-rw-r--r--sbin/isakmpd/connection.c4
-rw-r--r--sbin/isakmpd/crypto.c4
-rw-r--r--sbin/isakmpd/dnssec.c4
-rw-r--r--sbin/isakmpd/exchange.c56
-rw-r--r--sbin/isakmpd/exchange.h18
-rw-r--r--sbin/isakmpd/ike_aggressive.c4
-rw-r--r--sbin/isakmpd/ike_auth.c12
-rw-r--r--sbin/isakmpd/ike_main_mode.c4
-rw-r--r--sbin/isakmpd/ike_quick_mode.c26
-rw-r--r--sbin/isakmpd/init.c8
-rw-r--r--sbin/isakmpd/ipsec.c14
-rw-r--r--sbin/isakmpd/isakmp_cfg.c4
-rw-r--r--sbin/isakmpd/isakmpd.c4
-rw-r--r--sbin/isakmpd/log.c6
-rw-r--r--sbin/isakmpd/message.h14
-rw-r--r--sbin/isakmpd/monitor.c4
-rw-r--r--sbin/isakmpd/policy.c4
-rw-r--r--sbin/isakmpd/sa.h12
-rw-r--r--sbin/isakmpd/sysdep/openbsd/sysdep.c8
-rw-r--r--sbin/isakmpd/transport.h12
20 files changed, 111 insertions, 111 deletions
diff --git a/sbin/isakmpd/connection.c b/sbin/isakmpd/connection.c
index 9185cc248f5..4a280ce757a 100644
--- a/sbin/isakmpd/connection.c
+++ b/sbin/isakmpd/connection.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: connection.c,v 1.39 2017/12/05 20:31:45 jca Exp $ */
+/* $OpenBSD: connection.c,v 1.40 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */
/*
@@ -91,7 +91,7 @@ connection_init(void)
* Passive connections normally include: all "active" connections that
* are not flagged "Active-Only", plus all connections listed in
* the 'Passive-Connections' list.
- */
+ */
TAILQ_INIT(&connections);
TAILQ_INIT(&connections_passive);
diff --git a/sbin/isakmpd/crypto.c b/sbin/isakmpd/crypto.c
index 1b0bd9024f3..eab9856276a 100644
--- a/sbin/isakmpd/crypto.c
+++ b/sbin/isakmpd/crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.c,v 1.33 2015/12/09 21:41:50 naddy Exp $ */
+/* $OpenBSD: crypto.c,v 1.34 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */
/*
@@ -301,7 +301,7 @@ crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len)
/*
* XXX There is controversy about the correctness of updating the IV
* like this.
- */
+ */
memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
ks->xf->decrypt(ks, buf, len);
LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
diff --git a/sbin/isakmpd/dnssec.c b/sbin/isakmpd/dnssec.c
index 5704bc8e08b..53377829fa0 100644
--- a/sbin/isakmpd/dnssec.c
+++ b/sbin/isakmpd/dnssec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dnssec.c,v 1.25 2015/08/20 22:02:21 deraadt Exp $ */
+/* $OpenBSD: dnssec.c,v 1.26 2018/01/04 14:21:00 mpi Exp $ */
/*
* Copyright (c) 2001 Håkan Olsson. All rights reserved.
@@ -191,7 +191,7 @@ dns_get_key(int type, struct message *msg, int *keylen)
* Find a key with the wanted algorithm, if any.
* XXX If there are several keys present, we currently only find the
* first.
- */
+ */
for (i = 0; i < rr->rri_nrdatas && key_rr.datalen == 0; i++) {
key_rr.flags = ntohs((u_int16_t) * rr->rri_rdatas[i].rdi_data);
key_rr.protocol = *(rr->rri_rdatas[i].rdi_data + 2);
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 019d03ada5a..6d6416ea957 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.140 2017/12/05 20:31:45 jca Exp $ */
+/* $OpenBSD: exchange.c,v 1.141 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -545,12 +545,12 @@ exchange_lookup(u_int8_t *msg, int phase2)
int i;
/*
- * We use the cookies to get bits to use as an index into exchange_tab,
+ * We use the cookies to get bits to use as an index into exchange_tab,
* as at least one (our cookie) is a good hash, xoring all the bits,
* 16 at a time, and then masking, should do. Doing it this way means
* we can validate cookies very fast thus delimiting the effects of
* "Denial of service"-attacks using packet flooding.
