Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/cert.h | 6 | ||||
-rw-r--r-- | sbin/isakmpd/conf.c | 40 | ||||
-rw-r--r-- | sbin/isakmpd/connection.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.c | 19 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 98 | ||||
-rw-r--r-- | sbin/isakmpd/key.c | 25 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 163 | ||||
-rw-r--r-- | sbin/isakmpd/policy.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/sa.c | 37 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 4 |
10 files changed, 206 insertions, 206 deletions
diff --git a/sbin/isakmpd/cert.h b/sbin/isakmpd/cert.h index 387432c1e66..df4db49cb19 100644 --- a/sbin/isakmpd/cert.h +++ b/sbin/isakmpd/cert.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.h,v 1.8 2001/06/05 05:59:42 niklas Exp $ */ +/* $OpenBSD: cert.h,v 1.9 2001/07/01 19:48:42 niklas Exp $ */ /* $EOM: cert.h,v 1.8 2000/09/28 12:53:27 niklas Exp $ */ /* @@ -83,7 +83,9 @@ struct certreq_aca { u_int16_t id; struct cert_handler *handler; - void *data; /* if NULL everything is acceptable. */ + + /* If data is a null pointer, everything is acceptable. */ + void *data; }; struct certreq_aca *certreq_decode (u_int16_t, u_int8_t *, u_int32_t); diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c index 840afa2286d..5fb00e3424b 100644 --- a/sbin/isakmpd/conf.c +++ b/sbin/isakmpd/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.31 2001/06/29 19:42:16 niklas Exp $ */ +/* $OpenBSD: conf.c,v 1.32 2001/07/01 19:48:43 niklas Exp $ */ /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ /* @@ -319,23 +319,23 @@ conf_parse (int trans, char *buf, size_t sz) * XXX No EC2N DH support here yet. */ -/* Find the value for a section+tag in the transaction list */ +/* Find the value for a section+tag in the transaction list. */ char * conf_get_trans_str (int trans, char *section, char *tag) { struct conf_trans *node, *nf = 0; - + for (node = TAILQ_FIRST (&conf_trans_queue); node; node = TAILQ_NEXT (node, link)) - if (node->trans == trans && strcmp (section, node->section) == 0 && - strcmp (tag, node->tag) == 0) + if (node->trans == trans && strcmp (section, node->section) == 0 + && strcmp (tag, node->tag) == 0) { if (!nf) nf = node; else if (node->override) nf = node; } - return nf ? nf->value : NULL; + return nf ? nf->value : 0; } int 
@@ -366,19 +366,19 @@ conf_load_defaults (int tr) int enc, auth, hash, proto, mode, pfs; char sect[256], *dflt; - char *mm_auth[] = { "PRE_SHARED", "DSS", "RSA_SIG", NULL }; - char *mm_hash[] = { "MD5", "SHA", NULL }; + char *mm_auth[] = { "PRE_SHARED", "DSS", "RSA_SIG", 0 }; + char *mm_hash[] = { "MD5", "SHA", 0 }; char *mm_enc[] = { "DES_CBC", "BLOWFISH_CBC", "3DES_CBC", - "CAST_CBC", NULL }; - char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", NULL }; - char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", NULL }; - char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "NONE", NULL }; + "CAST_CBC", 0 }; + char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", 0 }; + char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", 0 }; + char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "NONE", 0 }; /* Abbreviations to make section names a bit shorter. */ - char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", NULL }; - char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", NULL }; - char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", NULL }; - char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD", "", NULL }; + char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", 0 }; + char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", 0 }; + char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", 0 }; + char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD", "", 0 }; /* Helper #defines, incl abbreviations. */ #define PROTO(x) ((x) ? "AH" : "ESP") @@ -1065,7 +1065,7 @@ conf_report_dump (struct dumper *node) void conf_report (void) { - struct conf_binding *cb, *last = NULL; + struct conf_binding *cb, *last = 0; int i; char *current_section = (char *)0; struct dumper *dumper, *dnode; @@ -1082,7 +1082,7 @@ conf_report (void) { if (!cb->is_default) { - /* Dump this entry */ + /* Dump this entry. */ if (!current_section || strcmp (cb->section, current_section)) { if (current_section) 
@@ -1130,8 +1130,8 @@ conf_report (void) return; mem_fail: - LOG_DBG ((LOG_REPORT, 0, "conf_report: memory allocation failure.")); - while ((dnode = dumper) != NULL) + log_error ("conf_report: malloc/calloc failed"); + while ((dnode = dumper) != 0) { dumper = dumper->next; if (dnode->s) diff --git a/sbin/isakmpd/connection.c b/sbin/isakmpd/connection.c index 26cb5127ce3..bee8aa03a54 100644 --- a/sbin/isakmpd/connection.c +++ b/sbin/isakmpd/connection.c @@ -1,4 +1,4 @@ -/* $OpenBSD: connection.c,v 1.18 2001/06/27 03:31:40 angelos Exp $ */ +/* $OpenBSD: connection.c,v 1.19 2001/07/01 19:48:43 niklas Exp $ */ /* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */ /* @@ -179,7 +179,7 @@ connection_lookup (char *name) int connection_exist (char *name) { - return (connection_lookup (name) != NULL); + return (connection_lookup (name) != 0); } /* Find the passive connection named NAME. */ @@ -221,7 +221,7 @@ connection_passive_lookup_by_ids (u_int8_t *id1, u_int8_t *id2) for (conn = TAILQ_FIRST (&connections_passive); conn; conn = TAILQ_NEXT (conn, link)) { - if (conn->remote_id == NULL) + if (!conn->remote_id) continue; /* @@ -246,7 +246,7 @@ connection_passive_lookup_by_ids (u_int8_t *id1, u_int8_t *id2) for (conn = TAILQ_FIRST (&connections_passive); conn; conn = TAILQ_NEXT (conn, link)) { - if (conn->remote_id != NULL) + if (!conn->remote_id) continue; if (compare_ids (id1, conn->local_id, conn->local_sz) == 0 @@ -371,7 +371,7 @@ connection_record_passive (char *name) goto fail; } else - conn->remote_id = NULL; + conn->remote_id = 0; TAILQ_INSERT_TAIL (&connections_passive, conn, link); diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c index da51c9a1833..b9ec5470f44 100644 --- a/sbin/isakmpd/exchange.c +++ b/sbin/isakmpd/exchange.c 
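Review bot: The second loop in connection_passive_lookup_by_ids (hunk @@ -246) now skips entries that have no remote_id, where the old line skipped entries that have one: `if (conn->remote_id != NULL) continue;` became `if (!conn->remote_id) continue;`. That repeats the first loop's test instead of complementing it, so passive connections recorded with `conn->remote_id = 0` are never matched by the local-id-only pass. Restoring the original sense, `if (conn->remote_id) continue;`, keeps the two loops disjoint as before. The enclosing function starts before the hunk.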
@@ -1,4 +1,4 @@ -/* $OpenBSD: exchange.c,v 1.55 2001/07/01 06:03:34 angelos Exp $ */ +/* $OpenBSD: exchange.c,v 1.56 2001/07/01 19:48:43 niklas Exp $ */ /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ /* @@ -794,7 +794,7 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, } exchange->policy = name ? conf_get_str (name, "Configuration") : 0; - if ((exchange->policy == NULL) && name) + if (!exchange->policy && name) exchange->policy = conf_get_str ("Phase 1", "Default"); exchange->finalize = finalize; @@ -1258,7 +1258,7 @@ exchange_check_old_sa (struct sa *sa, void *v_arg) || (sa->flags & SA_FLAG_REPLACED)) return 0; - if (sa->phase != new_sa->phase || new_sa->name == NULL + if (sa->phase != new_sa->phase || new_sa->name == 0 || strcasecmp (sa->name, new_sa->name)) return 0; @@ -1366,11 +1366,12 @@ exchange_finalize (struct message *msg) msg->isakmp_sa->recv_key = exchange->recv_key; msg->isakmp_sa->sent_key = exchange->sent_key; msg->isakmp_sa->keynote_key = exchange->keynote_key; - exchange->recv_key = NULL; /* Reset */ - exchange->sent_key = NULL; /* Reset */ - exchange->keynote_key = NULL; /* Reset */ + /* Reset. */ + exchange->recv_key = 0; + exchange->sent_key = 0; + exchange->keynote_key = 0; + exchange->policy_id = -1; msg->isakmp_sa->policy_id = exchange->policy_id; - exchange->policy_id = -1; /* Reset */ msg->isakmp_sa->id_i_len = exchange->id_i_len; msg->isakmp_sa->id_r_len = exchange->id_r_len; msg->isakmp_sa->initiator = exchange->initiator; 
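Review bot: In exchange_finalize (hunk @@ -1366) `exchange->policy_id = -1;` is now executed before `msg->isakmp_sa->policy_id = exchange->policy_id;`, so the ISAKMP SA always receives -1 rather than the exchange's policy id; the old code copied first and reset afterwards. If the grouped `/* Reset. */` block is to stay together, move the copy above it: `msg->isakmp_sa->policy_id = exchange->policy_id;` before the four reset assignments. The function continues outside the hunk.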
@@ -1393,12 +1394,12 @@ exchange_finalize (struct message *msg) LOG_DBG ((LOG_EXCHANGE, 10, "exchange_finalize: phase 1 done: %s, %s", - exchange->doi == NULL ? "<no doi>" : + !exchange->doi ? "<no doi>" : exchange->doi->decode_ids ("initiator id %s, responder id %s", exchange->id_i, exchange->id_i_len, exchange->id_r, exchange->id_r_len, 0), - msg->isakmp_sa == NULL || msg->isakmp_sa->transport == NULL + !msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>" : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa ->transport))); diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index c8a5913959c..3f8a45737e3 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.51 2001/06/29 19:55:36 angelos Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.52 2001/07/01 19:48:43 niklas Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* @@ -193,22 +193,22 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) return 0; #endif #if defined(USE_KEYNOTE) - if ((local_id) && - ((keyfile = conf_get_str ("KeyNote", - "Credential-directory")) != NULL)) + if (local_id && + (keyfile = conf_get_str ("KeyNote", "Credential-directory")) != 0) { struct stat sb; struct keynote_deckey dc; char *privkeyfile, *buf2; int fd; - privkeyfile = calloc (strlen (keyfile) + strlen (local_id) + - strlen (PRIVATE_KEY_FILE) + 3, sizeof (char)); - if (privkeyfile == NULL) + privkeyfile = calloc (strlen (keyfile) + strlen (local_id) + + sizeof PRIVATE_KEY_FILE + sizeof "//" - 1, + sizeof (char)); + if (!privkeyfile) { log_print ("ike_auth_get_key: failed to allocate %d bytes", - strlen (keyfile) + strlen (local_id) + - strlen (PRIVATE_KEY_FILE) + 3); + strlen (keyfile) + strlen (local_id) + + sizeof PRIVATE_KEY_FILE + sizeof "//" - 1); return 0; } 
@@ -231,7 +231,7 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) } buf = calloc (sb.st_size + 1, sizeof (char)); - if (buf == NULL) + if (!buf) { log_print ("ike_auth_get_key: failed allocating %d bytes", sb.st_size + 1); @@ -285,10 +285,11 @@ ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) /* Otherwise, try X.509 */ keyfile = conf_get_str ("X509-certificates", "Private-key"); - if (check_file_secrecy (keyfile, NULL)) + if (check_file_secrecy (keyfile, 0)) return 0; - if ((keyh = LC (BIO_new, (LC (BIO_s_file, ())))) == NULL) + keyh = LC (BIO_new, (LC (BIO_s_file, ()))); + if (keyh == NULL) { log_print ("ike_auth_get_key: " "BIO_new (BIO_s_file ()) failed"); @@ -348,21 +349,19 @@ pre_shared_gen_skeyid (struct exchange *exchange, size_t *sz) switch (exchange->id_i[0]) { case IPSEC_ID_IPV4_ADDR: - util_ntoa ((char **)&buf, AF_INET, exchange->id_i + - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); - if (!buf) - return 0; - break; case IPSEC_ID_IPV6_ADDR: - util_ntoa ((char **)&buf, AF_INET6, exchange->id_i + - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); + util_ntoa ((char **)&buf, + exchange->id_i[0] == IPSEC_ID_IPV4_ADDR + ? AF_INET : AF_INET6, + exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); if (!buf) return 0; + break; case IPSEC_ID_FQDN: case IPSEC_ID_USER_FQDN: - buf = calloc (exchange->id_i_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof (char)); + buf = calloc (exchange->id_i_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ + 1, sizeof (char)); if (!buf) { log_print ("pre_shared_gen_skeyid: malloc (%d) failed", @@ -567,7 +566,7 @@ rsa_sig_decode_hash (struct message *msg) struct ipsec_exch *ie = exchange->data; struct payload *p; void *cert = 0; - u_int8_t *rawcert = NULL; + u_int8_t *rawcert = 0; u_int32_t rawcertlen; RSA *key = 0; size_t hashsize = ie->hash->hashsize; 
@@ -579,7 +578,7 @@ rsa_sig_decode_hash (struct message *msg) size_t id_len; int found = 0, n, i, id_found; #if defined(USE_DNSSEC) - u_int8_t *rawkey = NULL; + u_int8_t *rawkey = 0; u_int32_t rawkeylen; #endif @@ -605,9 +604,8 @@ rsa_sig_decode_hash (struct message *msg) handler = cert_get (GET_ISAKMP_CERT_ENCODING (p->p)); if (!handler) { - log_print ("rsa_sig_decode_hash: " - "cert_get (%d) failed", p != NULL - ? GET_ISAKMP_CERT_ENCODING (p->p) : -1); + log_print ("rsa_sig_decode_hash: cert_get (%d) failed", + p ? GET_ISAKMP_CERT_ENCODING (p->p) : -1); return -1; } @@ -760,15 +758,14 @@ rsa_sig_decode_hash (struct message *msg) return -1; } - exchange->keynote_key = calloc (strlen (pp) + - strlen ("rsa-hex:") + 1, + exchange->keynote_key = calloc (strlen (pp) + sizeof "rsa-hex:", sizeof (char)); - if (exchange->keynote_key == NULL) + if (!exchange->keynote_key) { free (pp); LK (kn_free_key, (&dc)); log_print ("rsa_sig_decode_hash: failed to allocate %d bytes", - strlen (pp) + strlen ("rsa-hex:") + 1); + strlen (pp) + sizeof "rsa-hex:"); return -1; } @@ -905,8 +902,9 @@ rsa_sig_encode_hash (struct message *msg) id_len = initiator ? exchange->id_i_len : exchange->id_r_len; /* We may have been provided these by the kernel */ - if ((buf = conf_get_str (exchange->name, "Credentials")) != NULL && - (idtype = conf_get_num (exchange->name, "Credential_Type", -1) != -1)) + buf = conf_get_str (exchange->name, "Credentials"); + if (buf + && (idtype = conf_get_num (exchange->name, "Credential_Type", -1) != -1)) { exchange->sent_certtype = idtype; handler = cert_get (idtype); 
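Review bot: In rsa_sig_encode_hash (hunk @@ -905) the condition `(idtype = conf_get_num (exchange->name, "Credential_Type", -1) != -1)` assigns the result of the comparison, not the configured value, so idtype is 1 whenever Credential_Type is set, and `exchange->sent_certtype = idtype;` and `cert_get (idtype)` on the following lines use that 1. The precedence problem is inherited from the old line, but the hunk rewrites this condition and is the natural place to fix it: `(idtype = conf_get_num (exchange->name, "Credential_Type", -1)) != -1`. The function continues outside the hunk.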
@@ -917,14 +915,14 @@ rsa_sig_encode_hash (struct message *msg) } exchange->sent_cert = handler->cert_from_printable (buf); - if (exchange->sent_cert == NULL) + if (!exchange->sent_cert) { log_print ("rsa_sig_encode_hash: failed to retrieve certificate"); return -1; } handler->cert_serialize (exchange->sent_cert, &data, &datalen); - if (data == NULL) + if (!data) { log_print ("rsa_sig_encode_hash: cert serialization failed"); return -1; @@ -1011,22 +1009,19 @@ rsa_sig_encode_hash (struct message *msg) switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) { case IPSEC_ID_IPV4_ADDR: - util_ntoa ((char **)&buf2, AF_INET, id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); - if (!buf2) - return 0; - break; case IPSEC_ID_IPV6_ADDR: - util_ntoa ((char **)&buf2, AF_INET6, id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); + util_ntoa ((char **)&buf2, + id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] == IPSEC_ID_IPV4_ADDR + ? AF_INET : AF_INET6, + id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); if (!buf2) return 0; break; case IPSEC_ID_FQDN: case IPSEC_ID_USER_FQDN: - buf2 = calloc (id_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof (char)); + buf2 = calloc (id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, + sizeof (char)); if (!buf2) { log_print ("rsa_sig_encode_hash: malloc (%d) failed", @@ -1039,16 +1034,17 @@ rsa_sig_encode_hash (struct message *msg) /* XXX Support more ID types? */ default: - buf2 = NULL; + buf2 = 0; break; } /* Again, we may have these from the kernel */ - if ((buf = conf_get_str (exchange->name, "OKAuthentication")) != NULL) + buf = conf_get_str (exchange->name, "OKAuthentication"); + if (buf) { key_from_printable (ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, buf, &data, &datalen); - if ((data == NULL) || (datalen == -1)) + if (!data || datalen == -1) { log_print ("rsa_sig_encode_hash: badly formatted RSA private key"); return 0; 
@@ -1058,21 +1054,21 @@ rsa_sig_encode_hash (struct message *msg) exchange->sent_key = key_internalize (ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, data, datalen); - if (exchange->sent_key == NULL) + if (!exchange->sent_key) { log_print ("rsa_sig_encode_hash: bad RSA private key from dynamic " "SA acquisition subsystem"); return 0; } } - else /* Try through the regular means */ + else /* Try through the regular means. */ { exchange->sent_key = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name, - buf2, NULL); + buf2, 0); free (buf2); - /* Did we find a key ? */ - if (exchange->sent_key == NULL) + /* Did we find a key? */ + if (!exchange->sent_key) { log_print ("rsa_sig_encode_hash: could not get private key"); return -1; diff --git a/sbin/isakmpd/key.c b/sbin/isakmpd/key.c index 20d6640bfcf..882df58df78 100644 --- a/sbin/isakmpd/key.c +++ b/sbin/isakmpd/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.2 2001/06/25 05:15:11 angelos Exp $ */ +/* $OpenBSD: key.c,v 1.3 2001/07/01 19:48:43 niklas Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -66,17 +66,18 @@ key_serialize (int type, int private, void *key, u_int8_t **data, int *datalen) case ISAKMP_KEYTYPE_PUBLIC: *datalen = LC (i2d_RSAPublicKey, ((RSA *)key, NULL)); *data = p = malloc (*datalen); - if (*data == NULL) + if (!p) { log_error("key_serialize: malloc (%d) failed", *datalen); return; } *datalen = LC (i2d_RSAPublicKey, ((RSA *)key, &p)); break; + case ISAKMP_KEYTYPE_PRIVATE: *datalen = LC (i2d_RSAPrivateKey, ((RSA *)key, NULL)); *data = p = malloc (*datalen); - if (*data == NULL) + if (!p) { log_error("key_serialize: malloc (%d) failed", *datalen); return; 
@@ -102,23 +103,25 @@ key_printable (int type, int private, u_int8_t *data, int datalen) { case ISAKMP_KEY_PASSPHRASE: return strdup ((char *)data); + case ISAKMP_KEY_RSA: s = malloc (datalen * 2); - if (s == NULL) + if (!s) { log_error ("key_printable: malloc (%d) failed", datalen * 2); - return NULL; + return 0; } for (i = 0; i < datalen; i++) sprintf (s + (2 * i), "%02x", data[i]); return s; + default: log_error ("key_printable: unknown/unsupported key type %d", type); - return NULL; + return 0; } } -/* Convert from serialized to internal */ +/* Convert from serialized to internal. */ void * key_internalize (int type, int private, u_int8_t *data, int datalen) { @@ -135,7 +138,7 @@ key_internalize (int type, int private, u_int8_t *data, int datalen) return LC (d2i_RSAPrivateKey, (NULL, &data, datalen)); default: log_error ("key_internalize: not public or private RSA key passed"); - return NULL; + return 0; } break; default: @@ -143,7 +146,7 @@ key_internalize (int type, int private, u_int8_t *data, int datalen) break; } - return NULL; + return 0; } /* Convert from printable to serialized */ @@ -157,16 +160,18 @@ key_from_printable (int type, int private, char *key, u_int8_t **data, *datalen = strlen (key); *data = strdup (key); break; + case ISAKMP_KEY_RSA: *datalen = (strlen (key) + 1) / 2; /* Round up, just in case */ *data = malloc (*datalen); - if (*data == NULL) + if (!*data) { log_error ("key_from_printable: malloc (%d) failed", *datalen); return; } *datalen = hex2raw (key, *data, *datalen); break; + default: log_error ("key_from_printable: unknown/unsupported key type %d", type); break; diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index 61cd4f178e8..bfb5e0350dc 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c 
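Review bot: In key_printable (hunk @@ -102) `s = malloc (datalen * 2);` is one byte short for the loop that follows: each `sprintf (s + (2 * i), "%02x", data[i])` writes two digits plus a NUL, so the last iteration stores the terminator at s[datalen * 2], one past the allocation, and the returned string is terminated only by that out-of-bounds write. Allocate `datalen * 2 + 1` (and log that size in the failure message); for a datalen of 0 the loop never runs, so `s[0] = '\0';` after the allocation keeps the result a valid string. The commit touches only the NULL spelling here, so the defect survives on the new side.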
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.75 2001/07/01 18:33:50 angelos Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.76 2001/07/01 19:48:44 niklas Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* @@ -189,7 +189,7 @@ pf_key_v2_seq_by_sa (u_int8_t *spi, size_t sz, u_int8_t proto, node = TAILQ_NEXT (node, link)) if (node->proto == proto && node->sz == sz && memcmp (node->spi, spi, sz) == 0 - && node->dstlen == dst->sa_len + && node->dstlen == dst->sa_len && memcmp (node->dst, dst, dst->sa_len) == 0) return node->seq; return 0; @@ -649,7 +649,7 @@ pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, #endif /* Setup the ADDRESS extensions. */ - len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (src->sa_len); + len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (src->sa_len); addr = calloc (1, len); if (!addr) goto cleanup; @@ -675,7 +675,7 @@ pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, goto cleanup; addr = 0; - len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (dst->sa_len); + len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (dst->sa_len); addr = calloc (1, len); if (!addr) goto cleanup; @@ -842,7 +842,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, ssa.sadb_sa_auth = SADB_AALG_MD5HMAC96; #else ssa.sadb_sa_auth = SADB_AALG_MD5HMAC; -#endif +#endif break; case IPSEC_AUTH_HMAC_SHA: @@ -1424,14 +1424,14 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, } static __inline__ int -pf_key_v2_mask_to_bits (u_int32_t mask) +pf_key_v2_mask_to_bits (u_int32_t mask) { u_int32_t hmask = ntohl (mask); return (33 - ffs (~hmask + 1)) % 33; } static int -pf_key_v2_mask6_to_bits (u_int8_t *mask) +pf_key_v2_mask6_to_bits (u_int8_t *mask) { int n; bit_ffc (mask, 128, &n); 
@@ -1439,7 +1439,7 @@ pf_key_v2_mask6_to_bits (u_int8_t *mask) } static void -pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src, +pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src, struct sockaddr *dst, in_port_t port, int ingress) { struct sockaddr_in *ip4_sa; @@ -1454,9 +1454,9 @@ pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src, ip4_sa->sin_len = sizeof *ip4_sa; ip4_sa->sin_port = port; if (dst) - p = (u_int8_t *)(ingress ? - &((struct sockaddr_in *)src)->sin_addr.s_addr : - &((struct sockaddr_in *)dst)->sin_addr.s_addr); + p = (u_int8_t *)(ingress + ? &((struct sockaddr_in *)src)->sin_addr.s_addr + : &((struct sockaddr_in *)dst)->sin_addr.s_addr); else p = (u_int8_t *)&((struct sockaddr_in *)src)->sin_addr.s_addr; ip4_sa->sin_addr.s_addr = *((in_addr_t *)p); @@ -1468,9 +1468,9 @@ pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src, ip6_sa->sin6_len = sizeof *ip6_sa; ip6_sa->sin6_port = port; if (dst) - p = (u_int8_t *)(ingress ? - &((struct sockaddr_in6 *)src)->sin6_addr.s6_addr : - &((struct sockaddr_in6 *)dst)->sin6_addr.s6_addr); + p = (u_int8_t *)(ingress + ? &((struct sockaddr_in6 *)src)->sin6_addr.s6_addr + : &((struct sockaddr_in6 *)dst)->sin6_addr.s6_addr); else p = (u_int8_t *)&((struct sockaddr_in6 *)src)->sin6_addr.s6_addr; memcpy (ip6_sa->sin6_addr.s6_addr, p, sizeof (struct in6_addr)); @@ -1490,9 +1490,9 @@ pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src, */ static int pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, - struct sockaddr *raddr, struct sockaddr *rmask, - u_int8_t tproto, u_int16_t sport, u_int16_t dport, - u_int8_t *spi, u_int8_t proto, struct sockaddr *dst, + struct sockaddr *raddr, struct sockaddr *rmask, + u_int8_t tproto, u_int16_t sport, u_int16_t dport, + u_int8_t *spi, u_int8_t proto, struct sockaddr *dst, struct sockaddr *src, int delete, int ingress, u_int8_t srcid_type, u_int8_t *srcid, int srcid_len, u_int8_t dstid_type, u_int8_t *dstid, int dstid_len) 
@@ -1638,7 +1638,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, #ifdef SADB_X_EXT_FLOW_TYPE pf_key_v2_setup_sockaddr (addr + 1, src, dst, 0, ingress); #else - pf_key_v2_setup_sockaddr (addr + 1, dst, NULL, 0, 0); + pf_key_v2_setup_sockaddr (addr + 1, dst, 0, 0, 0); #endif if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, PF_KEY_V2_NODE_MALLOCED) == -1) @@ -1652,7 +1652,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_exttype = SADB_X_EXT_SRC_FLOW; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, laddr, NULL, sport, 0); + pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, sport, 0); if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, PF_KEY_V2_NODE_MALLOCED) == -1) goto cleanup; @@ -1664,7 +1664,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_exttype = SADB_X_EXT_SRC_MASK; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, lmask, NULL, sport ? 0xffff : 0, 0); + pf_key_v2_setup_sockaddr (addr + 1, lmask, 0, sport ? 0xffff : 0, 0); if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, PF_KEY_V2_NODE_MALLOCED) == -1) goto cleanup; @@ -1676,7 +1676,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_exttype = SADB_X_EXT_DST_FLOW; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, raddr, NULL, sport, 0); + pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, sport, 0); if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, PF_KEY_V2_NODE_MALLOCED) == -1) goto cleanup; 
@@ -1688,7 +1688,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_exttype = SADB_X_EXT_DST_MASK; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, rmask, NULL, sport ? 0xffff : 0, 0); + pf_key_v2_setup_sockaddr (addr + 1, rmask, 0, sport ? 0xffff : 0, 0); if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, PF_KEY_V2_NODE_MALLOCED) == -1) goto cleanup; @@ -1714,7 +1714,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, rmask_str = 0; LOG_DBG ((LOG_SYSDEP, 50, - "pf_key_v2_flow: src %x %x dst %x %x proto %u sport %u dport %u", + "pf_key_v2_flow: src %s %s dst %s %s proto %u sport %u dport %u", laddr_str ? laddr_str : "<???>", lmask_str ? laddr_str : "<???>", raddr_str ? laddr_str : "<???>", rmask_str ? laddr_str : "<???>", tproto, ntohs (sport), ntohs (dport))); @@ -1738,10 +1738,10 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, if (err) { if (err == ESRCH) /* These are common and usually harmless. */ - LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s", + LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s", delete ? "DEL" : "ADD", strerror (err))); else - log_print ("pf_key_v2_flow: %sFLOW: %s", delete ? "DEL" : "ADD", + log_print ("pf_key_v2_flow: %sFLOW: %s", delete ? "DEL" : "ADD", strerror (err)); goto cleanup; } 
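Review bot: The LOG_DBG in pf_key_v2_flow (hunk @@ -1714) corrects the format to `%s` but its arguments still all print laddr_str: `lmask_str ? laddr_str : "<???>"`, `raddr_str ? laddr_str : "<???>"` and `rmask_str ? laddr_str : "<???>"` test one string and print another, so the debug line never shows the mask or remote addresses. Each argument should yield its own string, e.g. `lmask_str ? lmask_str : "<???>"`. The same argument list appears in the second LOG_DBG of this function (hunk @@ -1916), where the format additionally still uses `%x` for these `char *` arguments; that call should get the same two fixes. The function continues outside both hunks.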
@@ -1803,18 +1803,18 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_proto = IPSEC_ULPROTO_ANY; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, laddr, NULL, IPSEC_PORT_ANY, 0); + pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, IPSEC_PORT_ANY, 0); switch (laddr->sa_family) { case AF_INET: ip4_sa = (struct sockaddr_in *)lmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask_to_bits (ip4_sa->sin_addr.s_addr); + addr->sadb_address_prefixlen + = pf_key_v2_mask_to_bits (ip4_sa->sin_addr.s_addr); break; case AF_INET6: ip6_sa = (struct sockaddr_in6 *)lmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask6_to_bits (&ip6_sa->sin6_addr.s6_addr[0]); + addr->sadb_address_prefixlen + = pf_key_v2_mask6_to_bits (&ip6_sa->sin6_addr.s6_addr[0]); break; } if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, @@ -1829,18 +1829,18 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, addr->sadb_address_len = len / PF_KEY_V2_CHUNK; addr->sadb_address_proto = IPSEC_ULPROTO_ANY; addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr (addr + 1, raddr, NULL, IPSEC_PORT_ANY, 0); + pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, IPSEC_PORT_ANY, 0); switch (raddr->sa_family) { case AF_INET: ip4_sa = (struct sockaddr_in *)rmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask_to_bits (ip4_sa->sin_addr.s_addr); + addr->sadb_address_prefixlen + = pf_key_v2_mask_to_bits (ip4_sa->sin_addr.s_addr); break; case AF_INET6: ip6_sa = (struct sockaddr_in6 *)rmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask6_to_bits (&ip6_sa->sin6_addr.s6_addr[0]); + addr->sadb_address_prefixlen + = pf_key_v2_mask6_to_bits (&ip6_sa->sin6_addr.s6_addr[0]); break; } if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr, 
@@ -1891,7 +1891,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, /* Add source and destination addresses. */ saddr = (struct sockaddr *)(ipsecrequest + 1); - pf_key_v2_setup_sockaddr (saddr, src, NULL, 0, 0); + pf_key_v2_setup_sockaddr (saddr, src, 0, 0, 0); switch (src->sa_family) { case AF_INET: @@ -1901,7 +1901,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, saddr = (struct sockaddr *)((struct sockaddr_in6 *)saddr + 1); break; } - pf_key_v2_setup_sockaddr (saddr, dst, NULL, 0, 0); + pf_key_v2_setup_sockaddr (saddr, dst, 0, 0, 0); if (pf_key_v2_msg_add (flow, (struct sadb_ext *)policy, 0) == -1) goto cleanup; @@ -1916,7 +1916,7 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask, rmask_str = 0; LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_flow: src %x %x dst %x %x", - laddr_str ? laddr_str : "<???>", lmask_str ? laddr_str : "<???>", + laddr_str ? laddr_str : "<???>", lmask_str ? laddr_str : "<???>", raddr_str ? laddr_str : "<???>", rmask_str ? laddr_str : "<???>")); if (laddr_str) @@ -2027,10 +2027,10 @@ pf_key_v2_convert_id (u_int8_t *id, int idlen, int *reslen, int *idtype) addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; if (inet_ntop (AF_INET, addr, addrbuf, ADDRESS_MAX) == NULL) return 0; - sprintf (addrbuf + strlen (addrbuf), "/%d", - pf_key_v2_mask_to_bits ((u_int32_t)*(addr + - sizeof (struct in_addr)))); - *reslen = strlen(addrbuf); + sprintf (addrbuf + strlen (addrbuf), "/%d", + pf_key_v2_mask_to_bits ((u_int32_t) + *(addr + sizeof (struct in_addr)))); + *reslen = strlen (addrbuf); res = strdup (addrbuf); if (!res) return 0; 
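Review bot: In pf_key_v2_convert_id (hunk @@ -2027) `pf_key_v2_mask_to_bits ((u_int32_t) *(addr + sizeof (struct in_addr)))` dereferences one byte and widens it, assuming addr is a byte pointer as its assignment from the `u_int8_t *id` parameter suggests, so only the first octet of the IPv4 netmask reaches the prefix-length conversion; the hunk reformats the expression without changing it. Reading the whole mask, `u_int32_t mask; memcpy (&mask, addr + sizeof (struct in_addr), sizeof mask);` and passing `mask`, fixes that and avoids an unaligned 32-bit load. The `sprintf` appending "/%d" to addrbuf on the same line is unbounded; `snprintf` with `ADDRESS_MAX - strlen (addrbuf)` would make the bound explicit. The function starts before the hunk.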
@@ -2042,7 +2042,7 @@ pf_key_v2_convert_id (u_int8_t *id, int idlen, int *reslen, int *idtype) addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; if (inet_ntop (AF_INET6, addr, addrbuf, ADDRESS_MAX) == NULL) return 0; - sprintf (addrbuf + strlen (addrbuf), "/%d", + sprintf (addrbuf + strlen (addrbuf), "/%d", pf_key_v2_mask6_to_bits (addr + sizeof (struct in6_addr))); *reslen = strlen (addrbuf); res = strdup (addrbuf); @@ -2118,13 +2118,13 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa) case AF_INET: ((struct sockaddr_in *)hostmask)->sin_family = AF_INET; ((struct sockaddr_in *)hostmask)->sin_len = sizeof (struct in_addr); - memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff, + memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff, sizeof (struct in_addr)); break; case AF_INET6: ((struct sockaddr_in6 *)hostmask)->sin6_family = AF_INET6; ((struct sockaddr_in6 *)hostmask)->sin6_len = sizeof (struct in6_addr); - memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff, + memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff, sizeof (struct in6_addr)); break; } @@ -2132,8 +2132,8 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa) /* Ingress flows, handling SA bundles. */ while (TAILQ_NEXT (proto, link)) { - error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0, - proto->spi[1], proto->proto, src, dst, + error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0, + proto->spi[1], proto->proto, src, dst, 0, 1, 0, 0, 0, 0, 0, 0); if (error) goto cleanup; @@ -2207,7 +2207,7 @@ pf_key_v2_conf_refhandle (int af, char *section) return num; } -/* Remove all dynamically-established configuration entries. */ +/* Remove all dynamically-established configuration entries. */ static int pf_key_v2_remove_conf (char *section) { 
@@ -2312,14 +2312,14 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming) case AF_INET: ((struct sockaddr_in *)hostmask)->sin_family = AF_INET; ((struct sockaddr_in *)hostmask)->sin_len = sizeof (struct in_addr); - memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff, + memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff, sizeof (struct in_addr)); break; case AF_INET6: ((struct sockaddr_in6 *)hostmask)->sin6_family = AF_INET6; - ((struct sockaddr_in6 *)hostmask)->sin6_len = + ((struct sockaddr_in6 *)hostmask)->sin6_len = sizeof (struct in6_addr); - memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff, + memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff, sizeof (struct in6_addr)); break; } @@ -2327,8 +2327,8 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming) /* Ingress flow --- SA bundles */ while (TAILQ_NEXT (proto, link)) { - error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0, - proto->spi[1], proto->proto, src, dst, + error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0, + proto->spi[1], proto->proto, src, dst, 1, 1, 0, 0, 0, 0, 0, 0); if (error) return error; @@ -2350,7 +2350,7 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming) int pf_key_v2_delete_spi (struct sa *sa, struct proto *proto, int incoming) { - struct sadb_msg msg; + struct sadb_msg msg; struct sadb_sa ssa; struct sadb_address *addr = 0; struct sockaddr *saddr; @@ -2491,7 +2491,7 @@ pf_key_v2_delete_spi (struct sa *sa, struct proto *proto, int incoming) err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno; if (err) { - LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_delete_spi: DELETE: %s", + LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_delete_spi: DELETE: %s", strerror (err))); goto cleanup; } @@ -2826,7 +2826,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg) dhostflag = 1; break; - case AF_INET6: + case AF_INET6: if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)sflow)->sin6_addr, ssflow, ADDRESS_MAX) == NULL) { 
@@ -2923,7 +2923,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
- sizeof (struct sadb_ident); if (((unsigned char *)(srcident + 1))[slen - 1] != '\0') {
- log_print ("pf_key_v2_acquire: source identity not NULL-terminated");
+ log_print ("pf_key_v2_acquire: source identity not NUL-terminated"); goto fail; }
@@ -2963,8 +2963,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
/* NUL-terminate the PREFIX string at the separator, then dup. */ *srcid = '\0';
- slen = strlen ((char *)(srcident + 1)) + strlen ("ID:/")
- + 1 + strlen ("Address");
+ slen = strlen ((char *)(srcident + 1)) + sizeof "ID:Address/"; srcid = malloc (slen); if (!srcid) {
@@ -3012,7 +3011,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
{ log_print ("pf_key_v2_acquire: no user FQDN or ID provided"); goto fail;
- }
+ } if (srcident->sadb_ident_id) {
@@ -3036,25 +3035,24 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
} }
- srcid = malloc ((slen ? slen : strlen (pwd->pw_name)) +
- strlen (prefstring) + 1 + strlen ("ID:/"));
+ srcid = malloc ((slen ? slen : strlen (pwd->pw_name))
+ + strlen (prefstring) + sizeof "ID:/"); if (!srcid) { log_error ("pf_key_v2_acquire: malloc (%d) failed", slen ? slen : strlen (pwd->pw_name)
- + strlen (prefstring) + 1 + strlen ("ID:/"));
+ + strlen (prefstring) + sizeof "ID:/"); goto fail; } sprintf (srcid, "ID:%s/", prefstring); if (slen != 0)
- strlcat (srcid + strlen ("ID:/") + strlen (prefstring),
+ strlcat (srcid + sizeof "ID:/" - 1 + strlen (prefstring), (char *)(srcident + 1),
- slen + strlen (prefstring) + 1 + strlen ("ID:/"));
+ slen + strlen (prefstring) + sizeof "ID:/"); else
- strlcat (srcid + strlen ("ID:/") + strlen (prefstring),
- pwd->pw_name,
- strlen (prefstring) + 1 + strlen ("ID:/"));
+ strlcat (srcid + sizeof "ID:/" - 1 + strlen (prefstring), pwd->pw_name, strlen (prefstring) + sizeof "ID:/"); pwd = 0; /* Set the section if it doesn't already exist. */
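Review bot: The size argument to strlcat in this hunk is the whole allocation (`slen + strlen (prefstring) + sizeof "ID:/"`, or `strlen (prefstring) + sizeof "ID:/"` in the else branch) while the destination pointer is already advanced by `sizeof "ID:/" - 1 + strlen (prefstring)`, so the bound does not describe the room actually left; in the else branch, where the destination is empty after the sprintf, it caps the copy at `strlen (prefstring) + sizeof "ID:/" - 1` characters, so a longer pwd->pw_name is silently truncated even though the malloc reserved `strlen (pwd->pw_name) + 1` bytes for it. Appending from the start of the buffer makes the bound exact: `strlcat (srcid, (char *)(srcident + 1), slen + strlen (prefstring) + sizeof "ID:/");` and `strlcat (srcid, pwd->pw_name, strlen (pwd->pw_name) + strlen (prefstring) + sizeof "ID:/");`. The log_error argument `slen ? slen : strlen (pwd->pw_name) + strlen (prefstring) + sizeof "ID:/"` also binds as `slen ? slen : (...)`, so the logged size is just slen whenever it is non-zero, and `%d` does not match the size_t-typed operand. The dstid hunk at @@ -3206 has the same issues; pf_key_v2_acquire starts and ends outside these hunks.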
@@ -3064,7 +3062,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
if (conf_set (af, srcid, "ID-type", prefstring, 1, 0) || conf_set (af, srcid, "Refcount", "1", 1, 0) || conf_set (af, srcid, "Name",
- srcid + strlen ("ID:/") + strlen (prefstring),
+ srcid + sizeof "ID:/" - 1 + strlen (prefstring), 1, 0)) { conf_end (af, 0);
@@ -3131,8 +3129,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
/* NUL-terminate the PREFIX string at the separator, then dup. */ *dstid = '\0';
- slen = strlen ((char *)(dstident + 1)) + strlen ("ID:/")
- + 1 + strlen ("Address");
+ slen = strlen ((char *)(dstident + 1)) + sizeof "ID:Address/"; dstid = malloc (slen); if (!dstid) {
@@ -3177,11 +3174,11 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
* name). If there is both a string and a user ID, check * that they match. */
- if ((slen == 0) && (dstident->sadb_ident_id == 0))
+ if (slen == 0 && dstident->sadb_ident_id == 0) { log_print ("pf_key_v2_acquire: no user FQDN or ID provided"); goto fail;
- }
+ } if (dstident->sadb_ident_id) {
@@ -3206,24 +3203,24 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
} dstid = malloc ((slen ? slen : strlen (pwd->pw_name))
- + strlen (prefstring) + 1 + strlen ("ID:/"));
+ + strlen (prefstring) + sizeof "ID:/"); if (!dstid) { log_error ("pf_key_v2_acquire: malloc (%d) failed", slen ? slen : strlen (pwd->pw_name)
- + strlen (prefstring) + 1 + strlen ("ID:/"));
+ + strlen (prefstring) + sizeof "ID:/"); goto fail; } sprintf (dstid, "ID:%s/", prefstring); if (slen != 0)
- strlcat (dstid + strlen ("ID:/") + strlen (prefstring),
+ strlcat (dstid + sizeof "ID:/" - 1 + strlen (prefstring), (char *)(dstident + 1),
- slen + strlen (prefstring) + 1 + strlen ("ID:/"));
+ slen + strlen (prefstring) + sizeof "ID:/"); else
- strlcat (dstid + strlen ("ID:/") + strlen (prefstring),
+ strlcat (dstid + sizeof "ID:/" - 1 + strlen (prefstring), pwd->pw_name,
- strlen (prefstring) + 1 + strlen ("ID:/"));
+ strlen (prefstring) + sizeof "ID:/"); pwd = 0; /* Set the section if it doesn't already exist. */
@@ -3233,7 +3230,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
if (conf_set (af, dstid, "ID-type", prefstring, 1, 0) || conf_set (af, dstid, "Refcount", "1", 1, 0) || conf_set (af, dstid, "Name",
- dstid + strlen ("ID:/") + strlen (prefstring),
+ dstid + sizeof "ID:/" - 1 + strlen (prefstring), 1, 0)) { conf_end (af, 0);
@@ -3291,9 +3288,9 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
* exists -- otherwise use the defaults) */
- peer = malloc (strlen (dstbuf) + strlen (srcbuf) +
- (srcid ? strlen (srcid) : 0) +
- (dstid ? strlen (dstid) : 0) + strlen ("Peer-/-/") + 1);
+ peer = malloc (strlen (dstbuf) + strlen (srcbuf)
+ + (srcid ? strlen (srcid) : 0)
+ + (dstid ? strlen (dstid) : 0) + sizeof "Peer-/-/"); if (!peer) goto fail;
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index 9fdaaeb798d..91480f191c5 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.36 2001/07/01 18:57:33 angelos Exp $ */
+/* $OpenBSD: policy.c,v 1.37 2001/07/01 19:48:44 niklas Exp $ */ /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ /*
@@ -1103,9 +1103,9 @@ policy_callback (char *name)
log_error ("policy_callback: sockaddr2text failed"); goto bad; }
- memcpy (remote_filter_addr_upper, addr,
+ memcpy (remote_filter_addr_upper, addr, sizeof remote_filter_addr_upper);
- memcpy (remote_filter_addr_lower, addr,
+ memcpy (remote_filter_addr_lower, addr, sizeof remote_filter_addr_lower); free (addr); remote_filter = strdup (remote_filter_addr_upper);
@@ -1330,9 +1330,9 @@ policy_callback (char *name)
log_error ("policy_callback: sockaddr2text failed"); goto bad; }
- memcpy (local_filter_addr_upper, addr,
+ memcpy (local_filter_addr_upper, addr, sizeof local_filter_addr_upper);
- memcpy (local_filter_addr_lower, addr,
+ memcpy (local_filter_addr_lower, addr, sizeof local_filter_addr_lower); free (addr); local_filter = strdup (local_filter_addr_upper);
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 413d837f140..625b88cf604 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.45 2001/06/29 18:52:17 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.46 2001/07/01 19:48:44 niklas Exp $ */ /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ /*
@@ -97,7 +97,6 @@ sa_init ()
{ LIST_INIT (&sa_tab[i]); }
- } /* XXX We don't yet resize. */
@@ -238,8 +237,8 @@ isakmp_sa_check (struct sa *sa, void *v_arg)
return 0; }
-/*
- * Find an ISAKMP SA with a "name" of DST & SPI.
+/*
+ * Find an ISAKMP SA with a "name" of DST & SPI. */ struct sa * sa_lookup_isakmp_sa (struct sockaddr *dst, u_int8_t *spi)
@@ -308,7 +307,7 @@ sa_lookup_by_header (u_int8_t *msg, int phase2)
/* * Lookup the SA given by the COOKIES and possibly the MESSAGE_ID unless
- * NULL, meaning we are looking for phase 1 SAs.
+ * a null pointer, meaning we are looking for phase 1 SAs. */ struct sa * sa_lookup (u_int8_t *cookies, u_int8_t *message_id)
@@ -413,36 +412,36 @@ sa_dump (char *header, struct sa *sa)
char spi_header[80]; int i;
- LOG_DBG ((LOG_REPORT, 0, "%s: %p %s phase %d doi %d flags 0x%x",
- header, sa, sa->name ? sa->name : "<unnamed>", sa->phase,
+ LOG_DBG ((LOG_REPORT, 0, "%s: %p %s phase %d doi %d flags 0x%x",
+ header, sa, sa->name ? sa->name : "<unnamed>", sa->phase, sa->doi->id, sa->flags));
- LOG_DBG ((LOG_REPORT, 0,
+ LOG_DBG ((LOG_REPORT, 0, "%s: icookie %08x%08x rcookie %08x%08x", header, decode_32 (sa->cookies), decode_32 (sa->cookies + 4), decode_32 (sa->cookies + 8), decode_32 (sa->cookies + 12)));
- LOG_DBG ((LOG_REPORT, 0, "%s: msgid %08x refcnt %d", header,
+ LOG_DBG ((LOG_REPORT, 0, "%s: msgid %08x refcnt %d", header, decode_32 (sa->message_id), sa->refcnt)); for (proto = TAILQ_FIRST (&sa->protos); proto; proto = TAILQ_NEXT (proto, link)) {
- LOG_DBG ((LOG_REPORT, 0,
+ LOG_DBG ((LOG_REPORT, 0, "%s: suite %d proto %d", header, proto->no, proto->proto));
- LOG_DBG ((LOG_REPORT, 0,
+ LOG_DBG ((LOG_REPORT, 0, "%s: spi_sz[0] %d spi[0] %p spi_sz[1] %d spi[1] %p", header, proto->spi_sz[0], proto->spi[0], proto->spi_sz[1], proto->spi[1])); LOG_DBG ((LOG_REPORT, 0, "%s: %s, %s", header,
- sa->doi == NULL ? "<nodoi>"
- : sa->doi->decode_ids ("initiator id: %s, responder id: %s",
- sa->id_i, sa->id_i_len,
+ !sa->doi ? "<nodoi>"
+ : sa->doi->decode_ids ("initiator id: %s, responder id: %s",
+ sa->id_i, sa->id_i_len, sa->id_r, sa->id_r_len, 0),
- sa->transport == NULL ? "<no transport>" :
+ !sa->transport ? "<no transport>" : sa->transport->vtbl->decode_ids (sa->transport))); for (i = 0; i < 2; i++) if (proto->spi[i]) { snprintf (spi_header, 80, "%s: spi[%d]", header, i);
- LOG_DBG_BUF ((LOG_REPORT, 0, spi_header, proto->spi[i],
+ LOG_DBG_BUF ((LOG_REPORT, 0, spi_header, proto->spi[i], proto->spi_sz[i])); } }
@@ -531,7 +530,7 @@ sa_release (struct sa *sa)
{ struct proto *proto; struct cert_handler *handler;
-
+ LOG_DBG ((LOG_SA, 80, "sa_release: SA %p had %d references", sa, sa->refcnt));
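Review bot: The first LOG_DBG in the sa_dump hunk reads `sa->doi->id` unconditionally, while the later call in the same hunk guards that pointer with `!sa->doi ? "<nodoi>"`; either sa->doi can be a null pointer here, in which case the first call needs the same guard (e.g. `sa->doi ? sa->doi->id : -1`), or it cannot and the `<nodoi>` arm is dead — the two should agree. The spi_header length is also repeated as a literal in `snprintf (spi_header, 80, "%s: spi[%d]", header, i);`; `sizeof spi_header` keeps it tied to the `char spi_header[80];` declaration. sa_dump's body begins before the hunk.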
@@ -671,7 +670,7 @@ sa_add_transform (struct sa *sa, struct payload *xf, int initiator,
"proto %p no %d proto %d chosen %p sa %p id %d", proto, proto->no, proto->proto, proto->chosen, proto->sa, proto->id));
-
+ return 0; cleanup:
@@ -777,7 +776,7 @@ sa_setup_expirations (struct sa *sa)
u_int64_t seconds = sa->seconds; struct timeval expiration;
- /*
+ /* * Set the soft timeout to a random percentage between 85 & 95 of * the negotiated lifetime to break strictly synchronized * renegotiations. This works better when the randomization is on the
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index 7be9a639734..0d4b080178a 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.58 2001/06/22 16:21:43 provos Exp $ */
+/* $OpenBSD: x509.c,v 1.59 2001/07/01 19:48:44 niklas Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /*
@@ -233,7 +233,7 @@ x509_generate_kn (int id, X509 *cert)
if (((tm = X509_get_notBefore (cert)) == NULL) || (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) {
- tt = time ((time_t) NULL);
+ tt = time (0); strftime (before, 14, "%G%m%d%H%M%S", localtime (&tt)); timecomp = "LocalTimeOfDay"; } |
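Review bot: The strftime call right after the changed `tt = time (0);` line in x509_generate_kn formats "%G%m%d%H%M%S", and `%G` is the ISO 8601 week-based year, which differs from the calendar year on a few days around New Year; a yyyymmddHHMMSS fallback stamp wants `%Y`. The maxsize argument of 14 also leaves no room for the terminating NUL of the 14-character result, so strftime returns 0 and leaves `before` indeterminate rather than filled; pass the buffer's real size (`sizeof before`, assuming it is declared as an array of at least 15 bytes — its declaration is outside the hunk) and check the return value before the string is used as a time component. The enclosing function continues outside the hunk.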