Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/ike_phase_1.c67
-rw-r--r--sbin/isakmpd/ike_quick_mode.c155
-rw-r--r--sbin/isakmpd/isakmpd.86
-rw-r--r--sbin/isakmpd/log.h7
-rw-r--r--sbin/isakmpd/message.c10
-rw-r--r--sbin/isakmpd/policy.c317
-rw-r--r--sbin/isakmpd/x509.c136
7 files changed, 368 insertions, 330 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 874b4f31bdc..981c84ec8ea 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.22 2001/03/07 07:33:53 angelos Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.23 2001/03/13 14:05:18 ho Exp $ */
/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
/*
@@ -598,8 +598,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg)
"dh_create_shared failed");
return -1;
}
- LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: g^xy",
- ie->g_xy, ie->g_x_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "ike_phase_1_post_exchange_KE_NONCE: g^xy", ie->g_xy,
+ ie->g_x_len));
/* Compute the SKEYID depending on the authentication method. */
ie->skeyid = ie->ike_auth->gen_skeyid (exchange, &ie->skeyid_len);
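Review bot: The LOG_DBG_BUF calls moved to LOG_NEGOTIATION in this hunk and the four that follow (g^xy, SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) still write the raw Phase 1 keying material into the log at level 80, and nothing near them says so; a reader tuning `-D8,80` from the new man page entry has no hint that this class at that level is a key-disclosure channel. I would add one comment above the g^xy dump in this hunk, `/* Level >= 80 in LOG_NEGOTIATION dumps live keying material (g^xy, SKEYID_*); keep it off outside of lab debugging. */`, and the same one-liner in ike_quick_mode.c where initiator_recv_HASH_SA_NONCE, initiator_send_HASH, responder_recv_HASH_SA_NONCE and responder_recv_HASH dump SKEYID_a and where post_quick_mode dumps KEYMAT. ike_phase_1_post_exchange_KE_NONCE starts and ends outside this hunk.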
@@ -608,8 +609,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg)
/* XXX Log and teardown? */
return -1;
}
- LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID",
- ie->skeyid, ie->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "ike_phase_1_post_exchange_KE_NONCE: SKEYID", ie->skeyid,
+ ie->skeyid_len));
/* SKEYID_d. */
ie->skeyid_d = malloc (ie->skeyid_len);
@@ -631,8 +633,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg)
prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
prf->Update (prf->prfctx, "\0", 1);
prf->Final (ie->skeyid_d, prf->prfctx);
- LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d",
- ie->skeyid_d, ie->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", ie->skeyid_d,
+ ie->skeyid_len));
/* SKEYID_a. */
ie->skeyid_a = malloc (ie->skeyid_len);
@@ -649,8 +652,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg)
prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
prf->Update (prf->prfctx, "\1", 1);
prf->Final (ie->skeyid_a, prf->prfctx);
- LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a",
- ie->skeyid_a, ie->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", ie->skeyid_a,
+ ie->skeyid_len));
/* SKEYID_e. */
ie->skeyid_e = malloc (ie->skeyid_len);
@@ -669,8 +673,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg)
prf->Update (prf->prfctx, "\2", 1);
prf->Final (ie->skeyid_e, prf->prfctx);
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e",
- ie->skeyid_e, ie->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", ie->skeyid_e,
+ ie->skeyid_len));
/* Key length determination. */
if (!exchange->key_length)
@@ -860,7 +865,7 @@ ike_phase_1_send_ID (struct message *msg)
memcpy (*id, buf + ISAKMP_GEN_SZ, *id_len);
snprintf (header, 80, "ike_phase_1_send_ID: %s",
constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (buf)));
- LOG_DBG_BUF ((LOG_MISC, 40, header, buf + ISAKMP_ID_DATA_OFF,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF,
sz - ISAKMP_ID_DATA_OFF));
return 0;
@@ -932,7 +937,7 @@ ike_phase_1_recv_ID (struct message *msg)
memcpy (*id, payload->p + ISAKMP_GEN_SZ, *id_len);
snprintf (header, 80, "ike_phase_1_recv_ID: %s",
constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (payload->p)));
- LOG_DBG_BUF ((LOG_MISC, 40, header, payload->p + ISAKMP_ID_DATA_OFF,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, payload->p + ISAKMP_ID_DATA_OFF,
*id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF));
payload->flags |= PL_MARK;
@@ -989,7 +994,7 @@ ike_phase_1_recv_AUTH (struct message *msg)
prf_free (prf);
snprintf (header, 80, "ike_phase_1_recv_AUTH: computed HASH_%c",
initiator ? 'R' : 'I');
- LOG_DBG_BUF ((LOG_MISC, 80, header, hash->digest, hashsize));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80, header, hash->digest, hashsize));
/* Check that the hash we got matches the one we computed. */
if (memcmp (*hash_p, hash->digest, hashsize) != 0)
@@ -1074,7 +1079,7 @@ ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa,
}
/* All protocols were OK, we succeeded. */
- LOG_DBG ((LOG_MISC, 20, "ike_phase_1_validate_prop: success"));
+ LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: success"));
conf_free_list (conf);
if (vs.life)
free (vs.life);
@@ -1093,7 +1098,7 @@ ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa,
free (vs.life);
}
- LOG_DBG ((LOG_MISC, 20, "ike_phase_1_validate_prop: failure"));
+ LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure"));
conf_free_list (conf);
return 0;
}
@@ -1118,7 +1123,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
if (!tag)
{
- log_print ("attribute_unacceptable: attribute type %d not known", type);
+ LOG_DBG ((LOG_NEGOTIATION, 60,
+ "attribute_unacceptable: attribute type %d not known", type));
return 1;
}
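Review bot: The demoted "attribute type %d not known" message is given level 60 here while every other rejection in attribute_unacceptable that this commit demotes (unknown attr, value mismatch, life attribute problems) is given level 70, so the one case that most likely indicates a peer sending something the daemon does not understand is the hardest to see together with its siblings. Unless a finer split is intended, I would use the same level throughout: `LOG_DBG ((LOG_NEGOTIATION, 70,`. attribute_unacceptable's body continues outside this hunk.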
@@ -1134,8 +1140,9 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
if (!str)
{
/* This attribute does not exist in this policy. */
- log_print ("attribute_unacceptable: attr %s does not exist in %s",
- tag, xf->field);
+ LOG_DBG ((LOG_NEGOTIATION, 70,
+ "attribute_unacceptable: attr %s does not exist in %s",
+ tag, xf->field));
return 1;
}
@@ -1158,8 +1165,9 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
LIST_INSERT_HEAD (&vs->attrs, node, link);
return 0;
}
- log_print ("attribute_unacceptable: %s: got %s, expected %s",
- tag, constant_lookup (map, decode_16 (value)), str);
+ LOG_DBG ((LOG_NEGOTIATION, 70,
+ "attribute_unacceptable: %s: got %s, expected %s", tag,
+ constant_lookup (map, decode_16 (value)), str));
return 1;
case IKE_ATTR_GROUP_PRIME:
@@ -1180,8 +1188,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
if (!life_conf)
{
/* Life attributes given, but not in our policy. */
- log_print ("attribute_unacceptable: "
- "received unexpected life attribute");
+ LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
+ "received unexpected life attribute"));
return 1;
}
@@ -1199,8 +1207,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
str = conf_get_str (life->field, "LIFE_TYPE");
if (!str)
{
- log_print ("attribute_unacceptable: "
- "section [%s] has no LIFE_TYPE", life->field);
+ LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
+ "section [%s] has no LIFE_TYPE", life->field));
continue;
}
@@ -1215,16 +1223,17 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
goto bail_out;
}
}
- log_print ("attribute_unacceptable: unrecognized LIFE_TYPE %d",
- decode_16 (value));
+ LOG_DBG ((LOG_NEGOTIATION, 70,
+ "attribute_unacceptable: unrecognized LIFE_TYPE %d",
+ decode_16 (value)));
vs->life = 0;
break;
case IKE_ATTR_LIFE_DURATION:
if (!vs->life)
{
- log_print ("attribute_unacceptable: "
- "LIFE_DURATION without LIFE_TYPE");
+ LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
+ "LIFE_DURATION without LIFE_TYPE"));
rv = 1;
goto bail_out;
}
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 2b3f87263ba..bc760944441 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.45 2001/02/19 16:58:04 angelos Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.46 2001/03/13 14:05:18 ho Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -145,10 +145,10 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
keynote_ids = calloc (keynote_policy_asserts_num, sizeof *keynote_ids);
if (!keynote_ids)
{
- log_print ("check_policy: "
- "failed to allocate %d bytes for book keeping",
- keynote_policy_asserts_num * sizeof *keynote_ids);
- return 0;
+ log_error ("check_policy: "
+ "failed to allocate %d bytes for book keeping",
+ keynote_policy_asserts_num * sizeof *keynote_ids);
+ return 0;
}
}
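Review bot: The new log_error line passes `keynote_policy_asserts_num * sizeof *keynote_ids`, a `size_t`, to a `%d` conversion; that is undefined behaviour under the format rules and on a 64-bit target prints garbage or misaligns the remaining arguments. The same mismatch is repeated in the later check_policy hunks (`nprinc * sizeof(*principal)`, `recv_certlen + 1 + strlen (...)`, `strlen (...) + 33`) and in every `calloc (%d, %d) failed` line of policy_callback in policy.c. Since these lines are being rewritten anyway, cast explicitly: `"failed to allocate %lu bytes for book keeping", (unsigned long)(keynote_policy_asserts_num * sizeof *keynote_ids)`. check_policy starts before this hunk.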
@@ -157,7 +157,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
x509_ids = calloc (x509_policy_asserts_num, sizeof *x509_ids);
if (!x509_ids)
{
- log_print ("check_policy: "
+ log_error ("check_policy: "
"failed to allocate %d bytes for book keeping",
x509_policy_asserts_num * sizeof *x509_ids);
free (keynote_ids);
@@ -199,7 +199,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal = calloc (nprinc, sizeof(*principal));
if (principal == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
nprinc * sizeof(*principal));
goto policydone;
}
@@ -208,7 +208,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
strlen ("passphrase:"), sizeof (char));
if (principal[0] == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
isakmp_sa->recv_certlen + 1 + strlen ("passphrase:"));
goto policydone;
}
@@ -221,9 +221,9 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
32 + 1, sizeof (char));
if (principal[1] == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
- strlen ("passphrase-md5-hex:") + 33);
- goto policydone;
+ log_error ("check_policy: failed to allocate %d bytes",
+ strlen ("passphrase-md5-hex:") + 33);
+ goto policydone;
}
strcpy (principal[1], "passphrase-md5-hex:");
@@ -236,9 +236,9 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
32 + 1, sizeof (char));
if (principal[2] == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
- strlen ("passphrase-sha1-hex:") + 33);
- goto policydone;
+ log_error ("check_policy: failed to allocate %d bytes",
+ strlen ("passphrase-sha1-hex:") + 33);
+ goto policydone;
}
strcpy (principal[2], "passphrase-sha1-hex:");
@@ -255,7 +255,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal = calloc (nprinc, sizeof(*principal));
if (principal == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
nprinc * sizeof(*principal));
goto policydone;
}
@@ -264,7 +264,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal[0] = strdup (isakmp_sa->recv_key);
if (principal[0] == NULL)
{
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
strlen (isakmp_sa->recv_key));
goto policydone;
}
@@ -283,7 +283,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal = calloc (2, sizeof(*principal));
if (principal == NULL)
{
- log_print ("check_policy: failed to get memory for principal");
+ log_error ("check_policy: failed to get memory for principal");
goto policydone;
}
@@ -310,7 +310,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
sizeof (char));
if (principal[1] == NULL)
{
- log_print ("check_policy: failed to allocate memory for principal");
+ log_error ("check_policy: failed to allocate memory for principal");
LC (RSA_free, (key));
goto policydone;
}
@@ -329,7 +329,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
principal[1] = calloc (259, sizeof (char));
if (principal[1] == NULL)
{
- log_print ("check_policy: failed to allocate memory for principal[1]");
+ log_error ("check_policy: failed to allocate memory for principal[1]");
LC (RSA_free, (key));
goto policydone;
}
@@ -366,7 +366,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
*/
for (i = 0; i < nprinc; i++)
{
- LOG_DBG ((LOG_MISC, 40, "check_policy: adding authorizer [%s]",
+ LOG_DBG ((LOG_POLICY, 40, "check_policy: adding authorizer [%s]",
principal[i]));
if (LK (kn_add_authorizer, (isakmp_sa->policy_id, principal[i])) == -1)
@@ -383,7 +383,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
/* Ask policy */
result = LK (kn_do_query, (isakmp_sa->policy_id, return_values,
RETVALUES_NUM));
- LOG_DBG ((LOG_MISC, 40, "check_policy: kn_do_query returned %d", result));
+ LOG_DBG ((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", result));
/* Cleanup environment */
LK (kn_cleanup_action_environment, (isakmp_sa->policy_id));
@@ -402,7 +402,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
/* Check what policy said. */
if (result < 0)
{
- LOG_DBG ((LOG_MISC, 40, "check_policy: proposal refused"));
+ LOG_DBG ((LOG_POLICY, 40, "check_policy: proposal refused"));
result = 0;
goto policydone;
}
@@ -880,8 +880,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg)
id = ipsec_build_id (local_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDic", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -891,8 +891,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg)
id = ipsec_build_id (remote_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDrc", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -933,8 +933,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg)
encode_32 (id + ISAKMP_ID_DATA_OFF,
ntohl (((struct sockaddr_in *)src)->sin_addr.s_addr));
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDic", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -945,8 +945,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg)
id = ipsec_build_id (remote_id, &sz);
if (!id)
return -1;
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDrc", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -1027,29 +1027,30 @@ initiator_recv_HASH_SA_NONCE (struct message *msg)
socklen_t srclen, dstlen;
/* Allocate the prf and start calculating our HASH(1). XXX Share? */
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: SKEYID_a",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc (isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
if (!prf)
return -1;
prf->Init (prf->prfctx);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: message_id",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "initiator_recv_HASH_SA_NONCE: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: NONCE_I_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: NONCE_I_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
rest = hashp->p + GET_ISAKMP_GEN_LENGTH (hashp->p);
rest_len = (GET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base)
- (rest - (u_int8_t*)msg->iov[0].iov_base));
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest,
rest_len));
prf->Update (prf->prfctx, rest, rest_len);
prf->Final (hash->digest, prf->prfctx);
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 80,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
"initiator_recv_HASH_SA_NONCE: computed HASH(2)",
hash->digest, hashsize));
if (memcmp (hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize) != 0)
@@ -1102,7 +1103,7 @@ initiator_recv_HASH_SA_NONCE (struct message *msg)
}
memcpy (ie->id_ci, idp->p, ie->id_ci_sz);
idp->flags |= PL_MARK;
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"initiator_recv_HASH_SA_NONCE: IDci",
ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz
- ISAKMP_GEN_SZ));
@@ -1118,7 +1119,7 @@ initiator_recv_HASH_SA_NONCE (struct message *msg)
}
memcpy (ie->id_cr, idp->p, ie->id_cr_sz);
idp->flags |= PL_MARK;
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"initiator_recv_HASH_SA_NONCE: IDcr",
ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz
- ISAKMP_GEN_SZ));
@@ -1257,25 +1258,25 @@ initiator_send_HASH (struct message *msg)
}
/* Allocate the prf and start calculating our HASH(3). XXX Share? */
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: SKEYID_a", isa->skeyid_a,
- isa->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a",
+ isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
if (!prf)
return -1;
prf->Init (prf->prfctx);
prf->Update (prf->prfctx, "\0", 1);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: message_id",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: NONCE_I_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: NONCE_R_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b",
exchange->nonce_r, exchange->nonce_r_len));
prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
prf->Final (buf + ISAKMP_GEN_SZ, prf->prfctx);
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: HASH(3)",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)",
buf + ISAKMP_GEN_SZ, hashsize));
if (ie->group)
@@ -1353,7 +1354,7 @@ post_quick_mode (struct message *msg)
if (keymat != iproto->keymat[i])
{
/* Hash in last round's KEYMAT. */
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"post_quick_mode: last KEYMAT",
keymat - prf->blocksize,
prf->blocksize));
@@ -1364,29 +1365,30 @@ post_quick_mode (struct message *msg)
/* If PFS is used hash in g^xy. */
if (ie->g_xy)
{
- LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: g^xy",
- ie->g_xy, ie->g_x_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "post_quick_mode: g^xy", ie->g_xy,
+ ie->g_x_len));
prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len);
}
- LOG_DBG ((LOG_MISC, 90,
+ LOG_DBG ((LOG_NEGOTIATION, 90,
"post_quick_mode: suite %d proto %d", proto->no,
proto->proto));
prf->Update (prf->prfctx, &proto->proto, 1);
- LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: SPI",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: SPI",
proto->spi[i], proto->spi_sz[i]));
prf->Update (prf->prfctx, proto->spi[i], proto->spi_sz[i]);
- LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: Ni_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update (prf->prfctx, exchange->nonce_i,
exchange->nonce_i_len);
- LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: Nr_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b",
exchange->nonce_r, exchange->nonce_r_len));
prf->Update (prf->prfctx, exchange->nonce_r,
exchange->nonce_r_len);
prf->Final (keymat, prf->prfctx);
}
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: KEYMAT",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT",
iproto->keymat[i], ie->keymat_len));
}
}
@@ -1442,16 +1444,17 @@ responder_recv_HASH_SA_NONCE (struct message *msg)
* Check the payload's integrity.
* XXX Share with ipsec_fill_in_hash?
*/
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH_SA_NONCE: SKEYID_a",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
if (!prf)
goto cleanup;
prf->Init (prf->prfctx);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH_SA_NONCE: message_id",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "responder_recv_HASH_SA_NONCE: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: message after HASH",
hash + hash_len,
msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len));
@@ -1459,7 +1462,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg)
msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len);
prf->Final (my_hash, prf->prfctx);
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash,
hash_len - ISAKMP_GEN_SZ));
if (memcmp (hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0)
@@ -1496,7 +1499,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg)
}
memcpy (ie->id_ci, idp->p, ie->id_ci_sz);
idp->flags |= PL_MARK;
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: IDci",
ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz
- ISAKMP_GEN_SZ));
@@ -1512,7 +1515,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg)
}
memcpy (ie->id_cr, idp->p, ie->id_cr_sz);
idp->flags |= PL_MARK;
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"responder_recv_HASH_SA_NONCE: IDcr",
ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz
- ISAKMP_GEN_SZ));
@@ -1756,8 +1759,8 @@ responder_send_HASH_SA_NONCE (struct message *msg)
return -1;
}
memcpy (id, ie->id_ci, sz);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: IDic", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDic",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -1772,8 +1775,8 @@ responder_send_HASH_SA_NONCE (struct message *msg)
return -1;
}
memcpy (id, ie->id_cr, sz);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: IDrc", id,
- sz));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDrc",
+ id, sz));
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1))
{
free (id);
@@ -1782,18 +1785,19 @@ responder_send_HASH_SA_NONCE (struct message *msg)
}
/* Allocate the prf and start calculating our HASH(2). XXX Share? */
- LOG_DBG ((LOG_MISC, 95, "responder_recv_HASH: isakmp_sa %p isa %p",
+ LOG_DBG ((LOG_NEGOTIATION, 95, "responder_recv_HASH: isakmp_sa %p isa %p",
isakmp_sa, isa));
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: SKEYID_a",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: SKEYID_a",
isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc (isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len);
if (!prf)
return -1;
prf->Init (prf->prfctx);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: message_id",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "responder_send_HASH_SA_NONCE: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: NONCE_I_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: NONCE_I_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
@@ -1804,7 +1808,7 @@ responder_send_HASH_SA_NONCE (struct message *msg)
snprintf (header, 80,
"responder_send_HASH_SA_NONCE: payload %d after HASH(2)",
i - 1);
- LOG_DBG_BUF ((LOG_MISC, 90, header, msg->iov[i].iov_base,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base,
msg->iov[i].iov_len));
prf->Update (prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len);
}
@@ -1812,7 +1816,8 @@ responder_send_HASH_SA_NONCE (struct message *msg)
prf_free (prf);
snprintf (header, 80, "responder_send_HASH_SA_NONCE: HASH_%c",
initiator ? 'I' : 'R');
- LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF,
+ hashsize));
if (ie->group)
message_register_post_send (msg, gen_g_xy);
@@ -1839,7 +1844,7 @@ gen_g_xy (struct message *msg)
log_print ("gen_g_xy: dh_create_shared failed");
return;
}
- LOG_DBG_BUF ((LOG_MISC, 80, "gen_g_xy: g^xy", ie->g_xy, ie->g_x_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, ie->g_x_len));
}
static int
@@ -1867,27 +1872,27 @@ responder_recv_HASH (struct message *msg)
}
/* Allocate the prf and start calculating our HASH(3). XXX Share? */
- LOG_DBG ((LOG_MISC, 95, "responder_recv_HASH: isakmp_sa %p isa %p",
+ LOG_DBG ((LOG_NEGOTIATION, 95, "responder_recv_HASH: isakmp_sa %p isa %p",
isakmp_sa, isa));
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: SKEYID_a", isa->skeyid_a,
- isa->skeyid_len));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a",
+ isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len);
if (!prf)
goto cleanup;
prf->Init (prf->prfctx);
prf->Update (prf->prfctx, "\0", 1);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: message_id",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id",
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: NONCE_I_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b",
exchange->nonce_i, exchange->nonce_i_len));
prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
- LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: NONCE_R_b",
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b",
exchange->nonce_r, exchange->nonce_r_len));
prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
prf->Final (my_hash, prf->prfctx);
prf_free (prf);
- LOG_DBG_BUF ((LOG_MISC, 90,
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
"responder_recv_HASH: computed HASH(3)", my_hash,
hash_len - ISAKMP_GEN_SZ));
if (memcmp (hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0)
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 826292c6f56..838f4bca2b9 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.20 2000/12/12 05:01:01 todd Exp $
+.\" $OpenBSD: isakmpd.8,v 1.21 2001/03/13 14:05:18 ho Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -136,6 +136,10 @@ Sysdep
SA
.It 7
Exchange
+.It 8
+Negotiation
+.It 9
+Policy
.It A
All
.El
diff --git a/sbin/isakmpd/log.h b/sbin/isakmpd/log.h
index b8ea6ec5fe8..e67df75a450 100644
--- a/sbin/isakmpd/log.h
+++ b/sbin/isakmpd/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.8 2000/04/07 22:05:08 niklas Exp $ */
+/* $OpenBSD: log.h,v 1.9 2001/03/13 14:05:18 ho Exp $ */
/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */
/*
@@ -48,10 +48,11 @@
enum log_classes {
LOG_MISC, LOG_TRANSPORT, LOG_MESSAGE, LOG_CRYPTO, LOG_TIMER, LOG_SYSDEP,
- LOG_SA, LOG_EXCHANGE, LOG_ENDCLASS
+ LOG_SA, LOG_EXCHANGE, LOG_NEGOTIATION, LOG_POLICY, LOG_ENDCLASS
};
#define LOG_CLASSES_TEXT \
- { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch" }
+ { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch", "Negt", \
+ "Plcy" }
/*
* "Class" LOG_REPORT will always be logged to the current log channel,
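Review bot: The enum and LOG_CLASSES_TEXT are kept in step by hand and this is now the second place (with the digit list in isakmpd.8) that must change together with them, but nothing in the header says so; the next class added to one side but not the other would make log output index past the text table. I would put `/* Keep LOG_CLASSES_TEXT and the class table in isakmpd.8 in sync with this enum. */` above `enum log_classes`, and if the code base permits it, a compile-time check that the text array has LOG_ENDCLASS entries.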
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index a4c10659d49..df34abc0132 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.36 2001/01/27 12:03:34 niklas Exp $ */
+/* $OpenBSD: message.c,v 1.37 2001/03/13 14:05:19 ho Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -1662,7 +1662,7 @@ message_negotiate_sa (struct message *msg,
- ISAKMP_TRANSFORM_SA_ATTRS_OFF,
exchange->doi->is_attribute_incompatible, msg))
{
- LOG_DBG ((LOG_MESSAGE, 30,
+ LOG_DBG ((LOG_NEGOTIATION, 30,
"message_negotiate_sa: "
"transform %d proto %d proposal %d ok",
GET_ISAKMP_TRANSFORM_NO (tp->p),
@@ -1692,7 +1692,7 @@ message_negotiate_sa (struct message *msg,
{
if (!suite_ok_so_far)
{
- LOG_DBG ((LOG_MESSAGE, 30,
+ LOG_DBG ((LOG_NEGOTIATION, 30,
"message_negotiate_sa: proto %d proposal %d failed",
GET_ISAKMP_PROP_PROTO (propp->p),
GET_ISAKMP_PROP_NO (propp->p)));
@@ -1725,7 +1725,7 @@ message_negotiate_sa (struct message *msg,
{
if (!validate || validate (exchange, sa, msg->isakmp_sa))
{
- LOG_DBG ((LOG_MESSAGE, 30,
+ LOG_DBG ((LOG_NEGOTIATION, 30,
"message_negotiate_sa: proposal %d succeeded",
GET_ISAKMP_PROP_NO (propp->p)));
@@ -1738,7 +1738,7 @@ message_negotiate_sa (struct message *msg,
else
{
/* Backtrack. */
- LOG_DBG ((LOG_MESSAGE, 30,
+ LOG_DBG ((LOG_NEGOTIATION, 30,
"message_negotiate_sa: proposal %d failed",
GET_ISAKMP_PROP_NO (propp->p)));
next_tp = saved_tp;
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index a4bd3fe5b11..91b60f9d7de 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.23 2001/03/07 07:36:34 angelos Exp $ */
+/* $OpenBSD: policy.c,v 1.24 2001/03/13 14:05:19 ho Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -676,9 +676,9 @@ policy_callback (char *name)
remote_id = strdup (remote_id_addr_upper);
if (!remote_id)
{
- log_print ("policy_callback: strdup (\"%s\") failed",
- remote_id_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ remote_id_addr_upper);
+ goto bad;
}
break;
@@ -696,11 +696,11 @@ policy_callback (char *name)
sizeof (char));
if (!remote_id)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (remote_id_addr_upper)
- + strlen (remote_id_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (remote_id, remote_id_addr_lower);
@@ -725,11 +725,11 @@ policy_callback (char *name)
sizeof (char));
if (!remote_id)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (remote_id_addr_upper)
- + strlen (remote_id_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_id_addr_upper)
+ + strlen (remote_id_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (remote_id, remote_id_addr_lower);
@@ -759,10 +759,10 @@ policy_callback (char *name)
sizeof (char));
if (!remote_id)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
@@ -774,10 +774,10 @@ policy_callback (char *name)
sizeof (char));
if (!remote_id)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
@@ -796,15 +796,15 @@ policy_callback (char *name)
remote_id = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, sizeof (char));
if (!remote_id)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
+ sizeof (char));
+ goto bad;
}
for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++)
{
- remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
- remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
+ remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
+ remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
}
break;
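Review bot: The hex loop at the end of the hunk is re-indented but keeps a real defect: `*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ)` never involves `i`, so every output pair encodes the same first byte and remote_id is wrong for any ID longer than one byte. The source byte should be `id[ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i]` on both lines, and if `id` is not an unsigned byte pointer the value should go through `unsigned char` before the shift so hextab is never indexed with a negative value. The same missing `+ i` is in the remote_filter loop (`*(idremote + ISAKMP_ID_DATA_OFF)`) and the local_filter loop (`*(idlocal + ISAKMP_ID_DATA_OFF)`) later in this file. policy_callback starts and ends outside this hunk.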
@@ -871,9 +871,9 @@ policy_callback (char *name)
remote_filter = strdup (remote_filter_addr_upper);
if (!remote_filter)
{
- log_print ("policy_callback: strdup (\"%s\") failed",
- remote_filter_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ remote_filter_addr_upper);
+ goto bad;
}
break;
@@ -891,11 +891,11 @@ policy_callback (char *name)
sizeof (char));
if (!remote_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (remote_filter_addr_upper)
- + strlen (remote_filter_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (remote_filter, remote_filter_addr_lower);
remote_filter[strlen (remote_filter_addr_lower)] = '-';
@@ -919,11 +919,11 @@ policy_callback (char *name)
sizeof (char));
if (!remote_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (remote_filter_addr_upper)
- + strlen (remote_filter_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (remote_filter, remote_filter_addr_lower);
remote_filter[strlen (remote_filter_addr_lower)] = '-';
@@ -952,10 +952,10 @@ policy_callback (char *name)
sizeof (char));
if (!remote_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ idremotesz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF,
idremotesz);
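Review bot: The memcpy at the end of the hunk copies `idremotesz` bytes into remote_filter, but the size the log_error reports for the allocation is `idremotesz - ISAKMP_ID_DATA_OFF + 1` (the calloc itself sits just above the hunk), so if those agree the copy overruns the heap buffer by ISAKMP_ID_DATA_OFF - 1 bytes, with the length taken from the peer's ID payload. The length should be `idremotesz - ISAKMP_ID_DATA_OFF`, i.e. `memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, idremotesz - ISAKMP_ID_DATA_OFF);`. The next hunk (second remote_filter case) and the two idlocal/idlocalsz local_filter hunks further down copy `idremotesz`/`idlocalsz` into buffers sized the same way and need the same correction. policy_callback starts and ends outside this hunk.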
@@ -967,10 +967,10 @@ policy_callback (char *name)
sizeof (char));
if (!remote_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ idremotesz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF,
idremotesz);
@@ -989,13 +989,15 @@ policy_callback (char *name)
remote_filter = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
if (!remote_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1,
+ sizeof (char));
+ goto bad;
}
for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++)
{
- remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4];
- remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF];
+ remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4];
+ remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF];
}
break;
@@ -1022,7 +1024,8 @@ policy_callback (char *name)
#endif
default:
- sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]);
+ sprintf (remote_filter_proto_num, "%2d",
+ idremote[ISAKMP_GEN_SZ + 1]);
remote_filter_proto = remote_filter_proto_num;
break;
}
@@ -1044,9 +1047,9 @@ policy_callback (char *name)
remote_filter = strdup (remote_filter_addr_upper);
if (!remote_filter)
{
- log_print ("policy_callback: strdup (\"%s\") failed",
- remote_filter_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ remote_filter_addr_upper);
+ goto bad;
}
}
@@ -1065,9 +1068,9 @@ policy_callback (char *name)
local_filter = strdup (local_filter_addr_upper);
if (!local_filter)
{
- log_print ("policy_callback: strdup (\"%s\") failed",
- local_filter_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ local_filter_addr_upper);
+ goto bad;
}
break;
@@ -1085,11 +1088,11 @@ policy_callback (char *name)
sizeof (char));
if (!local_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (local_filter_addr_upper)
- + strlen (local_filter_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (local_filter, local_filter_addr_lower);
local_filter[strlen (local_filter_addr_lower)] = '-';
@@ -1113,11 +1116,11 @@ policy_callback (char *name)
sizeof (char));
if (!local_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (local_filter_addr_upper)
- + strlen (local_filter_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (local_filter_addr_upper)
+ + strlen (local_filter_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
}
strcpy (local_filter, local_filter_addr_lower);
local_filter[strlen (local_filter_addr_lower)] = '-';
@@ -1146,10 +1149,10 @@ policy_callback (char *name)
sizeof (char));
if (!local_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ idlocalsz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF,
idlocalsz);
@@ -1161,10 +1164,10 @@ policy_callback (char *name)
sizeof (char));
if (!local_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed",
- idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ idlocalsz - ISAKMP_ID_DATA_OFF + 1,
+ sizeof (char));
+ goto bad;
}
memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF,
idlocalsz);
@@ -1183,13 +1186,15 @@ policy_callback (char *name)
local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
if (!local_filter)
{
- log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1,
+ sizeof (char));
+ goto bad;
}
for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++)
{
- local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4];
- local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF];
+ local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4];
+ local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF];
}
break;
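Review bot: The loop bound `for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++)` uses the remote ID size, while local_filter was allocated from idlocalsz and the bytes are read from idlocal; whenever the remote ID is longer than the local one the loop writes past the end of local_filter. It should read `for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)`. policy_callback starts and ends outside this hunk.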
@@ -1216,7 +1221,8 @@ policy_callback (char *name)
#endif
default:
- sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]);
+ sprintf (local_filter_proto_num, "%2d",
+ idlocal[ISAKMP_GEN_SZ + 1]);
local_filter_proto = local_filter_proto_num;
break;
}
@@ -1239,72 +1245,78 @@ policy_callback (char *name)
local_filter = strdup (local_filter_addr_upper);
if (!local_filter)
{
- log_print ("policy_callback: strdup (\"%s\") failed",
- local_filter_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ local_filter_addr_upper);
+ goto bad;
}
}
- LOG_DBG ((LOG_SA, 80, "Policy context (action attributes):"));
- LOG_DBG ((LOG_SA, 80, "esp_present == %s", esp_present));
- LOG_DBG ((LOG_SA, 80, "ah_present == %s", ah_present));
- LOG_DBG ((LOG_SA, 80, "comp_present == %s", comp_present));
- LOG_DBG ((LOG_SA, 80, "ah_hash_alg == %s", ah_hash_alg));
- LOG_DBG ((LOG_SA, 80, "esp_enc_alg == %s", esp_enc_alg));
- LOG_DBG ((LOG_SA, 80, "comp_alg == %s", comp_alg));
- LOG_DBG ((LOG_SA, 80, "ah_auth_alg == %s", ah_auth_alg));
- LOG_DBG ((LOG_SA, 80, "esp_auth_alg == %s", esp_auth_alg));
- LOG_DBG ((LOG_SA, 80, "ah_life_seconds == %s", ah_life_seconds));
- LOG_DBG ((LOG_SA, 80, "ah_life_kbytes == %s", ah_life_kbytes));
- LOG_DBG ((LOG_SA, 80, "esp_life_seconds == %s", esp_life_seconds));
- LOG_DBG ((LOG_SA, 80, "esp_life_kbytes == %s", esp_life_kbytes));
- LOG_DBG ((LOG_SA, 80, "comp_life_seconds == %s", comp_life_seconds));
- LOG_DBG ((LOG_SA, 80, "comp_life_kbytes == %s", comp_life_kbytes));
- LOG_DBG ((LOG_SA, 80, "ah_encapsulation == %s", ah_encapsulation));
- LOG_DBG ((LOG_SA, 80, "esp_encapsulation == %s", esp_encapsulation));
- LOG_DBG ((LOG_SA, 80, "comp_encapsulation == %s", comp_encapsulation));
- LOG_DBG ((LOG_SA, 80, "comp_dict_size == %s", comp_dict_size));
- LOG_DBG ((LOG_SA, 80, "comp_private_alg == %s", comp_private_alg));
- LOG_DBG ((LOG_SA, 80, "ah_key_length == %s", ah_key_length));
- LOG_DBG ((LOG_SA, 80, "ah_key_rounds == %s", ah_key_rounds));
- LOG_DBG ((LOG_SA, 80, "esp_key_length == %s", esp_key_length));
- LOG_DBG ((LOG_SA, 80, "esp_key_rounds == %s", esp_key_rounds));
- LOG_DBG ((LOG_SA, 80, "ah_group_desc == %s", ah_group_desc));
- LOG_DBG ((LOG_SA, 80, "esp_group_desc == %s", esp_group_desc));
- LOG_DBG ((LOG_SA, 80, "comp_group_desc == %s", comp_group_desc));
- LOG_DBG ((LOG_SA, 80, "remote_filter_type == %s", remote_filter_type));
- LOG_DBG ((LOG_SA, 80, "remote_filter_addr_upper == %s",
+ LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):"));
+ LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present));
+ LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present));
+ LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present));
+ LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg));
+ LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg));
+ LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg));
+ LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg));
+ LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg));
+ LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds));
+ LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes));
+ LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds));
+ LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes));
+ LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds));
+ LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes));
+ LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation));
+ LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation));
+ LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s",
+ comp_encapsulation));
+ LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size));
+ LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg));
+ LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length));
+ LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds));
+ LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length));
+ LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds));
+ LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc));
+ LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == %s", esp_group_desc));
+ LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc));
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s",
+ remote_filter_type));
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s",
remote_filter_addr_upper));
- LOG_DBG ((LOG_SA, 80, "remote_filter_addr_lower == %s",
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s",
remote_filter_addr_lower));
- LOG_DBG ((LOG_SA, 80, "remote_filter == %s",
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s",
(remote_filter ? remote_filter : "")));
- LOG_DBG ((LOG_SA, 80, "remote_filter_port == %s", remote_filter_port));
- LOG_DBG ((LOG_SA, 80, "remote_filter_proto == %s", remote_filter_proto));
- LOG_DBG ((LOG_SA, 80, "local_filter_type == %s", local_filter_type));
- LOG_DBG ((LOG_SA, 80, "local_filter_addr_upper == %s",
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s",
+ remote_filter_port));
+ LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s",
+ remote_filter_proto));
+ LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type));
+ LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s",
local_filter_addr_upper));
- LOG_DBG ((LOG_SA, 80, "local_filter_addr_lower == %s",
+ LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s",
local_filter_addr_lower));
- LOG_DBG ((LOG_SA, 80, "local_filter == %s",
+ LOG_DBG ((LOG_POLICY, 80, "local_filter == %s",
(local_filter ? local_filter : "")));
- LOG_DBG ((LOG_SA, 80, "local_filter_port == %s", local_filter_port));
- LOG_DBG ((LOG_SA, 80, "local_filter_proto == %s", local_filter_proto));
- LOG_DBG ((LOG_SA, 80, "remote_id_type == %s", remote_id_type));
- LOG_DBG ((LOG_SA, 80, "remote_id_addr_upper == %s",
+ LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port));
+ LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s",
+ local_filter_proto));
+ LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type));
+ LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s",
remote_id_addr_upper));
- LOG_DBG ((LOG_SA, 80, "remote_id_addr_lower == %s",
+ LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s",
remote_id_addr_lower));
- LOG_DBG ((LOG_SA, 80, "remote_id == %s", (remote_id ? remote_id : "")));
- LOG_DBG ((LOG_SA, 80, "remote_id_port == %s", remote_id_port));
- LOG_DBG ((LOG_SA, 80, "remote_id_proto == %s", remote_id_proto));
- LOG_DBG ((LOG_SA, 80, "remote_negotiation_address == %s",
+ LOG_DBG ((LOG_POLICY, 80, "remote_id == %s",
+ (remote_id ? remote_id : "")));
+ LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port));
+ LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto));
+ LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s",
remote_ike_address));
- LOG_DBG ((LOG_SA, 80, "local_negotiation_address == %s",
+ LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s",
local_ike_address));
- LOG_DBG ((LOG_SA, 80, "pfs == %s", pfs));
- LOG_DBG ((LOG_SA, 80, "initiator == %s", initiator));
- LOG_DBG ((LOG_SA, 80, "phase1_group_desc == %s", phase1_group));
+ LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs));
+ LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator));
+ LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group));
/* Unset dirty now. */
dirty = 0;
@@ -1315,16 +1327,16 @@ policy_callback (char *name)
if (strcmp (name, "GMTTimeOfDay") == 0)
{
- tt = time ((time_t) NULL);
- strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt));
- return mytimeofday;
+ tt = time ((time_t) NULL);
+ strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt));
+ return mytimeofday;
}
if (strcmp (name, "LocalTimeOfDay") == 0)
{
- tt = time ((time_t) NULL);
- strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt));
- return mytimeofday;
+ tt = time ((time_t) NULL);
+ strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt));
+ return mytimeofday;
}
if (strcmp (name, "initiator") == 0)
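Review bot: Both strftime calls pass a size of 14 while `%G%m%d%H%M%S` expands to exactly 14 characters, leaving no room for the terminator; strftime then returns 0 and the buffer contents are unspecified, so the string handed back to the policy engine is not guaranteed to be NUL-terminated. The size should be at least 15 (`sizeof mytimeofday` if it is an array) and the return value checked before `return mytimeofday;`. Separately, `%G` is the ISO 8601 week-based year, which differs from the calendar year on the last days of December and the first days of January, so time comparisons in policy would be off by a year around New Year; `%Y` is almost certainly what is intended. gmtime/localtime can also return NULL, which strftime would then dereference.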
@@ -1492,7 +1504,7 @@ policy_init (void)
struct stat st;
int fd, len, i;
- LOG_DBG ((LOG_MISC, 50, "policy_init: initializing"));
+ LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing"));
#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE)
if (!dyn_load (libkeynote_script))
@@ -1715,7 +1727,8 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
dirname = conf_get_str ("KeyNote", "Credential-directory");
if (!dirname)
{
- log_print ("keynote_cert_obtain: no Credential-directory");
+ LOG_DBG ((LOG_POLICY, 30,
+ "keynote_cert_obtain: no Credential-directory"));
return 0;
}
@@ -1730,7 +1743,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
file = calloc (len + 15, sizeof(char));
if (file == NULL)
{
- log_print ("keynote_cert_obtain: failed to allocate %d bytes",
+ log_error ("keynote_cert_obtain: failed to allocate %d bytes",
len + 15);
return 0;
}
@@ -1746,7 +1759,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
file = calloc (len + id_len, sizeof(char));
if (file == NULL)
{
- log_print ("keynote_cert_obtain: failed to allocate %d bytes",
+ log_error ("keynote_cert_obtain: failed to allocate %d bytes",
len + id_len);
return 0;
}
@@ -1763,7 +1776,8 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
if (stat (file, &sb) < 0)
{
- log_print ("keynote_cert_obtain: failed to stat \"%s\"", file);
+ LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"",
+ file));
free (file);
return 0;
}
@@ -1771,7 +1785,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
*cert = calloc (sb.st_size, sizeof(char));
if (*cert == NULL)
{
- log_print ("keynote_cert_obtain: failed to allocate %d bytes",
+ log_error ("keynote_cert_obtain: failed to allocate %d bytes",
sb.st_size);
free (file);
return 0;
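Review bot: `sb.st_size` is an off_t, which is 64 bits wide on OpenBSD, but it is printed with `%d` here and again in the read-failure message of the next hunk; the printed value is wrong and the varargs read is undefined. Cast it explicitly, e.g. `log_error ("keynote_cert_obtain: failed to allocate %lld bytes", (long long) sb.st_size);`. The `len + id_len` argument in the preceding hunk is a size_t printed with `%d` and has the same problem on 64-bit targets.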
@@ -1780,15 +1794,16 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
fd = open (file, O_RDONLY, 0);
if (fd < 0)
{
- log_print ("keynote_cert_obtain: failed to open \"%s\"", file);
+ LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"",
+ file));
free (file);
return 0;
}
if (read (fd, *cert, sb.st_size) != sb.st_size)
{
- log_print ("keynote_cert_obtain: failed to read %d bytes from \"%s\"",
- sb.st_size, file);
+ LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %d "
+ "bytes from \"%s\"", sb.st_size, file));
free (file);
close (fd);
return 0;
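Review bot: Both failure paths in this hunk — open() failing and the short read — free `file` and return 0 but leave the buffer allocated at `*cert = calloc (sb.st_size, sizeof(char))` in the previous hunk live, so the caller receives a 0 return together with an allocation it has no reason to free. Add `free (*cert); *cert = NULL;` before each of the two returns so the out-parameter is clean on failure. The calloc size also comes from a stat() taken before the open(), so a file whose size changes in between is reported as a read failure; that is acceptable but deserves a one-line comment.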
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index b8b09d85df2..1155fb2ec9a 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.42 2001/02/23 15:29:55 angelos Exp $ */
+/* $OpenBSD: x509.c,v 1.43 2001/03/13 14:05:19 ho Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -120,7 +120,7 @@ x509_generate_kn (X509 *cert)
char *timecomp, *timecomp2;
int i;
- LOG_DBG ((LOG_CRYPTO, 90,
+ LOG_DBG ((LOG_POLICY, 90,
"x509_generate_kn: generating KeyNote policy for certificate %p",
cert));
@@ -133,7 +133,8 @@ x509_generate_kn (X509 *cert)
if (!x509_cert_get_key (cert, &key))
{
- log_print ("x509_generate_kn: failed to get public key from cert");
+ LOG_DBG ((LOG_POLICY, 30,
+ "x509_generate_kn: failed to get public key from cert"));
return 0;
}
@@ -145,13 +146,13 @@ x509_generate_kn (X509 *cert)
{
log_print ("x509_generate_kn: failed to get memory for public key");
LC (RSA_free, (key));
- log_print ("x509_generate_kn: cannot get subject key");
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key"));
return 0;
}
if (!ikey)
{
LC (RSA_free, (key));
- log_print ("x509_generate_kn: cannot get subject key");
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key"));
return 0;
}
LC (RSA_free, (key));
@@ -167,7 +168,8 @@ x509_generate_kn (X509 *cert)
X509_LU_X509)
{
LC (X509_STORE_CTX_cleanup, (&csc));
- log_print ("x509_generate_kn: no certificate found for issuer");
+ LOG_DBG ((LOG_POLICY, 30,
+ "x509_generate_kn: no certificate found for issuer"));
return 0;
}
}
@@ -177,15 +179,16 @@ x509_generate_kn (X509 *cert)
if (icert == NULL)
{
- log_print ("x509_generate_kn: "
- "missing certificates, cannot construct X509 chain");
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: "
+ "missing certificates, cannot construct X509 chain"));
free (ikey);
return 0;
}
if (!x509_cert_get_key (icert, &key))
{
- log_print ("x509_generate_kn: failed to get public key from cert");
+ LOG_DBG ((LOG_POLICY, 30,
+ "x509_generate_kn: failed to get public key from cert"));
free (ikey);
return 0;
}
@@ -201,7 +204,7 @@ x509_generate_kn (X509 *cert)
log_error ("x509_generate_kn: failed to get memory for public key");
free (ikey);
LC (RSA_free, (key));
- log_print ("x509_generate_kn: cannot get issuer key");
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key"));
return 0;
}
@@ -209,7 +212,7 @@ x509_generate_kn (X509 *cert)
{
free (ikey);
LC (RSA_free, (key));
- log_print ("x509_generate_kn: cannot get issuer key");
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key"));
return 0;
}
LC (RSA_free, (key));
@@ -249,12 +252,12 @@ x509_generate_kn (X509 *cert)
{
if (tm->data[i] < '0' || tm->data[i] > '9')
{
- log_error ("x509_generate_kn: invalid data in "
- "NotValidBefore time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid data in "
+ "NotValidBefore time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
}
@@ -262,9 +265,8 @@ x509_generate_kn (X509 *cert)
{
if ((tm->length < 10) || (tm->length > 13))
{
- log_error ("x509_generate_kn: "
- "invalid length of NotValidBefore time field (%d)",
- tm->length);
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length "
+ "of NotValidBefore time field (%d)", tm->length));
free (ikey);
free (skey);
free (buf);
@@ -282,12 +284,12 @@ x509_generate_kn (X509 *cert)
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5'))
{
- log_error ("x509_generate_kn: invalid value in "
- "NotValidBefore time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in "
+ "NotValidBefore time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
/* Stupid UTC tricks */
@@ -300,9 +302,8 @@ x509_generate_kn (X509 *cert)
{ /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15))
{
- log_error ("x509_generate_kn: "
- "invalid length of NotValidBefore time field (%d)",
- tm->length);
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of "
+ "NotValidBefore time field (%d)", tm->length));
free (ikey);
free (skey);
free (buf);
@@ -320,12 +321,12 @@ x509_generate_kn (X509 *cert)
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5'))
{
- log_error ("x509_generate_kn: invalid value in "
- "NotValidBefore time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in "
+ "NotValidBefore time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
sprintf(before, "%s", tm->data);
@@ -365,12 +366,12 @@ x509_generate_kn (X509 *cert)
{
if (tm->data[i] < '0' || tm->data[i] > '9')
{
- log_error ("x509_generate_kn: invalid data in "
- "NotValidAfter time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid data in "
+ "NotValidAfter time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
}
@@ -378,9 +379,8 @@ x509_generate_kn (X509 *cert)
{
if ((tm->length < 10) || (tm->length > 13))
{
- log_error ("x509_generate_kn: "
- "invalid length of NotValidAfter time field (%d)",
- tm->length);
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of "
+ "NotValidAfter time field (%d)", tm->length));
free (ikey);
free (skey);
free (buf);
@@ -398,12 +398,12 @@ x509_generate_kn (X509 *cert)
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5'))
{
- log_error ("x509_generate_kn: invalid value in "
- "NotValidAfter time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in "
+ "NotValidAfter time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
/* Stupid UTC tricks */
@@ -416,9 +416,8 @@ x509_generate_kn (X509 *cert)
{ /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15))
{
- log_error ("x509_generate_kn: "
- "invalid length of NotValidAfter time field (%d)",
- tm->length);
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of "
+ "NotValidAfter time field (%d)", tm->length));
free (ikey);
free (skey);
free (buf);
@@ -436,12 +435,12 @@ x509_generate_kn (X509 *cert)
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5'))
{
- log_error ("x509_generate_kn: invalid value in "
- "NotValidAfter time field");
- free (ikey);
- free (skey);
- free (buf);
- return 0;
+ LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in "
+ "NotValidAfter time field"));
+ free (ikey);
+ free (skey);
+ free (buf);
+ return 0;
}
sprintf(after, "%s", tm->data);
@@ -464,7 +463,8 @@ x509_generate_kn (X509 *cert)
if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf),
ASSERT_FLAG_LOCAL)) == -1)
{
- log_error ("x509_generate_kn: failed to add new KeyNote credential");
+ LOG_DBG ((LOG_POLICY, 30,
+ "x509_generate_kn: failed to add new KeyNote credential"));
free (buf);
return 0;
}
@@ -475,13 +475,15 @@ x509_generate_kn (X509 *cert)
if (!LC (X509_NAME_oneline, (issuer, isname, 256)))
{
- log_print ("x509_generate_kn: X509_NAME_oneline (issuer, ...) failed");
+ LOG_DBG ((LOG_POLICY, 50,
+ "x509_generate_kn: X509_NAME_oneline (issuer, ...) failed"));
return 0;
}
if (!LC (X509_NAME_oneline, (subject, subname, 256)))
{
- log_print ("x509_generate_kn: X509_NAME_oneline (subject, ...) failed");
+ LOG_DBG ((LOG_POLICY, 50,
+ "x509_generate_kn: X509_NAME_oneline (subject, ...) failed"));
return 0;
}
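Review bot: The two X509_NAME_oneline failure returns leak `buf`: it is freed on the kn_add_assertion failure path in the hunk above and reused by the kn_add_assertion call in the hunk below, so it is still allocated here and neither `return 0;` releases it. Add `free (buf);` before each return. x509_generate_kn starts and ends outside this hunk.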
@@ -499,12 +501,13 @@ x509_generate_kn (X509 *cert)
if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf),
ASSERT_FLAG_LOCAL)) == -1)
{
- log_error ("x509_generate_kn: failed to add new KeyNote credential");
+ LOG_DBG ((LOG_POLICY, 30,
+ "x509_generate_kn: failed to add new KeyNote credential"));
free (buf);
return 0;
}
else
- LOG_DBG ((LOG_CRYPTO, 80, "x509_generate_kn: added policy:\n%s", buf));
+ LOG_DBG ((LOG_POLICY, 80, "x509_generate_kn: added policy:\n%s", buf));
/* Store the X509-derived assertion so we can use it as a policy */
if (x509_policy_asserts_num == 0)
@@ -792,7 +795,8 @@ x509_read_from_dir (X509_STORE *ctx, char *name, int hash)
#else
if (libkeynote && x509_generate_kn (cert) == 0)
#endif
- log_print ("x509_read_from_dir: x509_generate_kn failed");
+ LOG_DBG ((LOG_POLICY, 50,
+ "x509_read_from_dir: x509_generate_kn failed"));
#endif /* USE_POLICY */
}
}
@@ -953,7 +957,7 @@ x509_cert_insert (int id, void *scert)
if (libkeynote && x509_generate_kn (cert) == 0)
#endif
{
- log_print ("x509_cert_insert: x509_generate_kn failed");
+ LOG_DBG ((LOG_POLICY, 50, "x509_cert_insert: x509_generate_kn failed"));
LC (X509_free, (cert));
return 0;
}
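Review bot: With this message lowered to LOG_POLICY level 50 and every failure inside x509_generate_kn lowered to level 30 in the hunks above, a certificate that x509_cert_insert refuses (`LC (X509_free, (cert)); return 0;`) leaves no trace unless policy debugging is enabled, which is the configuration an operator diagnosing a failed certificate exchange is least likely to have on. Since this is the outermost point where the rejection is known, keeping one non-debug line here, e.g. `log_print ("x509_cert_insert: x509_generate_kn failed");`, preserves visibility of the event while the per-field detail stays at debug level. The same consideration applies to the x509_read_from_dir counterpart in the previous hunk.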