- */
+ */
for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) {
cp = msg + ISAKMP_HDR_COOKIES_OFF + i;
/* Doing it this way avoids alignment problems. */
@@ -591,9 +591,9 @@ exchange_create(int phase, int initiator, int doi, int type)
int delta;
/*
- * We want the exchange zeroed for exchange_free to be able to find
- * out what fields have been filled-in.
- */
+ * We want the exchange zeroed for exchange_free to be able to find
+ * out what fields have been filled-in.
+ */
exchange = calloc(1, sizeof *exchange);
if (!exchange) {
log_error("exchange_create: calloc (1, %lu) failed",
@@ -926,9 +926,9 @@ exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name,
exchange_dump("exchange_establish_p2", exchange);
/*
- * Do not create SA's for informational exchanges.
- * XXX How to handle new group mode?
- */
+ * Do not create SA's for informational exchanges.
+ * XXX How to handle new group mode?
+ */
if (exchange->type != ISAKMP_EXCH_INFO &&
exchange->type != ISAKMP_EXCH_TRANSACTION) {
/* XXX Number of SAs should come from the args structure. */
@@ -970,7 +970,7 @@ exchange_setup_p1(struct message *msg, u_int32_t doi)
/*
* Unless this is an informational exchange, look up our policy for
* this peer.
- */
+ */
type = GET_ISAKMP_HDR_EXCH_TYPE(msg->iov[0].iov_base);
if (type != ISAKMP_EXCH_INFO) {
/*
@@ -1336,12 +1336,12 @@ exchange_finalize(struct message *msg)
}
}
/*
- * Walk over all the SAs and noting them as ready. If we set the
- * COMMIT bit, tell the peer each SA is connected.
- *
- * XXX The decision should really be based on if a SA was installed
- * successfully.
- */
+ * Walk over all the SAs and noting them as ready. If we set the
+ * COMMIT bit, tell the peer each SA is connected.
+ *
+ * XXX The decision should really be based on if a SA was installed
+ * successfully.
+ */
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
/* Move over the name to the SA. */
@@ -1396,7 +1396,7 @@ exchange_finalize(struct message *msg)
* ISAKMP SA structure for future initialization of phase 2 exchanges'
* keystates. Also save the Phase 1 ID and authentication
* information.
- */
+ */
if (exchange->phase == 1 && msg->isakmp_sa) {
msg->isakmp_sa->keystate = exchange->keystate;
exchange->keystate = 0;
@@ -1458,11 +1458,11 @@ exchange_finalize(struct message *msg)
exchange->finalize = 0;
/*
- * There is no reason to keep the SAs connected to us anymore, in fact
- * it can hurt us if we have short lifetimes on the SAs and we try
- * to call exchange_report, where the SA list will be walked and
- * references to freed SAs can occur.
- */
+ * There is no reason to keep the SAs connected to us anymore, in fact
+ * it can hurt us if we have short lifetimes on the SAs and we try
+ * to call exchange_report, where the SA list will be walked and
+ * references to freed SAs can occur.
+ */
while (TAILQ_FIRST(&exchange->sa_list)) {
sa = TAILQ_FIRST(&exchange->sa_list);
@@ -1670,12 +1670,12 @@ exchange_add_certs(struct message *msg)
id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len;
/*
- * Without IDs we cannot handle this yet. Keep the aca_list around for
- * a later step/retry to see if we got the ID by then.
- * Note: A 'return -1' breaks X509-auth interop in the responder case
- * with some IPsec clients that send CERTREQs early (such as
+ * Without IDs we cannot handle this yet. Keep the aca_list around for
+ * a later step/retry to see if we got the ID by then.
