Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/cert.c8
-rw-r--r--sbin/isakmpd/cert.h13
-rw-r--r--sbin/isakmpd/exchange.c84
-rw-r--r--sbin/isakmpd/exchange.h8
-rw-r--r--sbin/isakmpd/ike_auth.c24
-rw-r--r--sbin/isakmpd/x509.c31
6 files changed, 88 insertions, 80 deletions
diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c
index f11149158e1..4751abb644b 100644
--- a/sbin/isakmpd/cert.c
+++ b/sbin/isakmpd/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.17 2001/05/31 20:21:25 angelos Exp $ */
+/* $OpenBSD: cert.c,v 1.18 2001/06/05 05:59:42 niklas Exp $ */
/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -108,7 +108,11 @@ cert_get (u_int16_t id)
return 0;
}
-/* Decode a CERTREQ and return a parsed structure. */
+/*
+ * Decode the certificate request of type TYPE contained in DATA extending
+ * DATALEN bytes. Return a certreq_aca structure which the caller is
+ * responsible for deallocating.
+ */
struct certreq_aca *
certreq_decode (u_int16_t type, u_int8_t *data, u_int32_t datalen)
{
diff --git a/sbin/isakmpd/cert.h b/sbin/isakmpd/cert.h
index accb03db0e3..387432c1e66 100644
--- a/sbin/isakmpd/cert.h
+++ b/sbin/isakmpd/cert.h
@@ -1,9 +1,9 @@
-/* $OpenBSD: cert.h,v 1.7 2001/05/31 20:20:26 angelos Exp $ */
+/* $OpenBSD: cert.h,v 1.8 2001/06/05 05:59:42 niklas Exp $ */
/* $EOM: cert.h,v 1.8 2000/09/28 12:53:27 niklas Exp $ */
/*
* Copyright (c) 1998, 1999 Niels Provos. All rights reserved.
- * Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -45,8 +45,8 @@
/*
* CERT handler for each kind of certificate:
*
- * cert_init - Initialize CERT handler - called only once
- * cert_get - Get a certificate in internal representation from raw data
+ * cert_init - Initialize CERT handler - called only once.
+ * cert_get - Get a certificate in internal representation from raw data.
* cert_validate - validated a certificate, if it returns != 0 we can use it.
* cert_insert - inserts cert into memory storage, we can retrieve with
* cert_obtain.
@@ -77,14 +77,13 @@ struct cert_handler {
void *(*cert_from_printable) (char *);
};
-/* the acceptable authority of cert request */
-
+/* The acceptable authority of cert request. */
struct certreq_aca {
TAILQ_ENTRY (certreq_aca) link;
u_int16_t id;
struct cert_handler *handler;
- void *data; /* if NULL everything is acceptable */
+ void *data; /* if NULL everything is acceptable. */
};
struct certreq_aca *certreq_decode (u_int16_t, u_int8_t *, u_int32_t);
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 63cd1e9d19f..cbf6351aa1c 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.48 2001/06/05 01:29:05 angelos Exp $ */
+/* $OpenBSD: exchange.c,v 1.49 2001/06/05 05:59:43 niklas Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -202,7 +202,7 @@ exchange_validate (struct message *msg)
while (*pc != EXCHANGE_SCRIPT_END && *pc != EXCHANGE_SCRIPT_SWITCH)
{
- LOG_DBG ((LOG_EXCHANGE, 90,
+ LOG_DBG ((LOG_EXCHANGE, 90,
"exchange_validate: checking for required %s",
*pc >= ISAKMP_PAYLOAD_NONE
? constant_name (isakmp_payload_cst, *pc)
@@ -317,7 +317,7 @@ exchange_run (struct message *msg)
message_free (msg);
return;
}
- }
+ }
else
{
done = exchange_validate (msg);
@@ -348,7 +348,7 @@ exchange_run (struct message *msg)
if ((payload->flags & PL_MARK) == 0)
if (!doi->handle_leftover_payload
|| doi->handle_leftover_payload (msg, i, payload))
- LOG_DBG ((LOG_EXCHANGE, 10,
+ LOG_DBG ((LOG_EXCHANGE, 10,
"exchange_run: unexpected payload %s",
constant_name (isakmp_payload_cst, i)));
@@ -378,7 +378,7 @@ exchange_run (struct message *msg)
}
}
- LOG_DBG ((LOG_EXCHANGE, 40,
+ LOG_DBG ((LOG_EXCHANGE, 40,
"exchange_run: exchange %p finished step %d, advancing...",
exchange, exchange->step));
exchange->step++;
@@ -402,7 +402,7 @@ exchange_init ()
{
LIST_INIT (&exchange_tab[i]);
}
-
+
}
void
@@ -460,7 +460,7 @@ exchange_lookup_by_name (char *name, int phase)
exchange->name ? exchange->name : "<unnamed>", phase,
exchange->phase));
- /*
+ /*
* Match by name, but don't select finished exchanges, i.e
* where MSG_LAST are set in last_sent msg.
*/
@@ -499,7 +499,7 @@ exchange_lookup_active (char *name, int phase)
if (exchange->step > 1)
return exchange;
else
- LOG_DBG ((LOG_EXCHANGE, 80,
+ LOG_DBG ((LOG_EXCHANGE, 80,
"exchange_lookup_active: avoided early (pre-step 1) "
"exchange %p", exchange));
}
@@ -864,7 +864,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
log_print ("exchange_establish_p2: DOI \"%s\" unsupported", str);
return;
}
-
+
/* What exchange type do we want? */
if (!type)
{
@@ -913,9 +913,9 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
exchange_enter (exchange);
exchange_dump ("exchange_establish_p2", exchange);
- /*
- * Do not create SA's for informational exchanges.
- * XXX How to handle new group mode?
+ /*
+ * Do not create SA's for informational exchanges.
+ * XXX How to handle new group mode?
*/
if (exchange->type != ISAKMP_EXCH_INFO)
{
@@ -931,7 +931,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
msg = message_alloc (isakmp_sa->transport, 0, ISAKMP_HDR_SZ);
msg->isakmp_sa = isakmp_sa;
sa_reference (isakmp_sa);
-
+
msg->extra = args;
/* This needs to be done late or else get_keystate won't work right. */
@@ -1087,16 +1087,16 @@ exchange_dump_real (char *header, struct exchange *exchange, int class,
{
char buf[LOG_SIZE];
/* Don't risk overflowing the final log buffer. */
- int bufsize_max = LOG_SIZE - strlen (header) - 32;
+ int bufsize_max = LOG_SIZE - strlen (header) - 32;
struct sa *sa;
- LOG_DBG ((class, level,
+ LOG_DBG ((class, level,
"%s: %p %s %s policy %s phase %d doi %d exchange %d step %d",
header, exchange, exchange->name ? exchange->name : "<unnamed>",
exchange->policy ? exchange->policy : "<no policy>",
exchange->initiator ? "initiator" : "responder", exchange->phase,
exchange->doi->id, exchange->type, exchange->step));
- LOG_DBG ((class, level,
+ LOG_DBG ((class, level,
"%s: icookie %08x%08x rcookie %08x%08x", header,
decode_32 (exchange->cookies), decode_32 (exchange->cookies + 4),
decode_32 (exchange->cookies + 8),
@@ -1106,7 +1106,7 @@ exchange_dump_real (char *header, struct exchange *exchange, int class,
if (exchange->phase == 2)
{
sprintf (buf, "sa_list ");
- for (sa = TAILQ_FIRST (&exchange->sa_list);
+ for (sa = TAILQ_FIRST (&exchange->sa_list);
sa && strlen (buf) < bufsize_max; sa = TAILQ_NEXT (sa, next))
sprintf (buf + strlen (buf), "%p ", sa);
if (sa)
@@ -1115,7 +1115,7 @@ exchange_dump_real (char *header, struct exchange *exchange, int class,
else
buf[0] = '\0';
- LOG_DBG ((class, level, "%s: msgid %08x %s", header,
+ LOG_DBG ((class, level, "%s: msgid %08x %s", header,
decode_32 (exchange->message_id), buf));
}
@@ -1149,7 +1149,7 @@ exchange_free_aux (void *v_exch)
struct sa *sa, *next_sa;
struct cert_handler *handler;
- LOG_DBG ((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p",
+ LOG_DBG ((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p",
exchange));
if (exchange->last_received)
@@ -1248,12 +1248,12 @@ exchange_check_old_sa (struct sa *sa, void *v_arg)
struct sa *new_sa = v_arg;
char res1[1024];
- if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY) ||
- (sa->flags & SA_FLAG_REPLACED))
+ if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY)
+ || (sa->flags & SA_FLAG_REPLACED))
return 0;
- if (sa->phase != new_sa->phase || new_sa->name == NULL ||
- strcasecmp (sa->name, new_sa->name))
+ if (sa->phase != new_sa->phase || new_sa->name == NULL
+ || strcasecmp (sa->name, new_sa->name))
return 0;
if (sa->initiator)
@@ -1264,18 +1264,15 @@ exchange_check_old_sa (struct sa *sa, void *v_arg)
sa->id_i_len, 0), sizeof res1);
LOG_DBG ((LOG_EXCHANGE, 30,
- "checking whether new SA replaces existing SA with IDs %s",
- res1));
+ "checking whether new SA replaces existing SA with IDs %s", res1));
if (new_sa->initiator)
return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_i,
- new_sa->id_i_len,
- new_sa->id_r,
+ new_sa->id_i_len, new_sa->id_r,
new_sa->id_r_len, 0)) == 0;
else
return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_r,
- new_sa->id_r_len,
- new_sa->id_i,
+ new_sa->id_r_len, new_sa->id_i,
new_sa->id_i_len, 0)) == 0;
}
@@ -1396,7 +1393,8 @@ exchange_finalize (struct message *msg)
0),
msg->isakmp_sa == NULL || msg->isakmp_sa->transport == NULL
? "<no transport>"
- : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa->transport)));
+ : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa
+ ->transport)));
}
exchange->doi->finalize_exchange (msg);
@@ -1404,10 +1402,10 @@ exchange_finalize (struct message *msg)
exchange->finalize (exchange, exchange->finalize_arg, 0);
exchange->finalize = 0;
- /* copy the ID from phase 1 to exchange or phase 2 SA */
- if (msg->isakmp_sa)
+ /* Copy the ID from phase 1 to exchange or phase 2 SA. */
+ if (msg->isakmp_sa)
{
- if (exchange->id_i && exchange->id_r)
+ if (exchange->id_i && exchange->id_r)
{
ipsec_clone_id (&msg->isakmp_sa->id_i, &msg->isakmp_sa->id_i_len,
exchange->id_i, exchange->id_i_len);
@@ -1520,25 +1518,23 @@ exchange_save_certreq (struct message *msg)
{
struct payload *cp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_CERT_REQ]);
struct exchange *exchange = msg->exchange;
- struct certreq_aca *tmp;
+ struct certreq_aca *aca;
for ( ; cp; cp = TAILQ_NEXT (cp, link))
{
cp->flags |= PL_MARK;
- tmp = certreq_decode (GET_ISAKMP_CERTREQ_TYPE (cp->p),
+ aca = certreq_decode (GET_ISAKMP_CERTREQ_TYPE (cp->p),
cp->p + ISAKMP_CERTREQ_AUTHORITY_OFF,
- GET_ISAKMP_GEN_LENGTH (cp->p) -
+ GET_ISAKMP_GEN_LENGTH (cp->p) -
ISAKMP_CERTREQ_AUTHORITY_OFF);
- if (!tmp)
- continue;
- TAILQ_INSERT_TAIL (&exchange->aca_list, tmp, link);
+ if (aca)
+ TAILQ_INSERT_TAIL (&exchange->aca_list, aca, link);
}
return 0;
}
-/* Free the list of pending CERTREQ */
-
+/* Free the list of pending CERTREQ. */
void
exchange_free_aca_list (struct exchange *exchange)
{
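Review bot: The length handed to certreq_decode as its third argument, `GET_ISAKMP_GEN_LENGTH (cp->p) - ISAKMP_CERTREQ_AUTHORITY_OFF`, is an unsigned u_int32_t per the certreq_decode prototype in the cert.c hunk above, so a CERTREQ payload whose generic length is smaller than the authority offset wraps it into a huge value; the rename to `aca` and the inverted `if (aca)` test leave that arithmetic as it was. Unless the payload-length validation performed before exchange_save_certreq runs already guarantees the minimum CERTREQ length (not visible here), a guard such as `if (GET_ISAKMP_GEN_LENGTH (cp->p) < ISAKMP_CERTREQ_AUTHORITY_OFF) continue;` ahead of the call would keep a short or malformed payload from reaching the decoder as an oversized buffer. Inserting the decoded structure into `exchange->aca_list` is consistent with the ownership the new certreq_decode comment describes, since exchange_free_aca_list below releases the list.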
@@ -1572,10 +1568,10 @@ exchange_add_certs (struct message *msg)
id = exchange->initiator ? exchange->id_r : exchange->id_i;
id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len;
- for (aca = TAILQ_FIRST (&exchange->aca_list); aca;
+ for (aca = TAILQ_FIRST (&exchange->aca_list); aca;
aca = TAILQ_NEXT (aca, link))
{
- /* XXX? If we can not satisfy a CERTREQ we drop the message */
+ /* XXX? If we can not satisfy a CERTREQ we drop the message. */
if (!aca->handler->cert_obtain (id, id_len, aca->data, &cert, &certlen))
{
log_print ("exchange_add_certs: could not obtain cert for a type %d "
@@ -1599,7 +1595,7 @@ exchange_add_certs (struct message *msg)
}
}
- /* We dont need the CERT REQs any more, they are anwsered */
+ /* We dont need the CERT REQs any more, they are answered. */
exchange_free_aca_list (exchange);
return 0;
diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h
index 6c3efe9ddf3..faae678c901 100644
--- a/sbin/isakmpd/exchange.h
+++ b/sbin/isakmpd/exchange.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.h,v 1.19 2001/05/31 20:23:52 angelos Exp $ */
+/* $OpenBSD: exchange.h,v 1.20 2001/06/05 05:59:43 niklas Exp $ */
/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
/*
@@ -145,7 +145,7 @@ struct exchange {
u_int8_t *id_r;
size_t id_r_len;
- /* Policy session identifier, where applicable */
+ /* Policy session identifier, where applicable. */
int policy_id;
/* Crypto info needed to encrypt/decrypt packets in this exchange. */
@@ -191,12 +191,12 @@ struct exchange {
void *sent_cert; /* Certificate (to be) sent to peer, native format */
void *sent_key; /* Key we'll use to authenticate to peer, native format */
- /* ACQUIRE sequence number */
+ /* ACQUIRE sequence number. */
u_int32_t seq;
/* XXX This is no longer necessary, it is covered by policy. */
- /* Acceptable authorities for cert requests */
+ /* Acceptable authorities for cert requests. */
TAILQ_HEAD (aca_head, certreq_aca) aca_list;
/* DOI-specific opaque data. */
diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c
index 6dea4606ba2..04ea1a1957b 100644
--- a/sbin/isakmpd/ike_auth.c
+++ b/sbin/isakmpd/ike_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_auth.c,v 1.42 2001/06/05 05:08:26 angelos Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.43 2001/06/05 05:59:42 niklas Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
@@ -386,8 +386,8 @@ pre_shared_gen_skeyid (struct exchange *exchange, size_t *sz)
if (buf)
free (buf);
- /* Fail if no key could be found */
- if (key == NULL)
+ /* Fail if no key could be found. */
+ if (!key)
return 0;
/* Store the secret key for later policy processing. */
@@ -611,7 +611,7 @@ rsa_sig_decode_hash (struct message *msg)
}
#endif /* USE_POLICY || USE_KEYNOTE */
- /* Obtain a certificate from our certificate storage */
+ /* Obtain a certificate from our certificate storage. */
if (handler->cert_obtain (id, id_len, 0, &rawcert, &rawcertlen))
{
if (handler->id == ISAKMP_CERTENC_X509_SIG)
@@ -667,7 +667,7 @@ rsa_sig_decode_hash (struct message *msg)
GET_ISAKMP_CERT_ENCODING (p->p))));
continue;
}
-
+
cert = handler->cert_get (p->p + ISAKMP_CERT_DATA_OFF,
GET_ISAKMP_GEN_LENGTH (p->p)
- ISAKMP_CERT_DATA_OFF);
@@ -764,15 +764,15 @@ rsa_sig_decode_hash (struct message *msg)
found++;
}
- /* If no certificate provided a key, try to find a validated DNSSEC KEY. */
#if defined(USE_DNSSEC)
+ /* If no certificate provided a key, try to find a validated DNSSEC KEY. */
if (!found)
{
rawkey = dns_get_key (IKE_AUTH_RSA_SIG, msg, &rawkeylen);
if (rawkey)
found++;
-
- /* We need to convert 'void *rawkey' into 'RSA *key'. */
+
+ /* We need to convert 'void *rawkey' into 'RSA *key'. */
if (dns_RSA_dns_to_x509 (rawkey, rawkeylen, &key) == -1)
{
log_print ("rsa_sig_decode_hash: KEY to RSA key conversion failed");
@@ -858,10 +858,10 @@ pre_shared_encode_hash (struct message *msg)
buf = ipsec_add_hash_payload (msg, hashsize);
if (!buf)
return -1;
-
+
if (ike_auth_hash (exchange, buf + ISAKMP_HASH_DATA_OFF) == -1)
return -1;
-
+
snprintf (header, 80, "pre_shared_encode_hash: HASH_%c",
initiator ? 'I' : 'R');
LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize));
@@ -1019,7 +1019,7 @@ rsa_sig_encode_hash (struct message *msg)
id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ);
break;
- /* XXX Support more ID types ? */
+ /* XXX Support more ID types? */
default:
buf2 = NULL;
break;
@@ -1076,7 +1076,7 @@ rsa_sig_encode_hash (struct message *msg)
free (buf);
return -1;
}
-
+
snprintf (header, 80, "rsa_sig_encode_hash: HASH_%c", initiator ? 'I' : 'R');
LOG_DBG_BUF ((LOG_MISC, 80, header, buf, hashsize));
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index b953df6295d..43a66cfe533 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.51 2001/05/31 20:20:59 angelos Exp $ */
+/* $OpenBSD: x509.c,v 1.52 2001/06/05 05:59:43 niklas Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -1029,7 +1029,7 @@ x509_certreq_decode (u_int8_t *asn, u_int32_t len)
if (!asn_template_clone (&aca, 1)
|| (asn = asn_decode_sequence (asn, len, &aca)) == 0)
{
- log_print ("x509_certreq_validate: can not decode 'acceptable CA' info");
+ log_print ("x509_certreq_decode: can not decode 'acceptable CA' info");
goto fail;
}
memset (&naca, 0, sizeof (naca));
@@ -1138,8 +1138,17 @@ x509_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
if (!scert)
return 0;
+ *certlen = LC (i2d_X509, (scert, NULL));
+ p = *cert = malloc (*certlen);
+ if (!p)
+ {
+ log_error ("x509_cert_obtain: malloc (%d) failed", *certlen);
+ return 0;
+ }
+ *certlen = LC (i2d_X509, (scert, &p));
+
x509_serialize (scert, cert, certlen);
- if (*cert == NULL)
+ if (!*cert)
return 0;
return 1;
}
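Review bot: The buffer the new block allocates into `*cert` with `malloc (*certlen)` is overwritten two lines later, because the retained `x509_serialize (scert, cert, certlen);` call still runs and, as the x509_printable hunk below shows by freeing its output, allocates a fresh copy into `*cert`, so every successful call leaks one DER encoding of the certificate and serializes it twice. Either the new i2d_X509 block or the `x509_serialize` call together with its `if (!*cert) return 0;` check should be removed. If the new block is kept, the first `LC (i2d_X509, (scert, NULL))` result should be checked for a non-positive return before it is passed to malloc, since i2d_X509 reports failure as a negative int, and the `%d` in the log_error only matches if `*certlen` is an int (its type is declared outside the hunk). The start of x509_cert_obtain, including the declaration of `p`, lies outside the hunk.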
@@ -1373,15 +1382,15 @@ x509_printable (void *cert)
int i;
x509_serialize (cert, &data, &datalen);
- if (data == NULL)
- return NULL;
+ if (!data)
+ return 0;
s = malloc (datalen * 2);
- if (s == NULL)
+ if (!s)
{
free (data);
log_error ("x509_printable: malloc (%d) failed", datalen * 2);
- return NULL;
+ return 0;
}
for (i = 0; i < datalen; i++)
@@ -1400,10 +1409,10 @@ x509_from_printable (char *cert)
plen = (strlen (cert) + 1) / 2;
buf = malloc (plen);
- if (buf == NULL)
+ if (!buf)
{
log_error ("x509_from_printable: malloc (%d) failed", plen);
- return NULL;
+ return 0;
}
ret = hex2raw (cert, buf, plen);
@@ -1411,12 +1420,12 @@ x509_from_printable (char *cert)
{
free (buf);
log_error ("x509_from_printable: badly formatted cert");
- return NULL;
+ return 0;
}
foo = x509_cert_get (buf, plen);
free (buf);
- if (foo == NULL)
+ if (!foo)
log_error ("x509_from_printable: could not retrieve certificate");
return foo;
}