Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ipsec.c58
-rw-r--r--sbin/isakmpd/policy.c111
2 files changed, 79 insertions, 90 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index eb17946787d..47ef4eabe4e 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.57 2001/08/24 09:29:14 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.58 2001/08/25 22:22:11 niklas Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -72,6 +72,7 @@
#include "timer.h"
#include "transport.h"
#include "util.h"
+#include "x509.h"
/* Backwards compatibility. */
#ifndef NI_MAXHOST
@@ -1844,6 +1845,10 @@ ipsec_get_id (char *section, int *id, struct sockaddr **addr,
return 0;
}
+/*
+ * XXX I rather want this function to return a status code, and fail if
+ * we cannot fit the information in the supplied buffer.
+ */
static void
ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
int isakmpform)
@@ -1856,9 +1861,9 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
{
if (!isakmpform)
{
- /* exchanges and SAs dont carry the IDs in ISAKMP form */
- id -= ISAKMP_ID_TYPE_OFF;
- id_len += ISAKMP_ID_TYPE_OFF;
+ /* Exchanges and SAs dont carry the IDs in ISAKMP form. */
+ id -= ISAKMP_GEN_SZ;
+ id_len += ISAKMP_GEN_SZ;
}
id_type = GET_ISAKMP_ID_TYPE (id);
@@ -1870,6 +1875,7 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
snprintf (buf, size, "%08x: %s",
decode_32 (id + ISAKMP_ID_DATA_OFF), addr);
break;
+
case IPSEC_ID_IPV4_ADDR_SUBNET:
util_ntoa (&addr, AF_INET, id + ISAKMP_ID_DATA_OFF);
util_ntoa (&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4);
@@ -1877,11 +1883,13 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
decode_32 (id + ISAKMP_ID_DATA_OFF),
decode_32 (id + ISAKMP_ID_DATA_OFF + 4), addr, mask);
break;
+
case IPSEC_ID_IPV6_ADDR:
util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
snprintf (buf, size, "%08x%08x%08x%08x: %s", *idp, *(idp + 1),
*(idp + 2), *(idp + 3), addr);
break;
+
case IPSEC_ID_IPV6_ADDR_SUBNET:
util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
util_ntoa (&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF +
@@ -1899,6 +1907,21 @@ ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len,
memcpy (buf, id + ISAKMP_ID_DATA_OFF, id_len);
buf[id_len] = '\0';
break;
+
+#ifdef USE_X509
+ case IPSEC_ID_DER_ASN1_DN:
+ addr = x509_DN_string (id + ISAKMP_ID_DATA_OFF,
+ id_len - ISAKMP_ID_DATA_OFF);
+ if (!addr)
+ {
+ snprintf(buf, size, "unparsable ASN1 DN ID");
+ return;
+ }
+ strncpy (buf, addr, size - 1);
+ buf[size - 1] = '\0';
+ break;
+#endif
+
default:
snprintf (buf, size, "<id type unknown: %x>", id_type);
break;
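Review bot: The new IPSEC_ID_DER_ASN1_DN arm bounds its copy with `strncpy (buf, addr, size - 1)`, which with `int size` is only safe for size >= 1 (size 0 hands (size_t)-1 to strncpy), whereas every other arm of this switch formats through snprintf, which tolerates size 0; `snprintf (buf, size, "%s", addr);` gives the same bounded, NUL-terminated copy in one line and keeps the arms uniform. The length argument `id_len - ISAKMP_ID_DATA_OFF` is an unsigned subtraction that wraps if a truncated ID leaves id_len below ISAKMP_ID_DATA_OFF; whether the caller already rejects such IDs is not visible here, and if it does not, a guard before the x509_DN_string call is worth adding. Whether `addr` returned by x509_DN_string is released after the switch like the util_ntoa results is also outside the hunk. Style-wise, `snprintf(buf, size, ...)` on the failure line drops the space before the parenthesis used everywhere else in the file. ipsec_decode_id starts before this hunk.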
@@ -2279,7 +2302,7 @@ ipsec_id_string (u_int8_t *id, size_t id_len)
{
char *buf = 0;
char *addrstr = 0;
- size_t len;
+ size_t len, size;
/*
* XXX Real ugly way of making the offsets correct. Be aware that id now
@@ -2291,9 +2314,14 @@ ipsec_id_string (u_int8_t *id, size_t id_len)
/* This is the actual length of the ID data field. */
id_len += ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF;
- /* Conservative allocation. */
- buf = malloc (MAX (sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
- sizeof "ufqdn/" + id_len - ISAKMP_ID_DATA_OFF));
+ /*
+ * Conservative allocation.
+ * XXX I think the ASN1 DN case can be thought through to give a better
+ * estimate.
+ */
+ size = MAX (sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+ sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF);
+ buf = malloc (size);
if (!buf)
/* XXX Log? */
goto fail;
@@ -2328,6 +2356,20 @@ ipsec_id_string (u_int8_t *id, size_t id_len)
*(buf + len + id_len) = '\0';
break;
+#ifdef USE_X509
+ case IPSEC_ID_DER_ASN1_DN:
+ strcpy (buf, "asn1_dn/");
+ len = strlen(buf);
+ addrstr = x509_DN_string (id + ISAKMP_ID_DATA_OFF,
+ id_len - ISAKMP_ID_DATA_OFF);
+ if (!addrstr)
+ goto fail;
+ if (size < len + strlen (addrstr) + 1)
+ goto fail;
+ strcpy (buf + len, addrstr);
+ break;
+#endif
+
default:
/* Unknown type. */
LOG_DBG ((LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n",
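Review bot: The check `if (size < len + strlen (addrstr) + 1) goto fail;` turns a long DN into a hard failure of ipsec_id_string, because `size` is estimated in the hunk above from the DER length (`sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF`) and a printable DN with its attribute separators can be longer than its DER encoding; the XXX comment added there already concedes the estimate is weak. Since the DN string is in hand before anything is written into buf, growing the buffer to fit instead of failing is straightforward, assuming the `fail:` label frees both `buf` and `addrstr` as their initialisation to 0 suggests. `strlen(buf)` on the new line also lacks the space before the parenthesis that `strlen (addrstr)` two lines later uses. The rest of ipsec_id_string lies outside the hunk.
```c
#ifdef USE_X509
    case IPSEC_ID_DER_ASN1_DN:
      addrstr = x509_DN_string (id + ISAKMP_ID_DATA_OFF,
				id_len - ISAKMP_ID_DATA_OFF);
      if (!addrstr)
	goto fail;
      len = sizeof "asn1_dn/" - 1;
      if (size < len + strlen (addrstr) + 1)
	{
	  /* The DER-based estimate was too small for this DN; grow to fit.  */
	  char *nbuf = realloc (buf, len + strlen (addrstr) + 1);
	  if (!nbuf)
	    goto fail;
	  buf = nbuf;
	}
      memcpy (buf, "asn1_dn/", len);
      strcpy (buf + len, addrstr);
      break;
#endif
```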
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index f4652b3c0fd..32b703aa9c8 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.44 2001/08/24 11:19:01 ho Exp $ */
+/* $OpenBSD: policy.c,v 1.45 2001/08/25 22:22:11 niklas Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -184,7 +184,6 @@ policy_callback (char *name)
time_t tt;
char *addr;
static char mytimeofday[15];
- X509_NAME *x509name;
/* We use all these as a cache. */
static char *esp_present, *ah_present, *comp_present;
@@ -876,31 +875,15 @@ policy_callback (char *name)
case IPSEC_ID_DER_ASN1_DN:
remote_id_type = "ASN1 DN";
- remote_id = calloc (257, sizeof (char));
+ remote_id = x509_DN_string (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ,
+ id_sz - ISAKMP_ID_DATA_OFF
+ + ISAKMP_GEN_SZ);
if (!remote_id)
{
- log_error ("policy_callback: calloc (%d, %d) failed", 257,
- sizeof (char));
- goto bad;
- }
-
- addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
- x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr,
- id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ));
- if (!x509name)
- {
- log_error ("policy_callback: failed to initialize DN");
- goto bad;
- }
- if (!LC (X509_NAME_oneline, (x509name, remote_id, 256)))
- {
LOG_DBG ((LOG_POLICY, 50,
- "policy_callback: failed to decode name"));
- LC (X509_NAME_free, (x509name));
+ "policy_callback: failed to decode name"));
goto bad;
-
}
- LC (X509_NAME_free, (x509name));
break;
case IPSEC_ID_DER_ASN1_GN: /* XXX */
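Review bot: remote_id is now produced by x509_DN_string instead of X509_NAME_oneline, and the same substitution is made for remote_filter and local_filter in the two later hunks (at -1148 and -1469); if x509_DN_string renders the DN in a textual form other than X509_NAME_oneline's "/C=.../O=..." output, any policy that matches on these strings will silently stop matching, so the commit should either state that the format is unchanged or document the new one. The hunk also drops the `log_error ("policy_callback: failed to initialize DN")` the old code emitted when a peer-supplied DN failed to parse, leaving only a LOG_DBG at level 50; a malformed DN from a remote is worth keeping at error level, e.g. `log_error ("policy_callback: failed to decode name");` ahead of the goto. A NULL from x509_DN_string now also covers allocation failure, which the old code reported separately. policy_callback continues on both sides of the hunk.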
@@ -1148,61 +1131,43 @@ policy_callback (char *name)
case IPSEC_ID_FQDN:
remote_filter_type = "FQDN";
- remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1);
if (!remote_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed",
- idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ log_error ("policy_callback: malloc (%d) failed",
+ idremotesz - ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF,
- idremotesz);
+ idremotesz - ISAKMP_ID_DATA_OFF);
+ remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0';
break;
case IPSEC_ID_USER_FQDN:
remote_filter_type = "User FQDN";
- remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ remote_filter = malloc (idremotesz - ISAKMP_ID_DATA_OFF + 1);
if (!remote_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed",
- idremotesz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ log_error ("policy_callback: malloc (%d) failed",
+ idremotesz - ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF,
- idremotesz);
+ idremotesz - ISAKMP_ID_DATA_OFF);
+ remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] = '\0';
break;
case IPSEC_ID_DER_ASN1_DN:
remote_filter_type = "ASN1 DN";
- remote_filter = calloc (257, sizeof (char));
+ remote_filter = x509_DN_string (idremote + ISAKMP_ID_DATA_OFF,
+ idremotesz - ISAKMP_ID_DATA_OFF);
if (!remote_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed", 257,
- sizeof (char));
- goto bad;
- }
-
- addr = idremote + ISAKMP_ID_DATA_OFF;
- x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr,
- idremotesz - ISAKMP_ID_DATA_OFF));
- if (!x509name)
- {
- log_error ("policy_callback: failed to initialize DN");
- goto bad;
- }
- if (!LC (X509_NAME_oneline, (x509name, remote_filter, 256)))
- {
LOG_DBG ((LOG_POLICY, 50,
"policy_callback: failed to decode name"));
- LC (X509_NAME_free, (x509name));
goto bad;
}
- LC (X509_NAME_free, (x509name));
break;
case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */
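Review bot: The FQDN and User FQDN arms size the copy as `idremotesz - ISAKMP_ID_DATA_OFF + 1` and then store through `remote_filter[idremotesz - ISAKMP_ID_DATA_OFF]`, but nothing in the hunk establishes idremotesz >= ISAKMP_ID_DATA_OFF; for an ID payload shorter than its header the subtraction goes negative or wraps, and whether the caller already rejects such payloads is not visible here. A guard such as `if (idremotesz < ISAKMP_ID_DATA_OFF) goto bad;` before the switch (and the same for idlocalsz in the -1469 hunk) would make these arms self-contained. The `%d` in `log_error ("policy_callback: malloc (%d) failed", ...)` also assumes the expression is int; if idremotesz is a size_t, the argument should be cast to unsigned long and printed with `%lu`. policy_callback continues outside the hunk.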
@@ -1469,61 +1434,43 @@ policy_callback (char *name)
case IPSEC_ID_FQDN:
local_filter_type = "FQDN";
- local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1);
if (!local_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed",
- idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ log_error ("policy_callback: malloc (%d) failed",
+ idlocalsz - ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF,
- idlocalsz);
+ idlocalsz - ISAKMP_ID_DATA_OFF);
+ local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
break;
case IPSEC_ID_USER_FQDN:
local_filter_type = "User FQDN";
- local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ local_filter = malloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1);
if (!local_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed",
- idlocalsz - ISAKMP_ID_DATA_OFF + 1,
- sizeof (char));
+ log_error ("policy_callback: malloc (%d) failed",
+ idlocalsz - ISAKMP_ID_DATA_OFF + 1);
goto bad;
}
memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF,
- idlocalsz);
+ idlocalsz - ISAKMP_ID_DATA_OFF);
+ local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] = '\0';
break;
case IPSEC_ID_DER_ASN1_DN:
local_filter_type = "ASN1 DN";
- local_filter = calloc (257, sizeof (char));
+ local_filter = x509_DN_string (idlocal + ISAKMP_ID_DATA_OFF,
+ idlocalsz - ISAKMP_ID_DATA_OFF);
if (!local_filter)
{
- log_error ("policy_callback: calloc (%d, %d) failed", 257,
- sizeof (char));
- goto bad;
- }
-
- addr = idlocal + ISAKMP_ID_DATA_OFF;
- x509name = LC (d2i_X509_NAME, (NULL, (unsigned char **) &addr,
- idlocalsz - ISAKMP_ID_DATA_OFF));
- if (!x509name)
- {
- log_error ("policy_callback: failed to initialize DN");
- goto bad;
- }
- if (!LC (X509_NAME_oneline, (x509name, local_filter, 256)))
- {
LOG_DBG ((LOG_POLICY, 50,
"policy_callback: failed to decode name"));
- LC (X509_NAME_free, (x509name));
goto bad;
}
- LC (X509_NAME_free, (x509name));
break;
case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */