-/* $OpenBSD: pfkdump.c,v 1.37 2015/01/16 06:39:58 deraadt Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.38 2015/04/14 12:22:15 mikeb Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
static void print_key(struct sadb_ext *, struct sadb_msg *);
static void print_life(struct sadb_ext *, struct sadb_msg *);
static void print_ident(struct sadb_ext *, struct sadb_msg *);
-static void print_auth(struct sadb_ext *, struct sadb_msg *);
-static void print_cred(struct sadb_ext *, struct sadb_msg *);
static void print_udpenc(struct sadb_ext *, struct sadb_msg *);
static void print_tag(struct sadb_ext *, struct sadb_msg *);
static void print_tap(struct sadb_ext *, struct sadb_msg *);
{ SADB_X_EXT_SA2, "sa2", print_sa },
{ SADB_X_EXT_DST2, "dst2", print_addr },
{ SADB_X_EXT_POLICY, "policy", print_policy },
- { SADB_X_EXT_LOCAL_AUTH, "local_auth", print_auth },
{ SADB_X_EXT_SUPPORTED_COMP, "supported_comp", print_supp },
- { SADB_X_EXT_REMOTE_AUTH, "remote_auth", print_auth },
- { SADB_X_EXT_LOCAL_CREDENTIALS, "local_cred", print_cred },
- { SADB_X_EXT_REMOTE_CREDENTIALS,"remote_cred", print_cred },
{ SADB_X_EXT_UDPENCAP, "udpencap", print_udpenc },
{ SADB_X_EXT_LIFETIME_LASTUSE, "lifetime_lastuse", print_life },
{ SADB_X_EXT_TAG, "tag", print_tag },
{ 0, NULL, NULL }
};
-struct idname cred_types[] = {
- { SADB_X_CREDTYPE_X509, "x509-asn1", NULL },
- { SADB_X_CREDTYPE_KEYNOTE, "keynote", NULL },
- { 0, NULL, NULL }
-};
-
struct idname enc_types[] = {
{ SADB_EALG_NONE, "none", NULL },
{ SADB_EALG_3DESCBC, "3des-cbc", NULL },
{ 0, NULL, NULL }
};
-struct idname xauth_types[] = {
- { SADB_X_AUTHTYPE_NONE, "none", NULL },
- { SADB_X_AUTHTYPE_PASSPHRASE, "passphrase", NULL },
- { SADB_X_AUTHTYPE_RSA, "rsa", NULL },
- { 0, NULL, NULL }
-};
-
struct idname flag_types[] = {
{ SADB_SAFLAGS_PFS, "pfs", NULL },
{ SADB_X_SAFLAGS_TUNNEL, "tunnel", NULL },
ident->sadb_ident_id, (char *)(ident + 1));
}
-/* ARGSUSED1 */
-static void
-print_auth(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_cred *x_cred = (struct sadb_x_cred *)ext;
-
- printf("type %s",
- lookup_name(xauth_types, x_cred->sadb_x_cred_type));
-}
-
-/* ARGSUSED1 */
-static void
-print_cred(struct sadb_ext *ext, struct sadb_msg *msg)
-{
- struct sadb_x_cred *x_cred = (struct sadb_x_cred *)ext;
- printf("type %s",
- lookup_name(cred_types, x_cred->sadb_x_cred_type));
-}
-
/* ARGSUSED1 */
static void
print_policy(struct sadb_ext *ext, struct sadb_msg *msg)
-/* $OpenBSD: pf_key_v2.c,v 1.192 2015/03/26 12:21:37 mikeb Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.193 2015/04/14 12:22:15 mikeb Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
u_int8_t *pp;
int idtype;
struct ipsec_sa *isa = sa->data;
- struct sadb_x_cred *cred;
struct sadb_protocol flowtype, tprotocol;
struct sadb_x_udpencap udpencap;
char *addr_str, *s;
sid = 0;
}
- /*
- * Send received credentials to the kernel. We don't bother with
- * our credentials, since the process either knows them (if it
- * specified them with setsockopt()), or has no business looking at
- * them (e.g., system wide certs).
- */
- if (isakmp_sa->recv_cert) {
- switch (isakmp_sa->recv_certtype) {
- case ISAKMP_CERTENC_NONE:
- /* Nothing to be done here. */
- break;
-
- case ISAKMP_CERTENC_KEYNOTE:
- len = strlen(isakmp_sa->recv_cert);
- cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
- sizeof(u_int8_t));
- if (!cred)
- goto cleanup;
-
- cred->sadb_x_cred_len =
- ((sizeof *cred) / PF_KEY_V2_CHUNK) +
- PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK;
- cred->sadb_x_cred_exttype =
- SADB_X_EXT_REMOTE_CREDENTIALS;
- cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
- memcpy(cred + 1, isakmp_sa->recv_cert, len);
-
- if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred,
- PF_KEY_V2_NODE_MALLOCED) == -1)
- goto cleanup;
- break;
-
- case ISAKMP_CERTENC_X509_SIG:
- {
- u_int8_t *data;
- u_int32_t datalen;
- struct cert_handler *handler;
-
- /* We do it this way to avoid weird includes.*/
- handler = cert_get(ISAKMP_CERTENC_X509_SIG);
- if (!handler)
- break;
- handler->cert_serialize(isakmp_sa->recv_cert,
- &data, &datalen);
- if (!data)
- break;
-
- len = datalen;
- cred =
- calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
- sizeof(u_int8_t));
- if (!cred) {
- free(data);
- goto cleanup;
- }
- cred->sadb_x_cred_len =
- ((sizeof *cred) / PF_KEY_V2_CHUNK) +
- PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK;
- cred->sadb_x_cred_exttype =
- SADB_X_EXT_REMOTE_CREDENTIALS;
- cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
- memcpy(cred + 1, data, len);
- free(data);
-
- if (pf_key_v2_msg_add(update,
- (struct sadb_ext *) cred,
- PF_KEY_V2_NODE_MALLOCED) == -1)
- goto cleanup;
- }
- break;
- }
- }
-
- /*
- * Tell the kernel what the peer used to authenticate, unless it was a
- * passphrase.
- */
- if (isakmp_sa->recv_key) {
- u_int8_t *data;
-
- /*
- * If it's a private key, we shouldn't pass it to the kernel
- * for processes to see; successful authentication of Phase 1
- * implies that the process already knew the passphrase. On
- * the other hand, we don't want to reveal to processes any
- * system-wide passphrases used for authentication with remote
- * systems. Same reason we don't send up the key (private or
- * passphrase) we used to authenticate with the peer.
- */
- if (isakmp_sa->recv_keytype == ISAKMP_KEY_PASSPHRASE)
- goto doneauth;
-
- key_serialize(isakmp_sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC,
- isakmp_sa->recv_key, &data, &len);
- if (!data)
- goto cleanup;
-
- cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred,
- sizeof(u_int8_t));
- if (!cred) {
- free(data);
- goto cleanup;
- }
- cred->sadb_x_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) +
- PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK;
- cred->sadb_x_cred_exttype = SADB_X_EXT_REMOTE_AUTH;
- memcpy(cred + 1, data, len);
- free(data);
-
- switch (isakmp_sa->recv_keytype) {
- case ISAKMP_KEY_RSA:
- cred->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
- break;
-
- default:
- log_print("pf_key_v2_set_spi: "
- "unknown received key type %d",
- isakmp_sa->recv_keytype);
- free(cred);
- goto cleanup;
- }
-
- if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred,
- PF_KEY_V2_NODE_MALLOCED) == -1)
- goto cleanup;
- }
-doneauth:
-
/* Setup the flow type extension. */
bzero(&flowtype, sizeof flowtype);
flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
u_int8_t tproto = 0;
char tmbuf[sizeof sport * 3 + 1], *xform;
int connlen;
- struct sadb_x_cred *cred = 0, *sauth = 0;
/* This needs to be dynamically allocated. */
connlen = 22;
sproto = ext->seg;
tproto = sproto->sadb_protocol_proto;
- ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_CREDENTIALS);
- if (ext)
- cred = (struct sadb_x_cred *) ext->seg;
- else
- cred = 0;
-
- ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_AUTH);
- if (ext)
- sauth = (struct sadb_x_cred *) ext->seg;
- else
- sauth = 0;
-
bzero(ssflow, sizeof ssflow);
bzero(sdflow, sizeof sdflow);
bzero(ssmask, sizeof ssmask);
conf_end(af, 0);
goto fail;
}
- /* Store any credentials passed to us. */
- if (cred) {
- struct cert_handler *handler = 0;
- void *cert;
- char num[12], *certprint;
-
- /* Convert to bytes in-place. */
- cred->sadb_x_cred_len *= PF_KEY_V2_CHUNK;
-
- if (cred->sadb_x_cred_len <= sizeof *cred) {
- log_print("pf_key_v2_acquire: "
- "zero-length credentials, aborting SA "
- "acquisition");
- conf_end(af, 0);
- goto fail;
- }
- switch (cred->sadb_x_cred_type) {
- case SADB_X_CREDTYPE_X509:
- snprintf(num, sizeof num, "%d",
- ISAKMP_CERTENC_X509_SIG);
- handler = cert_get(ISAKMP_CERTENC_X509_SIG);
- break;
- case SADB_X_CREDTYPE_KEYNOTE:
- snprintf(num, sizeof num, "%d",
- ISAKMP_CERTENC_KEYNOTE);
- handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
- break;
- default:
- log_print("pf_key_v2_acquire: "
- "unknown credential type %d",
- cred->sadb_x_cred_type);
- conf_end(af, 0);
- goto fail;
- }
-
- if (!handler) {
- log_print("pf_key_v2_acquire: "
- "cert_get (%s) failed", num);
- conf_end(af, 0);
- goto fail;
- }
- /* Set the credential type as a number. */
- if (conf_set(af, peer, "Credential_type", num, 0, 0)) {
- conf_end(af, 0);
- goto fail;
- }
- /* Get the certificate. */
- cert = handler->cert_get((u_int8_t *) (cred + 1),
- cred->sadb_x_cred_len - sizeof *cred);
-
- /* Now convert to printable format. */
- certprint = handler->cert_printable(cert);
- handler->cert_free(cert);
- if (!certprint ||
- conf_set(af, peer, "Credentials", certprint, 0,
- 0)) {
- free(certprint);
- conf_end(af, 0);
- goto fail;
- }
- free(certprint);
- }
/* Phase 1 configuration. */
if (!conf_get_str(confname, "exchange_type")) {
- /*
- * We may have been provided with authentication
- * material.
- */
- if (sauth) {
- char *authm;
-
- /* Convert to bytes in-place. */
- sauth->sadb_x_cred_len *= PF_KEY_V2_CHUNK;
-
- switch (sauth->sadb_x_cred_type) {
- case SADB_X_AUTHTYPE_PASSPHRASE:
- if (conf_set(af, confname,
- "Transforms", "3DES-SHA", 0, 0)) {
- conf_end(af, 0);
- goto fail;
- }
- if (sauth->sadb_x_cred_len <=
- sizeof *sauth) {
- log_print("pf_key_v2_acquire: "
- "zero-length passphrase, "
- "aborting SA acquisition");
- conf_end(af, 0);
- goto fail;
- }
- authm = malloc(sauth->sadb_x_cred_len -
- sizeof *sauth + 1);
- if (!authm) {
- log_error("pf_key_v2_acquire: "
- "malloc (%lu) failed",
- sauth->sadb_x_cred_len -
- (unsigned long) sizeof *sauth + 1);
- conf_end(af, 0);
- goto fail;
- }
- memcpy(authm, sauth + 1,
- sauth->sadb_x_cred_len -
- sizeof *sauth + 1);
-
- /* Set the passphrase in the peer. */
- if (conf_set(af, peer,
- "Authentication", authm, 0, 0)) {
- free(authm);
- conf_end(af, 0);
- goto fail;
- }
- free(authm);
- break;
-
- case SADB_X_AUTHTYPE_RSA:
- if (conf_set(af, confname,
- "Transforms", "3DES-SHA-RSA_SIG",
- 0, 0)) {
- conf_end(af, 0);
- goto fail;
- }
- if (sauth->sadb_x_cred_len <=
- sizeof *sauth) {
- log_print("pf_key_v2_acquire: "
- "zero-length RSA key, "
- "aborting SA acquisition");
- conf_end(af, 0);
- goto fail;
- }
- authm = key_printable(ISAKMP_KEY_RSA,
- ISAKMP_KEYTYPE_PRIVATE,
- (u_int8_t *)(sauth + 1),
- sauth->sadb_x_cred_len -
- sizeof *sauth);
- if (!authm) {
- log_print("pf_key_v2_acquire: "
- "failed to convert "
- "private key to printable "
- "format (size %lu)",
- sauth->sadb_x_cred_len -
- (unsigned long) sizeof *sauth);
- conf_end(af, 0);
- goto fail;
- }
- /*
- * Set the key in the peer. We don't
- * use "Authentication" to avoid
- * potential conflicts with file-based
- * configurations that use public key
- * authentication but still specify
- * an "Authentication" tag (typically
- * as a remnant of passphrase-based
- * testing).
- */
- if (conf_set(af, peer,
- "PKAuthentication", authm, 0, 0)) {
- free(authm);
- conf_end(af, 0);
- goto fail;
- }
- free(authm);
- break;
-
- default:
- log_print("pf_key_v2_acquire: "
- "unknown authentication "
- "material type %d received from "
- "kernel", sauth->sadb_x_cred_type);
- conf_end(af, 0);
- goto fail;
- }
- } else {
- xform = conf_get_str(
- "Default-phase-1-configuration",
- "Transforms");
- if (conf_set(af, confname, "Transforms",
- xform ? xform : "3DES-SHA-RSA_SIG", 0,
- 0)) {
- conf_end(af, 0);
- goto fail;
- }
+ xform = conf_get_str("Default-phase-1-configuration",
+ "Transforms");
+ if (conf_set(af, confname, "Transforms", xform ? xform :
+ "3DES-SHA-RSA_SIG", 0, 0)) {
+ conf_end(af, 0);
+ goto fail;
}
if (conf_set(af, confname, "Exchange_Type", "ID_PROT",
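Review bot: The surviving fallback `xform ? xform : "3DES-SHA-RSA_SIG"` is now the only code that sets Transforms for a newly acquired peer inside the `!conf_get_str(confname, "exchange_type")` branch, and nothing says why that default is the compiled-in choice; a one-line comment such as `/* No Default-phase-1-configuration Transforms entry: use the built-in default. */` above the `xform = conf_get_str(...)` line would record it. The conditional is also split after the colon, leaving `"3DES-SHA-RSA_SIG", 0, 0)) {` alone on a line; breaking before `xform ?` keeps the whole expression together. pf_key_v2_acquire starts and ends outside this hunk.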
-/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
if (sa->tdb_dstid)
i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len);
- if (sa->tdb_local_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len);
-
- if (sa->tdb_remote_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len);
-
- if (sa->tdb_local_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len);
-
- if (sa->tdb_remote_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len);
-
if (sa->tdb_amxkey)
i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen);
export_identity(&p, sa, PFKEYV2_IDENTITY_DST);
}
- /* Export credentials, if present */
- if (sa->tdb_local_cred) {
- headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
- export_credentials(&p, sa, PFKEYV2_CRED_LOCAL);
- }
-
- if (sa->tdb_remote_cred) {
- headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p;
- export_credentials(&p, sa, PFKEYV2_CRED_REMOTE);
- }
-
- /* Export authentication information, if present */
- if (sa->tdb_local_auth) {
- headers[SADB_X_EXT_LOCAL_AUTH] = p;
- export_auth(&p, sa, PFKEYV2_AUTH_LOCAL);
- }
-
- if (sa->tdb_remote_auth) {
- headers[SADB_X_EXT_REMOTE_AUTH] = p;
- export_auth(&p, sa, PFKEYV2_AUTH_REMOTE);
- }
-
/* Export authentication key, if present */
if (sa->tdb_amxkey) {
headers[SADB_EXT_KEY_AUTH] = p;
PFKEYV2_IDENTITY_SRC);
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
- import_credentials(newsa,
- headers[SADB_X_EXT_LOCAL_CREDENTIALS],
- PFKEYV2_CRED_LOCAL);
- import_credentials(newsa,
- headers[SADB_X_EXT_REMOTE_CREDENTIALS],
- PFKEYV2_CRED_REMOTE);
- import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
- PFKEYV2_AUTH_LOCAL);
- import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
- PFKEYV2_AUTH_REMOTE);
import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
- import_credentials(newsa,
- headers[SADB_X_EXT_LOCAL_CREDENTIALS],
- PFKEYV2_CRED_LOCAL);
- import_credentials(newsa,
- headers[SADB_X_EXT_REMOTE_CREDENTIALS],
- PFKEYV2_CRED_REMOTE);
- import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
- PFKEYV2_AUTH_LOCAL);
- import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
- PFKEYV2_AUTH_REMOTE);
import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
{
void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
struct sadb_ident *srcid, *dstid;
- struct sadb_x_cred *lcred, *lauth;
struct sadb_comb *sadb_comb;
struct sadb_address *sadd;
struct sadb_prop *sa_prop;
if (ipo->ipo_dstid)
i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len);
- if (ipo->ipo_local_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-
- if (ipo->ipo_local_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-
/* Allocate */
if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
rval = ENOMEM;
sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len);
}
- if (ipo->ipo_local_cred) {
- headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
- p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
- lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS];
- lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t);
- switch (ipo->ipo_local_cred->ref_type) {
- case IPSP_CRED_KEYNOTE:
- lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
- break;
- case IPSP_CRED_X509:
- lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
- break;
- }
- bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] +
- sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len);
- }
-
- if (ipo->ipo_local_auth) {
- headers[SADB_X_EXT_LOCAL_AUTH] = p;
- p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
- lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH];
- lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t);
- switch (ipo->ipo_local_auth->ref_type) {
- case IPSP_AUTH_PASSPHRASE:
- lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
- break;
- case IPSP_AUTH_RSA:
- lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
- break;
- }
-
- bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] +
- sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len);
- }
-
headers[SADB_EXT_PROPOSAL] = p;
p += sizeof(struct sadb_prop);
sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];
-/* $OpenBSD: pfkeyv2.h,v 1.65 2014/12/28 10:02:37 tedu Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
u_int32_t sadb_x_policy_seq;
};
-struct sadb_x_cred {
- uint16_t sadb_x_cred_len;
- uint16_t sadb_x_cred_exttype;
- uint16_t sadb_x_cred_type;
- uint16_t sadb_x_cred_reserved;
-};
-
struct sadb_x_udpencap {
uint16_t sadb_x_udpencap_len;
uint16_t sadb_x_udpencap_exttype;
#define PFKEYV2_SENDMESSAGE_BROADCAST 3
#endif /* _KERNEL */
-#define SADB_X_CREDTYPE_NONE 0
-#define SADB_X_CREDTYPE_X509 1 /* ASN1 encoding of the certificate */
-#define SADB_X_CREDTYPE_KEYNOTE 2 /* NUL-terminated buffer */
-#define SADB_X_CREDTYPE_MAX 3
-
-#ifdef _KERNEL
-#define PFKEYV2_AUTH_LOCAL 0
-#define PFKEYV2_AUTH_REMOTE 1
-
-#define PFKEYV2_CRED_LOCAL 0
-#define PFKEYV2_CRED_REMOTE 1
-#endif /* _KERNEL */
-
-#define SADB_X_AUTHTYPE_NONE 0
-#define SADB_X_AUTHTYPE_PASSPHRASE 1
-#define SADB_X_AUTHTYPE_RSA 2
-#define SADB_X_AUTHTYPE_MAX 2
-
#define SADB_X_FLOW_TYPE_USE 1
#define SADB_X_FLOW_TYPE_ACQUIRE 2
#define SADB_X_FLOW_TYPE_REQUIRE 3
void export_address(void **, struct sockaddr *);
void export_identity(void **, struct tdb *, int);
void export_lifetime(void **, struct tdb *, int);
-void export_credentials(void **, struct tdb *, int);
void export_sa(void **, struct tdb *);
void export_flow(void **, u_int8_t, struct sockaddr_encap *,
struct sockaddr_encap *, void **);
void export_key(void **, struct tdb *, int);
-void export_auth(void **, struct tdb *, int);
void export_udpencap(void **, struct tdb *);
void export_tag(void **, struct tdb *);
void export_tap(void **, struct tdb *);
-void import_auth(struct tdb *, struct sadb_x_cred *, int);
void import_address(struct sockaddr *, struct sadb_address *);
void import_identity(struct tdb *, struct sadb_ident *, int);
void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
-void import_credentials(struct tdb *, struct sadb_x_cred *, int);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
void import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
struct sadb_address *, struct sadb_address *, struct sadb_address *,
-/* $OpenBSD: pfkeyv2_convert.c,v 1.47 2015/02/06 03:04:49 blambert Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
*p += PADUP(SA_LEN(sa));
}
-/*
- * Import authentication information into the TDB.
- */
-void
-import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth)
-{
- struct ipsec_ref **ipr;
-
- if (!sadb_auth)
- return;
-
- if (dstauth == PFKEYV2_AUTH_REMOTE)
- ipr = &tdb->tdb_remote_auth;
- else
- ipr = &tdb->tdb_local_auth;
-
- *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) +
- sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
- (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred);
-
- switch (sadb_auth->sadb_x_cred_type) {
- case SADB_X_AUTHTYPE_PASSPHRASE:
- (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE;
- break;
- case SADB_X_AUTHTYPE_RSA:
- (*ipr)->ref_type = IPSP_AUTH_RSA;
- break;
- default:
- free(*ipr, M_CREDENTIALS, 0);
- *ipr = NULL;
- return;
- }
- (*ipr)->ref_count = 1;
- (*ipr)->ref_malloctype = M_CREDENTIALS;
- bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred),
- (*ipr) + 1, (*ipr)->ref_len);
-}
-
-/*
- * Import a set of credentials into the TDB.
- */
-void
-import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred)
-{
- struct ipsec_ref **ipr;
-
- if (!sadb_cred)
- return;
-
- if (dstcred == PFKEYV2_CRED_REMOTE)
- ipr = &tdb->tdb_remote_cred;
- else
- ipr = &tdb->tdb_local_cred;
-
- *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) +
- sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
- (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred);
-
- switch (sadb_cred->sadb_x_cred_type) {
- case SADB_X_CREDTYPE_X509:
- (*ipr)->ref_type = IPSP_CRED_X509;
- break;
- case SADB_X_CREDTYPE_KEYNOTE:
- (*ipr)->ref_type = IPSP_CRED_KEYNOTE;
- break;
- default:
- free(*ipr, M_CREDENTIALS, 0);
- *ipr = NULL;
- return;
- }
- (*ipr)->ref_count = 1;
- (*ipr)->ref_malloctype = M_CREDENTIALS;
- bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred),
- (*ipr) + 1, (*ipr)->ref_len);
-}
-
/*
* Import an identity payload into the TDB.
*/
(*ipr)->ref_len);
}
-void
-export_credentials(void **p, struct tdb *tdb, int dstcred)
-{
- struct ipsec_ref **ipr;
- struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p;
-
- if (dstcred == PFKEYV2_CRED_REMOTE)
- ipr = &tdb->tdb_remote_cred;
- else
- ipr = &tdb->tdb_local_cred;
-
- sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
- switch ((*ipr)->ref_type) {
- case IPSP_CRED_KEYNOTE:
- sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
- break;
- case IPSP_CRED_X509:
- sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
- break;
- }
- *p += sizeof(struct sadb_x_cred);
- bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
- *p += PADUP((*ipr)->ref_len);
-}
-
-void
-export_auth(void **p, struct tdb *tdb, int dstauth)
-{
- struct ipsec_ref **ipr;
- struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p;
-
- if (dstauth == PFKEYV2_AUTH_REMOTE)
- ipr = &tdb->tdb_remote_auth;
- else
- ipr = &tdb->tdb_local_auth;
-
- sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
- switch ((*ipr)->ref_type) {
- case IPSP_AUTH_PASSPHRASE:
- sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
- break;
- case IPSP_AUTH_RSA:
- sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
- break;
- }
- *p += sizeof(struct sadb_x_cred);
- bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
- *p += PADUP((*ipr)->ref_len);
-}
-
void
export_identity(void **p, struct tdb *tdb, int type)
{
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
#define BITMAP_X_SA2 (1LL << SADB_X_EXT_SA2)
#define BITMAP_X_DST2 (1LL << SADB_X_EXT_DST2)
#define BITMAP_X_POLICY (1LL << SADB_X_EXT_POLICY)
-#define BITMAP_X_LOCAL_CREDENTIALS (1LL << SADB_X_EXT_LOCAL_CREDENTIALS)
-#define BITMAP_X_REMOTE_CREDENTIALS (1LL << SADB_X_EXT_REMOTE_CREDENTIALS)
-#define BITMAP_X_LOCAL_AUTH (1LL << SADB_X_EXT_LOCAL_AUTH)
-#define BITMAP_X_REMOTE_AUTH (1LL << SADB_X_EXT_REMOTE_AUTH)
-#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH)
#define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE)
#define BITMAP_X_SUPPORTED_COMP (1LL << SADB_X_EXT_SUPPORTED_COMP)
#define BITMAP_X_UDPENCAP (1LL << SADB_X_EXT_UDPENCAP)
/* GETSPI */
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
0,
/* EXPIRE */
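Review bot: Dropping BITMAP_X_CREDENTIALS from the allowed-extension entries here and in the second table below (its GETSPI through EXPIRE rows) means a message carrying SADB_X_EXT_LOCAL_AUTH, SADB_X_EXT_REMOTE_AUTH, SADB_X_EXT_LOCAL_CREDENTIALS or SADB_X_EXT_REMOTE_CREDENTIALS is now handled only by the parser's generic allowed-bitmap check and its default case, since the per-type `case` blocks that validated header length, type and the reserved field are removed as well. No hunk on this page removes the SADB_X_EXT_* numeric constants themselves, so a caller can still place those values on the wire; it is worth confirming that such a message is rejected with EINVAL rather than parsed past the header. A short comment at the first table, e.g. `/* credential/auth extensions retired; their type values are rejected */`, would save the next reader the search.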
/* GETSPI */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
/* EXPIRE */
}
}
break;
- case SADB_X_EXT_LOCAL_AUTH:
- case SADB_X_EXT_REMOTE_AUTH:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown auth "
- "type %d in AUTH extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved field"
- " set in AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
- case SADB_X_EXT_LOCAL_CREDENTIALS:
- case SADB_X_EXT_REMOTE_CREDENTIALS:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length of CREDENTIALS extension header "
- "%d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "credential type %d in CREDENTIALS "
- "extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved "
- "field set in CREDENTIALS extension "
- "header %d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
case SADB_EXT_IDENTITY_SRC:
case SADB_EXT_IDENTITY_DST:
{
-/* $OpenBSD: in.h,v 1.113 2015/04/10 13:58:20 dlg Exp $ */
+/* $OpenBSD: in.h,v 1.114 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
#define IP_ESP_NETWORK_LEVEL 22 /* int; full-packet encryption */
#define IP_IPSEC_LOCAL_ID 23 /* buf; IPsec local ID */
#define IP_IPSEC_REMOTE_ID 24 /* buf; IPsec remote ID */
-#define IP_IPSEC_LOCAL_CRED 25 /* buf; IPsec local credentials */
-#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */
-#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */
-#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */
+#define IP_IPSEC_LOCAL_CRED 25 /* buf; was: IPsec local credentials */
+#define IP_IPSEC_REMOTE_CRED 26 /* buf; was: IPsec remote credentials */
+#define IP_IPSEC_LOCAL_AUTH 27 /* buf; was: IPsec local auth material */
+#define IP_IPSEC_REMOTE_AUTH 28 /* buf; was: IPsec remote auth material */
#define IP_IPCOMP_LEVEL 29 /* int; compression used */
#define IP_RECVIF 30 /* bool; receive reception if w/dgram */
#define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */
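Review bot: The four option numbers IP_IPSEC_LOCAL_CRED through IP_IPSEC_REMOTE_AUTH keep their values, but the only hint that they are retired is the word "was:" in each comment; a reader cannot tell whether the IP setsockopt handler still accepts them or whether the numbers may be reused. Making the intent explicit, e.g. `/* 25-28: retired IPsec credential/auth options; values kept to preserve numbering, do not reuse */`, would settle both questions. Whether the setsockopt handler was changed to reject these options is not visible on this page.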
-/* $OpenBSD: in_pcb.c,v 1.168 2015/02/10 03:07:56 claudio Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.169 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
if (inp->inp_tdb_out)
TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp,
inp_tdb_out_next);
- if (inp->inp_ipsec_remotecred)
- ipsp_reffree(inp->inp_ipsec_remotecred);
- if (inp->inp_ipsec_remoteauth)
- ipsp_reffree(inp->inp_ipsec_remoteauth);
if (inp->inp_ipo)
ipsec_delete_policy(inp->inp_ipo);
#endif
-/* $OpenBSD: in_pcb.h,v 1.87 2014/11/15 10:55:47 dlg Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.88 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next;
struct tdb *inp_tdb_in, *inp_tdb_out;
struct ipsec_policy *inp_ipo;
- struct ipsec_ref *inp_ipsec_remotecred;
- struct ipsec_ref *inp_ipsec_remoteauth;
#define inp_flowinfo inp_hu.hu_ipv6.ip6_flow
int inp_cksum6;
-/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
}
/*
- * Check that credentials and IDs match. Return true if so. The t*
- * range of arguments contains information from TDBs; the p*
- * range of arguments contains information from policies or
- * already established TDBs.
+ * Check that IDs match. Return true if so. The t* range of
+ * arguments contains information from TDBs; the p* range of
+ * arguments contains information from policies or already
+ * established TDBs.
*/
int
ipsp_aux_match(struct tdb *tdb,
struct ipsec_ref *psrcid,
struct ipsec_ref *pdstid,
- struct ipsec_ref *plcred,
- struct ipsec_ref *prcred,
struct sockaddr_encap *pfilter,
struct sockaddr_encap *pfiltermask)
{
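Review bot: ipsp_aux_match loses its `plcred` and `prcred` parameters and the two callers in this file are updated, but no hunk on this page touches a prototype for ipsp_aux_match; if one is declared in ip_ipsp.h (the visible ip_ipsp.h hunks only change gettdbbydst), it and any caller outside ip_ipsp.c need the same change or the build breaks. The rewritten header comment could also state the remaining contract for the filter arguments, e.g. appending `Both pfilter and pfiltermask must be given for the filter comparison to be applied.`, so the reader does not have to infer it from the body. ipsp_aux_match's body continues outside this hunk.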
!ipsp_ref_match(tdb->tdb_dstid, pdstid))
return 0;
- if (plcred != NULL)
- if (tdb->tdb_local_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_local_cred, plcred))
- return 0;
-
- if (prcred != NULL)
- if (tdb->tdb_remote_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_remote_cred, prcred))
- return 0;
-
/* Check for filter matches. */
if (pfilter != NULL && pfiltermask != NULL &&
tdb->tdb_filter.sen_type) {
struct tdb *
gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto,
struct ipsec_ref *srcid, struct ipsec_ref *dstid,
- struct ipsec_ref *local_cred, struct sockaddr_encap *filter,
- struct sockaddr_encap *filtermask)
+ struct sockaddr_encap *filter, struct sockaddr_encap *filtermask)
{
u_int32_t hashval;
struct tdb *tdbp;
(tdbp->tdb_rdomain == rdomain) &&
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) {
- /* Do IDs and local credentials match ? */
- if (!ipsp_aux_match(tdbp, srcid, dstid,
- local_cred, NULL, filter, filtermask))
+ /* Do IDs match ? */
+ if (!ipsp_aux_match(tdbp, srcid, dstid, filter,
+ filtermask))
continue;
break;
}
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) {
/* Check whether IDs match */
- if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL,
- filter, filtermask))
+ if (!ipsp_aux_match(tdbp, dstid, srcid, filter,
+ filtermask))
continue;
break;
}
timeout_del(&tdbp->tdb_stimer_tmo);
timeout_del(&tdbp->tdb_sfirst_tmo);
- if (tdbp->tdb_local_auth) {
- ipsp_reffree(tdbp->tdb_local_auth);
- tdbp->tdb_local_auth = NULL;
- }
-
- if (tdbp->tdb_remote_auth) {
- ipsp_reffree(tdbp->tdb_remote_auth);
- tdbp->tdb_remote_auth = NULL;
- }
-
if (tdbp->tdb_srcid) {
ipsp_reffree(tdbp->tdb_srcid);
tdbp->tdb_srcid = NULL;
tdbp->tdb_dstid = NULL;
}
- if (tdbp->tdb_local_cred) {
- ipsp_reffree(tdbp->tdb_local_cred);
- tdbp->tdb_local_cred = NULL;
- }
-
- if (tdbp->tdb_remote_cred) {
- ipsp_reffree(tdbp->tdb_remote_cred);
- tdbp->tdb_remote_cred = NULL;
- }
-
#if NPF > 0
if (tdbp->tdb_tag) {
pf_tag_unref(tdbp->tdb_tag);
-/* $OpenBSD: ip_ipsp.h,v 1.163 2015/04/13 16:48:01 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
struct ipsec_ref *ipo_srcid;
struct ipsec_ref *ipo_dstid;
- struct ipsec_ref *ipo_local_cred;
- struct ipsec_ref *ipo_local_auth;
TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */
#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */
-/* Authentication types */
-#define IPSP_AUTH_NONE 0
-#define IPSP_AUTH_PASSPHRASE 1
-#define IPSP_AUTH_RSA 2
-
-/* Credential types */
-#define IPSP_CRED_NONE 0
-#define IPSP_CRED_KEYNOTE 1
-#define IPSP_CRED_X509 2
-
/* Identity types */
#define IPSP_IDENTITY_NONE 0
#define IPSP_IDENTITY_PREFIX 1
u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */
- struct ipsec_ref *tdb_local_cred;
- struct ipsec_ref *tdb_remote_cred;
struct ipsec_ref *tdb_srcid; /* Source ID for this SA */
struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */
- struct ipsec_ref *tdb_local_auth;/* Local authentication material */
- struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */
u_int32_t tdb_mtu; /* MTU at this point in the chain */
u_int64_t tdb_mtutimeout; /* When to ignore this entry */
union sockaddr_union *, u_int8_t, int *);
struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
- struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
+ struct ipsec_ref *, struct ipsec_ref *,
struct sockaddr_encap *, struct sockaddr_encap *);
struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
struct ipsec_ref *, struct ipsec_ref *,
void ipsp_skipcrypto_mark(struct tdb_ident *);
void ipsp_skipcrypto_unmark(struct tdb_ident *);
int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
- struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *,
- struct sockaddr_encap *);
+ struct sockaddr_encap *, struct sockaddr_encap *);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
-/* $OpenBSD: ip_output.c,v 1.276 2014/12/17 09:57:13 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.277 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
#endif
break;
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_REMOTE_AUTH:
- /* Can't set the remote credential or key */
- error = EOPNOTSUPP;
- break;
-
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_LOCAL_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
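Review bot: A setsockopt() with IP_IPSEC_REMOTE_CRED or IP_IPSEC_REMOTE_AUTH no longer reaches an explicit `error = EOPNOTSUPP;` and instead falls to whatever the enclosing switch's default does, which is outside this hunk. No change to the userland header that defines those option names is visible on this page, so if they stay defined it is worth confirming the default branch yields the same errno and that existing callers observe no difference. The same applies to the later ip_output.c hunk that drops the four IP_IPSEC_*_CRED/IP_IPSEC_*_AUTH case labels from the getsockopt path, where a previously answered option now takes the default path too.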
inp->inp_ipo->ipo_srcid = NULL;
}
break;
-
case IP_IPSEC_REMOTE_ID:
if (inp->inp_ipo != NULL &&
inp->inp_ipo->ipo_dstid != NULL) {
inp->inp_ipo->ipo_dstid = NULL;
}
break;
-
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_cred != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = NULL;
- }
- break;
-
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_auth != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = NULL;
- }
- break;
}
error = 0;
inp->inp_ipo->ipo_dstid = ipr;
}
break;
- case IP_IPSEC_LOCAL_CRED:
- if (ipr->ref_type < IPSP_CRED_KEYNOTE ||
- ipr->ref_type > IPSP_CRED_X509) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_cred != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = ipr;
- }
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (ipr->ref_type < IPSP_AUTH_PASSPHRASE ||
- ipr->ref_type > IPSP_AUTH_RSA) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_auth != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = ipr;
- }
- break;
}
/* Unlink cached output TDB to force a re-search */
break;
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_LOCAL_AUTH:
- case IP_IPSEC_REMOTE_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
ipr = inp->inp_ipo->ipo_dstid;
opt16val = IPSP_IDENTITY_NONE;
break;
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_cred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_REMOTE_CRED:
- ipr = inp->inp_ipsec_remotecred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_auth;
- opt16val = IPSP_AUTH_NONE;
- break;
- case IP_IPSEC_REMOTE_AUTH:
- ipr = inp->inp_ipsec_remoteauth;
- opt16val = IPSP_AUTH_NONE;
- break;
}
if (ipr == NULL)
*mtod(m, u_int16_t *) = opt16val;
-/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.82 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
if (!ipsp_aux_match(ipo->ipo_tdb,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, NULL,
&ipo->ipo_addr, &ipo->ipo_mask))
goto nomatchout;
ipo->ipo_sproto,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, &ipo->ipo_addr,
- &ipo->ipo_mask);
+ &ipo->ipo_addr, &ipo->ipo_mask);
if (ipo->ipo_tdb) {
TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head,
ipo, ipo_tdb_next);
/*
* We only need to check that the correct
* security protocol and security gateway are
- * set; credentials/IDs will be the same,
- * since the cached entry is linked on this
- * policy.
+ * set; IDs will be the same since the cached
+ * entry is linked on this policy.
*/
if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto &&
!memcmp(&ipo->ipo_tdb->tdb_src,
ipsp_reffree(ipo->ipo_srcid);
if (ipo->ipo_dstid)
ipsp_reffree(ipo->ipo_dstid);
- if (ipo->ipo_local_cred)
- ipsp_reffree(ipo->ipo_local_cred);
- if (ipo->ipo_local_auth)
- ipsp_reffree(ipo->ipo_local_auth);
if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET))
ipsec_in_use--;
struct ipsec_acquire *ipa;
/*
- * If this is a socket policy, it has to have authentication
- * information accompanying it --- can't tell key mgmt. to
- * "find" it for us. This avoids abusing key mgmt. to authenticate
- * on an application's behalf, even if the application doesn't
- * have/know (and shouldn't) the appropriate authentication
- * material (passphrase, private key, etc.)
+ * ACQUIRE on local sockets is restricted to avoid abuse of
+ * authentication keys that the IKE daemon has already loaded.
*/
- if (ipo->ipo_flags & IPSP_POLICY_SOCKET &&
- ipo->ipo_local_auth == NULL)
+ if (ipo->ipo_flags & IPSP_POLICY_SOCKET)
return EINVAL;
/* Check whether request has been made already. */
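Review bot: The new comment says ACQUIRE on local sockets is "restricted", but the rewritten test rejects every socket policy unconditionally with EINVAL, so the wording undersells what the code now does. Suggest `* Socket policies never trigger an ACQUIRE: key management would otherwise authenticate on the application's behalf with keys the IKE daemon has already loaded.` A caller that previously attached local authentication material to a socket policy and proceeded now gets EINVAL; if that is intended, a one-line mention in the function's header comment would make the behaviour change discoverable. The enclosing function starts outside the hunk.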
if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto &&
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
- ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
else {
*error = -EINVAL;
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
/*
inp->inp_ipo->ipo_sproto,
inp->inp_ipo->ipo_srcid,
inp->inp_ipo->ipo_dstid,
- inp->inp_ipo->ipo_local_cred,
&inp->inp_ipo->ipo_addr,
&inp->inp_ipo->ipo_mask);
}
IPSP_DIRECTION_OUT);
tdb = gettdbbydst(rtable_l2(inp->inp_rtableid),
- &sipon.ipo_dst, IPPROTO_ESP, NULL,
- NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask);
+ &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL,
+ &sipon.ipo_addr, &sipon.ipo_mask);
}
/* If we found an appropriate SA... */
-/* $OpenBSD: tcp_input.c,v 1.287 2015/02/08 04:40:50 yasuoka Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.288 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);
newinp->inp_ipo = inp->inp_ipo;
inp->inp_ipo->ipo_ref_count++;
}
- if (inp->inp_ipsec_remotecred != NULL) {
- newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
- inp->inp_ipsec_remotecred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth != NULL) {
- newinp->inp_ipsec_remoteauth
- = inp->inp_ipsec_remoteauth;
- inp->inp_ipsec_remoteauth->ref_count++;
- }
}
#endif /* IPSEC */
#ifdef INET6
-/* $OpenBSD: udp_usrreq.c,v 1.196 2015/03/04 11:10:55 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.197 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);