+ * Note: A 'return -1' breaks X509-auth interop in the responder case
+ * with some IPsec clients that send CERTREQs early (such as
* the SSH Sentinel).
- */
+ */
if (!id)
return 0;
@@ -1761,7 +1761,7 @@ exchange_establish(char *name, void (*finalize)(struct exchange *, void *,
/*
* First of all, never try to establish anything if another exchange
* of the same kind is running.
- */
+ */
exchange = exchange_lookup_by_name(name, phase);
if (exchange) {
LOG_DBG((LOG_EXCHANGE, 40,
diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h
index e34f85d264a..d0db9038721 100644
--- a/sbin/isakmpd/exchange.h
+++ b/sbin/isakmpd/exchange.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.h,v 1.35 2017/09/18 07:42:52 mpi Exp $ */
+/* $OpenBSD: exchange.h,v 1.36 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
/*
@@ -72,7 +72,7 @@ struct exchange {
* has been run to its end, successfully. The 2nd argument is true
* if the finalization hook is called due to the exchange not running
* to its end normally.
- */
+ */
void (*finalize)(struct exchange *, void *, int);
void *finalize_arg;
@@ -82,13 +82,13 @@ struct exchange {
/*
* The event that will occur when it has taken too long time to try to
* run the exchange and which will trigger auto-destruction.
- */
+ */
struct event *death;
/*
* Both initiator and responder cookies.
* XXX For code clarity we might split this into two fields.
- */
+ */
u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];
/* The message ID signifying phase 2 exchanges. */
@@ -115,7 +115,7 @@ struct exchange {
/*
* A "program counter" into the script that validate message contents
* for this exchange.
- */
+ */
int16_t *exch_pc;
/* The last message received, used for checking for duplicates. */
@@ -127,13 +127,13 @@ struct exchange {
/*
* If some message is queued up for sending, we want to be able to
* remove it from the queue, when the exchange is deleted.
- */
+ */
struct message *in_transit;
/*
* Initiator's & responder's nonces respectively, with lengths.
* XXX Should this be in the DOI-specific parts instead?
- */
+ */
u_int8_t *nonce_i;
size_t nonce_i_len;
u_int8_t *nonce_r;
@@ -165,7 +165,7 @@ struct exchange {
/*
* Received certificate - used to verify signatures on packet,
* stored here for later policy processing.
- *
+ *
* The rules for the recv_* and sent_* fields are:
* - recv_cert stores the credential (if any) received from the peer;
* the kernel may pass us one, but we ignore it. We pass it to the
@@ -187,7 +187,7 @@ struct exchange {
* we don't pass it to the kernel, to avoid revealing such information
* to processes (processes either already know it, or have no business
* knowing it).
- */
+ */
int recv_certtype, recv_keytype;
void *recv_cert; /* Certificate received from peer,
* native format */
diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c
index 324460d3dac..5edcb651d43 100644
--- a/sbin/isakmpd/ike_aggressive.c
+++ b/sbin/isakmpd/ike_aggressive.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_aggressive.c,v 1.11 2010/06/29 19:50:16 reyk Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.12 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */
/*
@@ -119,7 +119,7 @@ initiator_send_AUTH(struct message *msg)
* INITIAL-CONTACT in phase 1, thus contradicting what we learned
* above. I will bring this up in the IPsec list. For now we don't
* do INITIAL-CONTACT at all when using aggressive mode.
- */
+ */
return 0;
}
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 86cf757ae9a..5e2a1a3b41d 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.114 2017/11/08 13:33:49 patrick Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.115 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
@@ -348,7 +348,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
* case in Aggressive mode), try to find the preshared key in the
* section of the initiator's Phase 1 ID. This allows us to do
* mobile user support with preshared keys.
- */
+ */
if (!exchange->initiator && exchange->id_i) {
switch (exchange->id_i[0]) {
case IPSEC_ID_IPV4_ADDR:
@@ -387,7 +387,7 @@ pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz)
/*
* Get the pre-shared key for our peer. This will work even if the key
* has been passed to us through a mechanism like PFKEYv2.
- */
+ */
key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name,
(char *)buf, &keylen);
free(buf);
@@ -587,7 +587,7 @@ rsa_sig_decode_hash(struct message *msg)
* XXX Assume we should use the same kind of certification as the
* remote... moreover, just use the first CERT payload to decide what
* to use.
- */
+ */
p = payload_first(msg, ISAKMP_PAYLOAD_CERT);
if (!p)
handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
@@ -601,7 +601,7 @@ rsa_sig_decode_hash(struct message *msg)
/*
* We need the policy session initialized now, so we can add
* credentials etc.
- */
+ */
exchange->policy_id = kn_init();
if (exchange->policy_id == -1) {
log_print("rsa_sig_decode_hash: failed to initialize policy "
@@ -640,7 +640,7 @@ rsa_sig_decode_hash(struct message *msg)
* Walk over potential CERT payloads in this message.
* XXX I believe this is the wrong spot for this. CERTs can appear
* anytime.
- */
+ */
TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_CERT], link) {
p->flags |= PL_MARK;
diff --git a/sbin/isakmpd/ike_main_mode.c b/sbin/isakmpd/ike_main_mode.c
index e88c4295654..6592e0666f5 100644
--- a/sbin/isakmpd/ike_main_mode.c
+++ b/sbin/isakmpd/ike_main_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_main_mode.c,v 1.17 2010/06/29 19:50:16 reyk Exp $ */
+/* $OpenBSD: ike_main_mode.c,v 1.18 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
/*
@@ -102,7 +102,7 @@ responder_send_KE_NONCE(struct message *msg)
/*
* Calculate DH values & key material in parallel with the message
* going on a roundtrip over the wire.
- */
+ */
message_register_post_send(msg,
(void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE);
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index dd437bdf884..dc3c027006d 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.112 2017/12/07 11:44:02 mpi Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.113 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -302,7 +302,7 @@ check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
* Add the authorizer (who is requesting the SA/ID);
* this may be a public or a secret key, depending on
* what mode of authentication we used in Phase 1.
- */
+ */
for (i = 0; i < nprinc; i++) {
LOG_DBG((LOG_POLICY, 40, "check_policy: "
"adding authorizer [%s]", principal[i]));
@@ -366,7 +366,7 @@ policydone:
* XXX Currently, check_policy() is only called from
* message_negotiate_sa(), and so this log message reflects this.
* Change to something better?
- */
+ */
if (result == 0)
log_print("check_policy: negotiated SA failed policy check");
@@ -374,7 +374,7 @@ policydone:
* Given that we have only 2 return values from policy (true/false)
* we can just return the query result directly (no pre-processing
* needed).
- */
+ */
return result;
}
@@ -845,7 +845,7 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
* Add the payloads. As this is a SA, we need to recompute the
* lengths of the payloads containing others. We also need to
* reset these payload's "next payload type" field.
- */
+ */
if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
goto bail_out;
SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len);
@@ -878,7 +878,7 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
/*
* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len.
- */
+ */
ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len);
if (!ie->sa_i_b)
goto bail_out;
@@ -886,7 +886,7 @@ initiator_send_HASH_SA_NONCE(struct message *msg)
/*
* Generate a nonce, and add it to the message.
* XXX I want a better way to specify the nonce's size.
- */
+ */
if (exchange_gen_nonce(msg, 16))
return -1;
@@ -1094,9 +1094,9 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
/*
* As we are getting an answer on our transform offer, only one
* transform should be given.
- *
+ *
* XXX Currently we only support negotiating one SA per quick mode run.
- */
+ */
if (TAILQ_NEXT(sa_p, link)) {
log_print("initiator_recv_HASH_SA_NONCE: "
"multiple SA payloads in quick mode not supported yet");
@@ -1364,7 +1364,7 @@ post_quick_mode(struct message *msg)
/*
* Loop over all SA negotiations and do both an in- and an outgoing SA
* per protocol.
- */
+ */
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
for (proto = TAILQ_FIRST(&sa->protos); proto;
@@ -1520,7 +1520,7 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
/*
* Check the payload's integrity.
* XXX Share with ipsec_fill_in_hash?
- */
+ */
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: "
"SKEYID_a", isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
@@ -1759,7 +1759,7 @@ next_sa:
/*
* Try to find and set the connection name on the exchange.
- */
+ */
/*
* Check for accepted identities as well as lookup the connection
@@ -1767,7 +1767,7 @@ next_sa:
*
* When not using policies make sure the peer proposes sane IDs.
* Otherwise this is done by KeyNote.
- */
+ */
name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr);
if (name) {
exchange->name = strdup(name);
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index b0744b4d8dd..4f2e889724b 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.41 2013/04/24 13:46:09 deraadt Exp $ */
+/* $OpenBSD: init.c,v 1.42 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
@@ -110,7 +110,7 @@ reinit(void)
* User-initiated SIGHUP's maybe "authorizes" a wait until
* next connection-check.
* XXX This means we discard exchange->last_msg, is this really ok?
- */
+ */
/* Reread config file. */
conf_reinit();
@@ -129,14 +129,14 @@ reinit(void)
/*
* Rescan interfaces (call reinit() in all transports).
- */
+ */
transport_reinit();
/*
* XXX "These" (non-existent) reinitializations should not be done.
* cookie_reinit ();
* ui_reinit ();
- */
+ */
sa_reinit();
}
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 855462e09bb..92bb178488a 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.148 2017/10/27 08:29:32 mpi Exp $ */
+/* $OpenBSD: ipsec.c,v 1.149 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -832,7 +832,7 @@ ipsec_get_keystate(struct message *msg)
* For phase 2 when no SA yet is setup we need to hash the IV used by
* the ISAKMP SA concatenated with the message ID, and use that as an
* IV for further cryptographic operations.
- */
+ */
if (!msg->isakmp_sa->keystate) {
log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p",
msg->isakmp_sa);
@@ -1206,7 +1206,7 @@ ipsec_responder(struct message *msg)
/*
* XXX So far we don't accept any proposals for exchanges we don't
* support.
- */
+ */
if (payload_first(msg, ISAKMP_PAYLOAD_SA)) {
message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
return -1;
@@ -1560,7 +1560,7 @@ ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto,
/*
* If no pseudo-random function was negotiated, it's HMAC.
* XXX As PRF_HMAC currently is zero, this is a no-op.
- */
+ */
if (!ie->prf_type)
ie->prf_type = PRF_HMAC;
}
@@ -2348,7 +2348,7 @@ ipsec_add_contact(struct message *msg)
/*
* XXX There are better algorithms for already mostly-sorted data like
* this, but only qsort is standard. I will someday do this inline.
- */
+ */
qsort(contacts, contact_cnt, sizeof *contacts, addr_cmp);
return 0;
}
@@ -2521,7 +2521,7 @@ ipsec_id_string(u_int8_t *id, size_t id_len)
* XXX Real ugly way of making the offsets correct. Be aware that id
* now will point before the actual buffer and cannot be dereferenced
* without an offset larger than or equal to ISAKM_GEN_SZ.
- */
+ */
id -= ISAKMP_GEN_SZ;
/* This is the actual length of the ID data field. */
@@ -2531,7 +2531,7 @@ ipsec_id_string(u_int8_t *id, size_t id_len)
* Conservative allocation.
* XXX I think the ASN1 DN case can be thought through to give a better
* estimate.
- */
+ */
size = MAXIMUM(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
sizeof "asn1_dn/" + id_len);
buf = malloc(size);
diff --git a/sbin/isakmpd/isakmp_cfg.c b/sbin/isakmpd/isakmp_cfg.c
index ef8bcd24a97..972d0cf6370 100644
--- a/sbin/isakmpd/isakmp_cfg.c
+++ b/sbin/isakmpd/isakmp_cfg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmp_cfg.c,v 1.39 2014/01/23 01:04:28 deraadt Exp $ */
+/* $OpenBSD: isakmp_cfg.c,v 1.40 2018/01/04 14:21:00 mpi Exp $ */
/*
* Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
@@ -262,7 +262,7 @@ cfg_initiator_send_ATTR(struct message *msg)
/*
* Use the bitstring built previously to collect the right
* parameters for attrp.
- */
+ */
for (bit = 0; bit < CFG_ATTR_BIT_MAX; bit++)
if (bit_test(attrbits, bit)) {
attr = attrp + off;
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index b957e7dc1cd..a1d955ae06a 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.105 2017/12/05 20:31:45 jca Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.106 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -286,7 +286,7 @@ set_slave_signals(void)
/*
* Do a clean daemon shutdown on TERM/INT. These signals must be
* initialized before monitor_init(). INT is only used with '-d'.
- */
+ */
signal(SIGTERM, daemon_shutdown_now);
if (debug == 1) /* i.e '-dd' will skip this. */
signal(SIGINT, daemon_shutdown_now);
diff --git a/sbin/isakmpd/log.c b/sbin/isakmpd/log.c
index 409cf2a416f..bc826383e9d 100644
--- a/sbin/isakmpd/log.c
+++ b/sbin/isakmpd/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.62 2014/10/25 03:18:13 lteo Exp $ */
+/* $OpenBSD: log.c,v 1.63 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
@@ -233,7 +233,7 @@ log_debug(int cls, int level, const char *fmt, ...)
/*
* If we are not debugging this class, or the level is too low, just
* return.
- */
+ */
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
va_start(ap, fmt);
@@ -251,7 +251,7 @@ log_debug_buf(int cls, int level, const char *header, const u_int8_t *buf,
/*
* If we are not debugging this class, or the level is too low, just
* return.
- */
+ */
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index 5df66b7e332..686948ce265 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.27 2016/03/10 07:32:16 yasuoka Exp $ */
+/* $OpenBSD: message.h,v 1.28 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -56,7 +56,7 @@ struct payload {
/*
* A pointer to the parent payload, used for proposal and transform
* payloads.
- */
+ */
struct payload *context;
/* Payload flags described below. */
@@ -90,13 +90,13 @@ struct message {
/*
* This is the transport the message either arrived on or will be sent
* to.
- */
+ */
struct transport *transport;
/*
* This is the ISAKMP SA protecting this message.
* XXX Needs to be redone to some keystate pointer or something.
- */
+ */
struct sa *isakmp_sa;
/* This is the exchange where this message appears. */
@@ -109,7 +109,7 @@ struct message {
* will be one payload, after encryption segment 0 will be the
* unencrypted header, and segment 1 will be the encrypted payloads,
* all of them.
- */
+ */
struct iovec *iov;
/* The segment count. */
@@ -134,13 +134,13 @@ struct message {
/*
* Extra baggage needed to travel with the message. Used transiently
* in context sensitive ways.
- */
+ */
void *extra;
/*
* Hooks for stuff needed to be done after the message has gone out to
* the wire.
- */
+ */
TAILQ_HEAD(post_send_head, post_send) post_send;
};
diff --git a/sbin/isakmpd/monitor.c b/sbin/isakmpd/monitor.c
index 5a8fb910262..c3f521f38b2 100644
--- a/sbin/isakmpd/monitor.c
+++ b/sbin/isakmpd/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.74 2015/08/20 22:02:21 deraadt Exp $ */
+/* $OpenBSD: monitor.c,v 1.75 2018/01/04 14:21:00 mpi Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
@@ -692,7 +692,7 @@ m_priv_local_sanitize_path(char *path, size_t pmax, int flags)
* We only permit paths starting with
* /etc/isakmpd/ (read only)
* /var/run/ (rw)
- */
+ */
if (realpath(path, new_path) == NULL ||
realpath("/var/run", var_run) == NULL) {
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index f1f919adfbb..e3da6a5053b 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.97 2013/11/22 04:12:47 deraadt Exp $ */
+/* $OpenBSD: policy.c,v 1.98 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -231,7 +231,7 @@ policy_callback(char *name)
/*
* If dirty is set, this is the first request for an attribute, so
* populate our value cache.
