From d9c0b9d5c66492218adb2bc09af65060864b4d93 Mon Sep 17 00:00:00 2001 From: "Angelos D. Keromytis" Date: Thu, 31 May 2001 20:25:11 +0000 Subject: Copy the new information from the exchange to the sa at the end of the exchange, and generalize certificate copying by taking advantage of the new routines in the cert handler. --- sbin/isakmpd/exchange.c | 83 +++++++++++++++++++++---------------------------- 1 file changed, 36 insertions(+), 47 deletions(-) (limited to 'sbin/isakmpd/exchange.c') diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c index 4900fe7376f..02b41a00d3c 100644 --- a/sbin/isakmpd/exchange.c +++ b/sbin/isakmpd/exchange.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exchange.c,v 1.46 2001/05/05 00:48:11 angelos Exp $ */ +/* $OpenBSD: exchange.c,v 1.47 2001/05/31 20:25:10 angelos Exp $ */ /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ /* @@ -63,9 +63,7 @@ #include "ipsec.h" #include "sa.h" #include "util.h" -#ifdef USE_X509 -#include "x509.h" -#endif +#include "key.h" /* Initial number of bits from the cookies used as hash. */ #define INITIAL_BUCKET_BITS 6 @@ -1181,11 +1179,21 @@ exchange_free_aux (void *v_exch) handler = cert_get (exchange->recv_certtype); if (handler) handler->cert_free (exchange->recv_cert); - else if (exchange->recv_certtype == ISAKMP_CERTENC_NONE) - free (exchange->recv_cert); + } + if (exchange->sent_cert) + { + handler = cert_get (exchange->sent_certtype); + if (handler) + handler->cert_free (exchange->sent_cert); } if (exchange->recv_key) - free (exchange->recv_key); + key_free (exchange->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, + exchange->recv_key); + if (exchange->sent_key) + key_free (exchange->sent_keytype, ISAKMP_KEYTYPE_PRIVATE, + exchange->sent_key); + if (exchange->keynote_key) + free (exchange->keynote_key); /* This is just a string */ #if defined(POLICY) || defined(KEYNOTE) if (exchange->policy_id != -1) @@ -1279,6 +1287,7 @@ exchange_finalize (struct message *msg) struct proto *proto; struct conf_list *attrs; struct conf_list_node *attr; + struct cert_handler *handler; int i; exchange_dump ("exchange_finalize", exchange); @@ -1347,55 +1356,35 @@ exchange_finalize (struct message *msg) exchange->keystate = 0; msg->isakmp_sa->recv_certtype = exchange->recv_certtype; - msg->isakmp_sa->recv_certlen = exchange->recv_certlen; + msg->isakmp_sa->sent_certtype = exchange->sent_certtype; + msg->isakmp_sa->recv_keytype = exchange->recv_keytype; + msg->isakmp_sa->sent_keytype = exchange->sent_keytype; msg->isakmp_sa->recv_key = exchange->recv_key; + msg->isakmp_sa->sent_key = exchange->sent_key; + msg->isakmp_sa->keynote_key = exchange->keynote_key; exchange->recv_key = NULL; /* Reset */ + exchange->sent_key = NULL; /* Reset */ + exchange->keynote_key = NULL; /* Reset */ msg->isakmp_sa->policy_id = exchange->policy_id; exchange->policy_id = -1; /* Reset */ msg->isakmp_sa->id_i_len = exchange->id_i_len; msg->isakmp_sa->id_r_len = exchange->id_r_len; msg->isakmp_sa->initiator = exchange->initiator; - switch (exchange->recv_certtype) - { - case ISAKMP_CERTENC_NONE: - case ISAKMP_CERTENC_KEYNOTE: /* No need for special handling */ - msg->isakmp_sa->recv_cert = malloc (exchange->recv_certlen); - if (!msg->isakmp_sa->recv_cert) - { - log_error ("exchange_finalize: malloc (%d) failed", - exchange->recv_certlen); - /* XXX How to cleanup? */ - return; - } - memcpy (msg->isakmp_sa->recv_cert, exchange->recv_cert, - msg->isakmp_sa->recv_certlen); - break; - - case ISAKMP_CERTENC_X509_SIG: -#ifdef USE_X509 - msg->isakmp_sa->recv_cert = LC (X509_dup, - ((X509 *) exchange->recv_cert)); - if (!msg->isakmp_sa->recv_cert) - { - log_print ("exchange_finalize: " - "failed copying X509 certificate to isakmp_sa"); - /* XXX How to cleanup? */ - return; - } - break; -#endif + if (exchange->recv_certtype && exchange->recv_cert) + { + handler = cert_get (exchange->recv_certtype); + if (handler) + msg->isakmp_sa->recv_cert = + handler->cert_dup (exchange->recv_cert); + } - /* XXX Eventually handle these */ - case ISAKMP_CERTENC_PKCS: - case ISAKMP_CERTENC_PGP: - case ISAKMP_CERTENC_DNS: - case ISAKMP_CERTENC_X509_KE: - case ISAKMP_CERTENC_KERBEROS: - case ISAKMP_CERTENC_CRL: - case ISAKMP_CERTENC_ARL: - case ISAKMP_CERTENC_SPKI: - case ISAKMP_CERTENC_X509_ATTR: + if (exchange->sent_certtype) + { + handler = cert_get (exchange->sent_certtype); + if (handler) + msg->isakmp_sa->sent_cert = + handler->cert_dup (exchange->sent_cert); } LOG_DBG ((LOG_EXCHANGE, 10, -- cgit v1.2.3