author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-06-07 19:53:20 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-06-07 19:53:20 +0000 |
commit | 086cd9b6b51b882be00c9a82c6adcbbcaea5e99b (patch) | |
tree | 2e440ba6e281ced7b4d2ddcc3694fb614d87a955 /sbin | |
parent | 404680569036a0926f7bc53aafdc6719d9cfe92f (diff) |
Start of support for IKECFG in SET/ACK mode. Server side only so far.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/exchange.c | 73 | ||||
-rw-r--r-- | sbin/isakmpd/isakmp_cfg.c | 392 |
2 files changed, 407 insertions, 58 deletions
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c index 9ff70e07085..6da0b577059 100644 --- a/sbin/isakmpd/exchange.c +++ b/sbin/isakmpd/exchange.c @@ -1,10 +1,10 @@ -/* $OpenBSD: exchange.c,v 1.65 2002/06/01 07:44:21 deraadt Exp $ */ +/* $OpenBSD: exchange.c,v 1.66 2002/06/07 19:53:19 ho Exp $ */ /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ /* * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. + * Copyright (c) 1999, 2000, 2002 Håkan Olsson. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -715,6 +715,21 @@ exchange_add_finalization (struct exchange *exchange, exchange->finalize_arg = node; } +static void +exchange_establish_transaction (struct exchange *exchange, void *arg, int fail) +{ + /* Establish a TRANSACTION exchange. */ + struct exchange_finalization_node *node + = (struct exchange_finalization_node *)arg; + struct sa *isakmp_sa = sa_lookup_by_name ((char *)node->second_arg, 1); + + if (isakmp_sa && !fail) + exchange_establish_p2 (isakmp_sa, ISAKMP_EXCH_TRANSACTION, 0, 0, + node->first, node->first_arg); + + free (node); +} + /* Establish a phase 1 exchange. */ void exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, @@ -724,6 +739,8 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, { struct exchange *exchange; struct message *msg; + struct conf_list *flags; + struct conf_list_node *flag; char *tag = 0; char *str; 
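Review bot: In the new exchange_establish_transaction, the caller's original finalization callback stored in `node->first` is only ever passed on to exchange_establish_p2; when `fail` is set or sa_lookup_by_name returns NULL the node is freed and `node->first` is never invoked, so a caller that registered a finalize on the phase 1 exchange now learns of neither success nor failure in those cases. Before this change that callback received the `fail` flag directly. Suggest `else if (node->first) node->first (exchange, node->first_arg, 1);` between the exchange_establish_p2 call and the `free (node);`, so the original contract survives the indirection. Whether any present caller depends on the failure notification is not visible from this hunk.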
@@ -805,8 +822,39 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, if (!exchange->policy && name) exchange->policy = conf_get_str ("Phase 1", "Default"); - exchange->finalize = finalize; - exchange->finalize_arg = arg; + if (name) + { + flags = conf_get_list (name, "Flags"); + if (flags) + { + for (flag = TAILQ_FIRST (&flags->fields); flag; + flag = TAILQ_NEXT (flag, link)) + if (strcasecmp (flag->field, "ikecfg") == 0) + { + struct exchange_finalization_node *node; + + node = calloc (1, (unsigned long)sizeof *node); + if (!node) + { + log_print ("exchange_establish_p1: calloc (1, %lu) failed", + (unsigned long)sizeof (*node)); + exchange_free (exchange); + return; + } + + /* Insert this finalization inbetween the original. */ + node->first = finalize; + node->first_arg = arg; + node->second_arg = name; + exchange_add_finalization (exchange, + exchange_establish_transaction, + node); + finalize = 0; + } + conf_free_list (flags); + } + } + exchange_add_finalization (exchange, finalize, arg); cookie_gen (t, exchange, exchange->cookies, ISAKMP_HDR_ICOOKIE_LEN); exchange_enter (exchange); #ifdef USE_DEBUG @@ -816,8 +864,9 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, msg = message_alloc (t, 0, ISAKMP_HDR_SZ); msg->exchange = exchange; - /* Do not create SA for an information exchange. */ - if (exchange->type != ISAKMP_EXCH_INFO) + /* Do not create SA for an information or transaction exchange. */ + if (exchange->type != ISAKMP_EXCH_INFO + && exchange->type != ISAKMP_EXCH_TRANSACTION) { /* * Don't install a transport into this SA as it will be an INADDR_ANY 
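Review bot: The calloc-failure path inside the "Flags" loop returns after `exchange_free (exchange)` without releasing `flags`, which the non-failing path frees with `conf_free_list (flags)`, so the list from conf_get_list leaks on that path; add `conf_free_list (flags);` before `exchange_free (exchange);`. The loop also does not stop after matching "ikecfg", so a configuration that lists the flag twice would chain two finalization nodes and establish two TRANSACTION exchanges; a `break;` after the `finalize = 0;` assignment avoids that. Note that after the loop `finalize` may be 0 and is still handed to exchange_add_finalization; whether that helper tolerates a NULL callback is not visible here. exchange_establish_p1 begins and ends outside this hunk.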
@@ -1393,8 +1442,6 @@ exchange_finalize (struct message *msg) exchange->keynote_key = 0; msg->isakmp_sa->policy_id = exchange->policy_id; exchange->policy_id = -1; - msg->isakmp_sa->id_i_len = exchange->id_i_len; - msg->isakmp_sa->id_r_len = exchange->id_r_len; msg->isakmp_sa->initiator = exchange->initiator; if (exchange->recv_certtype && exchange->recv_cert) @@ -1426,11 +1473,6 @@ exchange_finalize (struct message *msg) ->transport))); } - exchange->doi->finalize_exchange (msg); - if (exchange->finalize) - exchange->finalize (exchange, exchange->finalize_arg, 0); - exchange->finalize = 0; - /* Copy the ID from phase 1 to exchange or phase 2 SA. */ if (msg->isakmp_sa) { @@ -1450,6 +1492,11 @@ exchange_finalize (struct message *msg) } } + exchange->doi->finalize_exchange (msg); + if (exchange->finalize) + exchange->finalize (exchange, exchange->finalize_arg, 0); + exchange->finalize = 0; + /* * There is no reason to keep the SAs connected to us anymore, in fact * it can hurt us if we have short lifetimes on the SAs and we try diff --git a/sbin/isakmpd/isakmp_cfg.c b/sbin/isakmpd/isakmp_cfg.c index 28a210a8373..dd52874164d 100644 --- a/sbin/isakmpd/isakmp_cfg.c +++ b/sbin/isakmpd/isakmp_cfg.c @@ -1,7 +1,8 @@ -/* $OpenBSD: isakmp_cfg.c,v 1.9 2002/06/06 19:03:10 ho Exp $ */ +/* $OpenBSD: isakmp_cfg.c,v 1.10 2002/06/07 19:53:19 ho Exp $ */ /* * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2002 Håkan Olsson. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -39,6 +40,7 @@ #include <netinet/in.h> #include <arpa/inet.h> #include <string.h> +#include <bitstring.h> #include "sysdep.h" @@ -53,6 +55,7 @@ #include "message.h" #include "prf.h" #include "sa.h" +#include "transport.h" #include "util.h" /* 
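Review bot: The block moved in the last hunk (`doi->finalize_exchange`, `exchange->finalize`) now runs after the "Copy the ID from phase 1" section, but nothing in the code says why the order matters, and the next person tidying up could move it back. The reason appears to be that finalization callbacks registered by this commit need the IDs already on the ISAKMP SA, but that is an inference from the sibling change in exchange_establish_p1. Suggest a one-line comment above the moved block: `/* Finalize only after the IDs are copied; finalization callbacks may depend on them. */`. exchange_finalize starts and ends outside these hunks.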
@@ -66,34 +69,45 @@ int16_t script_transaction[] = { EXCHANGE_SCRIPT_END }; -static int decode_attribute (u_int16_t, u_int8_t *, u_int16_t, void *); -static int initiator_send_ATTR (struct message *); -static int initiator_recv_ATTR (struct message *); -static int responder_recv_ATTR (struct message *); -static int responder_send_ATTR (struct message *); +static int cfg_decode_attribute (u_int16_t, u_int8_t *, u_int16_t, void *); +static int cfg_initiator_send_ATTR (struct message *); +static int cfg_initiator_recv_ATTR (struct message *); +static int cfg_responder_recv_ATTR (struct message *); +static int cfg_responder_send_ATTR (struct message *); +/* Server: SET/ACK Client; REQ/REPLY */ int (*isakmp_cfg_initiator[]) (struct message *) = { - initiator_send_ATTR, - initiator_recv_ATTR + cfg_initiator_send_ATTR, + cfg_initiator_recv_ATTR }; +/* Server: REQ/REPLY Client: SET/ACK */ int (*isakmp_cfg_responder[]) (struct message *) = { - responder_recv_ATTR, - responder_send_ATTR + cfg_responder_recv_ATTR, + cfg_responder_send_ATTR }; -/* XXX A lot can be shared with responder_send_ATTR. */ +/* + * As "the server", this starts SET/ACK mode + * As "the client", this starts REQ/REPLY mode + * XXX A lot can be shared with responder_send_ATTR. + */ static int -initiator_send_ATTR (struct message *msg) +cfg_initiator_send_ATTR (struct message *msg) { struct exchange *exchange = msg->exchange; struct sa *isakmp_sa = msg->isakmp_sa; struct ipsec_sa *isa = isakmp_sa->data; + struct ipsec_exch *ie = exchange->data; struct hash *hash = hash_get (isa->hash); struct prf *prf; size_t hashsize = hash->hashsize; - u_int8_t *hashp = 0, *attrp; - size_t attrlen; + u_int8_t *hashp = 0, *attrp, *attr; + size_t attrlen, off; + char *id_string, *cfg_mode, *field; + struct sockaddr *sa; +#define CFG_ATTR_BIT_MAX ISAKMP_CFG_ATTR_FUTURE_MIN /* XXX */ + bitstr_t bit_decl (attrbits, CFG_ATTR_BIT_MAX); if (exchange->phase == 2) { 
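Review bot: The new comment block above cfg_initiator_send_ATTR still says `XXX A lot can be shared with responder_send_ATTR.`, the pre-rename name, and the matching new comment above cfg_responder_send_ATTR in the hunk at @@ -250 refers to `initiator_send_ATTR` the same way; suggest `XXX A lot can be shared with cfg_responder_send_ATTR.` and `cfg_initiator_send_ATTR` respectively so the comments follow the rename. The table comment `/* Server: SET/ACK Client; REQ/REPLY */` mixes a semicolon and colon, presumably meant as `/* Server: SET/ACK, Client: REQ/REPLY */`. The function-local `#define CFG_ATTR_BIT_MAX` is never undefined, unlike ATTRFIND in the next hunk; a `#undef` at the end of the function or a file-scope enum would be more consistent. cfg_initiator_send_ATTR continues past the end of this hunk.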
@@ -101,7 +115,7 @@ initiator_send_ATTR (struct message *msg) hashp = malloc (ISAKMP_HASH_SZ + hashsize); if (!hashp) { - log_error ("responder_send_ATTR: malloc (%lu) failed", + log_error ("cfg_initiator_send_ATTR: malloc (%lu) failed", ISAKMP_HASH_SZ + (unsigned long)hashsize); return -1; } 
@@ -113,17 +127,198 @@ initiator_send_ATTR (struct message *msg) } } -#ifndef to_be_removed - attrp = 0; + /* XXX This is wrong. */ + id_string = ipsec_id_string (isakmp_sa->id_i, isakmp_sa->id_i_len); + if (!id_string) + { + log_print ("cfg_initiator_send_ATTR: cannot parse ID"); + goto fail; + } + + /* Check for attribute list to send to the other side */ attrlen = 0; + bit_nclear (attrbits, 0, CFG_ATTR_BIT_MAX - 1); + + cfg_mode = conf_get_str (id_string, "Mode"); + if (!cfg_mode || strcmp (cfg_mode, "SET") == 0) + { + /* SET/ACK mode */ + LOG_DBG ((LOG_NEGOTIATION, 10, "cfg_initiator_send_ATTR: SET/ACK mode")); + +#define ATTRFIND(STR,ATTR4,LEN4,ATTR6,LEN6) do \ + { \ + if ((sa = conf_get_address (id_string, STR)) != NULL) \ + switch (sa->sa_family) \ + { \ + case AF_INET: \ + bit_set (attrbits, ATTR4); \ + attrlen += ISAKMP_ATTR_SZ + LEN4; \ + break; \ + case AF_INET6: \ + bit_set (attrbits, ATTR6); \ + attrlen += ISAKMP_ATTR_SZ + LEN6; \ + break; \ + default: \ + } \ + free (sa); \ + } while (0) + + /* XXX We don't simultaneously support IPv4 and IPv6 addresses. 
*/ + ATTRFIND ("Address", ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS, 4, + ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16); + ATTRFIND ("Netmask", ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK, 4, + ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16); + ATTRFIND ("Nameserver", ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS, 4, + ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16); + ATTRFIND ("WINS-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS, 4, + ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16); + ATTRFIND ("DHCP-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP, 4, + ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16); +#ifdef notyet + ATTRFIND ("Network", ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET, 8, + ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17); #endif +#undef ATTRFIND + + if (conf_get_str (id_string, "Lifetime")) + { + bit_set (attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); + attrlen += ISAKMP_ATTR_SZ + 4; + } + } + else + { + /* XXX REQ/REPLY */ + LOG_DBG ((LOG_NEGOTIATION, 10, + "cfg_initiator_send_ATTR: REQ/REPLY mode")); + } + + if (attrlen == 0) + { + /* No data found. */ + log_print ("cfg_initiator_send_ATTR: no IKECFG attributes found for %s", + id_string); + free (id_string); + return 0; + } + + attrp = calloc (1, attrlen); + if (!attrp) + { + log_error ("cfg_initiator_send_ATTR: calloc (1, %lu) failed", + (unsigned long)attrlen); + goto fail; + } + + if (message_add_payload (msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, 1)) + { + free (attrp); + goto fail; + } + if (!cfg_mode || strcmp (cfg_mode, "SET") == 0) + { + /* + * SET/ACK cont. Use the bitstring built previously to collect + * the right parameters for attrp. + */ + u_int16_t bit, length; + u_int32_t life; + + SET_ISAKMP_ATTRIBUTE_TYPE (attrp, ISAKMP_CFG_SET); + getrandom ((u_int8_t *)&ie->cfg_id, sizeof ie->cfg_id); + SET_ISAKMP_ATTRIBUTE_ID (attrp, ie->cfg_id); + + off = ISAKMP_ATTRIBUTE_SZ; + for (bit = 0; bit < CFG_ATTR_BIT_MAX; bit++) + if (bit_test (attrbits, bit)) + { + attr = attrp + off; + SET_ISAKMP_ATTR_TYPE (attr, bit); + + /* All the other are similar, this is the odd one. 
*/ + if (bit == ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY) + { + life = conf_get_num (id_string, "Lifetime", 1200); + SET_ISAKMP_ATTR_LENGTH_VALUE (attr, 4); + encode_32 (attr + ISAKMP_ATTR_VALUE_OFF, life); + off += ISAKMP_ATTR_SZ + 4; + continue; + } + + switch (bit) + { + case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: + case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: + case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: + case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: + case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: + length = 4; + break; + + case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: + length = 16; + break; + + default: + length = 0; /* Silence gcc. */ + } + + switch (bit) + { + case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: + field = "Address"; + break; + + case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: + field = "Netmask"; + break; + + case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: + field = "Nameserver"; + break; + + case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: + field = "DHCP-server"; + break; + + case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: + case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: + field = "WINS-server"; + break; + + default: + field = 0; /* Silence gcc. */ + } + + sa = conf_get_address (id_string, field); + SET_ISAKMP_ATTR_LENGTH_VALUE (attr, length); + memcpy (attr + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata (sa), + length); + + off += length + ISAKMP_ATTR_SZ; + } + } + else + { + /* XXX REQ/REPLY cont. */ + goto fail; + } + if (exchange->phase == 2) { prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len); if (!prf) - return -1; + goto fail; prf->Init (prf->prfctx); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); 
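Review bot: In the SET/ACK loop near the end of the hunk, the `sa` returned by `conf_get_address (id_string, field)` is read through `sockaddr_addrdata (sa)` and then dropped, so one sockaddr allocation is leaked per attribute per exchange; the ATTRFIND pass above frees its lookups and this one should too, with `free (sa);` after the memcpy. That lookup is also not NULL-checked, unlike in ATTRFIND; the key was found moments earlier so a miss is unlikely, but `if (!sa) goto fail;` keeps `sockaddr_addrdata` off a null pointer if the configuration is reloaded in between. Separately, the `default:` case in ATTRFIND has no statement before the closing brace, which is not valid standard C before C23 and some compilers reject; add `break;` after it. cfg_initiator_send_ATTR continues past the end of this hunk.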
@@ -132,16 +327,36 @@ initiator_send_ATTR (struct message *msg) prf_free (prf); } return 0; + + fail: + if (id_string) + free (id_string); + return -1; } +/* + * As "the server", this ends SET/ACK. + * As "the client", this ends REQ/REPLY. + */ static int -initiator_recv_ATTR (struct message *msg) +cfg_initiator_recv_ATTR (struct message *msg) { - struct exchange *exchange = msg->exchange; -#if 0 + struct payload *attrp + = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); +#ifdef notyet struct payload *p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_ATTRIBUTE]); #endif struct payload *hashp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]); + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct sa *isakmp_sa = msg->isakmp_sa; + struct ipsec_sa *isa = isakmp_sa->data; + struct isakmp_cfg_attr *attr; + struct prf *prf; + u_int8_t *hash, *comp_hash; + size_t hash_len; + struct sockaddr *sa; + char *addr; if (exchange->phase == 2) { 
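Review bot: The `return 0;` at the top of this hunk leaves cfg_initiator_send_ATTR without freeing `id_string`, which the function obtained from ipsec_id_string in the previous hunk; only the `fail:` label and the "no IKECFG attributes" early return release it, so every successfully built SET message leaks the string. Add `free (id_string);` before that `return 0;`. The `if (id_string)` guard at `fail:` is redundant since `free (NULL)` is a no-op, and matching the other release sites by a plain `free (id_string);` reads more uniformly. In cfg_initiator_recv_ATTR, `attrp` is taken with TAILQ_FIRST and dereferenced in the following hunk without a NULL check; if the transaction exchange script does not already guarantee the ATTRIBUTE payload is present, that is a null dereference reachable from the peer.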
@@ -149,21 +364,102 @@ initiator_recv_ATTR (struct message *msg) { /* XXX Should another NOTIFY type be used? */ message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); - log_print ("initiator_recv_ATTR: phase 2 message missing HASH"); + log_print ("cfg_initiator_recv_ATTR: phase 2 message missing HASH"); return -1; } - /* XXX Verify hash! */ + hash = hashp->p; + hash_len = GET_ISAKMP_GEN_LENGTH (hash); + comp_hash = malloc (hash_len - ISAKMP_GEN_SZ); + if (!comp_hash) + { + log_error ("cfg_initiator_recv_ATTR: malloc (%lu) failed", + (unsigned long)hash_len - ISAKMP_GEN_SZ); + return -1; + } + + /* Verify hash! */ + prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, + isa->skeyid_len); + if (!prf) + { + free (comp_hash); + return -1; + } + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, exchange->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN); + prf->Update (prf->prfctx, hash + hash_len, + msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); + prf->Final (comp_hash, prf->prfctx); + prf_free (prf); + if (memcmp (hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ) + != 0) + { + message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); + free (comp_hash); + return -1; + } + free (comp_hash); /* Mark the HASH as handled. 
*/ hashp->flags |= PL_MARK; } + ie->cfg_id = GET_ISAKMP_ATTRIBUTE_ID (attrp->p); + + switch (attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]) + { + case ISAKMP_CFG_ACK: + case ISAKMP_CFG_REPLY: + break; + + default: + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + log_print ("cfg_responder_recv_ATTR: " + "unexpected configuration message type %d", + attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]); + return -1; + } + + attribute_map (attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, + GET_ISAKMP_GEN_LENGTH (attrp->p) + - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, ie); + + if (attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF] == ISAKMP_CFG_ACK) + { + /* SET / ACKNOWLEDGE */ + const char *uk_addr = "<unknown>"; + + msg->transport->vtbl->get_src (isakmp_sa->transport, &sa); + if (sockaddr2text (sa, &addr, 0) < 0) + addr = (char *)uk_addr; + + for (attr = LIST_FIRST (&ie->attrs); attr; attr = LIST_NEXT (attr, link)) + LOG_DBG ((LOG_NEGOTIATION, 50, "cfg_responder_recv_ATTR: " + "client %s ACKs attribute %s", addr, + constant_name (isakmp_cfg_attr_cst, attr->type))); + + if (addr != uk_addr) + free (addr); + } + else /* ISAKMP_CFG_REPLY */ + { + /* + * XXX REQ/REPLY: effect attributes we've gotten responses on. + */ + } + return 0; } +/* + * As "the server", this starts REQ/REPLY (initiated by the client). + * As "the client", this starts SET/ACK (initiated by the server). + */ static int -responder_recv_ATTR (struct message *msg) +cfg_responder_recv_ATTR (struct message *msg) { struct exchange *exchange = msg->exchange; struct payload *attrp @@ -182,7 +478,7 @@ responder_recv_ATTR (struct message *msg) { /* XXX Should another NOTIFY type be used? */ message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0); - log_print ("responder_recv_ATTR: phase 2 message missing HASH"); + log_print ("cfg_responder_recv_ATTR: phase 2 message missing HASH"); return -1; } 
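Review bot: In the new hash verification of cfg_initiator_recv_ATTR, `comp_hash` is sized from `hash_len`, the generic payload length supplied by the peer, while `prf->Final` writes the PRF's fixed output size; a HASH payload shorter than that output overflows the heap buffer, and a short one that happens to match on the first bytes passes the truncated `memcmp`, since the comparison length is also peer-controlled. The `hash_len - ISAKMP_GEN_SZ` subtraction additionally wraps if the length is below the generic header size, unless the message parser already rejects that. Check the received length against the negotiated hash size before allocating, as sketched below; the pre-existing cfg_responder_recv_ATTR in the next hunk has the same shape and deserves the same check. The log messages in this function ("cfg_responder_recv_ATTR: unexpected configuration message type", "cfg_responder_recv_ATTR: client %s ACKs attribute") name the wrong function and should say `cfg_initiator_recv_ATTR:`.
```c
      hash = hashp->p;
      hash_len = GET_ISAKMP_GEN_LENGTH (hash);
      /* prf->Final writes the PRF's full output; size and compare from
         that, never from the peer-supplied payload length. */
      if (hash_len < ISAKMP_GEN_SZ
          || hash_len - ISAKMP_GEN_SZ != hash_get (isa->hash)->hashsize)
        {
          message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
          log_print ("cfg_initiator_recv_ATTR: bad HASH payload length");
          return -1;
        }
      comp_hash = malloc (hash_len - ISAKMP_GEN_SZ);
      /* ... unchanged: PRF computation, memcmp and PL_MARK ... */
```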
@@ -191,7 +487,7 @@ responder_recv_ATTR (struct message *msg) comp_hash = malloc (hash_len - ISAKMP_GEN_SZ); if (!comp_hash) { - log_error ("responder_recv_ATTR: malloc (%lu) failed", + log_error ("cfg_responder_recv_ATTR: malloc (%lu) failed", (unsigned long)hash_len - ISAKMP_GEN_SZ); return -1; } @@ -231,7 +527,8 @@ responder_recv_ATTR (struct message *msg) case ISAKMP_CFG_REQUEST: attribute_map (attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, GET_ISAKMP_GEN_LENGTH (attrp->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, decode_attribute, ie); + - ISAKMP_TRANSFORM_SA_ATTRS_OFF, cfg_decode_attribute, + ie); break; #ifdef notyet @@ -241,7 +538,7 @@ responder_recv_ATTR (struct message *msg) default: message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - log_print ("responder_recv_ATTR: " + log_print ("cfg_responder_recv_ATTR: " "unexpected configuration message type %d", attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]); return -1; @@ -250,9 +547,13 @@ responder_recv_ATTR (struct message *msg) return 0; } -/* XXX A lot can be shared with initiator_send_ATTR. */ +/* + * As "the server", this ends REQ/REPLY mode. + * As "the client", this ends SET/ACK mode. + * XXX A lot can be shared with initiator_send_ATTR. + */ static int -responder_send_ATTR (struct message *msg) +cfg_responder_send_ATTR (struct message *msg) { struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; @@ -276,7 +577,7 @@ responder_send_ATTR (struct message *msg) id_string = ipsec_id_string (isakmp_sa->id_i, isakmp_sa->id_i_len); if (!id_string) { - log_print ("responder_send_ATTR: cannot parse client's ID"); + log_print ("cfg_responder_send_ATTR: cannot parse client's ID"); goto fail; } @@ -286,7 +587,7 @@ responder_send_ATTR (struct message *msg) hashp = malloc (ISAKMP_HASH_SZ + hashsize); if (!hashp) { - log_error ("responder_send_ATTR: malloc (%lu) failed", + log_error ("cfg_responder_send_ATTR: malloc (%lu) failed", ISAKMP_HASH_SZ + (unsigned long)hashsize); goto fail; } 
@@ -348,7 +649,7 @@ responder_send_ATTR (struct message *msg) attrp = calloc (1, attrlen); if (!attrp) { - log_error ("responder_send_ATTR: calloc (1, %lu) failed", + log_error ("cfg_responder_send_ATTR: calloc (1, %lu) failed", (unsigned long)attrlen); goto fail; } @@ -401,7 +702,7 @@ responder_send_ATTR (struct message *msg) case ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET: case ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET: - field = "Address"; /* XXX or "Network" */ + field = "Network"; /* XXX or just "Address" */ break; case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: @@ -443,7 +744,7 @@ responder_send_ATTR (struct message *msg) sa = conf_get_address (id_string, field); if (!sa) { - LOG_DBG ((LOG_NEGOTIATION, 10, "responder_send_ATTR: " + LOG_DBG ((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: " "attribute not found: %s", field)); attr->length = 0; break; @@ -451,7 +752,7 @@ responder_send_ATTR (struct message *msg) if (sa->sa_family != family) { - log_print ("responder_send_ATTR: attribute %s - expected %s " + log_print ("cfg_responder_send_ATTR: attribute %s - expected %s " "got %s data", field, (family == AF_INET ? "IPv4" : "IPv6"), (sa->sa_family == AF_INET ? "IPv4" : "IPv6")); @@ -476,14 +777,14 @@ responder_send_ATTR (struct message *msg) sa = conf_get_address (id_string, "Netmask"); if (!sa) { - LOG_DBG ((LOG_NEGOTIATION, 10, "responder_send_ATTR: " + LOG_DBG ((LOG_NEGOTIATION, 10, "cfg_responder_send_ATTR: " "attribute not found: Netmask")); attr->length = 0; break; } if (sa->sa_family != AF_INET) { - log_print ("responder_send_ATTR: attribute Netmask - " + log_print ("cfg_responder_send_ATTR: attribute Netmask - " "expected IPv4 got IPv6 data"); free (sa); attr->length = 0; 
@@ -500,14 +801,14 @@ responder_send_ATTR (struct message *msg) if (prefix == -1) { - log_print ("responder_send_ATTR: " + log_print ("cfg_responder_send_ATTR: " "attribute not found: Prefix"); attr->length = 0; break; } else if (prefix < -1 || prefix > 128) { - log_print ("responder_send_ATTR: attribute Prefix - " + log_print ("cfg_responder_send_ATTR: attribute Prefix - " "invalid value %d", prefix); attr->length = 0; break; @@ -566,7 +867,8 @@ responder_send_ATTR (struct message *msg) * attributes indexed by type for easy retrieval. */ static int -decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, void *vie) +cfg_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vie) { struct ipsec_exch *ie = vie; struct isakmp_cfg_attr *attr; @@ -576,15 +878,15 @@ decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, void *vie) return 0; if (type == 0 || type >= ISAKMP_CFG_ATTR_FUTURE_MIN) { - LOG_DBG ((LOG_NEGOTIATION, 30, "decode_attribute: invalid attr type %u", - type)); + LOG_DBG ((LOG_NEGOTIATION, 30, + "cfg_decode_attribute: invalid attr type %u", type)); return -1; } attr = calloc (1, sizeof *attr); if (!attr) { - log_error ("decode_attribute: calloc (1, %lu) failed", + log_error ("cfg_decode_attribute: calloc (1, %lu) failed", (unsigned long)sizeof *attr); return -1; } @@ -595,7 +897,7 @@ decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, void *vie) attr->value = malloc (len); if (!attr->value) { - log_error ("decode_attribute: malloc (%d) failed", len); + log_error ("cfg_decode_attribute: malloc (%d) failed", len); free (attr); /* Should we also deallocate all other values? */ return -1; |