summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ipsec.c91
1 files changed, 65 insertions, 26 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 0c81dc59958..fc98b78eaae 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.50 2001/06/29 19:08:11 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.51 2001/07/01 14:17:06 ho Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -113,7 +113,7 @@ static int ipsec_initiator (struct message *);
static void ipsec_proto_init (struct proto *, char *);
static int ipsec_responder (struct message *);
static void ipsec_setup_situation (u_int8_t *);
-static void ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);
+static int ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);
static size_t ipsec_situation_size (void);
static u_int8_t ipsec_spi_size (u_int8_t);
static int ipsec_validate_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
@@ -336,11 +336,25 @@ ipsec_finalize_exchange (struct message *msg)
isa = sa->data;
if (exchange->initiator)
+ {
/* Initiator is source, responder is destination. */
- ipsec_set_network (ie->id_ci, ie->id_cr, isa);
+ if (ipsec_set_network (ie->id_ci, ie->id_cr, isa))
+ {
+ log_error ("ipsec_finalize_exchange: "
+ "ipsec_set_network failed");
+ return;
+ }
+ }
else
- /* Responder is source, initiator is destination. */
- ipsec_set_network (ie->id_cr, ie->id_ci, isa);
+ {
+ /* Responder is source, initiator is destination. */
+ if (ipsec_set_network (ie->id_cr, ie->id_ci, isa))
+ {
+ log_error ("ipsec_finalize_exchange: "
+ "ipsec_set_network failed");
+ return;
+ }
+ }
#ifdef USE_DEBUG
if (sockaddr2text (isa->src_net, &addr1, 0))
@@ -354,7 +368,7 @@ ipsec_finalize_exchange (struct message *msg)
LOG_DBG ((LOG_EXCHANGE, 50,
"ipsec_finalize_exchange: "
- "src %x %x dst %x %x tproto %u sport %u dport %u",
+ "src %s %s dst %s %s tproto %u sport %u dport %u",
addr1 ? addr1 : "<???>" , mask1 ? mask1 : "<???>",
addr2 ? addr2 : "<???>" , mask2 ? mask2 : "<???>",
ntohs (isa->tproto), isa->sport, ntohs (isa->dport)));
@@ -389,7 +403,7 @@ ipsec_finalize_exchange (struct message *msg)
}
/* Set the client addresses in ISA from SRC_ID and DST_ID. */
-static void
+static int
ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
{
int id;
@@ -402,12 +416,15 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV4_ADDR_SUBNET:
isa->src_net =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));
- /* XXX this may fail ! */
+ if (!isa->src_net)
+ return -1;
isa->src_net->sa_family = AF_INET;
isa->src_net->sa_len = sizeof (struct sockaddr_in);
+
isa->src_mask =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));
- /* XXX this may fail ! */
+ if (!isa->src_mask)
+ return -1;
isa->src_mask->sa_family = AF_INET;
isa->src_mask->sa_len = sizeof (struct sockaddr_in);
break;
@@ -416,12 +433,15 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV6_ADDR_SUBNET:
isa->src_net =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));
- /* XXX this may fail ! */
+ if (!isa->src_net)
+ return -1;
isa->src_net->sa_family = AF_INET6;
isa->src_net->sa_len = sizeof (struct sockaddr_in6);
+
isa->src_mask =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));
- /* XXX this may fail ! */
+ if (!isa->src_mask)
+ return -1;
isa->src_mask->sa_family = AF_INET6;
isa->src_mask->sa_len = sizeof (struct sockaddr_in6);
break;
@@ -459,25 +479,32 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV4_ADDR_SUBNET:
isa->dst_net =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));
- /* XXX this may fail ! */
+ if (!isa->dst_net)
+ return -1;
isa->dst_net->sa_family = AF_INET;
isa->dst_net->sa_len = sizeof (struct sockaddr_in);
+
isa->dst_mask =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in));