- */
+ */
if (dirty) {
ie = policy_exchange->data;
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 257d1839a70..2364e61db2c 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.52 2015/03/26 12:21:37 mikeb Exp $ */
+/* $OpenBSD: sa.h,v 1.53 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -77,7 +77,7 @@ struct proto {
/*
* The chosen transform, only valid while the incoming SA payload that
* held it is available for duplicate testing.
- */
+ */
struct payload *chosen;
/* The chosen transform's ID. */
@@ -107,7 +107,7 @@ struct sa {
/*
* When several SA's are being negotiated in one message we connect
* them through this link.
- */
+ */
TAILQ_ENTRY(sa) next;
/*
@@ -164,14 +164,14 @@ struct sa {
/*
* The key used to authenticate phase 1, in printable format, used
* only by KeyNote.
- */
+ */
char *keynote_key;
/*
* Certificates or other information from Phase 1; these are copied
* from the exchange, so look at exchange.h for an explanation of
* their use.
- */
+ */
int recv_certtype, recv_keytype;
/* Certificate received from peer, native format. */
void *recv_cert;
@@ -181,7 +181,7 @@ struct sa {
/*
* Certificates or other information we used to authenticate to the
* peer, Phase 1.
- */
+ */
int sent_certtype;
/* Certificate (to be) sent to peer, native format. */
void *sent_cert;
diff --git a/sbin/isakmpd/sysdep/openbsd/sysdep.c b/sbin/isakmpd/sysdep/openbsd/sysdep.c
index a44a3c04c93..8090a265ba0 100644
--- a/sbin/isakmpd/sysdep/openbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.36 2014/01/22 03:09:31 deraadt Exp $ */
+/* $OpenBSD: sysdep.c,v 1.37 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -94,9 +94,9 @@ sysdep_cleartext(int fd, int af)
}
/*
- * Need to bypass system security policy, so I can send and
- * receive key management datagrams in the clear.
- */
+ * Need to bypass system security policy, so I can send and
+ * receive key management datagrams in the clear.
+ */
level = IPSEC_LEVEL_BYPASS;
if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].auth_level,
(char *) &level, sizeof level) == -1) {
diff --git a/sbin/isakmpd/transport.h b/sbin/isakmpd/transport.h
index 2b809936b69..ecbe38129e5 100644
--- a/sbin/isakmpd/transport.h
+++ b/sbin/isakmpd/transport.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: transport.h,v 1.20 2016/08/26 06:18:01 guenther Exp $ */
+/* $OpenBSD: transport.h,v 1.21 2018/01/04 14:21:00 mpi Exp $ */
/* $EOM: transport.h,v 1.16 2000/07/17 18:57:59 provos Exp $ */
/*
@@ -78,7 +78,7 @@ struct transport_vtbl {
/*
* Read a message from the transport's incoming pipe and start
* handling it.
- */
+ */
void (*handle_message) (struct transport *);
/* Send a message through the outgoing pipe. */
@@ -87,18 +87,18 @@ struct transport_vtbl {
/*
* Fill out a sockaddr structure with the transport's destination end's
* address info.
- */
+ */
void (*get_dst) (struct transport *, struct sockaddr **);
/*
* Fill out a sockaddr structure with the transport's source end's
* address info.
- */
+ */
void (*get_src) (struct transport *, struct sockaddr **);
/*
* Return a string with decoded src and dst information
- */
+ */
char *(*decode_ids) (struct transport *);
/*
@@ -126,7 +126,7 @@ struct transport {
* Prioritized send queue. Messages in this queue will be transmitted
* before the normal sendq, they will also all be transmitted prior
* to a daemon shutdown. Currently only used for DELETE notifications.
- */
+ */
struct msg_head prio_sendq;
/* Flags describing the transport. */