate, lose the new one. */
if (sz == exchange->last_received->orig_sz
&& memcmp(pkt, exchange->last_received->orig, sz) == 0) {
LOG_DBG((LOG_MESSAGE, 80,
- "message_check_duplicate: dropping dup"));
+ "message_check_duplicate: dropping dup"));
/*
- * Retransmit if the previos sent message was the last of an
- * exchange, otherwise just wait for the ordinary retransmission.
+ * Retransmit if the previos sent message was the last
+ * of an exchange, otherwise just wait for the
+ * ordinary retransmission.
*/
- if (exchange->last_sent && (exchange->last_sent->flags & MSG_LAST))
+ if (exchange->last_sent && (exchange->last_sent->flags
+ & MSG_LAST))
message_send(exchange->last_sent);
message_free(msg);
return -1;
@@ -1794,10 +1830,10 @@ message_check_duplicate(struct message * msg)
if (exchange->last_sent == exchange->in_transit) {
if (exchange->in_transit->flags & MSG_PRIORITIZED)
TAILQ_REMOVE(&exchange->in_transit->transport->prio_sendq,
- exchange->in_transit, link);
+ exchange->in_transit, link);
else
TAILQ_REMOVE(&exchange->in_transit->transport->sendq,
- exchange->in_transit, link);
+ exchange->in_transit, link);
exchange->in_transit = 0;
}
message_free(exchange->last_sent);
@@ -1808,8 +1844,7 @@ message_check_duplicate(struct message * msg)
/* Helper to message_negotiate_sa. */
static INLINE struct payload *
-step_transform(struct payload * tp, struct payload ** propp,
- struct payload ** sap)
+step_transform(struct payload *tp, struct payload **propp, struct payload **sap)
{
tp = TAILQ_NEXT(tp, link);
if (tp) {
@@ -1824,9 +1859,8 @@ step_transform(struct payload * tp, struct payload ** propp,
* SA payload) we accept as a full protection suite.
*/
int
-message_negotiate_sa(struct message * msg,
- int (*validate) (struct exchange *, struct sa *,
- struct sa *))
+message_negotiate_sa(struct message *msg, int (*validate)(struct exchange *,
+ struct sa *, struct sa *))
{
struct payload *tp, *propp, *sap, *next_tp = 0, *next_propp, *next_sap;
struct payload *saved_tp = 0, *saved_propp = 0, *saved_sap = 0;
@@ -1858,7 +1892,7 @@ message_negotiate_sa(struct message * msg,
sa = TAILQ_FIRST(&exchange->sa_list);
for (tp = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); tp;
- tp = next_tp) {
+ tp = next_tp) {
propp = tp->context;
sap = propp->context;
sap->flags |= PL_MARK;
@@ -1866,16 +1900,16 @@ message_negotiate_sa(struct message * msg,
/* For each transform, see if it is compatible. */
if (!attribute_map(tp->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- GET_ISAKMP_GEN_LENGTH(tp->p)
- - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
- exchange->doi->is_attribute_incompatible, msg)) {
- LOG_DBG((LOG_NEGOTIATION, 30,
- "message_negotiate_sa: "
- "transform %d proto %d proposal %d ok",
- GET_ISAKMP_TRANSFORM_NO(tp->p),
- GET_ISAKMP_PROP_PROTO(propp->p),
- GET_ISAKMP_PROP_NO(propp->p)));
- if (sa_add_transform(sa, tp, exchange->initiator, &proto))
+ GET_ISAKMP_GEN_LENGTH(tp->p) -
+ ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ exchange->doi->is_attribute_incompatible, msg)) {
+ LOG_DBG((LOG_NEGOTIATION, 30, "message_negotiate_sa: "
+ "transform %d proto %d proposal %d ok",
+ GET_ISAKMP_TRANSFORM_NO(tp->p),
+ GET_ISAKMP_PROP_PROTO(propp->p),
+ GET_ISAKMP_PROP_NO(propp->p)));
+ if (sa_add_transform(sa, tp, exchange->initiator,
+ &proto))
goto cleanup;
suite_ok_so_far = 1;
@@ -1883,8 +1917,8 @@ message_negotiate_sa(struct message * msg,
saved_propp = next_propp;
saved_sap = next_sap;
/* Skip to last transform of this protocol proposal. */
- while ((next_tp = step_transform(tp, &next_propp, &next_sap))
- && next_propp == propp)
+ while ((next_tp = step_transform(tp, &next_propp,
+ &next_sap)) && next_propp == propp)
tp = next_tp;
}
retry_transform:
@@ -1894,27 +1928,30 @@ retry_transform:
*/
if (next_tp && propp != next_propp && sap == next_sap
&& (GET_ISAKMP_PROP_NO(propp->p)
- == GET_ISAKMP_PROP_NO(next_propp->p))) {
+ == GET_ISAKMP_PROP_NO(next_propp->p))) {
if (!suite_ok_so_far) {
LOG_DBG((LOG_NEGOTIATION, 30,
- "message_negotiate_sa: proto %d proposal %d failed",
- GET_ISAKMP_PROP_PROTO(propp->p),
- GET_ISAKMP_PROP_NO(propp->p)));
+ "message_negotiate_sa: proto %d proposal "
+ "%d failed",
+ GET_ISAKMP_PROP_PROTO(propp->p),
+ GET_ISAKMP_PROP_NO(propp->p)));
/*
* Remove potentially succeeded choices from
* the SA.
*/
while (TAILQ_FIRST(&sa->protos))
- TAILQ_REMOVE(&sa->protos, TAILQ_FIRST(&sa->protos), link);
+ TAILQ_REMOVE(&sa->protos,
+ TAILQ_FIRST(&sa->protos), link);
/*
* Skip to the last transform of this
* protection suite.
*/
- while ((next_tp = step_transform(tp, &next_propp, &next_sap))
- && (GET_ISAKMP_PROP_NO(next_propp->p)
- == GET_ISAKMP_PROP_NO(propp->p))
- && next_sap == sap)
+ while ((next_tp = step_transform(tp,
+ &next_propp, &next_sap))
+ && (GET_ISAKMP_PROP_NO(next_propp->p)
+ == GET_ISAKMP_PROP_NO(propp->p))
+ && next_sap == sap)
tp = next_tp;
}
suite_ok_so_far = 0;
@@ -1924,33 +1961,35 @@ retry_transform:
* suite.
*/
if (!next_tp
- || (propp != next_propp
- && (GET_ISAKMP_PROP_NO(propp->p)
- != GET_ISAKMP_PROP_NO(next_propp->p)))
+ || (propp != next_propp && (GET_ISAKMP_PROP_NO(propp->p)
+ != GET_ISAKMP_PROP_NO(next_propp->p)))
|| sap != next_sap) {
/*
- * Check if the suite we just considered was OK, if so we check
- * it against the accepted ones.
+ * Check if the suite we just considered was OK, if so
+ * we check it against the accepted ones.
*/
if (suite_ok_so_far) {
- if (!validate || validate(exchange, sa, msg->isakmp_sa)) {
+ if (!validate || validate(exchange, sa,
+ msg->isakmp_sa)) {
LOG_DBG((LOG_NEGOTIATION, 30,
- "message_negotiate_sa: proposal %d succeeded",
- GET_ISAKMP_PROP_NO(propp->p)));
+ "message_negotiate_sa: proposal "
+ "%d succeeded",
+ GET_ISAKMP_PROP_NO(propp->p)));
/*
* Skip to the last transform of this
* SA.
*/
- while ((next_tp
- = step_transform(tp, &next_propp, &next_sap))
- && next_sap == sap)
+ while ((next_tp = step_transform(tp,
+ &next_propp, &next_sap))
+ && next_sap == sap)
tp = next_tp;
} else {
/* Backtrack. */
LOG_DBG((LOG_NEGOTIATION, 30,
- "message_negotiate_sa: proposal %d failed",
- GET_ISAKMP_PROP_NO(propp->p)));
+ "message_negotiate_sa: proposal "
+ "%d failed",
+ GET_ISAKMP_PROP_NO(propp->p)));
next_tp = saved_tp;
next_propp = saved_propp;
next_sap = saved_sap;
@@ -1961,8 +2000,9 @@ retry_transform:
* choices from the SA.
*/
while (TAILQ_FIRST(&sa->protos))
- TAILQ_REMOVE(&sa->protos, TAILQ_FIRST(&sa->protos),
- link);
+ TAILQ_REMOVE(&sa->protos,
+ TAILQ_FIRST(&sa->protos),
+ link);
goto retry_transform;
}
}
@@ -1971,12 +2011,15 @@ retry_transform:
if (!next_tp || sap != next_sap) {
if (!suite_ok_so_far) {
/*
- * XXX We cannot possibly call this a drop... seeing we just turn
- * down one of the offers, can we? I suggest renaming
- * message_drop to something else.
+ * XXX We cannot possibly call this a drop...
+ * seeing we just turn down one of the offers,
+ * can we? I suggest renaming message_drop to
+ * something else.
*/
- log_print("message_negotiate_sa: no compatible proposal found");
- message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ log_print("message_negotiate_sa: no "
+ "compatible proposal found");
+ message_drop(msg,
+ ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
}
sa = TAILQ_NEXT(sa, next);
}
@@ -1998,7 +2041,7 @@ cleanup:
* found in the exchange MSG is part of..
*/
int
-message_add_sa_payload(struct message * msg)
+message_add_sa_payload(struct message *msg)
{
struct exchange *exchange = msg->exchange;
u_int8_t *sa_buf, *saved_nextp_sa, *saved_nextp_prop;
@@ -2016,14 +2059,14 @@ message_add_sa_payload(struct message * msg)
* Generate SA payloads.
*/
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
- sa = TAILQ_NEXT(sa, next)) {
+ sa = TAILQ_NEXT(sa, next)) {
/* Setup a SA payload. */
sa_len = ISAKMP_SA_SIT_OFF + doi->situation_size();
extra_sa_len = 0;
sa_buf = malloc(sa_len);
if (!sa_buf) {
log_error("message_add_sa_payload: malloc (%lu) failed",
- (unsigned long) sa_len);
+ (unsigned long)sa_len);
goto cleanup;
}
SET_ISAKMP_SA_DOI(sa_buf, doi->id);
@@ -2032,7 +2075,7 @@ message_add_sa_payload(struct message * msg)
/* Count transforms. */
nprotos = 0;
for (proto = TAILQ_FIRST(&sa->protos); proto;
- proto = TAILQ_NEXT(proto, link))
+ proto = TAILQ_NEXT(proto, link))
nprotos++;
/*
@@ -2041,44 +2084,49 @@ message_add_sa_payload(struct message * msg)
*/
transforms = calloc(nprotos, sizeof *transforms);
if (!transforms) {
- log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos,
- (unsigned long) sizeof *transforms);
+ log_error("message_add_sa_payload: calloc (%d, %lu) "
+ "failed", nprotos,
+ (unsigned long)sizeof *transforms);
goto cleanup;
}
transform_lens = calloc(nprotos, sizeof *transform_lens);
if (!transform_lens) {
- log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos,
- (unsigned long) sizeof *transform_lens);
+ log_error("message_add_sa_payload: calloc (%d, %lu) "
+ "failed", nprotos,
+ (unsigned long) sizeof *transform_lens);
goto cleanup;
}
proposals = calloc(nprotos, sizeof *proposals);
if (!proposals) {
- log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos,
- (unsigned long) sizeof *proposals);
+ log_error("message_add_sa_payload: calloc (%d, %lu) "
+ "failed", nprotos,
+ (unsigned long)sizeof *proposals);
goto cleanup;
}
proposal_lens = calloc(nprotos, sizeof *proposal_lens);
if (!proposal_lens) {
- log_error("message_add_sa_payload: calloc (%d, %lu) failed", nprotos,
- (unsigned long) sizeof *proposal_lens);
+ log_error("message_add_sa_payload: calloc (%d, %lu) "
+ "failed", nprotos,
+ (unsigned long)sizeof *proposal_lens);
goto cleanup;
}
/* Pick out the chosen transforms. */
for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto;
- proto = TAILQ_NEXT(proto, link), i++) {
- transform_lens[i] = GET_ISAKMP_GEN_LENGTH(proto->chosen->p);
+ proto = TAILQ_NEXT(proto, link), i++) {
+ transform_lens[i] =
+ GET_ISAKMP_GEN_LENGTH(proto->chosen->p);
transforms[i] = malloc(transform_lens[i]);
if (!transforms[i]) {
- log_error("message_add_sa_payload: malloc (%lu) failed",
- (unsigned long) transform_lens[i]);
+ log_error("message_add_sa_payload: malloc "
+ "(%lu) failed",
+ (unsigned long)transform_lens[i]);
goto cleanup;
}
/* Get incoming SPI from application. */
if (doi->get_spi) {
spi = doi->get_spi(&spi_sz,
- GET_ISAKMP_PROP_PROTO(proto->chosen
- ->context->p),
- msg);
+ GET_ISAKMP_PROP_PROTO(proto->chosen->context->p),
+ msg);
if (spi_sz && !spi)
goto cleanup;
proto->spi[1] = spi;
@@ -2089,17 +2137,20 @@ message_add_sa_payload(struct message * msg)
proposal_lens[i] = ISAKMP_PROP_SPI_OFF + spi_sz;
proposals[i] = malloc(proposal_lens[i]);
if (!proposals[i]) {
- log_error("message_add_sa_payload: malloc (%lu) failed",
- (unsigned long) proposal_lens[i]);
+ log_error("message_add_sa_payload: malloc "
+ "(%lu) failed",
+ (unsigned long)proposal_lens[i]);
goto cleanup;
}
- memcpy(transforms[i], proto->chosen->p, transform_lens[i]);
+ memcpy(transforms[i], proto->chosen->p,
+ transform_lens[i]);
memcpy(proposals[i], proto->chosen->context->p,
- ISAKMP_PROP_SPI_OFF);
+ ISAKMP_PROP_SPI_OFF);
SET_ISAKMP_PROP_NTRANSFORMS(proposals[i], 1);
SET_ISAKMP_PROP_SPI_SZ(proposals[i], spi_sz);
if (spi_sz)
- memcpy(proposals[i] + ISAKMP_PROP_SPI_OFF, spi, spi_sz);
+ memcpy(proposals[i] + ISAKMP_PROP_SPI_OFF, spi,
+ spi_sz);
extra_sa_len += proposal_lens[i] + transform_lens[i];
}
@@ -2108,24 +2159,25 @@ message_add_sa_payload(struct message * msg)
* lengths of the payloads containing others. We also need to
* reset these payload's "next payload type" field.
*/
- if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf,
+ sa_len, 1))
goto cleanup;
SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + extra_sa_len);
sa_buf = 0;
saved_nextp_sa = msg->nextp;
for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto;
- proto = TAILQ_NEXT(proto, link), i++) {
- if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, proposals[i],
- proposal_lens[i], i > 1))
+ proto = TAILQ_NEXT(proto, link), i++) {
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL,
+ proposals[i], proposal_lens[i], i > 1))
goto cleanup;
- SET_ISAKMP_GEN_LENGTH(proposals[i],
- proposal_lens[i] + transform_lens[i]);
+ SET_ISAKMP_GEN_LENGTH(proposals[i], proposal_lens[i] +
+ transform_lens[i]);
proposals[i] = 0;
saved_nextp_prop = msg->nextp;
if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM,
- transforms[i], transform_lens[i], 0))
+ transforms[i], transform_lens[i], 0))
goto cleanup;
msg->nextp = saved_nextp_prop;
transforms[i] = 0;
@@ -2164,8 +2216,8 @@ cleanup:
* Return a copy of MSG's constants starting from OFFSET and stash the size
* in SZP. It is the callers responsibility to free this up.
*/
-u_int8_t *
-message_copy(struct message * msg, size_t offset, size_t * szp)
+u_int8_t *
+message_copy(struct message *msg, size_t offset, size_t *szp)
{
int skip = 0;
size_t i, sz = 0;
@@ -2189,7 +2241,7 @@ message_copy(struct message * msg, size_t offset, size_t * szp)
p = buf;
for (i = skip + 1; i < msg->iovlen; i++) {
memcpy(p, (u_int8_t *) msg->iov[i].iov_base + start,
- msg->iov[i].iov_len - start);
+ msg->iov[i].iov_len - start);
p += msg->iov[i].iov_len - start;
start = 0;
}
@@ -2198,8 +2250,8 @@ message_copy(struct message * msg, size_t offset, size_t * szp)
/* Register a post-send function POST_SEND with message MSG. */
int
-message_register_post_send(struct message * msg,
- void (*post_send) (struct message *))
+message_register_post_send(struct message *msg,
+ void (*post_send)(struct message *))
{
struct post_send *node;
@@ -2213,7 +2265,7 @@ message_register_post_send(struct message * msg,
/* Run the post-send functions of message MSG. */
void
-message_post_send(struct message * msg)
+message_post_send(struct message *msg)
{
struct post_send *node;
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index 45fdfb30835..63c2571cd06 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.18 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: message.h,v 1.19 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -55,7 +55,8 @@ struct payload {
u_int8_t *p;
/*
- * A pointer to the parent payload, used for proposal and transform payloads.
+ * A pointer to the parent payload, used for proposal and transform
+ * payloads.
*/
struct payload *context;
@@ -88,7 +89,8 @@ struct message {
u_int flags;
/*
- * This is the transport the message either arrived on or will be sent to.
+ * This is the transport the message either arrived on or will be sent
+ * to.
*/
struct transport *transport;
@@ -102,11 +104,12 @@ struct message {
struct exchange *exchange;
/*
- * A segmented buffer structure holding the messages raw contents. On input
- * only segment 0 will be filled, holding all of the message. On output, as
- * long as the message body is unencrypted each segment will be one payload,
- * after encryption segment 0 will be the unencrypted header, and segment 1
- * will be the encrypted payloads, all of them.
+ * A segmented buffer structure holding the messages raw contents. On
+ * input only segment 0 will be filled, holding all of the message.
+ * On output, as long as the message body is unencrypted each segment
+ * will be one payload, after encryption segment 0 will be the
+ * unencrypted header, and segment 1 will be the encrypted payloads,
+ * all of them.
*/
struct iovec *iov;
@@ -117,7 +120,7 @@ struct message {
u_int8_t *nextp;
/* "Smart" pointers to each payload, sorted by type. */
- TAILQ_HEAD(payload_head, payload) payload[ISAKMP_PAYLOAD_RESERVED_MIN];
+ TAILQ_HEAD(payload_head, payload) payload[ISAKMP_PAYLOAD_RESERVED_MIN];
/* Number of times this message has been sent. */
int xmits;
@@ -125,7 +128,7 @@ struct message {
/* The timeout event causing retransmission of this message. */
struct event *retrans;
- /* The (possibly encrypted) message text, used for duplicate testing. */
+ /* The (possibly encrypted) message text, used for duplicate testing. */
u_int8_t *orig;
size_t orig_sz;
@@ -139,7 +142,7 @@ struct message {
* Hooks for stuff needed to be done after the message has gone out to
* the wire.
*/
- TAILQ_HEAD(post_send_head, post_send) post_send;
+ TAILQ_HEAD(post_send_head, post_send) post_send;
};
/* Message flags. */
@@ -162,8 +165,7 @@ struct message {
TAILQ_HEAD(msg_head, message);
-extern int
-message_add_payload(struct message *, u_int8_t, u_int8_t *,
+extern int message_add_payload(struct message *, u_int8_t, u_int8_t *,
size_t, int);
extern int message_add_sa_payload(struct message *);
extern struct message *message_alloc(struct transport *, u_int8_t *, size_t);
@@ -172,21 +174,19 @@ extern u_int8_t *message_copy(struct message *, size_t, size_t *);
extern void message_drop(struct message *, int, struct proto *, int, int);
extern void message_dump_raw(char *, struct message *, int);
extern void message_free(struct message *);
-extern int
-message_negotiate_sa(struct message *,
- int (*) (struct exchange *, struct sa *,
- struct sa *));
- extern int message_recv(struct message *);
- extern int message_register_post_send(struct message *,
- void (*) (struct message *));
- extern void message_post_send(struct message *);
- extern void message_send(struct message *);
- extern void message_send_expire(struct message *);
- extern void message_send_delete(struct sa *);
- extern int message_send_info(struct message *);
- extern void message_send_notification(struct message *, struct sa *,
- u_int16_t, struct proto *, int);
- extern void message_setup_header(struct message *, u_int8_t, u_int8_t,
- u_int8_t *);
+extern int message_negotiate_sa(struct message *,
+ int (*)(struct exchange *, struct sa *, struct sa *));
+extern int message_recv(struct message *);
+extern int message_register_post_send(struct message *,
+ void (*) (struct message *));
+extern void message_post_send(struct message *);
+extern void message_send(struct message *);
+extern void message_send_expire(struct message *);
+extern void message_send_delete(struct sa *);
+extern int message_send_info(struct message *);
+extern void message_send_notification(struct message *, struct sa *,
+ u_int16_t, struct proto *, int);
+extern void message_setup_header(struct message *, u_int8_t, u_int8_t,
+ u_int8_t *);
#endif /* _MESSAGE_H_ */
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index a1604bb493f..0fe3a0190e0 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.20 2004/05/10 18:34:15 deraadt Exp $ */
+/* $OpenBSD: monitor.c,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -117,10 +117,12 @@ monitor_init(void)
log_fatal("monitor_init: chroot failed");
if (setgid(pw->pw_gid) != 0)
- log_fatal("monitor_init: setgid(%d) failed", pw->pw_gid);
+ log_fatal("monitor_init: setgid(%d) failed",
+ pw->pw_gid);
if (setuid(pw->pw_uid) != 0)
- log_fatal("monitor_init: setuid(%d) failed", pw->pw_uid);
+ log_fatal("monitor_init: setuid(%d) failed",
+ pw->pw_uid);
LOG_DBG((LOG_MISC, 10,
"monitor_init: privileges dropped for child process"));
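Review bot: The privilege drop here calls `setgid()` and then `setuid()`, but no `setgroups()` appears in the hunk, so unless it is done above the hunk the child keeps the supplementary groups of the invoking user after the chroot and uid change. Adding `if (setgroups(1, &pw->pw_gid) != 0) log_fatal("monitor_init: setgroups failed");` immediately before the `setgid()` call closes that gap and matches the surrounding log_fatal style. The order must stay setgroups, setgid, setuid, since neither of the first two can succeed once the uid has been dropped. The start of monitor_init is outside this hunk.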
@@ -134,14 +136,15 @@ monitor_init(void)
int
monitor_open(const char *path, int flags, mode_t mode)
{
- int fd, mode32 = (int32_t) mode;
- int32_t err;
- char realpath[MAXPATHLEN];
+ int fd, mode32 = (int32_t) mode;
+ int32_t err;
+ char realpath[MAXPATHLEN];
if (path[0] == '/')
strlcpy(realpath, path, sizeof realpath);
else
- snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, path);
+ snprintf(realpath, sizeof realpath, "%s/%s", m_state.root,
+ path);
/* Write data to priv process. */
if (m_write_int32(m_state.s, MONITOR_GET_FD))
@@ -180,8 +183,8 @@ errout:
FILE *
monitor_fopen(const char *path, const char *mode)
{
- FILE *fp;
- int fd, flags = 0, mask, saved_errno;
+ FILE *fp;
+ int fd, flags = 0, mask, saved_errno;
/* Only the child process is supposed to run this. */
if (m_state.pid)
@@ -192,10 +195,12 @@ monitor_fopen(const char *path, const char *mode)
flags = (mode[1] == '+' ? O_RDWR : O_RDONLY);
break;
case 'w':
- flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | O_TRUNC;
+ flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT |
+ O_TRUNC;
break;
case 'a':
- flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | O_APPEND;
+ flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT |
+ O_APPEND;
break;
default:
log_fatal("monitor_fopen: bad call");
@@ -239,33 +244,33 @@ monitor_stat(const char *path, struct stat *sb)
int
monitor_socket(int domain, int type, int protocol)
{
- int s;
- int32_t err;
+ int s;
+ int32_t err;
if (m_write_int32(m_state.s, MONITOR_GET_SOCKET))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) domain))
+ if (m_write_int32(m_state.s, (int32_t)domain))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) type))
+ if (m_write_int32(m_state.s, (int32_t)type))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) protocol))
+ if (m_write_int32(m_state.s, (int32_t)protocol))
goto errout;
if (m_read_int32(m_state.s, &err))
goto errout;
if (err != 0) {
- errno = (int) err;
+ errno = (int)err;
return -1;
}
/* Read result. */
s = mm_receive_fd(m_state.s);
if (s < 0) {
log_error("monitor_socket: mm_receive_fd () failed: %s",
- strerror(errno));
+ strerror(errno));
return -1;
}
return s;
@@ -277,34 +282,34 @@ errout:
int
monitor_setsockopt(int s, int level, int optname, const void *optval,
- socklen_t optlen)
+ socklen_t optlen)
{
- int32_t ret, err;
+ int32_t ret, err;
if (m_write_int32(m_state.s, MONITOR_SETSOCKOPT))
goto errout;
if (mm_send_fd(m_state.s, s))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) level))
+ if (m_write_int32(m_state.s, (int32_t)level))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) optname))
+ if (m_write_int32(m_state.s, (int32_t)optname))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) optlen))
+ if (m_write_int32(m_state.s, (int32_t)optlen))
goto errout;
- if (m_write_raw(m_state.s, (char *) optval, (size_t) optlen))
+ if (m_write_raw(m_state.s, (char *)optval, (size_t)optlen))
goto errout;
if (m_read_int32(m_state.s, &err))
goto errout;
if (err != 0)
- errno = (int) err;
+ errno = (int)err;
if (m_read_int32(m_state.s, &ret))
goto errout;
- return (int) ret;
+ return (int)ret;
errout:
log_print("monitor_setsockopt: read/write error");
@@ -314,28 +319,28 @@ errout:
int
monitor_bind(int s, const struct sockaddr *name, socklen_t namelen)
{
- int32_t ret, err;
+ int32_t ret, err;
if (m_write_int32(m_state.s, MONITOR_BIND))
goto errout;
if (mm_send_fd(m_state.s, s))
goto errout;
- if (m_write_int32(m_state.s, (int32_t) namelen))
+ if (m_write_int32(m_state.s, (int32_t)namelen))
goto errout;
- if (m_write_raw(m_state.s, (char *) name, (size_t) namelen))
+ if (m_write_raw(m_state.s, (char *)name, (size_t)namelen))
goto errout;
if (m_read_int32(m_state.s, &err))
goto errout;
if (err != 0)
- errno = (int) err;
+ errno = (int)err;
if (m_read_int32(m_state.s, &ret))
goto errout;
- return (int) ret;
+ return (int)ret;
errout:
log_print("monitor_bind: read/write error");
@@ -345,8 +350,8 @@ errout:
int
monitor_mkfifo(const char *path, mode_t mode)
{
- int32_t ret, err;
- char realpath[MAXPATHLEN];
+ int32_t ret, err;
+ char realpath[MAXPATHLEN];
/* Only the child process is supposed to run this. */
if (m_state.pid)
@@ -355,7 +360,8 @@ monitor_mkfifo(const char *path, mode_t mode)
if (path[0] == '/')
strlcpy(realpath, path, sizeof realpath);
else
- snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, path);
+ snprintf(realpath, sizeof realpath, "%s/%s", m_state.root,
+ path);
if (m_write_int32(m_state.s, MONITOR_MKFIFO))
goto errout;
@@ -363,7 +369,7 @@ monitor_mkfifo(const char *path, mode_t mode)
if (m_write_raw(m_state.s, realpath, strlen(realpath) + 1))
goto errout;
- ret = (int32_t) mode;
+ ret = (int32_t)mode;
if (m_write_int32(m_state.s, ret))
goto errout;
@@ -371,12 +377,12 @@ monitor_mkfifo(const char *path, mode_t mode)
goto errout;
if (err != 0)
- errno = (int) err;
+ errno = (int)err;
if (m_read_int32(m_state.s, &ret))
goto errout;
- return (int) ret;
+ return (int)ret;
errout:
log_print("monitor_mkfifo: read/write error");
@@ -401,11 +407,11 @@ monitor_opendir(const char *path)
}
/* Now build a list with all dirents from fd. */
if (fstat(fd, &sb) < 0) {
- (void) close(fd);
+ (void)close(fd);
return NULL;
}
if (!S_ISDIR(sb.st_mode)) {
- (void) close(fd);
+ (void)close(fd);
errno = EACCES;
return NULL;
}
@@ -415,21 +421,21 @@ monitor_opendir(const char *path)
buf = calloc(bufsize, sizeof(char));
if (buf == NULL) {
- (void) close(fd);
+ (void)close(fd);
errno = EACCES;
return NULL;
}
nbytes = getdirentries(fd, buf, bufsize, &base);
if (nbytes <= 0) {
- (void) close(fd);
+ (void)close(fd);
free(buf);
errno = EACCES;
return NULL;
}
- (void) close(fd);
+ (void)close(fd);
for (entries = 0, cp = buf; cp < buf + nbytes;) {
- dp = (struct dirent *) cp;
+ dp = (struct dirent *)cp;
cp += dp->d_reclen;
entries++;
}
@@ -450,7 +456,7 @@ monitor_opendir(const char *path)
direntries->current = 0;
for (entries = 0, cp = buf; cp < buf + nbytes;) {
- dp = (struct dirent *) cp;
+ dp = (struct dirent *)cp;
direntries->dirents[entries++] = dp;
cp += dp->d_reclen;
}
@@ -500,7 +506,7 @@ monitor_got_sigchld(int sig)
static void
sig_pass_to_chld(int sig)
{
- int oerrno = errno;
+ int oerrno = errno;
if (m_state.pid != -1)
kill(m_state.pid, sig);
@@ -511,10 +517,10 @@ sig_pass_to_chld(int sig)
void
monitor_loop(int debugging)
{
- pid_t pid;
- fd_set *fds;
- size_t fdsn;
- int n, maxfd;
+ pid_t pid;
+ fd_set *fds;
+ size_t fdsn;
+ int n, maxfd;
if (!debugging)
log_to(0);
@@ -522,7 +528,7 @@ monitor_loop(int debugging)
maxfd = m_state.s + 1;
fdsn = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
- fds = (fd_set *) malloc(fdsn);
+ fds = (fd_set *)malloc(fdsn);
if (!fds) {
kill(m_state.pid, SIGTERM);
log_fatal("monitor_loop: malloc (%lu) failed",
@@ -539,8 +545,8 @@ monitor_loop(int debugging)
while (cur_state < STATE_QUIT) {
/*
- * Currently, there is no need for us to hang around if the child
- * is in the process of shutting down.
+ * Currently, there is no need for us to hang around if the
+ * child is in the process of shutting down.
*/
if (sigtermed || sigchlded) {
if (sigtermed)
@@ -573,7 +579,7 @@ monitor_loop(int debugging)
}
} else if (n)
if (FD_ISSET(m_state.s, fds)) {
- int32_t msgcode;
+ int32_t msgcode;
if (m_read_int32(m_state.s, &msgcode))
m_flush(m_state.s);
else
@@ -631,10 +637,10 @@ monitor_loop(int debugging)
static void
m_priv_getfd(int s)
{
- char path[MAXPATHLEN];
- int32_t v, err;
- int flags;
- mode_t mode;
+ char path[MAXPATHLEN];
+ int32_t v, err;
+ int flags;
+ mode_t mode;
/*
* We expect the following data on the socket:
@@ -649,7 +655,7 @@ m_priv_getfd(int s)
if (m_read_int32(s, &v))
goto errout;
- flags = (int) v;
+ flags = (int)v;
if (m_read_int32(s, &v))
goto errout;
@@ -660,9 +666,9 @@ m_priv_getfd(int s)
v = -1;
} else {
err = 0;
- v = (int32_t) open(path, flags, mode);
+ v = (int32_t)open(path, flags, mode);
if (v < 0)
- err = (int32_t) errno;
+ err = (int32_t)errno;
}
if (m_write_int32(s, err))
@@ -684,25 +690,25 @@ errout:
static void
m_priv_getsocket(int s)
{
- int domain, type, protocol;
- int32_t v, err;
+ int domain, type, protocol;
+ int32_t v, err;
if (m_read_int32(s, &v))
goto errout;
- domain = (int) v;
+ domain = (int)v;
if (m_read_int32(s, &v))
goto errout;
- type = (int) v;
+ type = (int)v;
if (m_read_int32(s, &v))
goto errout;
- protocol = (int) v;
+ protocol = (int)v;
err = 0;
- v = (int32_t) socket(domain, type, protocol);
+ v = (int32_t)socket(domain, type, protocol);
if (v < 0)
- err = (int32_t) errno;
+ err = (int32_t)errno;
if (m_write_int32(s, err))
goto errout;
@@ -723,10 +729,10 @@ errout:
static void
m_priv_setsockopt(int s)
{
- int sock, level, optname;
- char *optval = 0;
- socklen_t optlen;
- int32_t v, err;
+ int sock, level, optname;
+ char *optval = 0;
+ socklen_t optlen;
+ int32_t v, err;
sock = mm_receive_fd(s);
if (sock < 0)
@@ -741,7 +747,7 @@ m_priv_setsockopt(int s)
if (m_read_int32(s, &optlen))
goto errout;
- optval = (char *) malloc(optlen);
+ optval = (char *)malloc(optlen);
if (!optval)
goto errout;
@@ -753,9 +759,9 @@ m_priv_setsockopt(int s)
v = -1;
} else {
err = 0;
- v = (int32_t) setsockopt(sock, level, optname, optval, optlen);
+ v = (int32_t)setsockopt(sock, level, optname, optval, optlen);
if (v < 0)
- err = (int32_t) errno;
+ err = (int32_t)errno;
}
close(sock);
@@ -783,10 +789,10 @@ errout:
static void
m_priv_bind(int s)
{
- int sock;
+ int sock;
struct sockaddr *name = 0;
- socklen_t namelen;
- int32_t v, err;
+ socklen_t namelen;
+ int32_t v, err;
sock = mm_receive_fd(s);
if (sock < 0)
@@ -796,11 +802,11 @@ m_priv_bind(int s)
goto errout;
namelen = (socklen_t) v;
- name = (struct sockaddr *) malloc(namelen);
+ name = (struct sockaddr *)malloc(namelen);
if (!name)
goto errout;
- if (m_read_raw(s, (char *) name, (size_t) namelen))
+ if (m_read_raw(s, (char *)name, (size_t)namelen))
goto errout;
if (m_priv_check_bind(name, namelen) != 0) {
@@ -808,11 +814,11 @@ m_priv_bind(int s)
v = -1;
} else {
err = 0;
- v = (int32_t) bind(sock, name, namelen);
+ v = (int32_t)bind(sock, name, namelen);
if (v < 0) {
log_error("m_priv_bind: bind(%d,%p,%d) returned %d",
- sock, name, namelen, v);
- err = (int32_t) errno;
+ sock, name, namelen, v);
+ err = (int32_t)errno;
}
}
@@ -841,9 +847,9 @@ errout:
static void
m_priv_mkfifo(int s)
{
- char path[MAXPATHLEN];
- mode_t mode;
- int32_t v, err;
+ char path[MAXPATHLEN];
+ mode_t mode;
+ int32_t v, err;
if (m_read_raw(s, path, MAXPATHLEN))
goto errout;
@@ -856,18 +862,19 @@ m_priv_mkfifo(int s)
* ui_fifo is set before creation of the unpriv'ed child. So path
* should exactly match ui_fifo. It's also restricted to /var/run.
*/
- if (m_priv_local_sanitize_path(path, sizeof path, O_RDWR) != 0 ||
- strncmp(ui_fifo, path, strlen(ui_fifo))) {
+ if (m_priv_local_sanitize_path(path, sizeof path, O_RDWR) != 0
+ || strncmp(ui_fifo, path, strlen(ui_fifo))) {
err = EACCES;
v = -1;
} else {
unlink(path); /* XXX See ui.c:ui_init() */
err = 0;
- v = (int32_t) mkfifo(path, mode);
+ v = (int32_t)mkfifo(path, mode);
if (v) {
- log_error("m_priv_mkfifo: mkfifo(\"%s\", %o) failed", path, mode);
- err = (int32_t) errno;
+ log_error("m_priv_mkfifo: mkfifo(\"%s\", %o) failed",
+ path, mode);
+ err = (int32_t)errno;
}
}
@@ -892,7 +899,8 @@ errout:
int
m_write_int32(int s, int32_t value)
{
- u_int32_t v;
+ u_int32_t v;
+
memcpy(&v, &value, sizeof v);
return (write(s, &v, sizeof v) == -1);
}
@@ -909,7 +917,8 @@ m_write_raw(int s, char *data, size_t dlen)
int
m_read_int32(int s, int32_t *value)
{
- u_int32_t v;
+ u_int32_t v;
+
if (read(s, &v, sizeof v) != sizeof v)
return 1;
memcpy(value, &v, sizeof v);
@@ -919,8 +928,9 @@ m_read_int32(int s, int32_t *value)
int
m_read_raw(int s, char *data, size_t maxlen)
{
- u_int32_t v;
- int r;
+ u_int32_t v;
+ int r;
+
if (m_read_int32(s, &v))
return 1;
if (v > maxlen)
@@ -933,7 +943,7 @@ m_read_raw(int s, char *data, size_t maxlen)
void
m_flush(int s)
{
- u_int8_t tmp;
+ u_int8_t tmp;
int one = 1;
ioctl(s, FIONBIO, &one);/* Non-blocking */
@@ -945,7 +955,7 @@ m_flush(int s)
static int
m_priv_local_sanitize_path(char *path, size_t pmax, int flags)
{
- char *p;
+ char *p;
/*
* We only permit paths starting with
@@ -957,7 +967,7 @@ m_priv_local_sanitize_path(char *path, size_t pmax, int flags)
goto bad_path;
/* Any path containing '..' is invalid. */
- for (p = path; *p && (p - path) < (int) pmax; p++)
+ for (p = path; *p && (p - path) < (int)pmax; p++)
if (*p == '.' && *(p + 1) == '.')
goto bad_path;
@@ -1027,9 +1037,9 @@ m_priv_check_bind(const struct sockaddr *sa, socklen_t salen)
log_print("NULL address");
return 1;
}
- if (sysdep_sa_len((struct sockaddr *) sa) != salen) {
+ if (sysdep_sa_len((struct sockaddr *)sa) != salen) {
log_print("Length mismatch: %d %d",
- (int) sysdep_sa_len((struct sockaddr *) sa), (int) salen);
+ (int)sysdep_sa_len((struct sockaddr *)sa), (int)salen);
return 1;
}
switch (sa->sa_family) {
@@ -1038,14 +1048,14 @@ m_priv_check_bind(const struct sockaddr *sa, socklen_t salen)
log_print("Invalid inet address length");
return 1;
}
- port = ((const struct sockaddr_in *) sa)->sin_port;
+ port = ((const struct sockaddr_in *)sa)->sin_port;
break;
case AF_INET6:
if (salen != sizeof(struct sockaddr_in6)) {
log_print("Invalid inet6 address length");
return 1;
}
- port = ((const struct sockaddr_in6 *) sa)->sin6_port;
+ port = ((const struct sockaddr_in6 *)sa)->sin6_port;
break;
default:
log_print("Unknown address family");
@@ -1066,10 +1076,11 @@ static void
m_priv_increase_state(int state)
{
if (state <= cur_state)
- log_print("m_priv_increase_state: attempt to decrase state or match "
- "current state");
+ log_print("m_priv_increase_state: attempt to decrase state "
+ "or match current state");
if (state < STATE_INIT || state > STATE_QUIT)
- log_print("m_priv_increase_state: attempt to switch to invalid state");
+ log_print("m_priv_increase_state: attempt to switch to "
+ "invalid state");
cur_state = state;
}
@@ -1077,6 +1088,7 @@ static void
m_priv_test_state(int state)
{
if (cur_state != state)
- log_print("m_priv_test_state: Illegal state: %d != %d", cur_state, state);
+ log_print("m_priv_test_state: Illegal state: %d != %d",
+ cur_state, state);
return;
}
diff --git a/sbin/isakmpd/monitor_fdpass.c b/sbin/isakmpd/monitor_fdpass.c
index 0a1e3065c4d..8031416e7e4 100644
--- a/sbin/isakmpd/monitor_fdpass.c
+++ b/sbin/isakmpd/monitor_fdpass.c
@@ -47,7 +47,7 @@ mm_send_fd(int socket, int fd)
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
- *(int *) CMSG_DATA(cmsg) = fd;
+ *(int *)CMSG_DATA(cmsg) = fd;
vec.iov_base = &ch;
vec.iov_len = 1;
@@ -60,7 +60,7 @@ mm_send_fd(int socket, int fd)
}
if (n != 1) {
log_error("%s: sendmsg: expected sent 1 got %ld",
- __func__, (long) n);
+ __func__, (long)n);
return -1;
}
return 0;
@@ -90,7 +90,7 @@ mm_receive_fd(int socket)
}
if (n != 1) {
log_error("%s: recvmsg: expected received 1 got %ld", __func__,
- (long) n);
+ (long)n);
return -1;
}
cmsg = CMSG_FIRSTHDR(&msg);
@@ -99,6 +99,6 @@ mm_receive_fd(int socket)
cmsg->cmsg_type);
return -1;
}
- fd = (*(int *) CMSG_DATA(cmsg));
+ fd = (*(int *)CMSG_DATA(cmsg));
return fd;
}
diff --git a/sbin/isakmpd/pf_key_v2.h b/sbin/isakmpd/pf_key_v2.h
index f3abff45963..f6f3711f100 100644
--- a/sbin/isakmpd/pf_key_v2.h
+++ b/sbin/isakmpd/pf_key_v2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.h,v 1.9 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: pf_key_v2.h,v 1.10 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -42,15 +42,12 @@ struct sockaddr;
extern void pf_key_v2_connection_check(char *);
extern int pf_key_v2_delete_spi(struct sa *, struct proto *, int);
extern int pf_key_v2_enable_sa(struct sa *, struct sa *);
-extern int
-pf_key_v2_enable_spi(in_addr_t, in_addr_t, in_addr_t, in_addr_t,
- u_int8_t *, u_int8_t, in_addr_t);
-extern u_int8_t *
-pf_key_v2_get_spi(size_t *, u_int8_t, struct sockaddr *,
- struct sockaddr *, u_int32_t);
-extern int
-pf_key_v2_group_spis(struct sa *, struct proto *, struct proto *,
- int);
+extern int pf_key_v2_enable_spi(in_addr_t, in_addr_t, in_addr_t,
+ in_addr_t, u_int8_t *, u_int8_t, in_addr_t);
+extern u_int8_t *pf_key_v2_get_spi(size_t *, u_int8_t, struct sockaddr *,
+ struct sockaddr *, u_int32_t);
+extern int pf_key_v2_group_spis(struct sa *, struct proto *,
+ struct proto *, int);
extern void pf_key_v2_handler(int);
extern int pf_key_v2_open(void);
extern int pf_key_v2_set_spi(struct sa *, struct proto *, int, struct sa *);
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index e2fb68512a7..1b3516399f2 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.72 2004/05/23 16:14:22 deraadt Exp $ */
+/* $OpenBSD: policy.c,v 1.73 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -81,7 +81,7 @@ static const char hextab[] = {
* Adaptation of Vixie's inet_ntop4 ()
*/
static const char *
-my_inet_ntop4(const in_addr_t * src, char *dst, size_t size, int normalize)
+my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize)
{
static const char fmt[] = "%03u.%03u.%03u.%03u";
char tmp[sizeof "255.255.255.255"];
@@ -107,10 +107,10 @@ my_inet_ntop6(const unsigned char *src, char *dst, size_t size)
{
static const char fmt[] =
"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x";
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
+ char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
- if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], src[4],
- src[5], src[6], src[7], src[8], src[9], src[10], src[11],
+ if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3],
+ src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11],
src[12], src[13], src[14], src[15]) > (int)size) {
errno = ENOSPC;
return 0;
@@ -209,10 +209,14 @@ policy_callback(char *name)
memset(esp_key_rounds, 0, sizeof esp_key_rounds);
memset(comp_dict_size, 0, sizeof comp_dict_size);
memset(comp_private_alg, 0, sizeof comp_private_alg);
- memset(remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper);
- memset(remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower);
- memset(local_filter_addr_upper, 0, sizeof local_filter_addr_upper);
- memset(local_filter_addr_lower, 0, sizeof local_filter_addr_lower);
+ memset(remote_filter_addr_upper, 0,
+ sizeof remote_filter_addr_upper);
+ memset(remote_filter_addr_lower, 0,
+ sizeof remote_filter_addr_lower);
+ memset(local_filter_addr_upper, 0,
+ sizeof local_filter_addr_upper);
+ memset(local_filter_addr_lower, 0,
+ sizeof local_filter_addr_lower);
memset(remote_id_addr_upper, 0, sizeof remote_id_addr_upper);
memset(remote_id_addr_lower, 0, sizeof remote_id_addr_lower);
memset(ah_group_desc, 0, sizeof ah_group_desc);
@@ -236,7 +240,8 @@ policy_callback(char *name)
pfs = "yes";
is = policy_isakmp_sa->data;
- snprintf(phase1_group, sizeof phase1_group, "%u", is->group_desc);
+ snprintf(phase1_group, sizeof phase1_group, "%u",
+ is->group_desc);
for (proto = TAILQ_FIRST(&policy_sa->protos); proto;
proto = TAILQ_NEXT(proto, link)) {
@@ -353,7 +358,8 @@ policy_callback(char *name)
break;
}
- for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF;
+ for (attr = proto->chosen->p +
+ ISAKMP_TRANSFORM_SA_ATTRS_OFF;
attr < proto->chosen->p +
GET_ISAKMP_GEN_LENGTH(proto->chosen->p);
attr = value + len) {
@@ -365,7 +371,8 @@ policy_callback(char *name)
type = GET_ISAKMP_ATTR_TYPE(attr);
fmt = ISAKMP_ATTR_FORMAT(type);
type = ISAKMP_ATTR_TYPE(type);
- value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF :
+ value = attr + (fmt ?
+ ISAKMP_ATTR_LENGTH_VALUE_OFF :
ISAKMP_ATTR_VALUE_OFF);
len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN :
GET_ISAKMP_ATTR_LENGTH_VALUE(attr));
@@ -1781,15 +1788,15 @@ policy_init(void)
/* Allocate memory to keep policies. */
ptr = calloc(sz + 1, sizeof(char));
if (!ptr)
- log_fatal("policy_init: calloc (%lu, %lu) failed", (unsigned long)sz + 1,
- (unsigned long)sizeof(char));
+ log_fatal("policy_init: calloc (%lu, %lu) failed",
+ (unsigned long)sz + 1, (unsigned long)sizeof(char));
/* Just in case there are short reads... */
for (len = 0; len < sz; len += i) {
i = read(fd, ptr + len, sz - len);
if (i == -1)
- log_fatal("policy_init: read (%d, %p, %lu) failed", fd, ptr + len,
- (unsigned long)(sz - len));
+ log_fatal("policy_init: read (%d, %p, %lu) failed", fd,
+ ptr + len, (unsigned long)(sz - len));
}
/* We're done with this. */
@@ -1825,9 +1832,9 @@ keynote_cert_init(void)
/* Just copy and return. */
void *
-keynote_cert_get(u_int8_t * data, u_int32_t len)
+keynote_cert_get(u_int8_t *data, u_int32_t len)
{
- char *foo = malloc(len + 1);
+ char *foo = malloc(len + 1);
if (foo == NULL)
return NULL;
@@ -1844,8 +1851,8 @@ keynote_cert_get(u_int8_t * data, u_int32_t len)
int
keynote_cert_validate(void *scert)
{
- char **foo;
- int num, i;
+ char **foo;
+ int num, i;
if (scert == NULL)
return 0;
@@ -1873,8 +1880,8 @@ keynote_cert_validate(void *scert)
int
keynote_cert_insert(int sid, void *scert)
{
- char **foo;
- int num;
+ char **foo;
+ int num;
if (scert == NULL)
return 0;
@@ -1898,16 +1905,16 @@ keynote_cert_free(void *cert)
/* Verify that the key given to us is valid. */
int
-keynote_certreq_validate(u_int8_t * data, u_int32_t len)
+keynote_certreq_validate(u_int8_t *data, u_int32_t len)
{
struct keynote_deckey dc;
- int err = 1;
- char *dat;
+ int err = 1;
+ char *dat;
dat = calloc(len + 1, sizeof(char));
if (!dat) {
- log_error("keynote_certreq_validate: calloc (%d, %lu) failed", len + 1,
- (unsigned long)sizeof(char));
+ log_error("keynote_certreq_validate: calloc (%d, %lu) failed",
+ len + 1, (unsigned long)sizeof(char));
return 0;
}
memcpy(dat, data, len);
@@ -1923,8 +1930,8 @@ keynote_certreq_validate(u_int8_t * data, u_int32_t len)
}
/* Beats me what we should be doing with this. */
-void *
-keynote_certreq_decode(u_int8_t * data, u_int32_t len)
+void *
+keynote_certreq_decode(u_int8_t *data, u_int32_t len)
{
/* XXX */
return NULL;
@@ -1937,8 +1944,8 @@ keynote_free_aca(void *blob)
}
int
-keynote_cert_obtain(u_int8_t * id, size_t id_len, void *data, u_int8_t ** cert,
- u_int32_t * certlen)
+keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
+ u_int32_t *certlen)
{
char *dirname, *file, *addr_str;
struct stat sb;
@@ -1965,26 +1972,26 @@ keynote_cert_obtain(u_int8_t * id, size_t id_len, void *data, u_int8_t ** cert,
switch (idtype) {
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
- util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6,
- id);
+ util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ?
+ AF_INET : AF_INET6, id);
if (addr_str == 0)
return 0;
file = calloc(len + strlen(addr_str), sizeof(char));
if (file == NULL) {
- log_error("keynote_cert_obtain: failed to allocate %lu bytes",
- (unsigned long)len + strlen(addr_str));
+ log_error("keynote_cert_obtain: failed to allocate "
+ "%lu bytes", (unsigned long)len +
+ strlen(addr_str));
free(addr_str);
return 0;
}
- snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, addr_str,
- CREDENTIAL_FILE);
+ snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname,
+ addr_str, CREDENTIAL_FILE);
free(addr_str);
break;
case IPSEC_ID_FQDN:
- case IPSEC_ID_USER_FQDN:
- {
+ case IPSEC_ID_USER_FQDN: {
file = calloc(len + id_len, sizeof(char));
if (file == NULL) {
log_error("keynote_cert_obtain: failed to allocate %lu bytes",
diff --git a/sbin/isakmpd/prf.c b/sbin/isakmpd/prf.c
index c5d538a11b5..fdb91fe9adc 100644
--- a/sbin/isakmpd/prf.c
+++ b/sbin/isakmpd/prf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: prf.c,v 1.13 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: prf.c,v 1.14 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: prf.c,v 1.7 1999/05/02 12:50:29 niklas Exp $ */
/*
@@ -40,9 +40,9 @@
#include "log.h"
#include "prf.h"
-void prf_hash_init(struct prf_hash_ctx *);
-void prf_hash_update(struct prf_hash_ctx *, unsigned char *, unsigned int);
-void prf_hash_final(unsigned char *, struct prf_hash_ctx *);
+void prf_hash_init(struct prf_hash_ctx *);
+void prf_hash_update(struct prf_hash_ctx *, unsigned char *, unsigned int);
+void prf_hash_final(unsigned char *, struct prf_hash_ctx *);
/* PRF behaves likes a hash */
@@ -94,7 +94,7 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared,
prf = malloc(sizeof *prf);
if (!prf) {
log_error("prf_alloc: malloc (%lu) failed",
- (unsigned long) sizeof *prf);
+ (unsigned long)sizeof *prf);
return 0;
}
if (type == PRF_HMAC) {
@@ -102,19 +102,21 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared,
prfctx = malloc(sizeof *prfctx);
if (!prfctx) {
log_error("prf_alloc: malloc (%lu) failed",
- (unsigned long) sizeof *prfctx);
+ (unsigned long)sizeof *prfctx);
goto cleanprf;
}
prf->prfctx = prfctx;
prfctx->ctx = malloc(hash->ctxsize);
if (!prfctx->ctx) {
- log_error("prf_alloc: malloc (%d) failed", hash->ctxsize);
+ log_error("prf_alloc: malloc (%d) failed",
+ hash->ctxsize);
goto cleanprfctx;
}
prfctx->ctx2 = malloc(hash->ctxsize);
if (!prfctx->ctx2) {
- log_error("prf_alloc: malloc (%d) failed", hash->ctxsize);
+ log_error("prf_alloc: malloc (%d) failed",
+ hash->ctxsize);
free(prfctx->ctx);
goto cleanprfctx;
}
@@ -123,10 +125,10 @@ prf_alloc(enum prfs type, int subtype, unsigned char *shared,
prfctx->hash = hash;
/* Use the correct function pointers. */
- prf->Init = (void (*) (void *)) prf_hash_init;
- prf->Update = (void (*) (void *, unsigned char *,
- unsigned int)) prf_hash_update;
- prf->Final = (void (*) (unsigned char *, void *)) prf_hash_final;
+ prf->Init = (void(*)(void *))prf_hash_init;
+ prf->Update = (void(*)(void *, unsigned char *,
+ unsigned int))prf_hash_update;
+ prf->Final = (void(*)(unsigned char *, void *))prf_hash_final;
/* Init HMAC contexts. */
hash->HMACInit(hash, shared, sharedsize);
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 5698323f236..feed2c79d76 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.81 2004/05/13 06:56:34 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.82 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -92,7 +92,7 @@ sa_init(void)
sa_tab = malloc((bucket_mask + 1) * sizeof(struct sa_list));
if (!sa_tab)
log_fatal("sa_init: malloc (%lu) failed",
- (bucket_mask + 1) * (unsigned long) sizeof(struct sa_list));
+ (bucket_mask + 1) * (unsigned long)sizeof(struct sa_list));
for (i = 0; i <= bucket_mask; i++)
LIST_INIT(&sa_tab[i]);
}
@@ -102,8 +102,8 @@ sa_init(void)
static void
sa_resize(void)
{
- int new_mask = (bucket_mask + 1) * 2 - 1;
- int i;
+ int new_mask = (bucket_mask + 1) * 2 - 1;
+ int i;
struct sa_list *new_tab;
new_tab = realloc(sa_tab, (new_mask + 1) * sizeof(struct sa_list));
@@ -145,7 +145,7 @@ sa_check_icookie(struct sa *sa, void *icookie)
}
/* Lookup an ISAKMP SA out of just the initiator cookie. */
-struct sa *
+struct sa *
sa_lookup_from_icookie(u_int8_t *cookie)
{
return sa_find(sa_check_icookie, cookie);
@@ -306,7 +306,7 @@ sa_enter(struct sa *sa)
* Lookup the SA given by the header fields MSG. PHASE2 is false when
* looking for phase 1 SAa and true otherwise.
*/
-struct sa *
+struct sa *
sa_lookup_by_header(u_int8_t *msg, int phase2)
{
return sa_lookup(msg + ISAKMP_HDR_COOKIES_OFF,
@@ -344,13 +344,13 @@ sa_lookup(u_int8_t *cookies, u_int8_t *message_id)
bucket ^= cp[0] | cp[1] << 8;
}
bucket &= bucket_mask;
- for (sa = LIST_FIRST(&sa_tab[bucket]); sa &&
- (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 ||
- (message_id && memcmp(message_id, sa->message_id,
- ISAKMP_HDR_MESSAGE_ID_LEN) != 0) ||
- (!message_id && !zero_test(sa->message_id,
- ISAKMP_HDR_MESSAGE_ID_LEN)));
- sa = LIST_NEXT(sa, link))
+ for (sa = LIST_FIRST(&sa_tab[bucket]);
+ sa && (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0
+ || (message_id && memcmp(message_id, sa->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN) != 0)
+ || (!message_id && !zero_test(sa->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN)));
+ sa = LIST_NEXT(sa, link))
;
return sa;
@@ -369,7 +369,7 @@ sa_create(struct exchange *exchange, struct transport *t)
sa = calloc(1, sizeof *sa);
if (!sa) {
log_error("sa_create: calloc (1, %lu) failed",
- (unsigned long) sizeof *sa);
+ (unsigned long)sizeof *sa);
return -1;
}
sa->transport = t;
@@ -390,7 +390,7 @@ sa_create(struct exchange *exchange, struct transport *t)
sa->data = calloc(1, sa->doi->sa_size);
if (!sa->data) {
log_error("sa_create: calloc (1, %lu) failed",
- (unsigned long) sa->doi->sa_size);
+ (unsigned long)sa->doi->sa_size);
free(sa);
return -1;
}
@@ -889,10 +889,10 @@ sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase)
"protocol mismatch", match, match->no));
return 1;
}
- avs = (struct attr_validation_state *) calloc(1, sizeof *avs);
+ avs = (struct attr_validation_state *)calloc(1, sizeof *avs);
if (!avs) {
log_error("sa_validate_proto_xf: calloc (1, %lu)",
- (unsigned long) sizeof *avs);
+ (unsigned long)sizeof *avs);
return 1;
}
avs->phase = phase;
@@ -906,7 +906,7 @@ sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase)
/* Check against the transforms we suggested. */
avs->mode++;
for (pa = TAILQ_FIRST(&match->xfs); pa && !found;
- pa = TAILQ_NEXT(pa, next)) {
+ pa = TAILQ_NEXT(pa, next)) {
if (xf_id != GET_ISAKMP_TRANSFORM_ID(pa->attrs))
continue;
@@ -954,7 +954,7 @@ sa_add_transform(struct sa *sa, struct payload *xf, int initiator,
proto = calloc(1, sizeof *proto);
if (!proto)
log_error("sa_add_transform: calloc (1, %lu) failed",
- (unsigned long) sizeof *proto);
+ (unsigned long)sizeof *proto);
} else {
/*
* RFC 2408, section 4.2 states the responder SHOULD use the
@@ -989,7 +989,7 @@ sa_add_transform(struct sa *sa, struct payload *xf, int initiator,
proto->data = calloc(1, sa->doi->proto_size);
if (!proto->data) {
log_error("sa_add_transform: calloc (1, %lu) failed",
- (unsigned long) sa->doi->proto_size);
+ (unsigned long)sa->doi->proto_size);
goto cleanup;
}
}
@@ -1151,11 +1151,12 @@ sa_flag(char *attr)
*/
{
"__ondemand", SA_FLAG_ONDEMAND
- }, {
+ },
+ {
"ikecfg", SA_FLAG_IKECFG
},
};
- size_t i;
+ size_t i;
for (i = 0; i < sizeof sa_flag_map / sizeof sa_flag_map[0]; i++)
if (strcasecmp(attr, sa_flag_map[i].name) == 0)
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 0bdd97d9c73..fdf2323c644 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.36 2004/05/13 06:56:34 ho Exp $ */
+/* $OpenBSD: sa.h,v 1.37 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -77,8 +77,8 @@ struct proto {
u_int8_t *spi[2];
/*
- * The chosen transform, only valid while the incoming SA payload that held
- * it is available for duplicate testing.
+ * The chosen transform, only valid while the incoming SA payload that
+ * held it is available for duplicate testing.
*/
struct payload *chosen;
@@ -88,7 +88,7 @@ struct proto {
/* DOI-specific data. */
void *data;
- /* Proposal transforms data, for validating the responders selection. */
+ /* Proposal transforms data, for validating the responders selection. */
TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
size_t xf_cnt;
};
@@ -107,8 +107,8 @@ struct sa {
LIST_ENTRY(sa) link;
/*
- * When several SA's are being negotiated in one message we connect them
- * through this link.
+ * When several SA's are being negotiated in one message we connect
+ * them through this link.
*/
TAILQ_ENTRY(sa) next;
@@ -128,7 +128,7 @@ struct sa {
u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
/* The protection suite chosen. */
- TAILQ_HEAD(proto_head, proto) protos;
+ TAILQ_HEAD(proto_head, proto) protos;
/* The exchange type we should use when rekeying. */
u_int8_t exch_type;
@@ -166,14 +166,15 @@ struct sa {
int policy_id;
/*
- * The key used to authenticate phase 1, in printable format, used only by
- * KeyNote.
+ * The key used to authenticate phase 1, in printable format, used
+ * only by KeyNote.
*/
char *keynote_key;
/*
- * Certificates or other information from Phase 1; these are copied from the
- * exchange, so look at exchange.h for an explanation of their use.
+ * Certificates or other information from Phase 1; these are copied
+ * from the exchange, so look at exchange.h for an explanation of
+ * their use.
*/
int recv_certtype, recv_keytype;
/* Certificate received from peer, native format. */
@@ -182,8 +183,8 @@ struct sa {
void *recv_key;
/*
- * Certificates or other information we used to authenticate to the peer,
- * Phase 1.
+ * Certificates or other information we used to authenticate to the
+ * peer, Phase 1.
*/
int sent_certtype;
/* Certificate (to be) sent to peer, native format. */
@@ -226,9 +227,8 @@ struct sa {
#define SA_FLAG_IKECFG 0x40
extern void proto_free(struct proto * proto);
-extern int
-sa_add_transform(struct sa *, struct payload *, int,
- struct proto **);
+extern int sa_add_transform(struct sa *, struct payload *, int,
+ struct proto **);
extern int sa_create(struct exchange *, struct transport *);
extern int sa_enter(struct sa *);
extern void sa_delete(struct sa *, int);
diff --git a/sbin/isakmpd/timer.c b/sbin/isakmpd/timer.c
index 180ccc823a0..9faca130604 100644
--- a/sbin/isakmpd/timer.c
+++ b/sbin/isakmpd/timer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: timer.c,v 1.12 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: timer.c,v 1.13 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: timer.c,v 1.13 2000/02/20 19:58:42 niklas Exp $ */
/*
@@ -56,7 +56,8 @@ timer_next_event(struct timeval **timeout)
if (timercmp(&now, &TAILQ_FIRST(&events)->expiration, >=))
timerclear(*timeout);
else
- timersub(&TAILQ_FIRST(&events)->expiration, &now, *timeout);
+ timersub(&TAILQ_FIRST(&events)->expiration, &now,
+ *timeout);
} else
*timeout = 0;
}
@@ -104,8 +105,8 @@ timer_add_event(char *name, void (*func)(void *), void *arg,
arg, n->name, n->arg, expiration->tv_sec - now.tv_sec));
TAILQ_INSERT_BEFORE(n, ev, link);
} else {
- LOG_DBG((LOG_TIMER, 10, "timer_add_event: event %s(%p) added last, "
- "expiration in %lds", name, arg,
+ LOG_DBG((LOG_TIMER, 10, "timer_add_event: event %s(%p) added "
+ "last, expiration in %lds", name, arg,
expiration->tv_sec - now.tv_sec));
TAILQ_INSERT_TAIL(&events, ev, link);
}
diff --git a/sbin/isakmpd/timer.h b/sbin/isakmpd/timer.h
index a107107e69e..2e890a37cec 100644
--- a/sbin/isakmpd/timer.h
+++ b/sbin/isakmpd/timer.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: timer.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: timer.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: timer.h,v 1.6 1999/04/11 22:35:55 ho Exp $ */
/*
@@ -48,7 +48,7 @@ extern void timer_init(void);
extern void timer_next_event(struct timeval **);
extern void timer_handle_expirations(void);
extern struct event *timer_add_event(char *, void (*) (void *), void *,
- struct timeval *);
+ struct timeval *);
extern void timer_remove_event(struct event *);
extern void timer_report(void);
diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c
index 376ca492d2f..e72b64d464f 100644
--- a/sbin/isakmpd/udp.c
+++ b/sbin/isakmpd/udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp.c,v 1.70 2004/05/23 16:14:37 deraadt Exp $ */
+/* $OpenBSD: udp.c,v 1.71 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */
/*
@@ -137,7 +137,8 @@ udp_make(struct sockaddr *laddr)
t = calloc(1, sizeof *t);
if (!t) {
- log_print("udp_make: malloc (%lu) failed", (unsigned long) sizeof *t);
+ log_print("udp_make: malloc (%lu) failed",
+ (unsigned long)sizeof *t);
return 0;
}
s = socket(laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP);
@@ -153,7 +154,8 @@ udp_make(struct sockaddr *laddr)
/* Wildcard address ? */
switch (laddr->sa_family) {
case AF_INET:
- if (((struct sockaddr_in *)laddr)->sin_addr.s_addr == INADDR_ANY)
+ if (((struct sockaddr_in *)laddr)->sin_addr.s_addr ==
+ INADDR_ANY)
wildcardaddress = 1;
break;
case AF_INET6:
@@ -164,17 +166,17 @@ udp_make(struct sockaddr *laddr)
/*
* In order to have several bound specific address-port combinations
- * with the same port SO_REUSEADDR is needed.
- * If this is a wildcard socket and we are not listening there, but only
- * sending from it make sure it is entirely reuseable with SO_REUSEPORT.
+ * with the same port SO_REUSEADDR is needed. If this is a wildcard
+ * socket and we are not listening there, but only sending from it
+ * make sure it is entirely reuseable with SO_REUSEPORT.
*/
on = 1;
if (setsockopt(s, SOL_SOCKET,
wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR,
- (void *) &on, sizeof on) == -1) {
- log_error("udp_make: setsockopt (%d, %d, %d, %p, %lu)", s, SOL_SOCKET,
- wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR,
- &on, (unsigned long) sizeof on);
+ (void *)&on, sizeof on) == -1) {
+ log_error("udp_make: setsockopt (%d, %d, %d, %p, %lu)", s,
+ SOL_SOCKET, wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR,
+ &on, (unsigned long)sizeof on);
goto err;
}
t->transport.vtbl = &udp_transport_vtbl;
@@ -184,10 +186,10 @@ udp_make(struct sockaddr *laddr)
if (sockaddr2text(t->src, &tstr, 0))
log_error("udp_make: bind (%d, %p, %lu)", s, &t->src,
- (unsigned long) sizeof t->src);
+ (unsigned long)sizeof t->src);
else {
log_error("udp_make: bind (%d, %s, %lu)", s, tstr,
- (unsigned long) sizeof t->src);
+ (unsigned long)sizeof t->src);
free(tstr);
}
goto err;
@@ -218,16 +220,18 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr)
t = malloc(sizeof *u);
if (!t) {
- log_error("udp_clone: malloc (%lu) failed", (unsigned long) sizeof *u);
+ log_error("udp_clone: malloc (%lu) failed",
+ (unsigned long)sizeof *u);
return 0;
}
- u2 = (struct udp_transport *) t;
+ u2 = (struct udp_transport *)t;
memcpy(u2, u, sizeof *u);
u2->src = malloc(sysdep_sa_len(u->src));
if (!u2->src) {
- log_error("udp_clone: malloc (%d) failed", sysdep_sa_len(u->src));
+ log_error("udp_clone: malloc (%d) failed",
+ sysdep_sa_len(u->src));
free(t);
return 0;
}
@@ -235,7 +239,8 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr)
u2->dst = malloc(sysdep_sa_len(raddr));
if (!u2->dst) {
- log_error("udp_clone: malloc (%d) failed", sysdep_sa_len(raddr));
+ log_error("udp_clone: malloc (%d) failed",
+ sysdep_sa_len(raddr));
free(u2->src);
free(t);
return 0;
@@ -256,12 +261,12 @@ udp_clone(struct udp_transport *u, struct sockaddr *raddr)
static struct transport *
udp_bind(const struct sockaddr *addr)
{
- struct sockaddr *src = malloc(sysdep_sa_len((struct sockaddr *) addr));
+ struct sockaddr *src = malloc(sysdep_sa_len((struct sockaddr *)addr));
if (!src)
return 0;
- memcpy(src, addr, sysdep_sa_len((struct sockaddr *) addr));
+ memcpy(src, addr, sysdep_sa_len((struct sockaddr *)addr));
return udp_make(src);
}
@@ -317,8 +322,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
* in the IP stack.
*/
if (if_addr->sa_family == AF_INET &&
- (((struct sockaddr_in *) if_addr)->sin_addr.s_addr == INADDR_ANY ||
- (((struct sockaddr_in *) if_addr)->sin_addr.s_addr == INADDR_NONE)))
+ (((struct sockaddr_in *)if_addr)->sin_addr.s_addr == INADDR_ANY ||
+ (((struct sockaddr_in *)if_addr)->sin_addr.s_addr == INADDR_NONE)))
return 0;
/*
@@ -329,13 +334,13 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
if (sysdep_sa_len(if_addr) > sizeof saddr_st)
return 0;
memcpy(saddr, if_addr, sysdep_sa_len(if_addr));
- switch (saddr->sa_family) { /* Add the port number to the sockaddr. */
+ switch (saddr->sa_family) { /* Add the port number to the sockaddr. */
case AF_INET:
- ((struct sockaddr_in *) saddr)->sin_port =
+ ((struct sockaddr_in *)saddr)->sin_port =
htons(strtol(port, &ep, 10));
break;
case AF_INET6:
- ((struct sockaddr_in6 *) saddr)->sin6_port =
+ ((struct sockaddr_in6 *)saddr)->sin6_port =
htons(strtol(port, &ep, 10));
break;
}
@@ -353,7 +358,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
}
strlcpy(flags_ifr.ifr_name, ifname, sizeof flags_ifr.ifr_name);
if (ioctl(s, SIOCGIFFLAGS, (caddr_t) & flags_ifr) == -1) {
- log_error("udp_bind_if: ioctl (%d, SIOCGIFFLAGS, ...) failed", s);
+ log_error("udp_bind_if: ioctl (%d, SIOCGIFFLAGS, ...) failed",
+ s);
return -1;
}
close(s);
@@ -372,10 +378,10 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
}
switch (if_addr->sa_family) {
case AF_INET:
- ((struct sockaddr_in *) if_addr)->sin_port = htons(lport);
+ ((struct sockaddr_in *)if_addr)->sin_port = htons(lport);
break;
case AF_INET6:
- ((struct sockaddr_in6 *) if_addr)->sin6_port = htons(lport);
+ ((struct sockaddr_in6 *)if_addr)->sin6_port = htons(lport);
break;
default:
log_print("udp_bind_if: unsupported protocol family %d",
@@ -394,8 +400,8 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
for (address = TAILQ_FIRST(&listen_on->fields); address;
address = TAILQ_NEXT(address, link)) {
if (text2sockaddr(address->field, port, &addr)) {
- log_print("udp_bind_if: invalid address %s in \"Listen-on\"",
- address->field);
+ log_print("udp_bind_if: invalid address %s "
+ "in \"Listen-on\"", address->field);
continue;
}
/* If found, take the easy way out. */
@@ -408,10 +414,10 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
conf_free_list(listen_on);
/*
- * If address is zero then we did not find the address among the ones
- * we should listen to.
- * XXX We do not discover if we do not find our listen addresses...
- * Maybe this should be the other way round.
+ * If address is zero then we did not find the address among
+ * the ones we should listen to.
+ * XXX We do not discover if we do not find our listen
+ * addresses... Maybe this should be the other way round.
*/
if (!address)
return 0;
@@ -425,7 +431,7 @@ udp_bind_if(char *ifname, struct sockaddr *if_addr, void *arg)
free(addr_str);
return -1;
}
- LIST_INSERT_HEAD(&udp_listen_list, (struct udp_transport *) t, link);
+ LIST_INSERT_HEAD(&udp_listen_list, (struct udp_transport *)t, link);
return 0;
}
@@ -453,7 +459,8 @@ udp_create(char *name)
return 0;
}
if (text2sockaddr(addr_str, port_str, &dst)) {
- log_print("udp_create: address \"%s\" not understood", addr_str);
+ log_print("udp_create: address \"%s\" not understood",
+ addr_str);
return 0;
}
addr_str = conf_get_str(name, "Local-address");
@@ -474,15 +481,16 @@ udp_create(char *name)
}
}
if (text2sockaddr(addr_str, port_str, &addr)) {
- log_print("udp_create: address \"%s\" not understood", addr_str);
+ log_print("udp_create: address \"%s\" not understood",
+ addr_str);
rv = 0;
goto ret;
}
u = udp_listen_lookup(addr);
free(addr);
if (!u) {
- log_print("udp_create: %s:%s must exist as a listener too", addr_str,
- port_str);
+ log_print("udp_create: %s:%s must exist as a listener too",
+ addr_str, port_str);
rv = 0;
goto ret;
}
@@ -494,9 +502,9 @@ ret:
}
void
-udp_remove(struct transport * t)
+udp_remove(struct transport *t)
{
- struct udp_transport *u = (struct udp_transport *) t;
+ struct udp_transport *u = (struct udp_transport *)t;
if (u->src)
free(u->src);
@@ -517,9 +525,9 @@ udp_remove(struct transport * t)
/* Report transport-method specifics of the T transport. */
void
-udp_report(struct transport * t)
+udp_report(struct transport *t)
{
- struct udp_transport *u = (struct udp_transport *) t;
+ struct udp_transport *u = (struct udp_transport *)t;
char *src, *dst;
if (sockaddr2text(u->src, &src, 0))
@@ -564,8 +572,8 @@ udp_reinit(void)
/* Re-probe interface list. */
if (if_map(udp_bind_if, port) == -1)
- log_print("udp_init: Could not bind the ISAKMP UDP port %s on all "
- "interfaces", port);
+ log_print("udp_init: Could not bind the ISAKMP UDP port %s "
+ "on all interfaces", port);
/*
* Release listening transports for local addresses that no
@@ -607,8 +615,8 @@ udp_init(void)
/* Bind the ISAKMP UDP port on all network interfaces we have. */
if (if_map(udp_bind_if, port) == -1)
- log_fatal("udp_init: Could not bind the ISAKMP UDP port %s on all "
- "interfaces", port);
+ log_fatal("udp_init: Could not bind the ISAKMP UDP port %s "
+ "on all interfaces", port);
/* Only listen to the specified address if Listen-on is configured */
listen_on = conf_get_list("General", "Listen-on");
@@ -624,48 +632,50 @@ udp_init(void)
*/
lport = strtol(port, &ep, 10);
if (*ep != '\0' || lport < (long) 0 || lport > (long) USHRT_MAX) {
- log_print("udp_init: port string \"%s\" not convertible to in_port_t",
- port);
+ log_print("udp_init: port string \"%s\" not convertible to "
+ "in_port_t", port);
return;
}
/*
- * Bind to INADDR_ANY in case of new addresses popping up.
- * Packet reception on this transport is taken as a hint to reprobe the
+ * Bind to INADDR_ANY in case of new addresses popping up. Packet
+ * reception on this transport is taken as a hint to reprobe the
* interface list.
*/
if (!bind_family || (bind_family & BIND_FAMILY_INET4)) {
memset(&dflt_stor, 0, sizeof dflt_stor);
dflt->sin_family = AF_INET;
#if !defined (LINUX_IPSEC)
- ((struct sockaddr_in *) dflt)->sin_len = sizeof(struct sockaddr_in);
+ ((struct sockaddr_in *)dflt)->sin_len =
+ sizeof(struct sockaddr_in);
#endif
- ((struct sockaddr_in *) dflt)->sin_port = htons(lport);
+ ((struct sockaddr_in *)dflt)->sin_port = htons(lport);
- default_transport = udp_bind((struct sockaddr *) & dflt_stor);
+ default_transport = udp_bind((struct sockaddr *)&dflt_stor);
if (!default_transport) {
log_error("udp_init: could not allocate default "
"IPv4 ISAKMP UDP port");
return;
}
LIST_INSERT_HEAD(&udp_listen_list,
- (struct udp_transport *) default_transport, link);
+ (struct udp_transport *)default_transport, link);
}
if (!bind_family || (bind_family & BIND_FAMILY_INET6)) {
memset(&dflt_stor, 0, sizeof dflt_stor);
dflt->sin_family = AF_INET6;
#if !defined (LINUX_IPSEC)
- ((struct sockaddr_in6 *) dflt)->sin6_len = sizeof(struct sockaddr_in6);
+ ((struct sockaddr_in6 *)dflt)->sin6_len =
+ sizeof(struct sockaddr_in6);
#endif
- ((struct sockaddr_in6 *) dflt)->sin6_port = htons(lport);
+ ((struct sockaddr_in6 *)dflt)->sin6_port = htons(lport);
- default_transport6 = udp_bind((struct sockaddr *) & dflt_stor);
+ default_transport6 = udp_bind((struct sockaddr *)&dflt_stor);
if (!default_transport6) {
log_error("udp_init: could not allocate default "
"IPv6 ISAKMP UDP port");
return;
}
LIST_INSERT_HEAD(&udp_listen_list,
- (struct udp_transport *) default_transport6, link);
+ (struct udp_transport *)default_transport6, link);
}
}
@@ -674,9 +684,9 @@ udp_init(void)
* as the number of file descriptors to check.
*/
static int
-udp_fd_set(struct transport * t, fd_set * fds, int bit)
+udp_fd_set(struct transport *t, fd_set *fds, int bit)
{
- struct udp_transport *u = (struct udp_transport *) t;
+ struct udp_transport *u = (struct udp_transport *)t;
if (bit)
FD_SET(u->s, fds);
@@ -688,9 +698,9 @@ udp_fd_set(struct transport * t, fd_set * fds, int bit)
/* Check if transport T's socket is set in FDS. */
static int
-udp_fd_isset(struct transport * t, fd_set * fds)
+udp_fd_isset(struct transport *t, fd_set *fds)
{
- struct udp_transport *u = (struct udp_transport *) t;
+ struct udp_transport *u = (struct udp_transport *)t;
return FD_ISSET(u->s, fds);
}
@@ -713,8 +723,8 @@ udp_handle_message(struct transport * t)
n = recvfrom(u->s, buf, UDP_SIZE, 0, (struct sockaddr *) & from, &len);
if (n == -1) {
- log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, UDP_SIZE, 0,
- &from, &len);
+ log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf,
+ UDP_SIZE, 0, &from, &len);
return;
}
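Review bot: Only `n == -1` is treated as an error after `recvfrom(u->s, buf, UDP_SIZE, 0, ...)`, so a datagram larger than UDP_SIZE is silently cut to UDP_SIZE bytes and later handed to message_alloc as though it were a complete ISAKMP message. Unless the size is rejected elsewhere (not visible in this hunk), consider switching to recvmsg() and dropping the packet when `MSG_TRUNC` is set in `msg_flags`, or at least logging when `n == UDP_SIZE` so truncation is diagnosable. udp_handle_message begins outside this hunk.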
/*
@@ -725,9 +735,9 @@ udp_handle_message(struct transport * t)
udp_reinit();
/*
- * As we don't know the actual destination address of the packet,
- * we can't really deal with it. So, just ignore it and hope we
- * catch the retransmission.
+ * As we don't know the actual destination address of the
+ * packet, we can't really deal with it. So, just ignore it
+ * and hope we catch the retransmission.
*/
return;
}
@@ -735,14 +745,14 @@ udp_handle_message(struct transport * t)
* Make a specialized UDP transport structure out of the incoming
* transport and the address information we got from recvfrom(2).
*/
- t = udp_clone(u, (struct sockaddr *) & from);
+ t = udp_clone(u, (struct sockaddr *)&from);
if (!t)
return;
msg = message_alloc(t, buf, n);
if (!msg) {
- log_error("failed to allocate message structure, dropping packet "
- "received on transport %p", u);
+ log_error("failed to allocate message structure, dropping "
+ "packet received on transport %p", u);
return;
}
message_recv(msg);
@@ -750,9 +760,9 @@ udp_handle_message(struct transport * t)
/* Physically send the message MSG over its associated transport. */
static int
-udp_send_message(struct message * msg)
+udp_send_message(struct message *msg)
{
- struct udp_transport *u = (struct udp_transport *) msg->transport;
+ struct udp_transport *u = (struct udp_transport *)msg->transport;
ssize_t n;
struct msghdr m;
@@ -781,9 +791,9 @@ udp_send_message(struct message * msg)
* to by DST.
*/
static void
-udp_get_dst(struct transport * t, struct sockaddr ** dst)
+udp_get_dst(struct transport *t, struct sockaddr **dst)
{
- *dst = ((struct udp_transport *) t)->dst;
+ *dst = ((struct udp_transport *)t)->dst;
}
/*
@@ -791,33 +801,35 @@ udp_get_dst(struct transport * t, struct sockaddr ** dst)
* to by SRC. Put its length into SRC_LEN.
*/
static void
-udp_get_src(struct transport * t, struct sockaddr ** src)
+udp_get_src(struct transport *t, struct sockaddr **src)
{
- *src = ((struct udp_transport *) t)->src;
+ *src = ((struct udp_transport *)t)->src;
}
static char *
-udp_decode_ids(struct transport * t)
+udp_decode_ids(struct transport *t)
{
static char result[1024];
char idsrc[256], iddst[256];
#ifdef HAVE_GETNAMEINFO
- if (getnameinfo(((struct udp_transport *) t)->src,
- sysdep_sa_len(((struct udp_transport *) t)->src),
+ if (getnameinfo(((struct udp_transport *)t)->src,
+ sysdep_sa_len(((struct udp_transport *)t)->src),
idsrc, sizeof idsrc, NULL, 0, NI_NUMERICHOST) != 0) {
log_print("udp_decode_ids: getnameinfo () failed for 'src'");
strlcpy(idsrc, "<error>", 256);
}
- if (getnameinfo(((struct udp_transport *) t)->dst,
- sysdep_sa_len(((struct udp_transport *) t)->dst),
+ if (getnameinfo(((struct udp_transport *)t)->dst,
+ sysdep_sa_len(((struct udp_transport *)t)->dst),
iddst, sizeof iddst, NULL, 0, NI_NUMERICHOST) != 0) {
log_print("udp_decode_ids: getnameinfo () failed for 'dst'");
strlcpy(iddst, "<error>", 256);
}
#else
- strlcpy(idsrc, inet_ntoa(((struct udp_transport *) t)->src.sin_addr), 256);
- strlcpy(iddst, inet_ntoa(((struct udp_transport *) t)->dst.sin_addr), 256);
+ strlcpy(idsrc, inet_ntoa(((struct udp_transport *)t)->src.sin_addr),
+ 256);
+ strlcpy(iddst, inet_ntoa(((struct udp_transport *)t)->dst.sin_addr),
+ 256);
#endif /* HAVE_GETNAMEINFO */
snprintf(result, sizeof result, "src: %s dst: %s", idsrc, iddst);
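Review bot: The two fallbacks `strlcpy(idsrc, "<error>", 256);` and `strlcpy(iddst, "<error>", 256);` hard-code the buffer size that is already expressed by `char idsrc[256], iddst[256];` two lines above; `strlcpy(idsrc, "<error>", sizeof idsrc);` (and likewise for iddst) keeps the bound tied to the declaration, as the `sizeof idsrc` in the getnameinfo call already does. The function also writes into `static char result[1024]` and returns it, so a comment such as `/* Returns a pointer to a static buffer; the result is overwritten by the next call and is not thread-safe. */` above the definition would document a contract callers cannot see. The `#else` branch dereferences `->src.sin_addr`, which does not match the `struct sockaddr *` type udp_get_src exposes for the same field; it looks like stale code that is not compiled on this platform, worth confirming.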
diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c
index acba4404bc3..6a091c224ac 100644
--- a/sbin/isakmpd/ui.c
+++ b/sbin/isakmpd/ui.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.c,v 1.39 2004/05/13 06:56:34 ho Exp $ */
+/* $OpenBSD: ui.c,v 1.40 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */
/*
@@ -114,7 +114,7 @@ ui_init(void)
static void
ui_connect(char *cmd)
{
- char name[81];
+ char name[81];
if (sscanf(cmd, "c %80s", name) != 1) {
log_print("ui_connect: command \"%s\" malformed", cmd);
@@ -478,7 +478,7 @@ ui_handler(void)
buf = malloc(sz);
if (!buf) {
log_print("ui_handler: malloc (%lu) failed",
- (unsigned long) sz);
+ (unsigned long)sz);
return;
}
p = buf;
@@ -489,7 +489,7 @@ ui_handler(void)
new_buf = realloc(buf, sz * 2);
if (!new_buf) {
log_print("ui_handler: realloc (%p, %lu) failed", buf,
- (unsigned long) sz * 2);
+ (unsigned long)sz * 2);
free(buf);
buf = 0;
return;
@@ -502,7 +502,7 @@ ui_handler(void)
n = read(ui_socket, p, resid);
if (n == -1) {
log_error("ui_handler: read (%d, %p, %lu)", ui_socket, p,
- (unsigned long) resid);
+ (unsigned long)resid);
return;
}
if (!n)
diff --git a/sbin/isakmpd/util.c b/sbin/isakmpd/util.c
index 3209e116aef..2fdf6852ee2 100644
--- a/sbin/isakmpd/util.c
+++ b/sbin/isakmpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.38 2004/05/23 16:14:22 deraadt Exp $ */
+/* $OpenBSD: util.c,v 1.39 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: util.c,v 1.23 2000/11/23 12:22:08 niklas Exp $ */
/*
@@ -240,7 +240,7 @@ hex2raw(char *s, u_int8_t *buf, size_t sz)
}
int
-text2sockaddr(char *address, char *port, struct sockaddr ** sa)
+text2sockaddr(char *address, char *port, struct sockaddr **sa)
{
#ifdef HAVE_GETNAMEINFO
struct addrinfo *ai, hints;
@@ -287,7 +287,7 @@ text2sockaddr(char *address, char *port, struct sockaddr ** sa)
sp = getservbyname(port, "udp");
if (!sp) {
lport = strtol(port, &ep, 10);
- if (ep == port || lport < 0 || lport > (long) USHRT_MAX) {
+ if (ep == port || lport < 0 || lport > (long)USHRT_MAX) {
free(*sa);
return -1;
}
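Review bot: The numeric-port check `if (ep == port || lport < 0 || lport > (long)USHRT_MAX)` only rejects a string with no digits at all; a value such as "500abc" passes because `*ep` is never examined, whereas udp_init in the same commit uses `*ep != '\0'` for the same conversion. Making the two consistent is a one-token change: `if (ep == port || *ep != '\0' || lport < 0 || lport > (long)USHRT_MAX) {`. The hunk starts mid-body of text2sockaddr, so the byte-order handling of `lport` before the `sin_port` assignment in the next hunk is not visible here.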
@@ -295,9 +295,9 @@ text2sockaddr(char *address, char *port, struct sockaddr ** sa)
} else
lport = sp->s_port;
if ((*sa)->sa_family == AF_INET)
- ((struct sockaddr_in *) *sa)->sin_port = lport;
+ ((struct sockaddr_in *)*sa)->sin_port = lport;
else
- ((struct sockaddr_in6 *) *sa)->sin6_port = lport;
+ ((struct sockaddr_in6 *)*sa)->sin6_port = lport;
return 0;
#endif
}
@@ -321,9 +321,11 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
- if (inet_ntop(sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1) == NULL) {
- log_error("sockaddr2text: inet_ntop (%d, %p, %p, %d) failed",
- sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1);
+ if (inet_ntop(sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1)
+ == NULL) {
+ log_error("sockaddr2text: inet_ntop (%d, %p, %p, %d) "
+ "failed", sa->sa_family, sa->sa_data, buf,
+ NI_MAXHOST - 1);
return -1;
}
buf[NI_MAXHOST - 1] = '\0';
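Review bot: `inet_ntop(sa->sa_family, sa->sa_data, buf, NI_MAXHOST - 1)` passes the generic `sa_data` array rather than the address field; for AF_INET the first two bytes of `sa_data` hold `sin_port`, so as far as I can tell the rendered string would start from the port bytes, and for AF_INET6 the address sits even further in. The usual form is to select the field per family, e.g. `sa->sa_family == AF_INET ? (void *)&((struct sockaddr_in *)sa)->sin_addr : (void *)&((struct sockaddr_in6 *)sa)->sin6_addr`. The trailing `#endif` suggests this is the non-getnameinfo fallback, so it may not be compiled on this platform; sockaddr2text begins outside this hunk.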
@@ -331,7 +333,7 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
default:
log_print("sockaddr2text: unsupported protocol family %d\n",
- sa->sa_family);
+ sa->sa_family);
return -1;
}
#endif
@@ -356,8 +358,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
return -1;
}
val = strtol(token, &ep, 10);
- if (ep == token || val < (long) 0 ||
- val > (long) UCHAR_MAX) {
+ if (ep == token || val < (long)0 ||
+ val > (long)UCHAR_MAX) {
free(*address);
return -1;
}
@@ -370,8 +372,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
case AF_INET6:
/*
- * XXX In the algorithm below there are some magic numbers we
- * probably could give explaining names.
+ * XXX In the algorithm below there are some magic
+ * numbers we probably could give explaining names.
*/
addrlen = sizeof "0000:0000:0000:0000:0000:0000:0000:0000";
*address = malloc(addrlen);
@@ -379,7 +381,8 @@ sockaddr2text(struct sockaddr *sa, char **address, int zflag)
return -1;
for (i = 0, j = 0; i < 8; i++) {
- snprintf((*address) + j, addrlen - j, "%02x%02x",
+ snprintf((*address) + j, addrlen - j,
+ "%02x%02x",
((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i],
((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i + 1]);
j += 4;
@@ -406,9 +409,9 @@ sockaddr_addrlen(struct sockaddr *sa)
{
switch (sa->sa_family) {
case AF_INET6:
- return sizeof((struct sockaddr_in6 *) sa)->sin6_addr.s6_addr;
+ return sizeof((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
case AF_INET:
- return sizeof((struct sockaddr_in *) sa)->sin_addr.s_addr;
+ return sizeof((struct sockaddr_in *)sa)->sin_addr.s_addr;
default:
log_print("sockaddr_addrlen: unsupported protocol family %d",
sa->sa_family);
@@ -421,9 +424,9 @@ sockaddr_addrdata(struct sockaddr *sa)
{
switch (sa->sa_family) {
case AF_INET6:
- return (u_int8_t *) & ((struct sockaddr_in6 *) sa)->sin6_addr.s6_addr;
+ return (u_int8_t *)&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
case AF_INET:
- return (u_int8_t *) & ((struct sockaddr_in *) sa)->sin_addr.s_addr;
+ return (u_int8_t *)&((struct sockaddr_in *)sa)->sin_addr.s_addr;
default:
log_print("sockaddr_addrdata: unsupported protocol family %d",
sa->sa_family);
@@ -436,9 +439,9 @@ sockaddr_port(struct sockaddr *sa)
{
switch (sa->sa_family) {
case AF_INET6:
- return ((struct sockaddr_in6 *) sa)->sin6_port;
+ return ((struct sockaddr_in6 *)sa)->sin6_port;
case AF_INET:
- return ((struct sockaddr_in *) sa)->sin_port;
+ return ((struct sockaddr_in *)sa)->sin_port;
default:
log_print("sockaddr_port: unsupported protocol family %d",
sa->sa_family);
@@ -472,8 +475,8 @@ util_ntoa(char **buf, int af, u_int8_t *addr)
memcpy(sockaddr_addrdata(sfrom), addr, sockaddr_addrlen(sfrom));
if (sockaddr2text(sfrom, buf, 0)) {
- log_print("util_ntoa: "
- "could not make printable address out of sockaddr %p", sfrom);
+ log_print("util_ntoa: could not make printable address out "
+ "of sockaddr %p", sfrom);
*buf = 0;
}
}
@@ -499,13 +502,13 @@ check_file_secrecy(char *name, size_t *file_size)
return -1;
}
if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
- log_print("conf_file_secrecy: not loading %s - too open permissions",
- name);
+ log_print("conf_file_secrecy: not loading %s - too open "
+ "permissions", name);
errno = EPERM;
return -1;
}
if (file_size)
- *file_size = (size_t) st.st_size;
+ *file_size = (size_t)st.st_size;
return 0;
}
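Review bot: The message `"conf_file_secrecy: not loading %s - too open permissions"` names a different function than the enclosing check_file_secrecy (visible in the hunk header), which will send anyone grepping logs to the wrong place; `"check_file_secrecy: not loading %s - too open permissions"` matches the convention used by every other log call in this diff. The visible test covers only group/other mode bits; whether `st` is also checked for a regular file and for the expected owner happens before this hunk, so I cannot tell from here whether a secrets file replaced by a symlink or owned by another user would be rejected. check_file_secrecy starts outside this hunk.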
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index dda7dda0197..718c6ddbc8e 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.88 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: x509.c,v 1.89 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -107,11 +107,11 @@ LIST_HEAD(x509_list, x509_hash) * x509_tab = 0;
int
x509_generate_kn(int id, X509 *cert)
{
- char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s\"\n"
- "Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
+ char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s"
+ "\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n";
char *ikey, *skey, *buf, isname[256], subname[256];
char *fmt2 = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n"
- "Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
+ "Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
X509_NAME *issuer, *subject;
struct keynote_deckey dc;
X509_STORE_CTX csc;
@@ -144,14 +144,17 @@ x509_generate_kn(int id, X509 *cert)
ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
- log_print("x509_generate_kn: failed to get memory for public key");
+ log_print("x509_generate_kn: failed to get memory for "
+ "public key");
RSA_free(key);
- LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key"));
+ LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
+ "subject key"));
return 0;
}
if (!ikey) {
RSA_free(key);
- LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key"));
+ LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
+ "subject key"));
return 0;
}
RSA_free(key);
@@ -162,8 +165,8 @@ x509_generate_kn(int id, X509 *cert)
X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
- if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
- X509_LU_X509) {
+ if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
+ != X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: no certificate found for issuer"));
@@ -192,16 +195,19 @@ x509_generate_kn(int id, X509 *cert)
skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
- log_error("x509_generate_kn: failed to get memory for public key");
+ log_error("x509_generate_kn: failed to get memory for public "
+ "key");
free(ikey);
RSA_free(key);
- LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key"));
+ LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
+ "key"));
return 0;
}
if (!skey) {
free(ikey);
RSA_free(key);
- LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key"));
+ LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
+ "key"));
return 0;
}
RSA_free(key);
@@ -246,7 +252,8 @@ x509_generate_kn(int id, X509 *cert)
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length "
- "of NotValidBefore time field (%d)", tm->length));
+ "of NotValidBefore time field (%d)",
+ tm->length));
free(ikey);
free(skey);
free(buf);
@@ -272,14 +279,17 @@ x509_generate_kn(int id, X509 *cert)
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
- snprintf(before, sizeof before, "20%s", tm->data);
+ snprintf(before, sizeof before, "20%s",
+ tm->data);
else
- snprintf(before, sizeof before, "19%s", tm->data);
+ snprintf(before, sizeof before, "19%s",
+ tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
- "NotValidBefore time field (%d)", tm->length));
+ "NotValidBefore time field (%d)",
+ tm->length));
free(ikey);
free(skey);
free(buf);
@@ -379,7 +389,8 @@ x509_generate_kn(int id, X509 *cert)
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
- "NotValidAfter time field (%d)", tm->length));
+ "NotValidAfter time field (%d)",
+ tm->length));
free(ikey);
free(skey);
free(buf);
@@ -414,7 +425,8 @@ x509_generate_kn(int id, X509 *cert)
after[14] = '\0'; /* This will overwrite trailing 'Z' */
}
- snprintf(buf, buf_len, fmt, skey, ikey, timecomp, before, timecomp2, after);
+ snprintf(buf, buf_len, fmt, skey, ikey, timecomp, before, timecomp2,
+ after);
free(ikey);
free(skey);
@@ -445,8 +457,8 @@ x509_generate_kn(int id, X509 *cert)
log_error("x509_generate_kn: malloc (%d) failed", buf_len);
return 0;
}
- snprintf(buf, buf_len, fmt2, isname, subname, timecomp, before, timecomp2,
- after);
+ snprintf(buf, buf_len, fmt2, isname, subname, timecomp, before,
+ timecomp2, after);
if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
LOG_DBG((LOG_POLICY, 30,
@@ -454,7 +466,8 @@ x509_generate_kn(int id, X509 *cert)
free(buf);
return 0;
}
- LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s", buf));
+ LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s",
+ buf));
free(buf);
return 1;
@@ -492,7 +505,7 @@ x509_hash_init(void)
if (x509_tab) {
for (i = 0; i <= bucket_mask; i++)
for (certh = LIST_FIRST(&x509_tab[i]); certh;
- certh = LIST_FIRST(&x509_tab[i])) {
+ certh = LIST_FIRST(&x509_tab[i])) {
LIST_REMOVE(certh, link);
free(certh);
}
@@ -501,7 +514,7 @@ x509_hash_init(void)
x509_tab = malloc((bucket_mask + 1) * sizeof(struct x509_list));
if (!x509_tab)
log_fatal("x509_hash_init: malloc (%lu) failed",
- (bucket_mask + 1) * (unsigned long) sizeof(struct x509_list));
+ (bucket_mask + 1) * (unsigned long)sizeof(struct x509_list));
for (i = 0; i <= bucket_mask; i++) {
LIST_INIT(&x509_tab[i]);
}
@@ -524,7 +537,8 @@ x509_hash_find(u_int8_t *id, size_t len)
id_found = 0;
for (i = 0; i < n; i++) {
LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", id, len));
- LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i], clen[i]));
+ LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i],
+ clen[i]));
/*
* XXX This identity predicate needs to be
* understood.
@@ -566,7 +580,7 @@ x509_hash_enter(X509 *cert)
if (!certh) {
cert_free_subjects(n, id, len);
log_error("x509_hash_enter: calloc (1, %lu) failed",
- (unsigned long) sizeof *certh);
+ (unsigned long)sizeof *certh);
return 0;
}
certh->cert = cert;
@@ -574,7 +588,8 @@ x509_hash_enter(X509 *cert)
bucket = x509_hash(id[i], len[i]);
LIST_INSERT_HEAD(&x509_tab[bucket], certh, link);
- LOG_DBG((LOG_CRYPTO, 70, "x509_hash_enter: cert %p added to bucket %d",
+ LOG_DBG((LOG_CRYPTO, 70,
+ "x509_hash_enter: cert %p added to bucket %d",
cert, bucket));
}
cert_free_subjects(n, id, len);
@@ -609,8 +624,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash)
dir = monitor_opendir(name);
if (!dir) {
LOG_DBG((LOG_CRYPTO, 10,
- "x509_read_from_dir: opendir (\"%s\") failed: "
- "%s", name, strerror(errno)));
+ "x509_read_from_dir: opendir (\"%s\") failed: %s",
+ name, strerror(errno)));
return 0;
}
strlcpy(fullname, name, sizeof fullname);
@@ -631,7 +646,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash)
continue;
}
- LOG_DBG((LOG_CRYPTO, 60, "x509_read_from_dir: reading certificate %s",
+ LOG_DBG((LOG_CRYPTO, 60,
+ "x509_read_from_dir: reading certificate %s",
file->d_name));
#if defined (USE_PRIVSEP)
@@ -651,7 +667,8 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash)
#else
certh = BIO_new(BIO_s_file());
if (!certh) {
- log_error("x509_read_from_dir: BIO_new (BIO_s_file ()) failed");
+ log_error("x509_read_from_dir: BIO_new (BIO_s_file "
+ "()) failed");
continue;
}
if (BIO_read_filename(certh, fullname) == -1) {
@@ -669,20 +686,20 @@ x509_read_from_dir(X509_STORE *ctx, char *name, int hash)
BIO_free(certh);
#endif /* USE_PRIVSEP */
if (cert == NULL) {
- log_print("x509_read_from_dir: PEM_read_bio_X509 failed for %s",
- file->d_name);
+ log_print("x509_read_from_dir: PEM_read_bio_X509 "
+ "failed for %s", file->d_name);
continue;
}
if (!X509_STORE_add_cert(ctx, cert)) {
/*
* This is actually expected if we have several
- * certificates only differing in subjectAltName, which
- * is not an something that is strange. Consider
- * multi-homed machines.
+ * certificates only differing in subjectAltName,
+ * which is not an something that is strange.
+ * Consider multi-homed machines.
*/
LOG_DBG((LOG_CRYPTO, 50,
- "x509_read_from_dir: X509_STORE_add_cert failed for %s",
- file->d_name));
+ "x509_read_from_dir: X509_STORE_add_cert failed "
+ "for %s", file->d_name));
}
if (hash)
if (!x509_hash_enter(cert))
@@ -717,13 +734,13 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
log_print("x509_read_crls_from_dir: directory name too long");
return 0;
}
- LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs from %s",
- name));
+ LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs "
+ "from %s", name));
dir = monitor_opendir(name);
if (!dir) {
- LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir (\"%s\") "
- "failed: %s", name, strerror(errno)));
+ LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir "
+ "(\"%s\") failed: %s", name, strerror(errno)));
return 0;
}
strlcpy(fullname, name, sizeof fullname);
@@ -739,12 +756,13 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
} else {
struct stat sb;
- if (monitor_stat(fullname, &sb) == -1 || !(sb.st_mode & S_IFREG))
+ if (monitor_stat(fullname, &sb) == -1 ||
+ !(sb.st_mode & S_IFREG))
continue;
}
- LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading CRL %s",
- file->d_name));
+ LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading "
+ "CRL %s", file->d_name));
#if defined (USE_PRIVSEP)
crlfp = monitor_fopen(fullname, "r");
@@ -765,7 +783,8 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
if (BIO_read_filename(crlh, fullname) == -1) {
BIO_free(crlh);
log_error("x509_read_crls_from_dir: "
- "BIO_read_filename (crlh, \"%s\") failed", fullname);
+ "BIO_read_filename (crlh, \"%s\") failed",
+ fullname);
continue;
}
crl = PEM_read_bio_X509_CRL(crlh, NULL, NULL, NULL);
@@ -774,7 +793,8 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
#endif /* USE_PRIVSEP */
if (crl == NULL) {
log_print("x509_read_crls_from_dir: "
- "PEM_read_bio_X509_CRL failed for %s", file->d_name);
+ "PEM_read_bio_X509_CRL failed for %s",
+ file->d_name);
continue;
}
if (!X509_STORE_add_crl(ctx, crl)) {
@@ -783,11 +803,12 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
continue;
}
/*
- * XXX This is to make x509_cert_validate set this (and another) flag
- * XXX when validating certificates. Currently, OpenSSL defaults to
- * XXX reject an otherwise valid certificate (chain) if these flags
- * XXX are set but there are no CRLs to check. The current workaround
- * XXX is to only set the flags if we actually loaded some CRL data.
+ * XXX This is to make x509_cert_validate set this (and
+ * XXX another) flag when validating certificates. Currently,
+ * XXX OpenSSL defaults to reject an otherwise valid
+ * XXX certificate (chain) if these flags are set but there
+ * XXX are no CRLs to check. The current workaround is to only
+ * XXX set the flags if we actually loaded some CRL data.
*/
X509_STORE_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
}
@@ -802,7 +823,7 @@ x509_read_crls_from_dir(X509_STORE *ctx, char *name)
int
x509_cert_init(void)
{
- char *dirname;
+ char *dirname;
x509_hash_init();
@@ -856,7 +877,7 @@ x509_crl_init(void)
* support it.
*/
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- char *dirname;
+ char *dirname;
dirname = conf_get_str("X509-certificates", "CRL-directory");
if (!dirname) {
log_print("x509_crl_init: no CRL-directory");
@@ -940,10 +961,10 @@ x509_cert_validate(void *scert)
int
x509_cert_insert(int id, void *scert)
{
- X509 *cert;
- int res;
+ X509 *cert;
+ int res;
- cert = X509_dup((X509 *) scert);
+ cert = X509_dup((X509 *)scert);
if (!cert) {
log_print("x509_cert_insert: X509_dup failed");
return 0;
@@ -998,7 +1019,8 @@ x509_certreq_validate(u_int8_t *asn, u_int32_t len)
if (!asn_template_clone(&name, 1) ||
(asn = asn_decode_sequence(asn, len, &name)) == 0) {
- log_print("x509_certreq_validate: can not decode 'acceptable CA' info");
+ log_print("x509_certreq_validate: can not decode 'acceptable "
+ "CA' info");
res = 0;
}
asn_free(&name);
@@ -1021,13 +1043,14 @@ x509_certreq_decode(u_int8_t *asn, u_int32_t len)
if (!asn_template_clone(&aca, 1) ||
(asn = asn_decode_sequence(asn, len, &aca)) == 0) {
- log_print("x509_certreq_decode: can not decode 'acceptable CA' info");
+ log_print("x509_certreq_decode: can not decode 'acceptable "
+ "CA' info");
goto fail;
}
memset(&naca, 0, sizeof(naca));
- tmp = asn_decompose("aca.RelativeDistinguishedName.AttributeValueAssertion",
- &aca);
+ tmp = asn_decompose("aca.RelativeDistinguishedName."
+ "AttributeValueAssertion", &aca);
if (!tmp)
goto fail;
x509_get_attribval(tmp, &naca.name1);
@@ -1146,7 +1169,8 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
if (!subjectaltname || !subjectaltname->value ||
!subjectaltname->value->data || subjectaltname->value->length < 4) {
- log_print("x509_cert_subjectaltname: invalid subjectaltname extension");
+ log_print("x509_cert_subjectaltname: invalid "
+ "subjectaltname extension");
return 0;
}
/* SSL does not handle unknown ASN stuff well, do it by hand. */
@@ -1156,7 +1180,8 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
sandata += 4;
if (sanlen + 4 != subjectaltname->value->length) {
- log_print("x509_cert_subjectaltname: subjectaltname invalid length");
+ log_print("x509_cert_subjectaltname: subjectaltname invalid "
+ "length");
return 0;
}
*len = sanlen;
@@ -1181,8 +1206,9 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
*id_len = 0;
/*
- * XXX There can be a collection of subjectAltNames, but for now
- * I only return the subjectName and a single subjectAltName, if present.
+ * XXX There can be a collection of subjectAltNames, but for now I
+ * only return the subjectName and a single subjectAltName, if
+ * present.
*/
type = x509_cert_subjectaltname(cert, &altname, &altlen);
if (!type) {
@@ -1194,13 +1220,13 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
*id = calloc(*cnt, sizeof **id);
if (!*id) {
log_print("x509_cert_get_subject: malloc (%lu) failed",
- *cnt * (unsigned long) sizeof **id);
+ *cnt * (unsigned long)sizeof **id);
goto fail;
}
*id_len = malloc(*cnt * sizeof **id_len);
if (!*id_len) {
log_print("x509_cert_get_subject: malloc (%lu) failed",
- *cnt * (unsigned long) sizeof **id_len);
+ *cnt * (unsigned long)sizeof **id_len);
goto fail;
}
/* Stash the subjectName into the first slot. */
@@ -1209,10 +1235,12 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
goto fail;
(*id_len)[0] =
- ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) - ISAKMP_GEN_SZ;
+ ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) -
+ ISAKMP_GEN_SZ;
(*id)[0] = malloc((*id_len)[0]);
if (!(*id)[0]) {
- log_print("x509_cert_get_subject: malloc (%d) failed", (*id_len)[0]);
+ log_print("x509_cert_get_subject: malloc (%d) failed",
+ (*id_len)[0]);
goto fail;
}
SET_ISAKMP_ID_TYPE((*id)[0] - ISAKMP_GEN_SZ, IPSEC_ID_DER_ASN1_DN);
@@ -1238,8 +1266,8 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
case X509v3_IP_ADDR:
/*
- * XXX I dislike the numeric constants, but I don't know what we
- * should use otherwise.
+ * XXX I dislike the numeric constants, but I don't
+ * know what we should use otherwise.
*/
switch (altlen) {
case 4:
@@ -1251,8 +1279,8 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
break;
default:
- log_print("x509_cert_get_subject: "
- "invalid subjectAltName IPaddress length %d ",
+ log_print("x509_cert_get_subject: invalid "
+ "subjectAltName IPaddress length %d ",
altlen);
goto fail;
}
@@ -1304,9 +1332,9 @@ x509_cert_get_key(void *scert, void *keyp)
X509_free(cert);
return 0;
}
- *(RSA **) keyp = RSAPublicKey_dup(key->pkey.rsa);
+ *(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa);
- return *(RSA **) keyp == NULL ? 0 : 1;
+ return *(RSA **)keyp == NULL ? 0 : 1;
}
void *
@@ -1320,13 +1348,13 @@ x509_serialize(void *scert, u_int8_t **data, u_int32_t *datalen)
{
u_int8_t *p;
- *datalen = i2d_X509((X509 *) scert, NULL);
+ *datalen = i2d_X509((X509 *)scert, NULL);
*data = p = malloc(*datalen);
if (!p) {
log_error("x509_serialize: malloc (%d) failed", *datalen);
return;
}
- *datalen = i2d_X509((X509 *) scert, &p);
+ *datalen = i2d_X509((X509 *)scert, &p);
}
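Review bot: `*datalen = i2d_X509((X509 *)scert, NULL);` stores the return value straight into a `u_int32_t *` without checking it, but i2d_X509 reports failure with a negative int; the conversion turns that into a very large length, the following `malloc(*datalen)` then fails for an unrelated reason (or allocates a huge block), and the log line blames malloc. A guard before the allocation keeps the failure honest: `int n = i2d_X509((X509 *)scert, NULL); if (n <= 0) { *data = NULL; *datalen = 0; return; }` followed by `*datalen = n;`. The second call's result is assigned the same way and deserves the same check.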
/* From cert to printable */
@@ -1344,7 +1372,8 @@ x509_printable(void *cert)
s = malloc(datalen * 2 + 1);
if (!s) {
free(data);
- log_error("x509_printable: malloc (%d) failed", datalen * 2 + 1);
+ log_error("x509_printable: malloc (%d) failed",
+ datalen * 2 + 1);
return 0;
}
for (i = 0; i < datalen; i++)
diff --git a/sbin/isakmpd/x509.h b/sbin/isakmpd/x509.h
index 3ed64feff86..adba74e8c0b 100644
--- a/sbin/isakmpd/x509.h
+++ b/sbin/isakmpd/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.20 2004/04/15 18:39:27 deraadt Exp $ */
+/* $OpenBSD: x509.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */
/* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -68,7 +68,8 @@ int x509_cert_get_key(void *, void *);
int x509_cert_get_subjects(void *, int *, u_int8_t ***, u_int32_t **);
int x509_cert_init(void);
int x509_crl_init(void);
-int x509_cert_obtain(u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *);
+int x509_cert_obtain(u_int8_t *, size_t, void *, u_int8_t **,
+ u_int32_t *);
int x509_cert_validate(void *);
void x509_free_aca(void *);
void *x509_cert_dup(void *);