Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/ike_phase_1.c | 67 | ||||
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 155 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.8 | 6 | ||||
-rw-r--r-- | sbin/isakmpd/log.h | 7 | ||||
-rw-r--r-- | sbin/isakmpd/message.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/policy.c | 317 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 136 |
7 files changed, 368 insertions, 330 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c index 874b4f31bdc..981c84ec8ea 100644 --- a/sbin/isakmpd/ike_phase_1.c +++ b/sbin/isakmpd/ike_phase_1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_phase_1.c,v 1.22 2001/03/07 07:33:53 angelos Exp $ */ +/* $OpenBSD: ike_phase_1.c,v 1.23 2001/03/13 14:05:18 ho Exp $ */ /* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */ /* @@ -598,8 +598,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg) "dh_create_shared failed"); return -1; } - LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: g^xy", - ie->g_xy, ie->g_x_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: g^xy", ie->g_xy, + ie->g_x_len)); /* Compute the SKEYID depending on the authentication method. */ ie->skeyid = ie->ike_auth->gen_skeyid (exchange, &ie->skeyid_len); @@ -608,8 +609,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg) /* XXX Log and teardown? */ return -1; } - LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID", - ie->skeyid, ie->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID", ie->skeyid, + ie->skeyid_len)); /* SKEYID_d. */ ie->skeyid_d = malloc (ie->skeyid_len); @@ -631,8 +633,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg) prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); prf->Update (prf->prfctx, "\0", 1); prf->Final (ie->skeyid_d, prf->prfctx); - LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", - ie->skeyid_d, ie->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", ie->skeyid_d, + ie->skeyid_len)); /* SKEYID_a. */ ie->skeyid_a = malloc (ie->skeyid_len); 
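Review bot: The LOG_DBG_BUF calls moved to LOG_NEGOTIATION in ike_phase_1_post_exchange_KE_NONCE dump g^xy, SKEYID, SKEYID_d, SKEYID_a and SKEYID_e at level 80, so the new class is the one whose high levels expose the phase 1 session secrets in the log, and neither this hunk nor the isakmpd.8 entry for class 8 says so. Suggest a comment at the first of these calls, `/* Level >= 80 in this class logs the DH shared secret and the whole SKEYID family; keep LOG_NEGOTIATION below 80 outside of debugging on a test host. */`. The same caveat applies to the ike_quick_mode.c hunks, which log SKEYID_a and KEYMAT under LOG_NEGOTIATION at 80–90. ike_phase_1_post_exchange_KE_NONCE starts before this hunk and ends after it.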
@@ -649,8 +652,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg) prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); prf->Update (prf->prfctx, "\1", 1); prf->Final (ie->skeyid_a, prf->prfctx); - LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", - ie->skeyid_a, ie->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", ie->skeyid_a, + ie->skeyid_len)); /* SKEYID_e. */ ie->skeyid_e = malloc (ie->skeyid_len); @@ -669,8 +673,9 @@ ike_phase_1_post_exchange_KE_NONCE (struct message *msg) prf->Update (prf->prfctx, "\2", 1); prf->Final (ie->skeyid_e, prf->prfctx); prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 80, "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", - ie->skeyid_e, ie->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", ie->skeyid_e, + ie->skeyid_len)); /* Key length determination. */ if (!exchange->key_length) @@ -860,7 +865,7 @@ ike_phase_1_send_ID (struct message *msg) memcpy (*id, buf + ISAKMP_GEN_SZ, *id_len); snprintf (header, 80, "ike_phase_1_send_ID: %s", constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (buf))); - LOG_DBG_BUF ((LOG_MISC, 40, header, buf + ISAKMP_ID_DATA_OFF, + LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF, sz - ISAKMP_ID_DATA_OFF)); return 0; @@ -932,7 +937,7 @@ ike_phase_1_recv_ID (struct message *msg) memcpy (*id, payload->p + ISAKMP_GEN_SZ, *id_len); snprintf (header, 80, "ike_phase_1_recv_ID: %s", constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (payload->p))); - LOG_DBG_BUF ((LOG_MISC, 40, header, payload->p + ISAKMP_ID_DATA_OFF, + LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, payload->p + ISAKMP_ID_DATA_OFF, *id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF)); payload->flags |= PL_MARK; 
@@ -989,7 +994,7 @@ ike_phase_1_recv_AUTH (struct message *msg) prf_free (prf); snprintf (header, 80, "ike_phase_1_recv_AUTH: computed HASH_%c", initiator ? 'R' : 'I'); - LOG_DBG_BUF ((LOG_MISC, 80, header, hash->digest, hashsize)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, header, hash->digest, hashsize)); /* Check that the hash we got matches the one we computed. */ if (memcmp (*hash_p, hash->digest, hashsize) != 0) @@ -1074,7 +1079,7 @@ ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa, } /* All protocols were OK, we succeeded. */ - LOG_DBG ((LOG_MISC, 20, "ike_phase_1_validate_prop: success")); + LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: success")); conf_free_list (conf); if (vs.life) free (vs.life); @@ -1093,7 +1098,7 @@ ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa, free (vs.life); } - LOG_DBG ((LOG_MISC, 20, "ike_phase_1_validate_prop: failure")); + LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure")); conf_free_list (conf); return 0; } @@ -1118,7 +1123,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, if (!tag) { - log_print ("attribute_unacceptable: attribute type %d not known", type); + LOG_DBG ((LOG_NEGOTIATION, 60, + "attribute_unacceptable: attribute type %d not known", type)); return 1; } @@ -1134,8 +1140,9 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, if (!str) { /* This attribute does not exist in this policy. */ - log_print ("attribute_unacceptable: attr %s does not exist in %s", - tag, xf->field); + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: attr %s does not exist in %s", + tag, xf->field)); return 1; } 
@@ -1158,8 +1165,9 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, LIST_INSERT_HEAD (&vs->attrs, node, link); return 0; } - log_print ("attribute_unacceptable: %s: got %s, expected %s", - tag, constant_lookup (map, decode_16 (value)), str); + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: %s: got %s, expected %s", tag, + constant_lookup (map, decode_16 (value)), str)); return 1; case IKE_ATTR_GROUP_PRIME: @@ -1180,8 +1188,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, if (!life_conf) { /* Life attributes given, but not in our policy. */ - log_print ("attribute_unacceptable: " - "received unexpected life attribute"); + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "received unexpected life attribute")); return 1; } @@ -1199,8 +1207,8 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, str = conf_get_str (life->field, "LIFE_TYPE"); if (!str) { - log_print ("attribute_unacceptable: " - "section [%s] has no LIFE_TYPE", life->field); + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "section [%s] has no LIFE_TYPE", life->field)); continue; } @@ -1215,16 +1223,17 @@ attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, goto bail_out; } } - log_print ("attribute_unacceptable: unrecognized LIFE_TYPE %d", - decode_16 (value)); + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: unrecognized LIFE_TYPE %d", + decode_16 (value))); vs->life = 0; break; case IKE_ATTR_LIFE_DURATION: if (!vs->life) { - log_print ("attribute_unacceptable: " - "LIFE_DURATION without LIFE_TYPE"); + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "LIFE_DURATION without LIFE_TYPE")); rv = 1; goto bail_out; } diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c index 2b3f87263ba..bc760944441 100644 --- a/sbin/isakmpd/ike_quick_mode.c +++ b/sbin/isakmpd/ike_quick_mode.c 
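Review bot: After these hunks the reasons attribute_unacceptable rejects a peer's phase 1 transform (unknown attribute type, attribute absent from the policy section, value mismatch, unexpected or malformed life attributes) are only visible with the Negotiation class at level 60 or 70, whereas they were printed unconditionally before; the isakmpd.8 hunk adds the class entry but does not mention this. A sentence in the man page next to `.It 8 Negotiation`, saying that proposal-rejection details require this class at level 70, would spare operators a blind retry when a phase 1 proposal fails. attribute_unacceptable begins before this hunk and continues past it.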
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.45 2001/02/19 16:58:04 angelos Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.46 2001/03/13 14:05:18 ho Exp $ */
 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
 
 /*
@@ -145,10 +145,10 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
 keynote_ids = calloc (keynote_policy_asserts_num, sizeof *keynote_ids);
 if (!keynote_ids)
 {
- log_print ("check_policy: "
- "failed to allocate %d bytes for book keeping",
- keynote_policy_asserts_num * sizeof *keynote_ids);
- return 0;
+ log_error ("check_policy: "
+ "failed to allocate %d bytes for book keeping",
+ keynote_policy_asserts_num * sizeof *keynote_ids);
+ return 0;
 }
 }
 
@@ -157,7 +157,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
 x509_ids = calloc (x509_policy_asserts_num, sizeof *x509_ids);
 if (!x509_ids)
 {
- log_print ("check_policy: "
+ log_error ("check_policy: "
 "failed to allocate %d bytes for book keeping",
 x509_policy_asserts_num * sizeof *x509_ids);
 free (keynote_ids);
@@ -199,7 +199,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
 principal = calloc (nprinc, sizeof(*principal));
 if (principal == NULL)
 {
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
 nprinc * sizeof(*principal));
 goto policydone;
 }
@@ -208,7 +208,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
 strlen ("passphrase:"), sizeof (char));
 if (principal[0] == NULL)
 {
- log_print ("check_policy: failed to allocate %d bytes",
+ log_error ("check_policy: failed to allocate %d bytes",
 isakmp_sa->recv_certlen + 1 + strlen ("passphrase:"));
 goto policydone;
 }
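Review bot: Every rewritten log_error call in check_policy passes a `size_t` to `%d`: `keynote_policy_asserts_num * sizeof *keynote_ids`, `x509_policy_asserts_num * sizeof *x509_ids`, `nprinc * sizeof(*principal)` and `isakmp_sa->recv_certlen + 1 + strlen ("passphrase:")` all carry `sizeof`/`strlen` type, which `%d` is not defined to accept and which prints garbage on 64-bit targets. Either cast, e.g. `log_error ("check_policy: failed to allocate %lu bytes for book keeping", (unsigned long)(keynote_policy_asserts_num * sizeof *keynote_ids));`, or drop the byte count since the message only has to say that the allocation failed. The same `%d` against `strlen`/`sizeof` arguments recurs in the following check_policy hunks and in every `calloc (%d, %d) failed` message in the policy.c hunks. check_policy begins before this hunk and continues past it.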
@@ -221,9 +221,9 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) 32 + 1, sizeof (char)); if (principal[1] == NULL) { - log_print ("check_policy: failed to allocate %d bytes", - strlen ("passphrase-md5-hex:") + 33); - goto policydone; + log_error ("check_policy: failed to allocate %d bytes", + strlen ("passphrase-md5-hex:") + 33); + goto policydone; } strcpy (principal[1], "passphrase-md5-hex:"); @@ -236,9 +236,9 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) 32 + 1, sizeof (char)); if (principal[2] == NULL) { - log_print ("check_policy: failed to allocate %d bytes", - strlen ("passphrase-sha1-hex:") + 33); - goto policydone; + log_error ("check_policy: failed to allocate %d bytes", + strlen ("passphrase-sha1-hex:") + 33); + goto policydone; } strcpy (principal[2], "passphrase-sha1-hex:"); @@ -255,7 +255,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) principal = calloc (nprinc, sizeof(*principal)); if (principal == NULL) { - log_print ("check_policy: failed to allocate %d bytes", + log_error ("check_policy: failed to allocate %d bytes", nprinc * sizeof(*principal)); goto policydone; } @@ -264,7 +264,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) principal[0] = strdup (isakmp_sa->recv_key); if (principal[0] == NULL) { - log_print ("check_policy: failed to allocate %d bytes", + log_error ("check_policy: failed to allocate %d bytes", strlen (isakmp_sa->recv_key)); goto policydone; } @@ -283,7 +283,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) principal = calloc (2, sizeof(*principal)); if (principal == NULL) { - log_print ("check_policy: failed to get memory for principal"); + log_error ("check_policy: failed to get memory for principal"); goto policydone; } 
@@ -310,7 +310,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) sizeof (char)); if (principal[1] == NULL) { - log_print ("check_policy: failed to allocate memory for principal"); + log_error ("check_policy: failed to allocate memory for principal"); LC (RSA_free, (key)); goto policydone; } @@ -329,7 +329,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) principal[1] = calloc (259, sizeof (char)); if (principal[1] == NULL) { - log_print ("check_policy: failed to allocate memory for principal[1]"); + log_error ("check_policy: failed to allocate memory for principal[1]"); LC (RSA_free, (key)); goto policydone; } @@ -366,7 +366,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) */ for (i = 0; i < nprinc; i++) { - LOG_DBG ((LOG_MISC, 40, "check_policy: adding authorizer [%s]", + LOG_DBG ((LOG_POLICY, 40, "check_policy: adding authorizer [%s]", principal[i])); if (LK (kn_add_authorizer, (isakmp_sa->policy_id, principal[i])) == -1) @@ -383,7 +383,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) /* Ask policy */ result = LK (kn_do_query, (isakmp_sa->policy_id, return_values, RETVALUES_NUM)); - LOG_DBG ((LOG_MISC, 40, "check_policy: kn_do_query returned %d", result)); + LOG_DBG ((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", result)); /* Cleanup environment */ LK (kn_cleanup_action_environment, (isakmp_sa->policy_id)); @@ -402,7 +402,7 @@ check_policy (struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) /* Check what policy said. */ if (result < 0) { - LOG_DBG ((LOG_MISC, 40, "check_policy: proposal refused")); + LOG_DBG ((LOG_POLICY, 40, "check_policy: proposal refused")); result = 0; goto policydone; } 
@@ -880,8 +880,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg) id = ipsec_build_id (local_id, &sz); if (!id) return -1; - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDic", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); @@ -891,8 +891,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg) id = ipsec_build_id (remote_id, &sz); if (!id) return -1; - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDrc", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); @@ -933,8 +933,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg) encode_32 (id + ISAKMP_ID_DATA_OFF, ntohl (((struct sockaddr_in *)src)->sin_addr.s_addr)); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDic", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); @@ -945,8 +945,8 @@ initiator_send_HASH_SA_NONCE (struct message *msg) id = ipsec_build_id (remote_id, &sz); if (!id) return -1; - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDrc", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); 
@@ -1027,29 +1027,30 @@ initiator_recv_HASH_SA_NONCE (struct message *msg) socklen_t srclen, dstlen; /* Allocate the prf and start calculating our HASH(1). XXX Share? */ - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: SKEYID_a", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: SKEYID_a", isa->skeyid_a, isa->skeyid_len)); prf = prf_alloc (isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len); if (!prf) return -1; prf->Init (prf->prfctx); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: message_id", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, + "initiator_recv_HASH_SA_NONCE: message_id", exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_recv_HASH_SA_NONCE: NONCE_I_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); rest = hashp->p + GET_ISAKMP_GEN_LENGTH (hashp->p); rest_len = (GET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base) - (rest - (u_int8_t*)msg->iov[0].iov_base)); - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest, rest_len)); prf->Update (prf->prfctx, rest, rest_len); prf->Final (hash->digest, prf->prfctx); prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 80, + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, "initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest, hashsize)); if (memcmp (hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize) != 0) @@ -1102,7 +1103,7 @@ initiator_recv_HASH_SA_NONCE (struct message *msg) } memcpy (ie->id_ci, idp->p, ie->id_ci_sz); idp->flags |= PL_MARK; - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDci", ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); 
@@ -1118,7 +1119,7 @@ initiator_recv_HASH_SA_NONCE (struct message *msg) } memcpy (ie->id_cr, idp->p, ie->id_cr_sz); idp->flags |= PL_MARK; - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDcr", ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); @@ -1257,25 +1258,25 @@ initiator_send_HASH (struct message *msg) } /* Allocate the prf and start calculating our HASH(3). XXX Share? */ - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: SKEYID_a", isa->skeyid_a, - isa->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a", + isa->skeyid_a, isa->skeyid_len)); prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len); if (!prf) return -1; prf->Init (prf->prfctx); prf->Update (prf->prfctx, "\0", 1); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: message_id", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id", exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: NONCE_I_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: NONCE_R_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b", exchange->nonce_r, exchange->nonce_r_len)); prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); prf->Final (buf + ISAKMP_GEN_SZ, prf->prfctx); prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH: HASH(3)", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)", buf + ISAKMP_GEN_SZ, hashsize)); if (ie->group) 
@@ -1353,7 +1354,7 @@ post_quick_mode (struct message *msg) if (keymat != iproto->keymat[i]) { /* Hash in last round's KEYMAT. */ - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: last KEYMAT", keymat - prf->blocksize, prf->blocksize)); @@ -1364,29 +1365,30 @@ post_quick_mode (struct message *msg) /* If PFS is used hash in g^xy. */ if (ie->g_xy) { - LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: g^xy", - ie->g_xy, ie->g_x_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, + "post_quick_mode: g^xy", ie->g_xy, + ie->g_x_len)); prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len); } - LOG_DBG ((LOG_MISC, 90, + LOG_DBG ((LOG_NEGOTIATION, 90, "post_quick_mode: suite %d proto %d", proto->no, proto->proto)); prf->Update (prf->prfctx, &proto->proto, 1); - LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: SPI", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: SPI", proto->spi[i], proto->spi_sz[i])); prf->Update (prf->prfctx, proto->spi[i], proto->spi_sz[i]); - LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: Ni_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b", exchange->nonce_i, exchange->nonce_i_len)); prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: Nr_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b", exchange->nonce_r, exchange->nonce_r_len)); prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); prf->Final (keymat, prf->prfctx); } prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 90, "post_quick_mode: KEYMAT", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT", iproto->keymat[i], ie->keymat_len)); } } 
@@ -1442,16 +1444,17 @@ responder_recv_HASH_SA_NONCE (struct message *msg) * Check the payload's integrity. * XXX Share with ipsec_fill_in_hash? */ - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH_SA_NONCE: SKEYID_a", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: SKEYID_a", isa->skeyid_a, isa->skeyid_len)); prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len); if (!prf) goto cleanup; prf->Init (prf->prfctx); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH_SA_NONCE: message_id", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, + "responder_recv_HASH_SA_NONCE: message_id", exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message after HASH", hash + hash_len, msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len)); @@ -1459,7 +1462,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg) msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); prf->Final (my_hash, prf->prfctx); prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash, hash_len - ISAKMP_GEN_SZ)); if (memcmp (hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0) @@ -1496,7 +1499,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg) } memcpy (ie->id_ci, idp->p, ie->id_ci_sz); idp->flags |= PL_MARK; - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDci", ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); @@ -1512,7 +1515,7 @@ responder_recv_HASH_SA_NONCE (struct message *msg) } memcpy (ie->id_cr, idp->p, ie->id_cr_sz); idp->flags |= PL_MARK; - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDcr", ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); 
@@ -1756,8 +1759,8 @@ responder_send_HASH_SA_NONCE (struct message *msg) return -1; } memcpy (id, ie->id_ci, sz); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: IDic", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDic", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); @@ -1772,8 +1775,8 @@ responder_send_HASH_SA_NONCE (struct message *msg) return -1; } memcpy (id, ie->id_cr, sz); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: IDrc", id, - sz)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDrc", + id, sz)); if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { free (id); @@ -1782,18 +1785,19 @@ responder_send_HASH_SA_NONCE (struct message *msg) } /* Allocate the prf and start calculating our HASH(2). XXX Share? */ - LOG_DBG ((LOG_MISC, 95, "responder_recv_HASH: isakmp_sa %p isa %p", + LOG_DBG ((LOG_NEGOTIATION, 95, "responder_recv_HASH: isakmp_sa %p isa %p", isakmp_sa, isa)); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: SKEYID_a", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: SKEYID_a", isa->skeyid_a, isa->skeyid_len)); prf = prf_alloc (isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len); if (!prf) return -1; prf->Init (prf->prfctx); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: message_id", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, + "responder_send_HASH_SA_NONCE: message_id", exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_send_HASH_SA_NONCE: NONCE_I_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); 
@@ -1804,7 +1808,7 @@ responder_send_HASH_SA_NONCE (struct message *msg) snprintf (header, 80, "responder_send_HASH_SA_NONCE: payload %d after HASH(2)", i - 1); - LOG_DBG_BUF ((LOG_MISC, 90, header, msg->iov[i].iov_base, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base, msg->iov[i].iov_len)); prf->Update (prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len); } @@ -1812,7 +1816,8 @@ responder_send_HASH_SA_NONCE (struct message *msg) prf_free (prf); snprintf (header, 80, "responder_send_HASH_SA_NONCE: HASH_%c", initiator ? 'I' : 'R'); - LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF, + hashsize)); if (ie->group) message_register_post_send (msg, gen_g_xy); @@ -1839,7 +1844,7 @@ gen_g_xy (struct message *msg) log_print ("gen_g_xy: dh_create_shared failed"); return; } - LOG_DBG_BUF ((LOG_MISC, 80, "gen_g_xy: g^xy", ie->g_xy, ie->g_x_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, ie->g_x_len)); } static int 
@@ -1867,27 +1872,27 @@ responder_recv_HASH (struct message *msg) } /* Allocate the prf and start calculating our HASH(3). XXX Share? */ - LOG_DBG ((LOG_MISC, 95, "responder_recv_HASH: isakmp_sa %p isa %p", + LOG_DBG ((LOG_NEGOTIATION, 95, "responder_recv_HASH: isakmp_sa %p isa %p", isakmp_sa, isa)); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: SKEYID_a", isa->skeyid_a, - isa->skeyid_len)); + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a", + isa->skeyid_a, isa->skeyid_len)); prf = prf_alloc (isa->prf_type, isa->hash, isa->skeyid_a, isa->skeyid_len); if (!prf) goto cleanup; prf->Init (prf->prfctx); prf->Update (prf->prfctx, "\0", 1); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: message_id", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id", exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: NONCE_I_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_HASH: NONCE_R_b", + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b", exchange->nonce_r, exchange->nonce_r_len)); prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); prf->Final (my_hash, prf->prfctx); prf_free (prf); - LOG_DBG_BUF ((LOG_MISC, 90, + LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "responder_recv_HASH: computed HASH(3)", my_hash, hash_len - ISAKMP_GEN_SZ)); if (memcmp (hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) != 0) diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8 index 826292c6f56..838f4bca2b9 100644 --- a/sbin/isakmpd/isakmpd.8 +++ b/sbin/isakmpd/isakmpd.8 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.20 2000/12/12 05:01:01 todd Exp $
+.\" $OpenBSD: isakmpd.8,v 1.21 2001/03/13 14:05:18 ho Exp $
 .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
 .\"
 .\" Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -136,6 +136,10 @@ Sysdep
 SA
 .It 7
 Exchange
+.It 8
+Negotiation
+.It 9
+Policy
 .It A
 All
 .El
diff --git a/sbin/isakmpd/log.h b/sbin/isakmpd/log.h
index b8ea6ec5fe8..e67df75a450 100644
--- a/sbin/isakmpd/log.h
+++ b/sbin/isakmpd/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.8 2000/04/07 22:05:08 niklas Exp $ */
+/* $OpenBSD: log.h,v 1.9 2001/03/13 14:05:18 ho Exp $ */
 /* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */
 
 /*
@@ -48,10 +48,11 @@ enum log_classes {
 LOG_MISC, LOG_TRANSPORT, LOG_MESSAGE, LOG_CRYPTO, LOG_TIMER, LOG_SYSDEP,
- LOG_SA, LOG_EXCHANGE, LOG_ENDCLASS
+ LOG_SA, LOG_EXCHANGE, LOG_NEGOTIATION, LOG_POLICY, LOG_ENDCLASS
 };
 #define LOG_CLASSES_TEXT \
- { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch" }
+ { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch", "Negt", \
+ "Plcy" }
 
 /*
 * "Class" LOG_REPORT will always be logged to the current log channel,
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index a4c10659d49..df34abc0132 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.36 2001/01/27 12:03:34 niklas Exp $ */
+/* $OpenBSD: message.c,v 1.37 2001/03/13 14:05:19 ho Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 
 /*
@@ -1662,7 +1662,7 @@ message_negotiate_sa (struct message *msg,
 - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
 exchange->doi->is_attribute_incompatible, msg))
 {
- LOG_DBG ((LOG_MESSAGE, 30,
+ LOG_DBG ((LOG_NEGOTIATION, 30,
 "message_negotiate_sa: "
 "transform %d proto %d proposal %d ok",
 GET_ISAKMP_TRANSFORM_NO (tp->p),
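Review bot: `enum log_classes` and `LOG_CLASSES_TEXT` in the log.h hunk are two parallel lists that have to be extended in lock-step, and the digits in the isakmpd.8 table (8 Negotiation, 9 Policy) are the enum positions as well; the commit gets all three right but leaves nothing to warn whoever adds the next class. Suggest `/* Keep in the same order as LOG_CLASSES_TEXT below and the class table in isakmpd.8. */` above the enum and `/* One entry per log_classes value, same order; LOG_ENDCLASS is the count. */` on the #define. Since the text table is presumably indexed by class value when a debug line is formatted, a count mismatch would read past the array rather than fail to compile, which is why the comment is worth having.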
@@ -1692,7 +1692,7 @@ message_negotiate_sa (struct message *msg, { if (!suite_ok_so_far) { - LOG_DBG ((LOG_MESSAGE, 30, + LOG_DBG ((LOG_NEGOTIATION, 30, "message_negotiate_sa: proto %d proposal %d failed", GET_ISAKMP_PROP_PROTO (propp->p), GET_ISAKMP_PROP_NO (propp->p))); @@ -1725,7 +1725,7 @@ message_negotiate_sa (struct message *msg, { if (!validate || validate (exchange, sa, msg->isakmp_sa)) { - LOG_DBG ((LOG_MESSAGE, 30, + LOG_DBG ((LOG_NEGOTIATION, 30, "message_negotiate_sa: proposal %d succeeded", GET_ISAKMP_PROP_NO (propp->p))); @@ -1738,7 +1738,7 @@ message_negotiate_sa (struct message *msg, else { /* Backtrack. */ - LOG_DBG ((LOG_MESSAGE, 30, + LOG_DBG ((LOG_NEGOTIATION, 30, "message_negotiate_sa: proposal %d failed", GET_ISAKMP_PROP_NO (propp->p))); next_tp = saved_tp; diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c index a4bd3fe5b11..91b60f9d7de 100644 --- a/sbin/isakmpd/policy.c +++ b/sbin/isakmpd/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.23 2001/03/07 07:36:34 angelos Exp $ */ +/* $OpenBSD: policy.c,v 1.24 2001/03/13 14:05:19 ho Exp $ */ /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ /* @@ -676,9 +676,9 @@ policy_callback (char *name) remote_id = strdup (remote_id_addr_upper); if (!remote_id) { - log_print ("policy_callback: strdup (\"%s\") failed", - remote_id_addr_upper); - goto bad; + log_error ("policy_callback: strdup (\"%s\") failed", + remote_id_addr_upper); + goto bad; } break; @@ -696,11 +696,11 @@ policy_callback (char *name) sizeof (char)); if (!remote_id) { - log_print ("policy_callback: calloc (%d, %d) failed", - strlen (remote_id_addr_upper) - + strlen (remote_id_addr_lower) + 2, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + strlen (remote_id_addr_upper) + + strlen (remote_id_addr_lower) + 2, + sizeof (char)); + goto bad; } strcpy (remote_id, remote_id_addr_lower); 
@@ -725,11 +725,11 @@ policy_callback (char *name) sizeof (char)); if (!remote_id) { - log_print ("policy_callback: calloc (%d, %d) failed", - strlen (remote_id_addr_upper) - + strlen (remote_id_addr_lower) + 2, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + strlen (remote_id_addr_upper) + + strlen (remote_id_addr_lower) + 2, + sizeof (char)); + goto bad; } strcpy (remote_id, remote_id_addr_lower); @@ -759,10 +759,10 @@ policy_callback (char *name) sizeof (char)); if (!remote_id) { - log_print ("policy_callback: calloc (%d, %d) failed", - id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, + sizeof (char)); + goto bad; } memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); @@ -774,10 +774,10 @@ policy_callback (char *name) sizeof (char)); if (!remote_id) { - log_print ("policy_callback: calloc (%d, %d) failed", - id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, + sizeof (char)); + goto bad; } memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 
@@ -796,15 +796,15 @@ policy_callback (char *name)
 remote_id = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, sizeof (char));
 if (!remote_id)
 {
- log_print ("policy_callback: calloc (%d, %d) failed",
- 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
+ sizeof (char));
+ goto bad;
 }
 for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++)
 {
- remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
- remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
+ remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
+ remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
 }
 break;
 
@@ -871,9 +871,9 @@ policy_callback (char *name)
 remote_filter = strdup (remote_filter_addr_upper);
 if (!remote_filter)
 {
- log_print ("policy_callback: strdup (\"%s\") failed",
- remote_filter_addr_upper);
- goto bad;
+ log_error ("policy_callback: strdup (\"%s\") failed",
+ remote_filter_addr_upper);
+ goto bad;
 }
 break;
 
@@ -891,11 +891,11 @@ policy_callback (char *name)
 sizeof (char));
 if (!remote_filter)
 {
- log_print ("policy_callback: calloc (%d, %d) failed",
- strlen (remote_filter_addr_upper)
- + strlen (remote_filter_addr_lower) + 2,
- sizeof (char));
- goto bad;
+ log_error ("policy_callback: calloc (%d, %d) failed",
+ strlen (remote_filter_addr_upper)
+ + strlen (remote_filter_addr_lower) + 2,
+ sizeof (char));
+ goto bad;
 }
 strcpy (remote_filter, remote_filter_addr_lower);
 remote_filter[strlen (remote_filter_addr_lower)] = '-';
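Review bot: The re-indented hex loop in policy_callback still never uses `i` on the right-hand side: `hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]` reads the same first byte on every pass, so remote_id ends up as that one byte's hex digits repeated rather than the hex form of the identity. The lines the loop evidently means are `remote_id[2 * i] = hextab[id[ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i] >> 4];` and `remote_id[2 * i + 1] = hextab[id[ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i] & 0xF];`. If this string is what the KeyNote assertions match the peer identity against, policy clauses written for a hex-encoded identity would never match as written, which fails silently rather than loudly; and if `id` is a plain `char *` rather than an unsigned byte pointer, `>> 4` of a negative byte indexes hextab below zero, so an `unsigned char` cast would be prudent. The same missing `i` is in the remote_filter loop of the `@@ -989,13 +989,15 @@` hunk (`*(idremote + ISAKMP_ID_DATA_OFF)`). policy_callback starts well before this hunk and ends after it.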
@@ -919,11 +919,11 @@ policy_callback (char *name) sizeof (char)); if (!remote_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - strlen (remote_filter_addr_upper) - + strlen (remote_filter_addr_lower) + 2, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + strlen (remote_filter_addr_upper) + + strlen (remote_filter_addr_lower) + 2, + sizeof (char)); + goto bad; } strcpy (remote_filter, remote_filter_addr_lower); remote_filter[strlen (remote_filter_addr_lower)] = '-'; @@ -952,10 +952,10 @@ policy_callback (char *name) sizeof (char)); if (!remote_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - idremotesz - ISAKMP_ID_DATA_OFF + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + idremotesz - ISAKMP_ID_DATA_OFF + 1, + sizeof (char)); + goto bad; } memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, idremotesz); @@ -967,10 +967,10 @@ policy_callback (char *name) sizeof (char)); if (!remote_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - idremotesz - ISAKMP_ID_DATA_OFF + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + idremotesz - ISAKMP_ID_DATA_OFF + 1, + sizeof (char)); + goto bad; } memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, idremotesz); 
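Review bot: The `memcpy` at the end of the -952 hunk copies `idremotesz` bytes into `remote_filter`, but the allocation reported by the new `log_error` message is `idremotesz - ISAKMP_ID_DATA_OFF + 1` bytes, so the copy writes `ISAKMP_ID_DATA_OFF - 1` bytes past the end of the heap buffer and reads the same amount past the end of the ID payload (assuming the logged size matches the `calloc` argument just above the hunk). The length should be `memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, idremotesz - ISAKMP_ID_DATA_OFF);`, consistent with how the `remote_id` case earlier in this function copies exactly `id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ`. The USER_FQDN hunk at -967 directly below has the identical copy and needs the same fix. Since `idremote` is presumably the identity received from the peer, this looks reachable remotely; policy_callback extends beyond the hunk.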
@@ -989,13 +989,15 @@ policy_callback (char *name) remote_filter = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); if (!remote_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, + sizeof (char)); + goto bad; } for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) { - remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; - remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; + remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4]; + remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF]; } break; @@ -1022,7 +1024,8 @@ policy_callback (char *name) #endif default: - sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]); + sprintf (remote_filter_proto_num, "%2d", + idremote[ISAKMP_GEN_SZ + 1]); remote_filter_proto = remote_filter_proto_num; break; } @@ -1044,9 +1047,9 @@ policy_callback (char *name) remote_filter = strdup (remote_filter_addr_upper); if (!remote_filter) { - log_print ("policy_callback: strdup (\"%s\") failed", - remote_filter_addr_upper); - goto bad; + log_error ("policy_callback: strdup (\"%s\") failed", + remote_filter_addr_upper); + goto bad; } } @@ -1065,9 +1068,9 @@ policy_callback (char *name) local_filter = strdup (local_filter_addr_upper); if (!local_filter) { - log_print ("policy_callback: strdup (\"%s\") failed", - local_filter_addr_upper); - goto bad; + log_error ("policy_callback: strdup (\"%s\") failed", + local_filter_addr_upper); + goto bad; } break; 
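Review bot: As in the `remote_id` case earlier in this function, the hex loop in the -989 hunk indexes `*(idremote + ISAKMP_ID_DATA_OFF)` without `i` on both lines, so `remote_filter` is the first ID byte repeated rather than the encoded identity; the commit only reflowed the two lines. They should be `remote_filter[2 * i] = hextab[idremote[ISAKMP_ID_DATA_OFF + i] >> 4];` and `remote_filter[2 * i + 1] = hextab[idremote[ISAKMP_ID_DATA_OFF + i] & 0xF];`. policy_callback starts and ends outside the hunk.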
@@ -1085,11 +1088,11 @@ policy_callback (char *name) sizeof (char)); if (!local_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - strlen (local_filter_addr_upper) - + strlen (local_filter_addr_lower) + 2, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + strlen (local_filter_addr_upper) + + strlen (local_filter_addr_lower) + 2, + sizeof (char)); + goto bad; } strcpy (local_filter, local_filter_addr_lower); local_filter[strlen (local_filter_addr_lower)] = '-'; @@ -1113,11 +1116,11 @@ policy_callback (char *name) sizeof (char)); if (!local_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - strlen (local_filter_addr_upper) - + strlen (local_filter_addr_lower) + 2, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + strlen (local_filter_addr_upper) + + strlen (local_filter_addr_lower) + 2, + sizeof (char)); + goto bad; } strcpy (local_filter, local_filter_addr_lower); local_filter[strlen (local_filter_addr_lower)] = '-'; @@ -1146,10 +1149,10 @@ policy_callback (char *name) sizeof (char)); if (!local_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - idlocalsz - ISAKMP_ID_DATA_OFF + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + idlocalsz - ISAKMP_ID_DATA_OFF + 1, + sizeof (char)); + goto bad; } memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, idlocalsz); @@ -1161,10 +1164,10 @@ policy_callback (char *name) sizeof (char)); if (!local_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", - idlocalsz - ISAKMP_ID_DATA_OFF + 1, - sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + idlocalsz - ISAKMP_ID_DATA_OFF + 1, + sizeof (char)); + goto bad; } memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, idlocalsz); 
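Review bot: Same overrun as on the remote side: in the -1146 hunk `memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, idlocalsz);` copies `idlocalsz` bytes while the allocation logged just above it is `idlocalsz - ISAKMP_ID_DATA_OFF + 1` bytes, overflowing the heap buffer by `ISAKMP_ID_DATA_OFF - 1` bytes (assuming the logged size matches the `calloc` argument above the hunk). Use `idlocalsz - ISAKMP_ID_DATA_OFF` as the copy length; the USER_FQDN hunk at -1161 below is identical. policy_callback extends beyond the hunk.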
@@ -1183,13 +1186,15 @@ policy_callback (char *name) local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); if (!local_filter) { - log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char)); - goto bad; + log_error ("policy_callback: calloc (%d, %d) failed", + 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, + sizeof (char)); + goto bad; } for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++) { - local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; - local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; + local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4]; + local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF]; } break; @@ -1216,7 +1221,8 @@ policy_callback (char *name) #endif default: - sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]); + sprintf (local_filter_proto_num, "%2d", + idlocal[ISAKMP_GEN_SZ + 1]); local_filter_proto = local_filter_proto_num; break; } 
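Review bot: The loop bound in this hunk is wrong: `local_filter` is allocated from `idlocalsz` (per the new `log_error` message) but the loop iterates `i < idremotesz - ISAKMP_ID_DATA_OFF`, so whenever the remote ID is longer than the local one the writes run past the end of `local_filter`, and the body also never indexes by `i`, repeating the first byte of `idlocal`. The three lines should be `for (i = 0; i < idlocalsz - ISAKMP_ID_DATA_OFF; i++)`, `local_filter[2 * i] = hextab[idlocal[ISAKMP_ID_DATA_OFF + i] >> 4];` and `local_filter[2 * i + 1] = hextab[idlocal[ISAKMP_ID_DATA_OFF + i] & 0xF];`. policy_callback extends beyond the hunk.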
@@ -1239,72 +1245,78 @@ policy_callback (char *name) local_filter = strdup (local_filter_addr_upper); if (!local_filter) { - log_print ("policy_callback: strdup (\"%s\") failed", - local_filter_addr_upper); - goto bad; + log_error ("policy_callback: strdup (\"%s\") failed", + local_filter_addr_upper); + goto bad; } } - LOG_DBG ((LOG_SA, 80, "Policy context (action attributes):")); - LOG_DBG ((LOG_SA, 80, "esp_present == %s", esp_present)); - LOG_DBG ((LOG_SA, 80, "ah_present == %s", ah_present)); - LOG_DBG ((LOG_SA, 80, "comp_present == %s", comp_present)); - LOG_DBG ((LOG_SA, 80, "ah_hash_alg == %s", ah_hash_alg)); - LOG_DBG ((LOG_SA, 80, "esp_enc_alg == %s", esp_enc_alg)); - LOG_DBG ((LOG_SA, 80, "comp_alg == %s", comp_alg)); - LOG_DBG ((LOG_SA, 80, "ah_auth_alg == %s", ah_auth_alg)); - LOG_DBG ((LOG_SA, 80, "esp_auth_alg == %s", esp_auth_alg)); - LOG_DBG ((LOG_SA, 80, "ah_life_seconds == %s", ah_life_seconds)); - LOG_DBG ((LOG_SA, 80, "ah_life_kbytes == %s", ah_life_kbytes)); - LOG_DBG ((LOG_SA, 80, "esp_life_seconds == %s", esp_life_seconds)); - LOG_DBG ((LOG_SA, 80, "esp_life_kbytes == %s", esp_life_kbytes)); - LOG_DBG ((LOG_SA, 80, "comp_life_seconds == %s", comp_life_seconds)); - LOG_DBG ((LOG_SA, 80, "comp_life_kbytes == %s", comp_life_kbytes)); - LOG_DBG ((LOG_SA, 80, "ah_encapsulation == %s", ah_encapsulation)); - LOG_DBG ((LOG_SA, 80, "esp_encapsulation == %s", esp_encapsulation)); - LOG_DBG ((LOG_SA, 80, "comp_encapsulation == %s", comp_encapsulation)); - LOG_DBG ((LOG_SA, 80, "comp_dict_size == %s", comp_dict_size)); - LOG_DBG ((LOG_SA, 80, "comp_private_alg == %s", comp_private_alg)); - LOG_DBG ((LOG_SA, 80, "ah_key_length == %s", ah_key_length)); - LOG_DBG ((LOG_SA, 80, "ah_key_rounds == %s", ah_key_rounds)); - LOG_DBG ((LOG_SA, 80, "esp_key_length == %s", esp_key_length)); - LOG_DBG ((LOG_SA, 80, "esp_key_rounds == %s", esp_key_rounds)); - LOG_DBG ((LOG_SA, 80, "ah_group_desc == %s", ah_group_desc)); - LOG_DBG ((LOG_SA, 80, "esp_group_desc == %s", 
esp_group_desc)); - LOG_DBG ((LOG_SA, 80, "comp_group_desc == %s", comp_group_desc)); - LOG_DBG ((LOG_SA, 80, "remote_filter_type == %s", remote_filter_type)); - LOG_DBG ((LOG_SA, 80, "remote_filter_addr_upper == %s", + LOG_DBG ((LOG_POLICY, 80, "Policy context (action attributes):")); + LOG_DBG ((LOG_POLICY, 80, "esp_present == %s", esp_present)); + LOG_DBG ((LOG_POLICY, 80, "ah_present == %s", ah_present)); + LOG_DBG ((LOG_POLICY, 80, "comp_present == %s", comp_present)); + LOG_DBG ((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); + LOG_DBG ((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); + LOG_DBG ((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); + LOG_DBG ((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); + LOG_DBG ((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); + LOG_DBG ((LOG_POLICY, 80, "ah_life_seconds == %s", ah_life_seconds)); + LOG_DBG ((LOG_POLICY, 80, "ah_life_kbytes == %s", ah_life_kbytes)); + LOG_DBG ((LOG_POLICY, 80, "esp_life_seconds == %s", esp_life_seconds)); + LOG_DBG ((LOG_POLICY, 80, "esp_life_kbytes == %s", esp_life_kbytes)); + LOG_DBG ((LOG_POLICY, 80, "comp_life_seconds == %s", comp_life_seconds)); + LOG_DBG ((LOG_POLICY, 80, "comp_life_kbytes == %s", comp_life_kbytes)); + LOG_DBG ((LOG_POLICY, 80, "ah_encapsulation == %s", ah_encapsulation)); + LOG_DBG ((LOG_POLICY, 80, "esp_encapsulation == %s", esp_encapsulation)); + LOG_DBG ((LOG_POLICY, 80, "comp_encapsulation == %s", + comp_encapsulation)); + LOG_DBG ((LOG_POLICY, 80, "comp_dict_size == %s", comp_dict_size)); + LOG_DBG ((LOG_POLICY, 80, "comp_private_alg == %s", comp_private_alg)); + LOG_DBG ((LOG_POLICY, 80, "ah_key_length == %s", ah_key_length)); + LOG_DBG ((LOG_POLICY, 80, "ah_key_rounds == %s", ah_key_rounds)); + LOG_DBG ((LOG_POLICY, 80, "esp_key_length == %s", esp_key_length)); + LOG_DBG ((LOG_POLICY, 80, "esp_key_rounds == %s", esp_key_rounds)); + LOG_DBG ((LOG_POLICY, 80, "ah_group_desc == %s", ah_group_desc)); + LOG_DBG ((LOG_POLICY, 80, "esp_group_desc == 
%s", esp_group_desc)); + LOG_DBG ((LOG_POLICY, 80, "comp_group_desc == %s", comp_group_desc)); + LOG_DBG ((LOG_POLICY, 80, "remote_filter_type == %s", + remote_filter_type)); + LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_upper == %s", remote_filter_addr_upper)); - LOG_DBG ((LOG_SA, 80, "remote_filter_addr_lower == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter_addr_lower == %s", remote_filter_addr_lower)); - LOG_DBG ((LOG_SA, 80, "remote_filter == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter == %s", (remote_filter ? remote_filter : ""))); - LOG_DBG ((LOG_SA, 80, "remote_filter_port == %s", remote_filter_port)); - LOG_DBG ((LOG_SA, 80, "remote_filter_proto == %s", remote_filter_proto)); - LOG_DBG ((LOG_SA, 80, "local_filter_type == %s", local_filter_type)); - LOG_DBG ((LOG_SA, 80, "local_filter_addr_upper == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_filter_port == %s", + remote_filter_port)); + LOG_DBG ((LOG_POLICY, 80, "remote_filter_proto == %s", + remote_filter_proto)); + LOG_DBG ((LOG_POLICY, 80, "local_filter_type == %s", local_filter_type)); + LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_upper == %s", local_filter_addr_upper)); - LOG_DBG ((LOG_SA, 80, "local_filter_addr_lower == %s", + LOG_DBG ((LOG_POLICY, 80, "local_filter_addr_lower == %s", local_filter_addr_lower)); - LOG_DBG ((LOG_SA, 80, "local_filter == %s", + LOG_DBG ((LOG_POLICY, 80, "local_filter == %s", (local_filter ? 
local_filter : ""))); - LOG_DBG ((LOG_SA, 80, "local_filter_port == %s", local_filter_port)); - LOG_DBG ((LOG_SA, 80, "local_filter_proto == %s", local_filter_proto)); - LOG_DBG ((LOG_SA, 80, "remote_id_type == %s", remote_id_type)); - LOG_DBG ((LOG_SA, 80, "remote_id_addr_upper == %s", + LOG_DBG ((LOG_POLICY, 80, "local_filter_port == %s", local_filter_port)); + LOG_DBG ((LOG_POLICY, 80, "local_filter_proto == %s", + local_filter_proto)); + LOG_DBG ((LOG_POLICY, 80, "remote_id_type == %s", remote_id_type)); + LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_upper == %s", remote_id_addr_upper)); - LOG_DBG ((LOG_SA, 80, "remote_id_addr_lower == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_id_addr_lower == %s", remote_id_addr_lower)); - LOG_DBG ((LOG_SA, 80, "remote_id == %s", (remote_id ? remote_id : ""))); - LOG_DBG ((LOG_SA, 80, "remote_id_port == %s", remote_id_port)); - LOG_DBG ((LOG_SA, 80, "remote_id_proto == %s", remote_id_proto)); - LOG_DBG ((LOG_SA, 80, "remote_negotiation_address == %s", + LOG_DBG ((LOG_POLICY, 80, "remote_id == %s", + (remote_id ? remote_id : ""))); + LOG_DBG ((LOG_POLICY, 80, "remote_id_port == %s", remote_id_port)); + LOG_DBG ((LOG_POLICY, 80, "remote_id_proto == %s", remote_id_proto)); + LOG_DBG ((LOG_POLICY, 80, "remote_negotiation_address == %s", remote_ike_address)); - LOG_DBG ((LOG_SA, 80, "local_negotiation_address == %s", + LOG_DBG ((LOG_POLICY, 80, "local_negotiation_address == %s", local_ike_address)); - LOG_DBG ((LOG_SA, 80, "pfs == %s", pfs)); - LOG_DBG ((LOG_SA, 80, "initiator == %s", initiator)); - LOG_DBG ((LOG_SA, 80, "phase1_group_desc == %s", phase1_group)); + LOG_DBG ((LOG_POLICY, 80, "pfs == %s", pfs)); + LOG_DBG ((LOG_POLICY, 80, "initiator == %s", initiator)); + LOG_DBG ((LOG_POLICY, 80, "phase1_group_desc == %s", phase1_group)); /* Unset dirty now. */ dirty = 0; 
@@ -1315,16 +1327,16 @@ policy_callback (char *name) if (strcmp (name, "GMTTimeOfDay") == 0) { - tt = time ((time_t) NULL); - strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); - return mytimeofday; + tt = time ((time_t) NULL); + strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); + return mytimeofday; } if (strcmp (name, "LocalTimeOfDay") == 0) { - tt = time ((time_t) NULL); - strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); - return mytimeofday; + tt = time ((time_t) NULL); + strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); + return mytimeofday; } if (strcmp (name, "initiator") == 0) @@ -1492,7 +1504,7 @@ policy_init (void) struct stat st; int fd, len, i; - LOG_DBG ((LOG_MISC, 50, "policy_init: initializing")); + LOG_DBG ((LOG_POLICY, 30, "policy_init: initializing")); #if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) if (!dyn_load (libkeynote_script)) @@ -1715,7 +1727,8 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, dirname = conf_get_str ("KeyNote", "Credential-directory"); if (!dirname) { - log_print ("keynote_cert_obtain: no Credential-directory"); + LOG_DBG ((LOG_POLICY, 30, + "keynote_cert_obtain: no Credential-directory")); return 0; } @@ -1730,7 +1743,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, file = calloc (len + 15, sizeof(char)); if (file == NULL) { - log_print ("keynote_cert_obtain: failed to allocate %d bytes", + log_error ("keynote_cert_obtain: failed to allocate %d bytes", len + 15); return 0; } @@ -1746,7 +1759,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, file = calloc (len + id_len, sizeof(char)); if (file == NULL) { - log_print ("keynote_cert_obtain: failed to allocate %d bytes", + log_error ("keynote_cert_obtain: failed to allocate %d bytes", len + id_len); return 0; } 
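Review bot: The `strftime` format in both re-indented branches of the -1315 hunk uses `%G`, the ISO 8601 week-based year, which differs from the calendar year around New Year (31 Dec 2001 falls in ISO week 1 of 2002), so `GMTTimeOfDay` and `LocalTimeOfDay` can be a year off for a few days each year, which matters when KeyNote assertions compare them against certificate validity strings. Use `%Y`: `strftime (mytimeofday, 14, "%Y%m%d%H%M%S", gmtime (&tt));` and the same for the `localtime` branch. Note also that a 14-character result plus its terminator needs 15 bytes, so a `maxsize` of 14 makes `strftime` return 0 and leaves termination to whatever `mytimeofday` (declared outside the hunk) already holds; pass `sizeof mytimeofday` and check the return value. policy_callback extends beyond the hunk.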
@@ -1763,7 +1776,8 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, if (stat (file, &sb) < 0) { - log_print ("keynote_cert_obtain: failed to stat \"%s\"", file); + LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to stat \"%s\"", + file)); free (file); return 0; } @@ -1771,7 +1785,7 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, *cert = calloc (sb.st_size, sizeof(char)); if (*cert == NULL) { - log_print ("keynote_cert_obtain: failed to allocate %d bytes", + log_error ("keynote_cert_obtain: failed to allocate %d bytes", sb.st_size); free (file); return 0; @@ -1780,15 +1794,16 @@ keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, fd = open (file, O_RDONLY, 0); if (fd < 0) { - log_print ("keynote_cert_obtain: failed to open \"%s\"", file); + LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to open \"%s\"", + file)); free (file); return 0; } if (read (fd, *cert, sb.st_size) != sb.st_size) { - log_print ("keynote_cert_obtain: failed to read %d bytes from \"%s\"", - sb.st_size, file); + LOG_DBG ((LOG_POLICY, 30, "keynote_cert_obtain: failed to read %d " + "bytes from \"%s\"", sb.st_size, file)); free (file); close (fd); return 0; diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index b8b09d85df2..1155fb2ec9a 100644 --- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.42 2001/02/23 15:29:55 angelos Exp $ */ +/* $OpenBSD: x509.c,v 1.43 2001/03/13 14:05:19 ho Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -120,7 +120,7 @@ x509_generate_kn (X509 *cert) char *timecomp, *timecomp2; int i; - LOG_DBG ((LOG_CRYPTO, 90, + LOG_DBG ((LOG_POLICY, 90, "x509_generate_kn: generating KeyNote policy for certificate %p", cert)); 
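Review bot: Both failure paths in the -1780 hunk leak `*cert`: it is allocated with `calloc (sb.st_size, ...)` in the hunk just above, and neither the `open` failure nor the short-read branch frees or resets it, so the caller gets a 0 return together with a non-NULL out-parameter. Add `free (*cert); *cert = NULL;` before `free (file)` on both paths. Separately, the new debug message passes `sb.st_size` (an `off_t`) to `%d`, as does the `log_error` in the preceding hunk; cast it, e.g. `(long long) sb.st_size` with `%lld`, or the logged size is garbled where `off_t` is wider than `int`. The size also comes from a `stat` taken before the `open`, so a file that changes in between is only caught as a length mismatch here, which is acceptable but deserves a comment. keynote_cert_obtain extends beyond the hunk.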
@@ -133,7 +133,8 @@ x509_generate_kn (X509 *cert) if (!x509_cert_get_key (cert, &key)) { - log_print ("x509_generate_kn: failed to get public key from cert"); + LOG_DBG ((LOG_POLICY, 30, + "x509_generate_kn: failed to get public key from cert")); return 0; } @@ -145,13 +146,13 @@ x509_generate_kn (X509 *cert) { log_print ("x509_generate_kn: failed to get memory for public key"); LC (RSA_free, (key)); - log_print ("x509_generate_kn: cannot get subject key"); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key")); return 0; } if (!ikey) { LC (RSA_free, (key)); - log_print ("x509_generate_kn: cannot get subject key"); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get subject key")); return 0; } LC (RSA_free, (key)); @@ -167,7 +168,8 @@ x509_generate_kn (X509 *cert) X509_LU_X509) { LC (X509_STORE_CTX_cleanup, (&csc)); - log_print ("x509_generate_kn: no certificate found for issuer"); + LOG_DBG ((LOG_POLICY, 30, + "x509_generate_kn: no certificate found for issuer")); return 0; } } @@ -177,15 +179,16 @@ x509_generate_kn (X509 *cert) if (icert == NULL) { - log_print ("x509_generate_kn: " - "missing certificates, cannot construct X509 chain"); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: " + "missing certificates, cannot construct X509 chain")); free (ikey); return 0; } if (!x509_cert_get_key (icert, &key)) { - log_print ("x509_generate_kn: failed to get public key from cert"); + LOG_DBG ((LOG_POLICY, 30, + "x509_generate_kn: failed to get public key from cert")); free (ikey); return 0; } @@ -201,7 +204,7 @@ x509_generate_kn (X509 *cert) log_error ("x509_generate_kn: failed to get memory for public key"); free (ikey); LC (RSA_free, (key)); - log_print ("x509_generate_kn: cannot get issuer key"); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key")); return 0; } 
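Review bot: The -145 hunk reports an allocation failure twice and inconsistently: the context line keeps `log_print ("x509_generate_kn: failed to get memory for public key")` while the same condition on the issuer path (hunk at -201 below) uses `log_error`, and each is then followed by a second, misleading "cannot get subject key" / "cannot get issuer key" debug message. Use `log_error` for the allocation failure here, matching the issuer path, and drop the duplicate `LOG_DBG` line so an out-of-memory condition is not read as a bad certificate. x509_generate_kn extends beyond the hunk.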
@@ -209,7 +212,7 @@ x509_generate_kn (X509 *cert) { free (ikey); LC (RSA_free, (key)); - log_print ("x509_generate_kn: cannot get issuer key"); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer key")); return 0; } LC (RSA_free, (key)); @@ -249,12 +252,12 @@ x509_generate_kn (X509 *cert) { if (tm->data[i] < '0' || tm->data[i] > '9') { - log_error ("x509_generate_kn: invalid data in " - "NotValidBefore time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid data in " + "NotValidBefore time field")); + free (ikey); + free (skey); + free (buf); + return 0; } } @@ -262,9 +265,8 @@ x509_generate_kn (X509 *cert) { if ((tm->length < 10) || (tm->length > 13)) { - log_error ("x509_generate_kn: " - "invalid length of NotValidBefore time field (%d)", - tm->length); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length " + "of NotValidBefore time field (%d)", tm->length)); free (ikey); free (skey); free (buf); @@ -282,12 +284,12 @@ x509_generate_kn (X509 *cert) (tm->data[6] == '2' && tm->data[7] > '3') || (tm->data[8] > '5')) { - log_error ("x509_generate_kn: invalid value in " - "NotValidBefore time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " + "NotValidBefore time field")); + free (ikey); + free (skey); + free (buf); + return 0; } /* Stupid UTC tricks */ @@ -300,9 +302,8 @@ x509_generate_kn (X509 *cert) { /* V_ASN1_GENERICTIME */ if ((tm->length < 12) || (tm->length > 15)) { - log_error ("x509_generate_kn: " - "invalid length of NotValidBefore time field (%d)", - tm->length); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of " + "NotValidBefore time field (%d)", tm->length)); free (ikey); free (skey); free (buf); 
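Review bot: After the -249 through -300 hunks, a certificate whose NotValidBefore field is malformed is rejected (`return 0`) with no trace unless LOG_POLICY debugging is enabled at level 30, so an operator whose peer presents such a certificate sees only a failed negotiation; since this condition is rare and indicates either a broken CA or a hostile peer, consider one `log_print` at the point of rejection, or at least document in isakmpd.8 which debug class and level exposes these messages. A second, smaller point: every rejection branch repeats `free (ikey); free (skey); free (buf); return 0;`, and the whole validation is duplicated for NotValidAfter further down, which makes it easy for a later edit to lose one of the frees; a single cleanup label for the validity checks, or a small static helper that validates one ASN1_TIME and takes the field name for its messages, would remove that risk. x509_generate_kn extends beyond the hunk, and some of the value checks begin above it.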
@@ -320,12 +321,12 @@ x509_generate_kn (X509 *cert) (tm->data[8] == '2' && tm->data[9] > '3') || (tm->data[10] > '5')) { - log_error ("x509_generate_kn: invalid value in " - "NotValidBefore time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " + "NotValidBefore time field")); + free (ikey); + free (skey); + free (buf); + return 0; } sprintf(before, "%s", tm->data); @@ -365,12 +366,12 @@ x509_generate_kn (X509 *cert) { if (tm->data[i] < '0' || tm->data[i] > '9') { - log_error ("x509_generate_kn: invalid data in " - "NotValidAfter time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid data in " + "NotValidAfter time field")); + free (ikey); + free (skey); + free (buf); + return 0; } } @@ -378,9 +379,8 @@ x509_generate_kn (X509 *cert) { if ((tm->length < 10) || (tm->length > 13)) { - log_error ("x509_generate_kn: " - "invalid length of NotValidAfter time field (%d)", - tm->length); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of " + "NotValidAfter time field (%d)", tm->length)); free (ikey); free (skey); free (buf); @@ -398,12 +398,12 @@ x509_generate_kn (X509 *cert) (tm->data[6] == '2' && tm->data[7] > '3') || (tm->data[8] > '5')) { - log_error ("x509_generate_kn: invalid value in " - "NotValidAfter time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " + "NotValidAfter time field")); + free (ikey); + free (skey); + free (buf); + return 0; } /* Stupid UTC tricks */ 
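Review bot: The context line `sprintf(before, "%s", tm->data);` at the end of the -320 hunk copies the time with `%s`, relying on `tm->data` being NUL-terminated rather than on the `tm->length` bound (12 to 15 bytes) that the preceding checks just validated, and with no bound on `before`, whose declaration is outside the hunk. Prefer a length-limited copy such as `snprintf (before, sizeof before, "%.*s", (int) tm->length, tm->data);` (adjusting the size expression if `before` is a pointer), which also guarantees that exactly the validated bytes are copied. The corresponding `sprintf(after, "%s", tm->data);` after the NotValidAfter checks has the same issue. x509_generate_kn extends beyond the hunk.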
@@ -416,9 +416,8 @@ x509_generate_kn (X509 *cert) { /* V_ASN1_GENERICTIME */ if ((tm->length < 12) || (tm->length > 15)) { - log_error ("x509_generate_kn: " - "invalid length of NotValidAfter time field (%d)", - tm->length); + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid length of " + "NotValidAfter time field (%d)", tm->length)); free (ikey); free (skey); free (buf); @@ -436,12 +435,12 @@ x509_generate_kn (X509 *cert) (tm->data[8] == '2' && tm->data[9] > '3') || (tm->data[10] > '5')) { - log_error ("x509_generate_kn: invalid value in " - "NotValidAfter time field"); - free (ikey); - free (skey); - free (buf); - return 0; + LOG_DBG ((LOG_POLICY, 30, "x509_generate_kn: invalid value in " + "NotValidAfter time field")); + free (ikey); + free (skey); + free (buf); + return 0; } sprintf(after, "%s", tm->data); @@ -464,7 +463,8 @@ x509_generate_kn (X509 *cert) if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf), ASSERT_FLAG_LOCAL)) == -1) { - log_error ("x509_generate_kn: failed to add new KeyNote credential"); + LOG_DBG ((LOG_POLICY, 30, + "x509_generate_kn: failed to add new KeyNote credential")); free (buf); return 0; } @@ -475,13 +475,15 @@ x509_generate_kn (X509 *cert) if (!LC (X509_NAME_oneline, (issuer, isname, 256))) { - log_print ("x509_generate_kn: X509_NAME_oneline (issuer, ...) failed"); + LOG_DBG ((LOG_POLICY, 50, + "x509_generate_kn: X509_NAME_oneline (issuer, ...) failed")); return 0; } if (!LC (X509_NAME_oneline, (subject, subname, 256))) { - log_print ("x509_generate_kn: X509_NAME_oneline (subject, ...) failed"); + LOG_DBG ((LOG_POLICY, 50, + "x509_generate_kn: X509_NAME_oneline (subject, ...) failed")); return 0; } 
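Review bot: In the -475 hunk, `X509_NAME_oneline (issuer, isname, 256)` and the matching subject call silently truncate distinguished names longer than 255 characters, and the truncated strings are what the assertion text built below is keyed on, so two certificates whose DNs differ only beyond that point produce identical policy names. Either treat a full buffer as an error, e.g. `if (strlen (isname) >= 255) { LOG_DBG ((LOG_POLICY, 50, "x509_generate_kn: issuer name truncated")); return 0; }`, or pass `NULL, 0` so OpenSSL allocates the full string and free it afterwards. x509_generate_kn extends beyond the hunk.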
@@ -499,12 +501,13 @@ x509_generate_kn (X509 *cert) if (LK (kn_add_assertion, (keynote_sessid, buf, strlen (buf), ASSERT_FLAG_LOCAL)) == -1) { - log_error ("x509_generate_kn: failed to add new KeyNote credential"); + LOG_DBG ((LOG_POLICY, 30, + "x509_generate_kn: failed to add new KeyNote credential")); free (buf); return 0; } else - LOG_DBG ((LOG_CRYPTO, 80, "x509_generate_kn: added policy:\n%s", buf)); + LOG_DBG ((LOG_POLICY, 80, "x509_generate_kn: added policy:\n%s", buf)); /* Store the X509-derived assertion so we can use it as a policy */ if (x509_policy_asserts_num == 0) @@ -792,7 +795,8 @@ x509_read_from_dir (X509_STORE *ctx, char *name, int hash) #else if (libkeynote && x509_generate_kn (cert) == 0) #endif - log_print ("x509_read_from_dir: x509_generate_kn failed"); + LOG_DBG ((LOG_POLICY, 50, + "x509_read_from_dir: x509_generate_kn failed")); #endif /* USE_POLICY */ } } @@ -953,7 +957,7 @@ x509_cert_insert (int id, void *scert) if (libkeynote && x509_generate_kn (cert) == 0) #endif { - log_print ("x509_cert_insert: x509_generate_kn failed"); + LOG_DBG ((LOG_POLICY, 50, "x509_cert_insert: x509_generate_kn failed")); LC (X509_free, (cert)); return 0; } |
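Review bot: The two call sites now handle a failed `x509_generate_kn` differently: `x509_cert_insert` (hunk at -953) rejects and frees the certificate, while `x509_read_from_dir` in the -792 hunk only emits a level-50 debug message and keeps the certificate in the store, so a locally configured CA or end-entity certificate that yields no KeyNote credential is silent unless policy debugging is on. Since this path reads administrator-provided files rather than peer data, it cannot be used to flood the log; keeping a `log_print ("x509_read_from_dir: x509_generate_kn failed for \"%s\"", file)` (assuming the file name is available in the enclosing loop, which starts outside the hunk) would tell the operator why a policy does not match. x509_read_from_dir extends beyond the hunk.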