From 052566194b82ff2496a82f79dc741242e80766f6 Mon Sep 17 00:00:00 2001 From: reyk Date: Mon, 19 Oct 2015 11:25:35 +0000 Subject: [PATCH] Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs. OK mikeb@ --- sbin/iked/Makefile | 4 +- sbin/iked/ca.c | 10 +-- sbin/iked/config.c | 4 +- sbin/iked/control.c | 3 +- sbin/iked/iked.c | 21 +---- sbin/iked/iked.h | 5 +- sbin/iked/ikev1.c | 195 ------------------------------------------ sbin/iked/ikev2.c | 37 +------- sbin/iked/ikev2_msg.c | 49 +++++++---- sbin/iked/types.h | 3 +- 10 files changed, 43 insertions(+), 288 deletions(-) delete mode 100644 sbin/iked/ikev1.c diff --git a/sbin/iked/Makefile b/sbin/iked/Makefile index 85d4c39330a..2194a950e07 100644 --- a/sbin/iked/Makefile +++ b/sbin/iked/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.12 2014/08/27 10:28:57 reyk Exp $ +# $OpenBSD: Makefile,v 1.13 2015/10/19 11:25:35 reyk Exp $ PROG= iked SRCS= ca.c chap_ms.c config.c control.c crypto.c dh.c \ - eap.c iked.c ikev1.c ikev2.c ikev2_msg.c ikev2_pld.c \ + eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \ log.c ocsp.c pfkey.c policy.c proc.c timer.c util.c \ imsg_util.c smult_curve25519_ref.c SRCS+= eap_map.c ikev2_map.c diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index dd0ef9e4284..8fcfd3246d6 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.37 2015/10/01 10:59:23 reyk Exp $ */ +/* $OpenBSD: ca.c,v 1.38 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter 
@@ -67,12 +67,10 @@ int ca_x509_subjectaltname(X509 *cert, struct iked_id *); int ca_privkey_serialize(EVP_PKEY *, struct iked_id *); int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *); int ca_dispatch_parent(int, struct privsep_proc *, struct imsg *); -int ca_dispatch_ikev1(int, struct privsep_proc *, struct imsg *); int ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *); static struct privsep_proc procs[] = { { "parent", PROC_PARENT, ca_dispatch_parent }, - { "ikev1", PROC_IKEV1, ca_dispatch_ikev1 }, { "ikev2", PROC_IKEV2, ca_dispatch_ikev2 } }; @@ -176,12 +174,6 @@ ca_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) return (0); } -int -ca_dispatch_ikev1(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - return (-1); -} - int ca_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg) { diff --git a/sbin/iked/config.c b/sbin/iked/config.c index 1473fb17f89..a38480c03d0 100644 --- a/sbin/iked/config.c +++ b/sbin/iked/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.38 2015/10/15 18:40:38 mmcc Exp $ */ +/* $OpenBSD: config.c,v 1.39 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -414,7 +414,6 @@ config_setcoupled(struct iked *env, unsigned int couple) unsigned int type; type = couple ? IMSG_CTL_COUPLE : IMSG_CTL_DECOUPLE; - proc_compose_imsg(&env->sc_ps, PROC_IKEV1, -1, type, -1, NULL, 0); proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, type, -1, NULL, 0); return (0); @@ -433,7 +432,6 @@ config_setmode(struct iked *env, unsigned int passive) unsigned int type; type = passive ? IMSG_CTL_PASSIVE : IMSG_CTL_ACTIVE; - proc_compose_imsg(&env->sc_ps, PROC_IKEV1, -1, type, -1, NULL, 0); proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, type, -1, NULL, 0); return (0); diff --git a/sbin/iked/control.c b/sbin/iked/control.c index 393200819d5..484203d99f7 100644 --- a/sbin/iked/control.c +++ b/sbin/iked/control.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.16 2015/01/16 06:39:58 deraadt Exp $ */ +/* $OpenBSD: control.c,v 1.17 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -284,7 +284,6 @@ control_dispatch_imsg(int fd, short event, void *arg) proc_forward_imsg(&env->sc_ps, &imsg, PROC_PARENT, -1); proc_forward_imsg(&env->sc_ps, &imsg, PROC_IKEV2, -1); - proc_forward_imsg(&env->sc_ps, &imsg, PROC_IKEV1, -1); break; case IMSG_CTL_RELOAD: case IMSG_CTL_RESET: diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c index 999687fa20a..bdc1b2b0cf4 100644 --- a/sbin/iked/iked.c +++ b/sbin/iked/iked.c @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.c,v 1.26 2015/10/15 18:40:38 mmcc Exp $ */ +/* $OpenBSD: iked.c,v 1.27 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -39,13 +39,11 @@ __dead void usage(void); void parent_shutdown(struct iked *); void parent_sig_handler(int, short, void *); -int parent_dispatch_ikev1(int, struct privsep_proc *, struct imsg *); int parent_dispatch_ikev2(int, struct privsep_proc *, struct imsg *); int parent_dispatch_ca(int, struct privsep_proc *, struct imsg *); int parent_configure(struct iked *); static struct privsep_proc procs[] = { - { "ikev1", PROC_IKEV1, parent_dispatch_ikev1, ikev1 }, { "ikev2", PROC_IKEV2, parent_dispatch_ikev2, ikev2 }, { "ca", PROC_CERT, parent_dispatch_ca, caproc, IKED_CA } }; @@ -200,7 +198,6 @@ parent_configure(struct iked *env) config_setpfkey(env, PROC_IKEV2); /* Now compile the policies and calculate skip steps */ - config_setcompile(env, PROC_IKEV1); config_setcompile(env, PROC_IKEV2); bzero(&ss, sizeof(ss)); @@ -236,7 +233,6 @@ parent_reload(struct iked *env, int reset, const char *filename) log_debug("%s: level %d config file %s", __func__, reset, filename); if (reset == RESET_RELOAD) { - config_setreset(env, RESET_POLICY, PROC_IKEV1); config_setreset(env, RESET_POLICY, PROC_IKEV2); config_setreset(env, RESET_CA, PROC_CERT); 
@@ -246,14 +242,12 @@ parent_reload(struct iked *env, int reset, const char *filename) } /* Re-compile policies and skip steps */ - config_setcompile(env, PROC_IKEV1); config_setcompile(env, PROC_IKEV2); config_setcoupled(env, env->sc_decoupled ? 0 : 1); config_setmode(env, env->sc_passive ? 1 : 0); config_setocsp(env); } else { - config_setreset(env, reset, PROC_IKEV1); config_setreset(env, reset, PROC_IKEV2); config_setreset(env, reset, PROC_CERT); } @@ -334,17 +328,6 @@ parent_sig_handler(int sig, short event, void *arg) } } -int -parent_dispatch_ikev1(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - switch (imsg->hdr.type) { - default: - break; - } - - return (-1); -} - int parent_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg) { @@ -374,8 +357,6 @@ parent_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg) case IMSG_CTL_DECOUPLE: case IMSG_CTL_ACTIVE: case IMSG_CTL_PASSIVE: - proc_compose_imsg(&env->sc_ps, PROC_IKEV1, -1, - type, -1, NULL, 0); proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, type, -1, NULL, 0); break; diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 12cb10cad6f..ea6da507422 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.89 2015/10/01 10:59:23 reyk Exp $ */ +/* $OpenBSD: iked.h,v 1.90 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -738,9 +738,6 @@ int dsa_update(struct iked_dsa *, const void *, size_t); ssize_t dsa_sign_final(struct iked_dsa *, void *, size_t); ssize_t dsa_verify_final(struct iked_dsa *, void *, size_t); -/* ikev1.c */ -pid_t ikev1(struct privsep *, struct privsep_proc *); - /* ikev2.c */ pid_t ikev2(struct privsep *, struct privsep_proc *); void ikev2_recv(struct iked *, struct iked_message *); diff --git a/sbin/iked/ikev1.c b/sbin/iked/ikev1.c deleted file mode 100644 index dd2f3ec526e..00000000000 --- a/sbin/iked/ikev1.c +++ /dev/null 
@@ -1,195 +0,0 @@ -/* $OpenBSD: ikev1.c,v 1.18 2015/08/21 11:59:27 reyk Exp $ */ - -/* - * Copyright (c) 2010-2013 Reyk Floeter - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * XXX Either implement IKEv1, - * XXX or find a way to pass IKEv1 messages to isakmpd, - * XXX or remove this file and ikev1 from the iked tree. 
- */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "iked.h" -#include "ikev2.h" - -int ikev1_dispatch_parent(int, struct privsep_proc *, struct imsg *); -int ikev1_dispatch_ikev2(int, struct privsep_proc *, struct imsg *); -int ikev1_dispatch_cert(int, struct privsep_proc *, struct imsg *); - -void ikev1_msg_cb(int, short, void *); -void ikev1_recv(struct iked *, struct iked_message *); - -static struct privsep_proc procs[] = { - { "parent", PROC_PARENT, ikev1_dispatch_parent }, - { "ikev2", PROC_IKEV2, ikev1_dispatch_ikev2 }, - { "certstore", PROC_CERT, ikev1_dispatch_cert } -}; - -pid_t -ikev1(struct privsep *ps, struct privsep_proc *p) -{ - return (proc_run(ps, p, procs, nitems(procs), NULL, NULL)); -} - -int -ikev1_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - struct iked *env = p->p_env; - - switch (imsg->hdr.type) { - case IMSG_CTL_RESET: - log_debug("%s: config reload", __func__); - return (0); - case IMSG_CTL_COUPLE: - case IMSG_CTL_DECOUPLE: - return (0); - case IMSG_CTL_ACTIVE: - case IMSG_CTL_PASSIVE: - return (0); - case IMSG_UDP_SOCKET: - return (config_getsocket(env, imsg, ikev1_msg_cb)); - case IMSG_COMPILE: - return (0); - default: - break; - } - - return (-1); -} - -int -ikev1_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - struct iked *env = p->p_env; - struct iked_message msg; - uint8_t *buf; - ssize_t len; - - switch (imsg->hdr.type) { - case IMSG_IKE_MESSAGE: - log_debug("%s: message", __func__); - IMSG_SIZE_CHECK(imsg, &msg); - memcpy(&msg, imsg->data, sizeof(msg)); - - len = IMSG_DATA_SIZE(imsg) - sizeof(msg); - buf = (uint8_t *)imsg->data + sizeof(msg); - if (len <= 0 || (msg.msg_data = ibuf_new(buf, len)) == NULL) { - log_debug("%s: short message", __func__); - return (0); - } - - log_debug("%s: message length %zd", __func__, len); - - ikev1_recv(env, &msg); - ikev2_msg_cleanup(env, &msg); - 
return (0); - default: - break; - } - - return (-1); -} - -int -ikev1_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - return (-1); -} - -void -ikev1_msg_cb(int fd, short event, void *arg) -{ - struct iked_socket *sock = arg; - struct iked *env = sock->sock_env; - struct iked_message msg; - struct ike_header hdr; - uint8_t buf[IKED_MSGBUF_MAX]; - size_t len; - struct iovec iov[2]; - - msg.msg_peerlen = sizeof(msg.msg_peer); - msg.msg_locallen = sizeof(msg.msg_local); - - if ((len = recvfromto(fd, buf, sizeof(buf), 0, - (struct sockaddr*)&msg.msg_peer, &msg.msg_peerlen, - (struct sockaddr*)&msg.msg_local, &msg.msg_locallen)) < 1) - return; - - if ((size_t)len <= sizeof(hdr)) - return; - memcpy(&hdr, buf, sizeof(hdr)); - - if ((msg.msg_data = ibuf_new(buf, len)) == NULL) - return; - - if (hdr.ike_version == IKEV2_VERSION) { - iov[0].iov_base = &msg; - iov[0].iov_len = sizeof(msg); - iov[1].iov_base = buf; - iov[1].iov_len = len; - - proc_composev_imsg(&env->sc_ps, PROC_IKEV2, -1, - IMSG_IKE_MESSAGE, -1, iov, 2); - goto done; - } - - ikev1_recv(env, &msg); - - done: - ikev2_msg_cleanup(env, &msg); -} - -void -ikev1_recv(struct iked *env, struct iked_message *msg) -{ - struct ike_header *hdr; - - if (ibuf_size(msg->msg_data) <= sizeof(*hdr)) { - log_debug("%s: short message", __func__); - return; - } - - hdr = (struct ike_header *)ibuf_data(msg->msg_data); - - log_debug("%s: header ispi %s rspi %s" - " nextpayload %u version 0x%02x exchange %u flags 0x%02x" - " msgid %u length %u", __func__, - print_spi(betoh64(hdr->ike_ispi), 8), - print_spi(betoh64(hdr->ike_rspi), 8), - hdr->ike_nextpayload, - hdr->ike_version, - hdr->ike_exchange, - hdr->ike_flags, - betoh32(hdr->ike_msgid), - betoh32(hdr->ike_length)); - - log_debug("%s: IKEv1 not supported", __func__); -} diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index f96fac9e7d0..28071a2d0be 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.126 2015/10/15 18:40:38 mmcc Exp $ */ +/* $OpenBSD: ikev2.c,v 1.127 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -46,7 +46,6 @@ #include "dh.h" int ikev2_dispatch_parent(int, struct privsep_proc *, struct imsg *); -int ikev2_dispatch_ikev1(int, struct privsep_proc *, struct imsg *); int ikev2_dispatch_cert(int, struct privsep_proc *, struct imsg *); struct iked_sa * @@ -131,7 +130,6 @@ ssize_t ikev2_add_sighashnotify(struct ibuf *, struct ikev2_payload **, static struct privsep_proc procs[] = { { "parent", PROC_PARENT, ikev2_dispatch_parent }, - { "ikev1", PROC_IKEV1, ikev2_dispatch_ikev1 }, { "certstore", PROC_CERT, ikev2_dispatch_cert } }; @@ -177,39 +175,6 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) return (-1); } -int -ikev2_dispatch_ikev1(int fd, struct privsep_proc *p, struct imsg *imsg) -{ - struct iked *env = p->p_env; - struct iked_message msg; - uint8_t *buf; - ssize_t len; - - switch (imsg->hdr.type) { - case IMSG_IKE_MESSAGE: - log_debug("%s: message", __func__); - IMSG_SIZE_CHECK(imsg, &msg); - memcpy(&msg, imsg->data, sizeof(msg)); - - len = IMSG_DATA_SIZE(imsg) - sizeof(msg); - buf = (uint8_t *)imsg->data + sizeof(msg); - if (len <= 0 || (msg.msg_data = ibuf_new(buf, len)) == NULL) { - log_debug("%s: short message", __func__); - return (0); - } - - log_debug("%s: message length %zd", __func__, len); - - ikev2_recv(env, &msg); - ikev2_msg_cleanup(env, &msg); - return (0); - default: - break; - } - - return (-1); -} - int ikev2_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg) { diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c index fa9d678641a..3fe71563752 100644 --- a/sbin/iked/ikev2_msg.c +++ b/sbin/iked/ikev2_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_msg.c,v 1.44 2015/10/15 18:40:38 mmcc Exp $ */ +/* $OpenBSD: ikev2_msg.c,v 1.45 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter 
@@ -43,6 +43,7 @@ #include "eap.h" #include "dh.h" +void ikev1_recv(struct iked *, struct iked_message *); void ikev2_msg_response_timeout(struct iked *, void *); void ikev2_msg_retransmit_timeout(struct iked *, void *); @@ -57,7 +58,6 @@ ikev2_msg_cb(int fd, short event, void *arg) uint8_t buf[IKED_MSGBUF_MAX]; ssize_t len; off_t off; - struct iovec iov[2]; bzero(&msg, sizeof(msg)); bzero(buf, sizeof(buf)); @@ -89,25 +89,44 @@ ikev2_msg_cb(int fd, short event, void *arg) if ((msg.msg_data = ibuf_new(buf + off, len - off)) == NULL) return; - if (hdr.ike_version == IKEV1_VERSION) { - iov[0].iov_base = &msg; - iov[0].iov_len = sizeof(msg); - iov[1].iov_base = buf; - iov[1].iov_len = len; - - proc_composev_imsg(&env->sc_ps, PROC_IKEV1, -1, - IMSG_IKE_MESSAGE, -1, iov, 2); - goto done; - } TAILQ_INIT(&msg.msg_proposals); - msg.msg_fd = fd; - ikev2_recv(env, &msg); - done: + if (hdr.ike_version == IKEV1_VERSION) + ikev1_recv(env, &msg); + else + ikev2_recv(env, &msg); + ikev2_msg_cleanup(env, &msg); } +void +ikev1_recv(struct iked *env, struct iked_message *msg) +{ + struct ike_header *hdr; + + if (ibuf_size(msg->msg_data) <= sizeof(*hdr)) { + log_debug("%s: short message", __func__); + return; + } + + hdr = (struct ike_header *)ibuf_data(msg->msg_data); + + log_debug("%s: header ispi %s rspi %s" + " nextpayload %u version 0x%02x exchange %u flags 0x%02x" + " msgid %u length %u", __func__, + print_spi(betoh64(hdr->ike_ispi), 8), + print_spi(betoh64(hdr->ike_rspi), 8), + hdr->ike_nextpayload, + hdr->ike_version, + hdr->ike_exchange, + hdr->ike_flags, + betoh32(hdr->ike_msgid), + betoh32(hdr->ike_length)); + + log_debug("%s: IKEv1 not supported", __func__); +} + struct ibuf * ikev2_msg_init(struct iked *env, struct iked_message *msg, struct sockaddr_storage *peer, socklen_t peerlen, diff --git a/sbin/iked/types.h b/sbin/iked/types.h index 476e8454380..fc43b54cf34 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h 
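Review bot: `ikev1_recv` is now a file-local helper of ikev2_msg.c (its prototype is added at the top of this file, not in iked.h, and its only visible caller is `ikev2_msg_cb`) yet it keeps external linkage; both the forward declaration and the definition should be `static void ikev1_recv(struct iked *, struct iked_message *);` so the name does not become a global symbol and the compiler can flag it if it goes unused. In the new dispatch, every datagram whose `hdr.ike_version` is not `IKEV1_VERSION` — including arbitrary version bytes from an unauthenticated peer — is handed straight to `ikev2_recv()`; presumably ikev2_recv validates the version itself, but if it does not, an explicit `else if (hdr.ike_version == IKEV2_VERSION)` with a logged drop as the default would reject malformed packets before any payload parsing. `ikev2_msg_cb` begins outside the hunk, so the earlier length and non-ESP-marker checks it relies on are not visible here.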
@@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.21 2015/08/21 11:59:28 reyk Exp $ */ +/* $OpenBSD: types.h,v 1.22 2015/10/19 11:25:35 reyk Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -113,7 +113,6 @@ enum imsg_type { enum privsep_procid { PROC_PARENT = 0, - PROC_IKEV1, PROC_IKEV2, PROC_CERT, PROC_MAX -- 2.20.1