Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/cert.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/cert.h | 13 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.c | 84 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.h | 8 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 24 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 31 |
6 files changed, 88 insertions, 80 deletions
diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c index f11149158e1..4751abb644b 100644 --- a/sbin/isakmpd/cert.c +++ b/sbin/isakmpd/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.17 2001/05/31 20:21:25 angelos Exp $ */ +/* $OpenBSD: cert.c,v 1.18 2001/06/05 05:59:42 niklas Exp $ */ /* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */ /* @@ -108,7 +108,11 @@ cert_get (u_int16_t id) return 0; } -/* Decode a CERTREQ and return a parsed structure. */ +/* + * Decode the certificate request of type TYPE contained in DATA extending + * DATALEN bytes. Return a certreq_aca structure which the caller is + * responsible for deallocating. + */ struct certreq_aca * certreq_decode (u_int16_t type, u_int8_t *data, u_int32_t datalen) { diff --git a/sbin/isakmpd/cert.h b/sbin/isakmpd/cert.h index accb03db0e3..387432c1e66 100644 --- a/sbin/isakmpd/cert.h +++ b/sbin/isakmpd/cert.h @@ -1,9 +1,9 @@ -/* $OpenBSD: cert.h,v 1.7 2001/05/31 20:20:26 angelos Exp $ */ +/* $OpenBSD: cert.h,v 1.8 2001/06/05 05:59:42 niklas Exp $ */ /* $EOM: cert.h,v 1.8 2000/09/28 12:53:27 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 2000 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -45,8 +45,8 @@ /* * CERT handler for each kind of certificate: * - * cert_init - Initialize CERT handler - called only once - * cert_get - Get a certificate in internal representation from raw data + * cert_init - Initialize CERT handler - called only once. + * cert_get - Get a certificate in internal representation from raw data. * cert_validate - validated a certificate, if it returns != 0 we can use it. * cert_insert - inserts cert into memory storage, we can retrieve with * cert_obtain. 
@@ -77,14 +77,13 @@ struct cert_handler { void *(*cert_from_printable) (char *); }; -/* the acceptable authority of cert request */ - +/* The acceptable authority of cert request. */ struct certreq_aca { TAILQ_ENTRY (certreq_aca) link; u_int16_t id; struct cert_handler *handler; - void *data; /* if NULL everything is acceptable */ + void *data; /* if NULL everything is acceptable. */ }; struct certreq_aca *certreq_decode (u_int16_t, u_int8_t *, u_int32_t); diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c index 63cd1e9d19f..cbf6351aa1c 100644 --- a/sbin/isakmpd/exchange.c +++ b/sbin/isakmpd/exchange.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exchange.c,v 1.48 2001/06/05 01:29:05 angelos Exp $ */ +/* $OpenBSD: exchange.c,v 1.49 2001/06/05 05:59:43 niklas Exp $ */ /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ /* @@ -202,7 +202,7 @@ exchange_validate (struct message *msg) while (*pc != EXCHANGE_SCRIPT_END && *pc != EXCHANGE_SCRIPT_SWITCH) { - LOG_DBG ((LOG_EXCHANGE, 90, + LOG_DBG ((LOG_EXCHANGE, 90, "exchange_validate: checking for required %s", *pc >= ISAKMP_PAYLOAD_NONE ? constant_name (isakmp_payload_cst, *pc) @@ -317,7 +317,7 @@ exchange_run (struct message *msg) message_free (msg); return; } - } + } else { done = exchange_validate (msg); @@ -348,7 +348,7 @@ exchange_run (struct message *msg) if ((payload->flags & PL_MARK) == 0) if (!doi->handle_leftover_payload || doi->handle_leftover_payload (msg, i, payload)) - LOG_DBG ((LOG_EXCHANGE, 10, + LOG_DBG ((LOG_EXCHANGE, 10, "exchange_run: unexpected payload %s", constant_name (isakmp_payload_cst, i))); @@ -378,7 +378,7 @@ exchange_run (struct message *msg) } } - LOG_DBG ((LOG_EXCHANGE, 40, + LOG_DBG ((LOG_EXCHANGE, 40, "exchange_run: exchange %p finished step %d, advancing...", exchange, exchange->step)); exchange->step++; @@ -402,7 +402,7 @@ exchange_init () { LIST_INIT (&exchange_tab[i]); } - + } void 
@@ -460,7 +460,7 @@ exchange_lookup_by_name (char *name, int phase) exchange->name ? exchange->name : "<unnamed>", phase, exchange->phase)); - /* + /* * Match by name, but don't select finished exchanges, i.e * where MSG_LAST are set in last_sent msg. */ @@ -499,7 +499,7 @@ exchange_lookup_active (char *name, int phase) if (exchange->step > 1) return exchange; else - LOG_DBG ((LOG_EXCHANGE, 80, + LOG_DBG ((LOG_EXCHANGE, 80, "exchange_lookup_active: avoided early (pre-step 1) " "exchange %p", exchange)); } @@ -864,7 +864,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name, log_print ("exchange_establish_p2: DOI \"%s\" unsupported", str); return; } - + /* What exchange type do we want? */ if (!type) { @@ -913,9 +913,9 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name, exchange_enter (exchange); exchange_dump ("exchange_establish_p2", exchange); - /* - * Do not create SA's for informational exchanges. - * XXX How to handle new group mode? + /* + * Do not create SA's for informational exchanges. + * XXX How to handle new group mode? */ if (exchange->type != ISAKMP_EXCH_INFO) { @@ -931,7 +931,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name, msg = message_alloc (isakmp_sa->transport, 0, ISAKMP_HDR_SZ); msg->isakmp_sa = isakmp_sa; sa_reference (isakmp_sa); - + msg->extra = args; /* This needs to be done late or else get_keystate won't work right. */ 
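Review bot: In the `@@ -931,7` hunk, `msg = message_alloc (isakmp_sa->transport, 0, ISAKMP_HDR_SZ);` is dereferenced on the very next line (`msg->isakmp_sa = isakmp_sa;`) with no NULL check, so if message_alloc can fail under memory pressure (its body is not visible here) the daemon dereferences NULL while setting up a phase 2 exchange. A guard such as `if (!msg) { log_print ("exchange_establish_p2: message_alloc failed"); return; }` is the minimum; it should also undo the exchange entered earlier in the function, which lies outside this hunk. exchange_establish_p2 starts and ends outside the hunk.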
@@ -1087,16 +1087,16 @@ exchange_dump_real (char *header, struct exchange *exchange, int class, { char buf[LOG_SIZE]; /* Don't risk overflowing the final log buffer. */ - int bufsize_max = LOG_SIZE - strlen (header) - 32; + int bufsize_max = LOG_SIZE - strlen (header) - 32; struct sa *sa; - LOG_DBG ((class, level, + LOG_DBG ((class, level, "%s: %p %s %s policy %s phase %d doi %d exchange %d step %d", header, exchange, exchange->name ? exchange->name : "<unnamed>", exchange->policy ? exchange->policy : "<no policy>", exchange->initiator ? "initiator" : "responder", exchange->phase, exchange->doi->id, exchange->type, exchange->step)); - LOG_DBG ((class, level, + LOG_DBG ((class, level, "%s: icookie %08x%08x rcookie %08x%08x", header, decode_32 (exchange->cookies), decode_32 (exchange->cookies + 4), decode_32 (exchange->cookies + 8), @@ -1106,7 +1106,7 @@ exchange_dump_real (char *header, struct exchange *exchange, int class, if (exchange->phase == 2) { sprintf (buf, "sa_list "); - for (sa = TAILQ_FIRST (&exchange->sa_list); + for (sa = TAILQ_FIRST (&exchange->sa_list); sa && strlen (buf) < bufsize_max; sa = TAILQ_NEXT (sa, next)) sprintf (buf + strlen (buf), "%p ", sa); if (sa) @@ -1115,7 +1115,7 @@ exchange_dump_real (char *header, struct exchange *exchange, int class, else buf[0] = '\0'; - LOG_DBG ((class, level, "%s: msgid %08x %s", header, + LOG_DBG ((class, level, "%s: msgid %08x %s", header, decode_32 (exchange->message_id), buf)); } @@ -1149,7 +1149,7 @@ exchange_free_aux (void *v_exch) struct sa *sa, *next_sa; struct cert_handler *handler; - LOG_DBG ((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p", + LOG_DBG ((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p", exchange)); if (exchange->last_received) 
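Review bot: In the `@@ -1106,7` hunk, the `sprintf (buf + strlen (buf), "%p ", sa);` inside the sa_list loop is unbounded and relies on the 32-byte slack folded into `bufsize_max`, which the earlier hunk declares as `int` and which is compared against the `size_t` result of `strlen (buf)`; a header longer than LOG_SIZE - 32 would turn the bound negative and, after the usual promotion, effectively unbounded. The visible callers pass short literal headers, so this is not reachable from the network as written, but a bounded write costs nothing: `snprintf (buf + strlen (buf), sizeof buf - strlen (buf), "%p ", sa);` together with `size_t bufsize_max` clamped at zero. exchange_dump_real continues outside the hunk.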
@@ -1248,12 +1248,12 @@ exchange_check_old_sa (struct sa *sa, void *v_arg) struct sa *new_sa = v_arg; char res1[1024]; - if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY) || - (sa->flags & SA_FLAG_REPLACED)) + if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY) + || (sa->flags & SA_FLAG_REPLACED)) return 0; - if (sa->phase != new_sa->phase || new_sa->name == NULL || - strcasecmp (sa->name, new_sa->name)) + if (sa->phase != new_sa->phase || new_sa->name == NULL + || strcasecmp (sa->name, new_sa->name)) return 0; if (sa->initiator) @@ -1264,18 +1264,15 @@ exchange_check_old_sa (struct sa *sa, void *v_arg) sa->id_i_len, 0), sizeof res1); LOG_DBG ((LOG_EXCHANGE, 30, - "checking whether new SA replaces existing SA with IDs %s", - res1)); + "checking whether new SA replaces existing SA with IDs %s", res1)); if (new_sa->initiator) return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_i, - new_sa->id_i_len, - new_sa->id_r, + new_sa->id_i_len, new_sa->id_r, new_sa->id_r_len, 0)) == 0; else return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_r, - new_sa->id_r_len, - new_sa->id_i, + new_sa->id_r_len, new_sa->id_i, new_sa->id_i_len, 0)) == 0; } @@ -1396,7 +1393,8 @@ exchange_finalize (struct message *msg) 0), msg->isakmp_sa == NULL || msg->isakmp_sa->transport == NULL ? "<no transport>" - : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa->transport))); + : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa + ->transport))); } exchange->doi->finalize_exchange (msg); 
@@ -1404,10 +1402,10 @@ exchange_finalize (struct message *msg) exchange->finalize (exchange, exchange->finalize_arg, 0); exchange->finalize = 0; - /* copy the ID from phase 1 to exchange or phase 2 SA */ - if (msg->isakmp_sa) + /* Copy the ID from phase 1 to exchange or phase 2 SA. */ + if (msg->isakmp_sa) { - if (exchange->id_i && exchange->id_r) + if (exchange->id_i && exchange->id_r) { ipsec_clone_id (&msg->isakmp_sa->id_i, &msg->isakmp_sa->id_i_len, exchange->id_i, exchange->id_i_len); @@ -1520,25 +1518,23 @@ exchange_save_certreq (struct message *msg) { struct payload *cp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_CERT_REQ]); struct exchange *exchange = msg->exchange; - struct certreq_aca *tmp; + struct certreq_aca *aca; for ( ; cp; cp = TAILQ_NEXT (cp, link)) { cp->flags |= PL_MARK; - tmp = certreq_decode (GET_ISAKMP_CERTREQ_TYPE (cp->p), + aca = certreq_decode (GET_ISAKMP_CERTREQ_TYPE (cp->p), cp->p + ISAKMP_CERTREQ_AUTHORITY_OFF, - GET_ISAKMP_GEN_LENGTH (cp->p) - + GET_ISAKMP_GEN_LENGTH (cp->p) - ISAKMP_CERTREQ_AUTHORITY_OFF); - if (!tmp) - continue; - TAILQ_INSERT_TAIL (&exchange->aca_list, tmp, link); + if (aca) + TAILQ_INSERT_TAIL (&exchange->aca_list, aca, link); } return 0; } -/* Free the list of pending CERTREQ */ - +/* Free the list of pending CERTREQ. */ void exchange_free_aca_list (struct exchange *exchange) { @@ -1572,10 +1568,10 @@ exchange_add_certs (struct message *msg) id = exchange->initiator ? exchange->id_r : exchange->id_i; id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len; - for (aca = TAILQ_FIRST (&exchange->aca_list); aca; + for (aca = TAILQ_FIRST (&exchange->aca_list); aca; aca = TAILQ_NEXT (aca, link)) { - /* XXX? If we can not satisfy a CERTREQ we drop the message */ + /* XXX? If we can not satisfy a CERTREQ we drop the message. */ if (!aca->handler->cert_obtain (id, id_len, aca->data, &cert, &certlen)) { log_print ("exchange_add_certs: could not obtain cert for a type %d " 
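Review bot: In the `@@ -1520,25` hunk, the length handed to certreq_decode, `GET_ISAKMP_GEN_LENGTH (cp->p) - ISAKMP_CERTREQ_AUTHORITY_OFF`, is an unsigned subtraction on a peer-supplied payload length, so a CERTREQ payload shorter than ISAKMP_CERTREQ_AUTHORITY_OFF wraps to a huge datalen unless the generic payload validation already enforces that minimum, which is not visible here. If it does not, a one-line guard before the decode keeps the decoder from reading past the payload: `if (GET_ISAKMP_GEN_LENGTH (cp->p) < ISAKMP_CERTREQ_AUTHORITY_OFF) continue;`. Either way a comment on the loop saying where the minimum length is enforced would spare the next reader the same question.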
@@ -1599,7 +1595,7 @@ exchange_add_certs (struct message *msg) } } - /* We dont need the CERT REQs any more, they are anwsered */ + /* We dont need the CERT REQs any more, they are answered. */ exchange_free_aca_list (exchange); return 0; diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h index 6c3efe9ddf3..faae678c901 100644 --- a/sbin/isakmpd/exchange.h +++ b/sbin/isakmpd/exchange.h @@ -1,4 +1,4 @@ -/* $OpenBSD: exchange.h,v 1.19 2001/05/31 20:23:52 angelos Exp $ */ +/* $OpenBSD: exchange.h,v 1.20 2001/06/05 05:59:43 niklas Exp $ */ /* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */ /* @@ -145,7 +145,7 @@ struct exchange { u_int8_t *id_r; size_t id_r_len; - /* Policy session identifier, where applicable */ + /* Policy session identifier, where applicable. */ int policy_id; /* Crypto info needed to encrypt/decrypt packets in this exchange. */ @@ -191,12 +191,12 @@ struct exchange { void *sent_cert; /* Certificate (to be) sent to peer, native format */ void *sent_key; /* Key we'll use to authenticate to peer, native format */ - /* ACQUIRE sequence number */ + /* ACQUIRE sequence number. */ u_int32_t seq; /* XXX This is no longer necessary, it is covered by policy. */ - /* Acceptable authorities for cert requests */ + /* Acceptable authorities for cert requests. */ TAILQ_HEAD (aca_head, certreq_aca) aca_list; /* DOI-specific opaque data. */ diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index 6dea4606ba2..04ea1a1957b 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_auth.c,v 1.42 2001/06/05 05:08:26 angelos Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.43 2001/06/05 05:59:42 niklas Exp $ */ /* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ /* 
@@ -386,8 +386,8 @@ pre_shared_gen_skeyid (struct exchange *exchange, size_t *sz) if (buf) free (buf); - /* Fail if no key could be found */ - if (key == NULL) + /* Fail if no key could be found. */ + if (!key) return 0; /* Store the secret key for later policy processing. */ @@ -611,7 +611,7 @@ rsa_sig_decode_hash (struct message *msg) } #endif /* USE_POLICY || USE_KEYNOTE */ - /* Obtain a certificate from our certificate storage */ + /* Obtain a certificate from our certificate storage. */ if (handler->cert_obtain (id, id_len, 0, &rawcert, &rawcertlen)) { if (handler->id == ISAKMP_CERTENC_X509_SIG) @@ -667,7 +667,7 @@ rsa_sig_decode_hash (struct message *msg) GET_ISAKMP_CERT_ENCODING (p->p)))); continue; } - + cert = handler->cert_get (p->p + ISAKMP_CERT_DATA_OFF, GET_ISAKMP_GEN_LENGTH (p->p) - ISAKMP_CERT_DATA_OFF); @@ -764,15 +764,15 @@ rsa_sig_decode_hash (struct message *msg) found++; } - /* If no certificate provided a key, try to find a validated DNSSEC KEY. */ #if defined(USE_DNSSEC) + /* If no certificate provided a key, try to find a validated DNSSEC KEY. */ if (!found) { rawkey = dns_get_key (IKE_AUTH_RSA_SIG, msg, &rawkeylen); if (rawkey) found++; - - /* We need to convert 'void *rawkey' into 'RSA *key'. */ + + /* We need to convert 'void *rawkey' into 'RSA *key'. */ if (dns_RSA_dns_to_x509 (rawkey, rawkeylen, &key) == -1) { log_print ("rsa_sig_decode_hash: KEY to RSA key conversion failed"); @@ -858,10 +858,10 @@ pre_shared_encode_hash (struct message *msg) buf = ipsec_add_hash_payload (msg, hashsize); if (!buf) return -1; - + if (ike_auth_hash (exchange, buf + ISAKMP_HASH_DATA_OFF) == -1) return -1; - + snprintf (header, 80, "pre_shared_encode_hash: HASH_%c", initiator ? 'I' : 'R'); LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize)); 
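Review bot: In the `@@ -764,15` hunk, `dns_RSA_dns_to_x509 (rawkey, rawkeylen, &key)` is called even when `dns_get_key` returned NULL, because only the `found++` is conditional on `rawkey`; whether the converter tolerates a NULL key is outside this hunk, so at best this logs a spurious conversion failure and at worst dereferences NULL. Folding the conversion into the guard keeps the failure path explicit: `if (rawkey) { found++; if (dns_RSA_dns_to_x509 (rawkey, rawkeylen, &key) == -1) { ... } }`. rsa_sig_decode_hash's body continues on both sides of the hunk.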
@@ -1019,7 +1019,7 @@ rsa_sig_encode_hash (struct message *msg) id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); break; - /* XXX Support more ID types ? */ + /* XXX Support more ID types? */ default: buf2 = NULL; break; @@ -1076,7 +1076,7 @@ rsa_sig_encode_hash (struct message *msg) free (buf); return -1; } - + snprintf (header, 80, "rsa_sig_encode_hash: HASH_%c", initiator ? 'I' : 'R'); LOG_DBG_BUF ((LOG_MISC, 80, header, buf, hashsize)); diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c index b953df6295d..43a66cfe533 100644 --- a/sbin/isakmpd/x509.c +++ b/sbin/isakmpd/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.51 2001/05/31 20:20:59 angelos Exp $ */ +/* $OpenBSD: x509.c,v 1.52 2001/06/05 05:59:43 niklas Exp $ */ /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ /* @@ -1029,7 +1029,7 @@ x509_certreq_decode (u_int8_t *asn, u_int32_t len) if (!asn_template_clone (&aca, 1) || (asn = asn_decode_sequence (asn, len, &aca)) == 0) { - log_print ("x509_certreq_validate: can not decode 'acceptable CA' info"); + log_print ("x509_certreq_decode: can not decode 'acceptable CA' info"); goto fail; } memset (&naca, 0, sizeof (naca)); @@ -1138,8 +1138,17 @@ x509_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, if (!scert) return 0; + *certlen = LC (i2d_X509, (scert, NULL)); + p = *cert = malloc (*certlen); + if (!p) + { + log_error ("x509_cert_obtain: malloc (%d) failed", *certlen); + return 0; + } + *certlen = LC (i2d_X509, (scert, &p)); + x509_serialize (scert, cert, certlen); - if (*cert == NULL) + if (!*cert) return 0; return 1; } @@ -1373,15 +1382,15 @@ x509_printable (void *cert) int i; x509_serialize (cert, &data, &datalen); - if (data == NULL) - return NULL; + if (!data) + return 0; s = malloc (datalen * 2); - if (s == NULL) + if (!s) { free (data); log_error ("x509_printable: malloc (%d) failed", datalen * 2); - return NULL; + return 0; } for (i = 0; i < datalen; i++) 
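Review bot: In the `@@ -1138,8` hunk of x509.c, the newly added `i2d_X509`/`malloc` sequence stores a freshly allocated DER buffer in `*cert`, and the retained `x509_serialize (scert, cert, certlen);` immediately afterwards overwrites `*cert` again (x509_printable in this same file treats x509_serialize as producing its own buffer), so the first allocation leaks on every call. The certificate is also serialized twice, and the added lines assign the `int` result of i2d_X509, negative on error, to `*certlen` before using it as the malloc size. Dropping the nine added lines and keeping the original `x509_serialize (scert, cert, certlen); if (!*cert) return 0;` removes the duplicate work and the leak; if the intent was to stop using x509_serialize here, the serialize call is the one that should go.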
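Review bot: In the `@@ -1373,15` hunk, `s = malloc (datalen * 2);` leaves no room for a terminating NUL, so if the loop that follows (its body is past the end of the hunk) formats each byte with something like `sprintf (s + 2 * i, "%02x", data[i])`, the final write places the terminator one byte beyond the allocation. If that is the case, `s = malloc (datalen * 2 + 1);` is the fix, and the `malloc (%d) failed` message should report the same size. x509_printable continues outside the hunk.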
@@ -1400,10 +1409,10 @@ x509_from_printable (char *cert) plen = (strlen (cert) + 1) / 2; buf = malloc (plen); - if (buf == NULL) + if (!buf) { log_error ("x509_from_printable: malloc (%d) failed", plen); - return NULL; + return 0; } ret = hex2raw (cert, buf, plen); @@ -1411,12 +1420,12 @@ x509_from_printable (char *cert) { free (buf); log_error ("x509_from_printable: badly formatted cert"); - return NULL; + return 0; } foo = x509_cert_get (buf, plen); free (buf); - if (foo == NULL) + if (!foo) log_error ("x509_from_printable: could not retrieve certificate"); return foo; } |
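Review bot: In the `@@ -1400,10` hunk, `plen = (strlen (cert) + 1) / 2;` rounds an odd-length hex string up, so `hex2raw (cert, buf, plen)` is asked to fill one more byte than the input encodes; unless hex2raw rejects odd lengths (its body is not visible here), the last byte of `buf` stays uninitialized and is passed on to x509_cert_get. Checking parity up front makes the contract explicit: `if (strlen (cert) & 1) { log_print ("x509_from_printable: odd-length cert"); return 0; }` before the malloc, or else a comment stating that hex2raw guarantees this. Both hunks on this line belong to x509_from_printable, whose opening lies before the first of them.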