- /* XXX this may fail ! */
+ if (!isa->dst_mask)
+ return -1;
isa->dst_mask->sa_family = AF_INET;
isa->dst_mask->sa_len = sizeof (struct sockaddr_in);
break;
+
case IPSEC_ID_IPV6_ADDR:
case IPSEC_ID_IPV6_ADDR_SUBNET:
isa->dst_net =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));
- /* XXX this may fail ! */
+ if (!isa->dst_net)
+ return -1;
isa->dst_net->sa_family = AF_INET6;
isa->dst_net->sa_len = sizeof (struct sockaddr_in6);
+
isa->dst_mask =
(struct sockaddr *)calloc (1, sizeof (struct sockaddr_in6));
- /* XXX this may fail ! */
+ if (!isa->dst_mask)
+ return -1;
isa->dst_mask->sa_family = AF_INET6;
isa->dst_mask->sa_len = sizeof (struct sockaddr_in6);
break;
@@ -506,6 +533,7 @@ ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
IPSEC_ID_PROTO_LEN);
memcpy (&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
IPSEC_ID_PORT_LEN);
+ return 0;
}
/* Free the DOI-specific exchange data pointed to by VIE. */
@@ -1238,7 +1266,7 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
sa->seconds = decode_32 (value);
break;
default:
- /* XXX Log. */
+ log_print ("ipsec_decode_attribute: unreasonable lifetime");
}
break;
case IKE_DURATION_KILOBYTES:
@@ -1251,11 +1279,11 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
sa->kilobytes = decode_32 (value);
break;
default:
- /* XXX Log. */
+ log_print ("ipsec_decode_attribute: unreasonable lifetime");
}
break;
default:
- /* XXX Log! */
+ log_print ("ipsec_decode_attribute: unknown lifetime type");
}
break;
case IKE_ATTR_PRF:
@@ -1289,7 +1317,7 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
sa->seconds = decode_32 (value);
break;
default:
- /* XXX Log. */
+ log_print ("ipsec_decode_attribute: unreasonable lifetime");
}
break;
case IPSEC_DURATION_KILOBYTES:
@@ -1302,11 +1330,11 @@ ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
sa->kilobytes = decode_32 (value);
break;
default:
- /* XXX Log. */
+ log_print ("ipsec_decode_attribute: unreasonable lifetime");
}
break;
default:
- /* XXX Log! */
+ log_print ("ipsec_decode_attribute: unknown lifetime type");
}
break;
case IPSEC_ATTR_GROUP_DESCRIPTION:
@@ -1791,6 +1819,7 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
{
int id_type;
char *addr = 0, *mask = 0;
+ u_int32_t *idp;
if (id)
{
@@ -1802,6 +1831,7 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
}
id_type = GET_ISAKMP_ID_TYPE (id);
+ idp = (u_int32_t *)(id + ISAKMP_ID_DATA_OFF);
switch (id_type)
{
case IPSEC_ID_IPV4_ADDR:
@@ -1814,11 +1844,20 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
util_ntoa (&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4);
snprintf (buf, size, "%08x/%08x: %s/%s",
decode_32 (id + ISAKMP_ID_DATA_OFF),
- decode_32 (id + ISAKMP_ID_DATA_OFF + 4),
- addr, mask);
+ decode_32 (id + ISAKMP_ID_DATA_OFF + 4), addr, mask);
break;
case IPSEC_ID_IPV6_ADDR:
- /* XXX */
+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
+ snprintf (buf, size, "%08x%08x%08x%08x: %s", *idp, *(idp + 1),
+ *(idp + 2), *(idp + 3), addr);
+ break;
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
+ util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF +
+ sizeof (struct in6_addr));
+ snprintf (buf, size, "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s",
+ *idp, *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4),
+ *(idp + 5), *(idp + 6), *(idp + 7), addr, mask);
break;
case IPSEC_ID_FQDN:
@@ -1830,12 +1869,12 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
buf[id_len] = '\0';
break;
default:
- snprintf (buf, size, "<type unknown: %x>", id_type);
+ snprintf (buf, size, "<id type unknown: %x>", id_type);
break;
}
}
else
- snprintf (buf, size, "<no id>");
+ snprintf (buf, size, "<no ipsec id>");
if (addr)
free (addr);
if (mask)