-rw-r--r-- | sbin/isakmpd/connection.c | 69 | ||||
-rw-r--r-- | sbin/isakmpd/policy.c | 155 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 206 |
3 files changed, 226 insertions, 204 deletions
diff --git a/sbin/isakmpd/connection.c b/sbin/isakmpd/connection.c index 6e09a330681..2f6a2f10cb5 100644 --- a/sbin/isakmpd/connection.c +++ b/sbin/isakmpd/connection.c @@ -1,4 +1,4 @@ -/* $OpenBSD: connection.c,v 1.15 2001/03/14 10:42:19 deraadt Exp $ */ +/* $OpenBSD: connection.c,v 1.16 2001/03/14 12:15:45 niklas Exp $ */ /* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */ /* @@ -75,7 +75,7 @@ struct connection_passive #if 0 /* XXX Potential additions to 'connection_passive'. */ char *isakmp_peer; - struct sa *sa; /* XXX "Soft" ref to active sa? */ + struct sa *sa; /* XXX "Soft" ref to active sa? */ struct timeval sa_expiration; /* XXX *sa may expire. */ #endif }; @@ -120,10 +120,10 @@ connection_init () */ attrs = conf_get_list (conn->field, "Flags"); if (attrs) - for (attr = TAILQ_FIRST (&attrs->fields); attr; - attr = TAILQ_NEXT (attr, link)) - if (strcasecmp ("active-only", attr->field) == 0) - break; + for (attr = TAILQ_FIRST (&attrs->fields); attr; + attr = TAILQ_NEXT (attr, link)) + if (strcasecmp ("active-only", attr->field) == 0) + break; if (!attrs || (attrs && !attr)) if (connection_record_passive (conn->field)) log_print ("connection_init: could not record " @@ -196,17 +196,17 @@ connection_passive_lookup_by_name (char *name) } /* - * IDs of different types cannot be the same. + * IDs of different types cannot be the same. * XXX Rename to ipsec_compare_id, and move to ipsec.c ? */ -static int +static int compare_ids (u_int8_t *id1, u_int8_t *id2, size_t idlen) { int id1_type, id2_type; id1_type = GET_ISAKMP_ID_TYPE (id1); id2_type = GET_ISAKMP_ID_TYPE (id2); - + return id1_type == id2_type ? memcmp (id1 + ISAKMP_ID_DATA_OFF, id2 + ISAKMP_ID_DATA_OFF, idlen - ISAKMP_ID_DATA_OFF) : -1; @@ -217,7 +217,7 @@ char * connection_passive_lookup_by_ids (u_int8_t *id1, u_int8_t *id2) { struct connection_passive *conn; - + for (conn = TAILQ_FIRST (&connections_passive); conn; conn = TAILQ_NEXT (conn, link)) { 
@@ -248,7 +248,7 @@ connection_passive_lookup_by_ids (u_int8_t *id1, u_int8_t *id2) { if (conn->remote_id != NULL) continue; - + if (compare_ids (id1, conn->local_id, conn->local_sz) == 0 || compare_ids (id2, conn->local_id, conn->local_sz) == 0) { @@ -326,12 +326,12 @@ connection_record_passive (char *name) if (connection_passive_lookup_by_name (name)) { - LOG_DBG ((LOG_MISC, 10, + LOG_DBG ((LOG_MISC, 10, "connection_record_passive: cannot add \"%s\" twice", name)); return 0; } - + local_id = conf_get_str (name, "Local-ID"); if (!local_id) { @@ -351,7 +351,7 @@ connection_record_passive (char *name) sizeof *conn); return -1; } - + conn->name = strdup (name); if (!conn->name) { @@ -364,7 +364,7 @@ connection_record_passive (char *name) if (!conn->local_id) goto fail; - if (remote_id) + if (remote_id) { conn->remote_id = ipsec_build_id (remote_id, &conn->remote_sz); if (!conn->remote_id) @@ -374,7 +374,7 @@ connection_record_passive (char *name) conn->remote_id = NULL; TAILQ_INSERT_TAIL (&connections_passive, conn, link); - + LOG_DBG ((LOG_MISC, 60, "connection_record_passive: passive connection \"%s\" " "added", conn->name)); @@ -412,9 +412,9 @@ connection_passive_teardown (char *name) struct connection_passive *conn; conn = connection_passive_lookup_by_name (name); - if (!conn) + if (!conn) return; - + TAILQ_REMOVE (&connections_passive, conn, link); free (conn->name); free (conn->local_id); 
@@ -434,38 +434,43 @@ connection_report (void) gettimeofday (&now, 0); for (conn = TAILQ_FIRST (&connections); conn; conn = TAILQ_NEXT (conn, link)) - LOG_DBG ((LOG_REPORT, 0, + LOG_DBG ((LOG_REPORT, 0, "connection_report: connection %s next check %ld seconds", (conn->name ? conn->name : "<unnamed>"), conn->ev->expiration.tv_sec - now.tv_sec)); #ifdef USE_DEBUG - for (pconn = TAILQ_FIRST (&connections_passive); pconn; + for (pconn = TAILQ_FIRST (&connections_passive); pconn; pconn = TAILQ_NEXT (pconn, link)) LOG_DBG ((LOG_REPORT, 0, - "connection_report: passive connection %s %s", pconn->name, + "connection_report: passive connection %s %s", pconn->name, doi->decode_ids ("local_id: %s, remote_id: %s", - pconn->local_id, pconn->local_sz, - pconn->remote_id, pconn->remote_sz, 1))); + pconn->local_id, pconn->local_sz, + pconn->remote_id, pconn->remote_sz, 1))); #endif } -/* Reinit all connections (SIGHUP handling). */ +/* Reinitialize all connections (SIGHUP handling). */ void connection_reinit (void) { - struct connection *conn; - struct connection_passive *pconn; + struct connection *conn, *next; + struct connection_passive *pconn, *pnext; - LOG_DBG ((LOG_MISC, 30, + LOG_DBG ((LOG_MISC, 30, "connection_reinit: reinitializing connection list")); /* Remove all present connections. */ + for (conn = TAILQ_FIRST (&connections); conn; conn = next) + { + next = TAILQ_NEXT (conn); + connection_teardown (conn->name); + } - while ((conn = TAILQ_FIRST (&connections))) - connection_teardown (conn->name); - - while ((pconn = TAILQ_FIRST (&connections_passive))) - connection_passive_teardown (pconn->name); + for (pconn = TAILQ_FIRST (&connections_passive); pconn; pconn = pnext) + { + pnext = TAILQ_NEXT (pconn); + connection_passive_teardown (pconn->name); + } /* Setup new connections, as the (new) config directs. */ connection_init (); diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c index 91b60f9d7de..3dde6fba2e3 100644 --- a/sbin/isakmpd/policy.c 
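Review bot: Both new teardown loops in connection_reinit call the queue macro with one argument (`next = TAILQ_NEXT (conn);` and `pnext = TAILQ_NEXT (pconn);`), while every other use in this file passes the link field, so this should not compile against the two-argument macro. The lines should read `next = TAILQ_NEXT (conn, link);` and `pnext = TAILQ_NEXT (pconn, link);`. Saving the successor before the call is the right shape, since connection_passive_teardown (visible earlier in this diff) removes and frees the element.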
+++ b/sbin/isakmpd/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.24 2001/03/13 14:05:19 ho Exp $ */ +/* $OpenBSD: policy.c,v 1.25 2001/03/14 12:15:45 niklas Exp $ */ /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ /* @@ -133,8 +133,8 @@ struct sa *policy_sa = 0; struct sa *policy_isakmp_sa = 0; static const char hextab[] = { - '0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' + '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; /* @@ -394,7 +394,7 @@ policy_callback (char *name) > (proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) return ""; - + type = GET_ISAKMP_ATTR_TYPE (attr); fmt = ISAKMP_ATTR_FORMAT (type); type = ISAKMP_ATTR_TYPE (type); @@ -632,25 +632,25 @@ policy_callback (char *name) /* XXX IPv4-specific. */ policy_sa->transport->vtbl->get_src (policy_sa->transport, - (struct sockaddr **) &sin, &fmt); + (struct sockaddr **)&sin, &fmt); my_inet_ntop4 (&(sin->sin_addr.s_addr), local_ike_address, sizeof local_ike_address - 1, 0); policy_sa->transport->vtbl->get_dst (policy_sa->transport, - (struct sockaddr **) &sin, &fmt); + (struct sockaddr **)&sin, &fmt); my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_ike_address, sizeof remote_ike_address - 1, 0); switch (policy_isakmp_sa->exch_type) - { - case ISAKMP_EXCH_AGGRESSIVE: - phase_1 = "aggressive"; - break; + { + case ISAKMP_EXCH_AGGRESSIVE: + phase_1 = "aggressive"; + break; - case ISAKMP_EXCH_ID_PROT: - phase_1 = "main"; - break; - } + case ISAKMP_EXCH_ID_PROT: + phase_1 = "main"; + break; + } if (policy_isakmp_sa->initiator) { @@ -702,7 +702,7 @@ policy_callback (char *name) sizeof (char)); goto bad; } - + strcpy (remote_id, remote_id_addr_lower); remote_id[strlen (remote_id_addr_lower)] = '-'; strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 
@@ -764,7 +764,7 @@ policy_callback (char *name) sizeof (char)); goto bad; } - memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, + memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); break; @@ -779,7 +779,7 @@ policy_callback (char *name) sizeof (char)); goto bad; } - memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, + memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); break; @@ -793,7 +793,9 @@ policy_callback (char *name) case IPSEC_ID_KEY_ID: remote_id_type = "Key ID"; - remote_id = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, sizeof (char)); + remote_id + = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, + sizeof (char)); if (!remote_id) { log_error ("policy_callback: calloc (%d, %d) failed", @@ -803,8 +805,10 @@ policy_callback (char *name) } for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++) { - remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; - remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; + remote_id[2 * i] + = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; + remote_id[2 * i + 1] + = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; } break; 
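Review bot: The Key ID hex loop in the `@@ -803,8 +805,10 @@` hunk never uses `i` on the source side: both assignments read `*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ)`, so every output pair encodes the first byte and `remote_id` ends up as that byte repeated. If this string is what policy evaluation sees as the peer identity (the naming suggests so), distinct Key IDs of equal length that share a first byte would become indistinguishable. Index the source, e.g. `hextab[id[ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i] >> 4]` with the matching `& 0xF` line. The `remote_filter` and `local_filter` Key ID loops in the later policy_callback hunks have the same shape and need `idremote[ISAKMP_ID_DATA_OFF + i]` and `idlocal[ISAKMP_ID_DATA_OFF + i]`. policy_callback starts and ends outside these hunks.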
@@ -986,18 +990,22 @@ policy_callback (char *name) case IPSEC_ID_KEY_ID: remote_filter_type = "Key ID"; - remote_filter = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); + remote_filter + = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, + sizeof (char)); if (!remote_filter) { - log_error ("policy_callback: calloc (%d, %d) failed", - 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, + log_error ("policy_callback: calloc (%d, %d) failed", + 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); goto bad; } for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) { - remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; - remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; + remote_filter[2 * i] + = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; + remote_filter[2 * i + 1] + = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; } break; @@ -1016,7 +1024,7 @@ policy_callback (char *name) case IPPROTO_UDP: remote_filter_proto = "udp"; break; - + #ifdef IPPROTO_ETHERIP case IPPROTO_ETHERIP: remote_filter_proto = "etherip"; @@ -1024,7 +1032,7 @@ policy_callback (char *name) #endif default: - sprintf (remote_filter_proto_num, "%2d", + sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]); remote_filter_proto = remote_filter_proto_num; break; 
@@ -1183,18 +1191,21 @@ policy_callback (char *name) case IPSEC_ID_KEY_ID: local_filter_type = "Key ID"; - local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); + local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, + sizeof (char)); if (!local_filter) { - log_error ("policy_callback: calloc (%d, %d) failed", - 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, + log_error ("policy_callback: calloc (%d, %d) failed", + 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); goto bad; } for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) { - local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; - local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; + local_filter[2 * i] + = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; + local_filter[2 * i + 1] + = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; } break; @@ -1221,7 +1232,7 @@ policy_callback (char *name) #endif default: - sprintf (local_filter_proto_num, "%2d", + sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]); local_filter_proto = local_filter_proto_num; break; @@ -1233,7 +1244,7 @@ policy_callback (char *name) else { policy_sa->transport->vtbl->get_src (policy_sa->transport, - (struct sockaddr **) &sin, + (struct sockaddr **)&sin, &fmt); local_filter_type = "IPv4 address"; @@ -1268,7 +1279,7 @@ policy_callback (char *name) LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); - LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", + LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", comp_encapsulation)); LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); 
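Review bot: In the `local_filter` Key ID case the buffer is sized from `idlocalsz` (`calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, ...)`) but the fill loop is bounded by `idremotesz`, so whenever the remote ID is longer than the local one the loop writes past the end of `local_filter`. The bound should be `for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)`. Both sizes appear to describe negotiated ID payloads, so this looks reachable from peer input; unless a check outside the hunk already guarantees it, also confirm `idlocalsz >= ISAKMP_ID_DATA_OFF` before the subtraction.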
@@ -1279,7 +1290,7 @@ policy_callback (char *name) LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc)); LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); - LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", remote_filter_type)); LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper)); @@ -1287,9 +1298,9 @@ policy_callback (char *name) remote_filter_addr_lower)); LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", (remote_filter ? remote_filter : ""))); - LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", remote_filter_port)); - LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", remote_filter_proto)); LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", @@ -1299,14 +1310,14 @@ policy_callback (char *name) LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", (local_filter ? local_filter : ""))); LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); - LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", + LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", local_filter_proto)); LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", remote_id_addr_upper)); LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", remote_id_addr_lower)); - LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", (remote_id ? remote_id : ""))); LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); 
@@ -1590,7 +1601,7 @@ keynote_cert_init (void) return 1; } -/* Just copy and return */ +/* Just copy and return. */ void * keynote_cert_get (u_int8_t *data, u_int32_t len) { @@ -1623,8 +1634,8 @@ keynote_cert_validate (void *scert) for (i = 0; i < num; i++) { - if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) != - SIGRESULT_TRUE) + if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) + != SIGRESULT_TRUE) { for (; i < num; i++) free (foo[i]); @@ -1639,7 +1650,7 @@ keynote_cert_validate (void *scert) return 1; } -/* Add received credentials */ +/* Add received credentials. */ int keynote_cert_insert (int sid, void *scert) { @@ -1660,38 +1671,42 @@ keynote_cert_insert (int sid, void *scert) return 1; } -/* Just regular memory free */ +/* Just regular memory free. */ void keynote_cert_free (void *cert) { free (cert); } -/* Verify that the key given to us is valid */ +/* Verify that the key given to us is valid. */ int keynote_certreq_validate (u_int8_t *data, u_int32_t len) { - struct keynote_deckey dc; - int err = 1; - char *dat; + struct keynote_deckey dc; + int err = 1; + char *dat; - dat = calloc (len + 1, sizeof(char)); - if (dat == NULL) - return 0; + dat = calloc (len + 1, sizeof (char)); + if (!dat) + { + log_error ("keynote_certreq_validate: calloc (%d, %d) failed", len + 1, + sizeof (char)) + return 0; + } - memcpy (dat, data, len); + memcpy (dat, data, len); - if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) - err = 0; - else - LK (kn_free_key, (&dc)); + if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) + err = 0; + else + LK (kn_free_key, (&dc)); - free (dat); + free (dat); - return err; + return err; } -/* Beats me what we should be doing with this */ +/* Beats me what we should be doing with this. */ void * keynote_certreq_decode (u_int8_t *data, u_int32_t len) { 
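Review bot: The `log_error (...)` call added to keynote_certreq_validate has no terminating `;` before `return 0;`, so the block does not compile; the call should end `sizeof (char));`. Its format also feeds a `u_int32_t` and a `size_t` to `%d`, which mismatches on LP64 targets; cast the arguments or use matching specifiers. Separately, `len` is `u_int32_t`, so `len + 1` wraps to 0 when `len` is 0xffffffff and the following `memcpy (dat, data, len)` would then overrun the allocation; unless callers already cap `len`, reject that value before the `calloc`.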
@@ -1719,7 +1734,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, return 0; } - /* Get type of ID */ + /* Get type of ID. */ idtype = id[0]; id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; @@ -1727,7 +1742,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, dirname = conf_get_str ("KeyNote", "Credential-directory"); if (!dirname) { - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: no Credential-directory")); return 0; } @@ -1776,13 +1791,13 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, if (stat (file, &sb) < 0) { - LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", + LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", file)); free (file); return 0; } - *cert = calloc (sb.st_size, sizeof(char)); + *cert = calloc (sb.st_size, sizeof (char)); if (*cert == NULL) { log_error ("keynote_cert_obtain: failed to allocate %d bytes", @@ -1815,7 +1830,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, return 1; } -/* This should never be called */ +/* This should never be called. */ int keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, u_int32_t **id_len) @@ -1823,7 +1838,7 @@ keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, return 0; } -/* Get the Authorizer key */ +/* Get the authorizer key. */ int keynote_cert_get_key (void *scert, void *keyp) { @@ -1831,8 +1846,8 @@ keynote_cert_get_key (void *scert, void *keyp) int sid, num; char **foo; - foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), &num)); - if ((foo == NULL) || (num == 0)) + foo = LK (kn_read_asserts, ((char *)scert, strlen ((char *)scert), &num)); + if (foo == NULL || num == 0) return 0; sid = LK (kn_add_assertion, (keynote_sessid, foo[num - 1], 
@@ -1850,10 +1865,10 @@ keynote_cert_get_key (void *scert, void *keyp) while (kl) { if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) - { + { *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); break; - } + } kl = kl->key_next; } diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index 1155fb2ec9a..7925a03d2a7 100644 --- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.43 2001/03/13 14:05:19 ho Exp $ */ +/* $OpenBSD: x509.c,v 1.44 2001/03/14 12:15:46 niklas Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -68,7 +68,7 @@ #include "sa.h" #include "x509.h" -/* +/* * X509_STOREs do not support subjectAltNames, so we have to build * our own hash table. */ @@ -98,15 +98,17 @@ static int bucket_mask; #ifdef USE_POLICY /* * Given an X509 certificate, create a KeyNote assertion where - * Issuer/Subject -> Authorizer/Licensees, - * XXX RSA-specific + * Issuer/Subject -> Authorizer/Licensees. + * XXX RSA-specific. */ int x509_generate_kn (X509 *cert) { - char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n"; + char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s\"\n" + "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; char *ikey, *skey, *buf, isname[256], subname[256]; - char *fmt2 = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n"; + char *fmt2 = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n" + "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; X509_NAME *issuer, *subject; struct keynote_deckey dc; X509_STORE_CTX csc; @@ -129,11 +131,11 @@ x509_generate_kn (X509 *cert) /* Missing or self-signed, ignore cert but don't report failure. */ if (!issuer || !subject || !LC (X509_name_cmp, (issuer, subject))) - return 1; + return 1; if (!x509_cert_get_key (cert, &key)) { - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: failed to get public key from cert")); return 0; } 
@@ -157,7 +159,7 @@ x509_generate_kn (X509 *cert) } LC (RSA_free, (key)); - /* Now find issuer's certificate so we can get the public key */ + /* Now find issuer's certificate so we can get the public key. */ LC (X509_STORE_CTX_init, (&csc, x509_cas, cert, NULL)); if (LC (X509_STORE_get_by_subject, (&csc, X509_LU_X509, issuer, &obj)) != X509_LU_X509) @@ -168,7 +170,7 @@ x509_generate_kn (X509 *cert) X509_LU_X509) { LC (X509_STORE_CTX_cleanup, (&csc)); - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: no certificate found for issuer")); return 0; } @@ -187,7 +189,7 @@ x509_generate_kn (X509 *cert) if (!x509_cert_get_key (icert, &key)) { - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: failed to get public key from cert")); free (ikey); return 0; @@ -273,16 +275,16 @@ x509_generate_kn (X509 *cert) return 0; } - /* Validity checks */ - if ((tm->data[2] != '0' && tm->data[2] != '1') || - (tm->data[2] == '0' && tm->data[3] == '0') || - (tm->data[2] == '1' && tm->data[3] > '2') || - (tm->data[4] > '3') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '3' && tm->data[5] > '1') || - (tm->data[6] > '2') || - (tm->data[6] == '2' && tm->data[7] > '3') || - (tm->data[8] > '5')) + /* Validity checks. */ + if ((tm->data[2] != '0' && tm->data[2] != '1') + || (tm->data[2] == '0' && tm->data[3] == '0') + || (tm->data[2] == '1' && tm->data[3] > '2') + || (tm->data[4] > '3') + || (tm->data[4] == '0' && tm->data[5] == '0') + || (tm->data[4] == '3' && tm->data[5] > '1') + || (tm->data[6] > '2') + || (tm->data[6] == '2' && tm->data[7] > '3') + || (tm->data[8] > '5')) { LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidBefore time field")); @@ -292,7 +294,7 @@ x509_generate_kn (X509 *cert) return 0; } - /* Stupid UTC tricks */ + /* Stupid UTC tricks. */ if (tm->data[0] < '5') sprintf (before, "20%s", tm->data); else 
@@ -310,16 +312,16 @@ x509_generate_kn (X509 *cert) return 0; } - /* Validity checks */ - if ((tm->data[4] != '0' && tm->data[4] != '1') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '1' && tm->data[5] > '2') || - (tm->data[6] > '3') || - (tm->data[6] == '0' && tm->data[7] == '0') || - (tm->data[6] == '3' && tm->data[7] > '1') || - (tm->data[8] > '2') || - (tm->data[8] == '2' && tm->data[9] > '3') || - (tm->data[10] > '5')) + /* Validity checks. */ + if ((tm->data[4] != '0' && tm->data[4] != '1') + || (tm->data[4] == '0' && tm->data[5] == '0') + || (tm->data[4] == '1' && tm->data[5] > '2') + || (tm->data[6] > '3') + || (tm->data[6] == '0' && tm->data[7] == '0') + || (tm->data[6] == '3' && tm->data[7] > '1') + || (tm->data[8] > '2') + || (tm->data[8] == '2' && tm->data[9] > '3') + || (tm->data[10] > '5')) { LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidBefore time field")); @@ -332,20 +334,22 @@ x509_generate_kn (X509 *cert) sprintf(before, "%s", tm->data); } - /* Fix missing seconds */ + /* Fix missing seconds. */ if (tm->length < 12) { before[12] = '0'; before[13] = '0'; } - before[14] = '\0'; /* This will overwrite trailing 'Z' */ + /* This will overwrite trailing 'Z'. */ + before[14] = '\0'; } - if (((tm = X509_get_notAfter (cert)) == NULL) && - (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) + tm = X509_get_notAfter (cert); + if (tm == NULL) + && (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) { - tt = time ((time_t) NULL); + tt = time (0); strftime (after, 14, "%G%m%d%H%M%S", localtime (&tt)); timecomp2 = "LocalTimeOfDay"; } 
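Review bot: The rewritten notAfter test is not valid C and, once repaired as written, dereferences NULL: `if (tm == NULL)` closes the condition while the next line begins with `&&`, and `tm == NULL && tm->type != ...` evaluates `tm->type` only when `tm` is NULL. The intended test is presumably `if (tm == NULL || (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME))`. In the same branch `strftime (after, 14, "%G%m%d%H%M%S", ...)` needs 15 bytes for 14 digits plus the terminator, so it returns 0 and leaves `after` unspecified, and `%G` is the ISO week-based year where `%Y` is wanted; `strftime (after, 15, "%Y%m%d%H%M%S", ...)` fixes both if `after` is at least 15 bytes (its declaration is outside the hunk). These strings become the validity window in the generated KeyNote Conditions, so an unset or wrong `after` changes how long the credential is honoured. x509_generate_kn starts and ends outside this hunk.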
@@ -387,16 +391,16 @@ x509_generate_kn (X509 *cert) return 0; } - /* Validity checks */ - if ((tm->data[2] != '0' && tm->data[2] != '1') || - (tm->data[2] == '0' && tm->data[3] == '0') || - (tm->data[2] == '1' && tm->data[3] > '2') || - (tm->data[4] > '3') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '3' && tm->data[5] > '1') || - (tm->data[6] > '2') || - (tm->data[6] == '2' && tm->data[7] > '3') || - (tm->data[8] > '5')) + /* Validity checks. */ + if ((tm->data[2] != '0' && tm->data[2] != '1') + || (tm->data[2] == '0' && tm->data[3] == '0') + || (tm->data[2] == '1' && tm->data[3] > '2') + || (tm->data[4] > '3') + || (tm->data[4] == '0' && tm->data[5] == '0') + || (tm->data[4] == '3' && tm->data[5] > '1') + || (tm->data[6] > '2') + || (tm->data[6] == '2' && tm->data[7] > '3') + || (tm->data[8] > '5')) { LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidAfter time field")); @@ -406,7 +410,7 @@ x509_generate_kn (X509 *cert) return 0; } - /* Stupid UTC tricks */ + /* Stupid UTC tricks. */ if (tm->data[0] < '5') sprintf (after, "20%s", tm->data); else 
@@ -424,16 +428,16 @@ x509_generate_kn (X509 *cert) return 0; } - /* Validity checks */ - if ((tm->data[4] != '0' && tm->data[4] != '1') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '1' && tm->data[5] > '2') || - (tm->data[6] > '3') || - (tm->data[6] == '0' && tm->data[7] == '0') || - (tm->data[6] == '3' && tm->data[7] > '1') || - (tm->data[8] > '2') || - (tm->data[8] == '2' && tm->data[9] > '3') || - (tm->data[10] > '5')) + /* Validity checks. */ + if ((tm->data[4] != '0' && tm->data[4] != '1') + || (tm->data[4] == '0' && tm->data[5] == '0') + || (tm->data[4] == '1' && tm->data[5] > '2') + || (tm->data[6] > '3') + || (tm->data[6] == '0' && tm->data[7] == '0') + || (tm->data[6] == '3' && tm->data[7] > '1') + || (tm->data[8] > '2') + || (tm->data[8] == '2' && tm->data[9] > '3') + || (tm->data[10] > '5')) { LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidAfter time field")); @@ -446,7 +450,7 @@ x509_generate_kn (X509 *cert) sprintf(after, "%s", tm->data); } - /* Fix missing seconds */ + /* Fix missing seconds. */ if (tm->length < 12) { after[12] = '0'; @@ -463,7 +467,7 @@ x509_generate_kn (X509 *cert) if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf), ASSERT_FLAG_LOCAL)) == -1) { - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: failed to add new KeyNote credential")); free (buf); return 0; @@ -475,14 +479,14 @@ x509_generate_kn (X509 *cert) if (!LC (X509_NAME_oneline, (issuer, isname, 256))) { - LOG_DBG ((LOG_POLICY, 50, + LOG_DBG ((LOG_POLICY, 50, "x509_generate_kn: X509_NAME_oneline (issuer, ...) failed")); return 0; } if (!LC (X509_NAME_oneline, (subject, subname, 256))) { - LOG_DBG ((LOG_POLICY, 50, + LOG_DBG ((LOG_POLICY, 50, "x509_generate_kn: X509_NAME_oneline (subject, ...) failed")); return 0; } 
@@ -501,7 +505,7 @@ x509_generate_kn (X509 *cert) if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf), ASSERT_FLAG_LOCAL)) == -1) { - LOG_DBG ((LOG_POLICY, 30, + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: failed to add new KeyNote credential")); free (buf); return 0; @@ -509,7 +513,7 @@ x509_generate_kn (X509 *cert) else LOG_DBG ((LOG_POLICY, 80, "x509_generate_kn: added policy:\n%s", buf)); - /* Store the X509-derived assertion so we can use it as a policy */ + /* Store the X509-derived assertion so we can use it as a policy. */ if (x509_policy_asserts_num == 0) { x509_policy_asserts = calloc (4, sizeof (char *)); @@ -546,18 +550,16 @@ x509_generate_kn (X509 *cert) x509_policy_asserts = new_asserts; } - /* Assign to the next available */ + /* Assign to the next available. */ x509_policy_asserts[x509_policy_asserts_num++] = buf; } - /* - * XXX - * Should add a remove-assertion event set to the expiration of the + /* + * XXX Should add a remove-assertion event set to the expiration of the * X509 cert (and remove such events when we reinit and close the keynote * session) -- that's relevant only for really long-lived daemons. * Alternatively (and preferably), we can encode the X509 expiration * in the KeyNote Conditions. - * XXX */ return 1; @@ -579,7 +581,7 @@ x509_hash (u_int8_t *id, size_t len) /* Hash in the last character of odd length IDs too. */ if (i < len) bucket ^= (id[i] + 1) * (id[i] + 257); - + bucket &= bucket_mask; return bucket; @@ -593,17 +595,17 @@ x509_hash_init () bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; - /* If reinitializing, free existing entries */ + /* If reinitializing, free existing entries. */ if (x509_tab) { for (i = 0; i <= bucket_mask; i++) for (certh = LIST_FIRST (&x509_tab[i]); certh; certh = LIST_NEXT (certh, link)) - { - LIST_REMOVE (certh, link); - LC (X509_free, (certh->cert)); - free (certh); - } + { + LIST_REMOVE (certh, link); + LC (X509_free, (certh->cert)); + free (certh); + } free (x509_tab); } 
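Review bot: The reinitialisation loop in x509_hash_init advances with `LIST_NEXT (certh, link)` after its body has already called `free (certh)`, so every step reads freed memory. Drain each bucket from the head instead, `while ((certh = LIST_FIRST (&x509_tab[i])) != NULL)` with the same body, or save the successor before freeing as connection_reinit does in this commit. x509_hash_enter links the same `cert` under one entry per subject ID, so if those entries do not each hold their own reference (not visible here) this loop would also release one certificate several times.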
@@ -676,21 +678,20 @@ x509_hash_enter (X509 *cert) for (i = 0; i < n; i++) { - certh = malloc (sizeof *certh); + certh = calloc (1, sizeof *certh); if (!certh) { cert_free_subjects (n, id, len); - log_error ("x509_hash_enter: malloc (%d) failed", sizeof *certh); + log_error ("x509_hash_enter: calloc (1, %d) failed", sizeof *certh); return 0; } - memset (certh, 0, sizeof *certh); certh->cert = cert; bucket = x509_hash (id[i], len[i]); LIST_INSERT_HEAD (&x509_tab[bucket], certh, link); - LOG_DBG ((LOG_CRYPTO, 70, "x509_hash_enter: cert %p added to bucket %d", + LOG_DBG ((LOG_CRYPTO, 70, "x509_hash_enter: cert %p added to bucket %d", cert, bucket)); } cert_free_subjects (n, id, len); @@ -718,7 +719,7 @@ x509_read_from_dir (X509_STORE *ctx, char *name, int hash) LOG_DBG ((LOG_CRYPTO, 40, "x509_read_from_dir: reading certs from %s", name)); - + dir = opendir (name); if (!dir) { @@ -795,7 +796,7 @@ x509_read_from_dir (X509_STORE *ctx, char *name, int hash) #else if (libkeynote && x509_generate_kn (cert) == 0) #endif - LOG_DBG ((LOG_POLICY, 50, + LOG_DBG ((LOG_POLICY, 50, "x509_read_from_dir: x509_generate_kn failed")); #endif /* USE_POLICY */ } @@ -825,7 +826,7 @@ x509_cert_init (void) return 0; } - /* Free if already initialized */ + /* Free if already initialized. */ if (x509_cas) LC (X509_STORE_free, (x509_cas)); @@ -850,7 +851,7 @@ x509_cert_init (void) return 0; } - /* Free if already initialized */ + /* Free if already initialized. */ if (x509_certs) LC (X509_STORE_free, (x509_certs)); @@ -892,7 +893,7 @@ x509_cert_get (u_int8_t *asn, u_int32_t len) /* * If we don't have a statically linked libcrypto, the dlopen must have * succeeded for X.509 to be usable. - */ + */ if (!libcrypto) return 0; #endif @@ -923,7 +924,7 @@ x509_cert_validate (void *scert) issuer = LC (X509_get_issuer_name, (cert)); subject = LC (X509_get_subject_name, (cert)); - + if (!issuer || !subject || LC (X509_name_cmp, (issuer, subject))) return 0; 
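Review bot: When `calloc` fails for a later subject in x509_hash_enter, the entries already linked into `x509_tab` for earlier subjects stay in place while the function returns 0. If the caller releases `cert` on failure (x509_cert_insert's handling of `res` is outside the visible hunks), the table keeps pointers to a freed certificate; unlink and free the entries added in this call before returning, or document that the caller must not free. The new message also passes `sizeof *certh` to `%d`; cast it, e.g. `(int)sizeof *certh`, so the format matches on LP64.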
@@ -954,13 +955,14 @@ x509_cert_insert (int id, void *scert) #ifdef USE_KEYNOTE if (x509_generate_kn (cert) == 0) #else - if (libkeynote && x509_generate_kn (cert) == 0) + if (libkeynote && x509_generate_kn (cert) == 0) #endif - { - LOG_DBG ((LOG_POLICY, 50, "x509_cert_insert: x509_generate_kn failed")); - LC (X509_free, (cert)); - return 0; - } + { + LOG_DBG ((LOG_POLICY, 50, + "x509_cert_insert: x509_generate_kn failed")); + LC (X509_free, (cert)); + return 0; + } #endif /* USE_POLICY */ res = x509_hash_enter (cert); @@ -993,7 +995,7 @@ x509_certreq_validate (u_int8_t *asn, u_int32_t len) asn_free (&name); #endif - /* XXX - not supported directly in SSL - later */ + /* XXX - not supported directly in SSL - later. */ return res; } @@ -1026,7 +1028,7 @@ x509_certreq_decode (u_int8_t *asn, u_int32_t len) ".AttributeValueAssertion", &aca); if (tmp) x509_get_attribval (tmp, &naca.name2); - + asn_free (&aca); ret = malloc (sizeof (struct x509_aca)); @@ -1075,7 +1077,7 @@ x509_from_asn (u_char *asn, u_int len) log_error ("x509_from_asn: BIO_new (BIO_s_mem ()) failed"); return 0; } - + if (LC (BIO_write, (certh, asn, len)) == -1) { log_error ("x509_from_asn: BIO_write failed\n"); @@ -1165,12 +1167,12 @@ x509_cert_subjectaltname (X509 *scert, u_int8_t **altname, u_int32_t *len) sanlen = sandata[3]; sandata += 4; - if (sanlen + 4 != subjectaltname->value->length) + if (sanlen + 4 != subjectaltname->value->length) { log_print ("x509_cert_subjectaltname: subjectaltname invalid length"); return 0; } - + *len = sanlen; *altname = sandata; @@ -1220,11 +1222,11 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id, if (!subject) goto fail; - + (*id_len)[0] = ISAKMP_ID_DATA_OFF + LC (i2d_X509_NAME, (subject, NULL)) - ISAKMP_GEN_SZ; (*id)[0] = malloc ((*id_len)[0]); - if (!(*id)[0]) + if (!(*id)[0]) { log_print ("x509_cert_get_subject: malloc (%d) failed", (*id_len)[0]); goto fail; 
@@ -1285,7 +1287,7 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id, (*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ; (*id)[1] = malloc ((*id_len)[1]); - if (!(*id)[1]) + if (!(*id)[1]) { log_print ("x509_cert_get_subject: malloc (%d) failed", (*id_len)[1]); goto fail; @@ -1308,7 +1310,7 @@ x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id, free (buf); return 0; } - + int x509_cert_get_key (void *scert, void *keyp) { @@ -1317,7 +1319,7 @@ x509_cert_get_key (void *scert, void *keyp) key = LC (X509_get_pubkey, (cert)); - /* Check if we got the right key type */ + /* Check if we got the right key type. */ if (key->type != EVP_PKEY_RSA) { log_print ("x509_cert_get_key: public key is not a RSA key"); |