From d0aa6ebacff682ebdba22deb3b54c1111107207c Mon Sep 17 00:00:00 2001 From: mikeb Date: Tue, 14 Apr 2015 12:22:15 +0000 Subject: [PATCH] Remove support for storing credentials and auth information in the kernel. This code is largely unfinished and is not used for anything. The change leaves identities as the only objects referenced by the ipsec_ref structure, and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, and OK markus. --- sbin/ipsecctl/pfkdump.c | 40 +--- sbin/isakmpd/pf_key_v2.c | 328 +-------------------------------- sys/net/pfkeyv2.c | 100 +--------- sys/net/pfkeyv2.h | 31 +--- sys/net/pfkeyv2_convert.c | 132 +------------ sys/net/pfkeyv2_parsemessage.c | 80 +------- sys/netinet/in.h | 10 +- sys/netinet/in_pcb.c | 6 +- sys/netinet/in_pcb.h | 4 +- sys/netinet/ip_ipsp.c | 55 ++---- sys/netinet/ip_ipsp.h | 23 +-- sys/netinet/ip_output.c | 71 +------ sys/netinet/ip_spd.c | 41 ++--- sys/netinet/tcp_input.c | 23 +-- sys/netinet/udp_usrreq.c | 14 +- 15 files changed, 57 insertions(+), 901 deletions(-) diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c index 7c7ec2f9906..3d08093e7ad 100644 --- a/sbin/ipsecctl/pfkdump.c +++ b/sbin/ipsecctl/pfkdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkdump.c,v 1.37 2015/01/16 06:39:58 deraadt Exp $ */ +/* $OpenBSD: pfkdump.c,v 1.38 2015/04/14 12:22:15 mikeb Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. 
@@ -52,8 +52,6 @@ static void print_addr(struct sadb_ext *, struct sadb_msg *); static void print_key(struct sadb_ext *, struct sadb_msg *); static void print_life(struct sadb_ext *, struct sadb_msg *); static void print_ident(struct sadb_ext *, struct sadb_msg *); -static void print_auth(struct sadb_ext *, struct sadb_msg *); -static void print_cred(struct sadb_ext *, struct sadb_msg *); static void print_udpenc(struct sadb_ext *, struct sadb_msg *); static void print_tag(struct sadb_ext *, struct sadb_msg *); static void print_tap(struct sadb_ext *, struct sadb_msg *); @@ -100,11 +98,7 @@ struct idname ext_types[] = { { SADB_X_EXT_SA2, "sa2", print_sa }, { SADB_X_EXT_DST2, "dst2", print_addr }, { SADB_X_EXT_POLICY, "policy", print_policy }, - { SADB_X_EXT_LOCAL_AUTH, "local_auth", print_auth }, { SADB_X_EXT_SUPPORTED_COMP, "supported_comp", print_supp }, - { SADB_X_EXT_REMOTE_AUTH, "remote_auth", print_auth }, - { SADB_X_EXT_LOCAL_CREDENTIALS, "local_cred", print_cred }, - { SADB_X_EXT_REMOTE_CREDENTIALS,"remote_cred", print_cred }, { SADB_X_EXT_UDPENCAP, "udpencap", print_udpenc }, { SADB_X_EXT_LIFETIME_LASTUSE, "lifetime_lastuse", print_life }, { SADB_X_EXT_TAG, "tag", print_tag }, @@ -160,12 +154,6 @@ struct idname auth_types[] = { { 0, NULL, NULL } }; -struct idname cred_types[] = { - { SADB_X_CREDTYPE_X509, "x509-asn1", NULL }, - { SADB_X_CREDTYPE_KEYNOTE, "keynote", NULL }, - { 0, NULL, NULL } -}; - struct idname enc_types[] = { { SADB_EALG_NONE, "none", NULL }, { SADB_EALG_3DESCBC, "3des-cbc", NULL }, @@ -194,13 +182,6 @@ struct idname comp_types[] = { { 0, NULL, NULL } }; -struct idname xauth_types[] = { - { SADB_X_AUTHTYPE_NONE, "none", NULL }, - { SADB_X_AUTHTYPE_PASSPHRASE, "passphrase", NULL }, - { SADB_X_AUTHTYPE_RSA, "rsa", NULL }, - { 0, NULL, NULL } -}; - struct idname flag_types[] = { { SADB_SAFLAGS_PFS, "pfs", NULL }, { SADB_X_SAFLAGS_TUNNEL, "tunnel", NULL }, 
@@ -549,25 +530,6 @@ print_ident(struct sadb_ext *ext, struct sadb_msg *msg) ident->sadb_ident_id, (char *)(ident + 1)); } -/* ARGSUSED1 */ -static void -print_auth(struct sadb_ext *ext, struct sadb_msg *msg) -{ - struct sadb_x_cred *x_cred = (struct sadb_x_cred *)ext; - - printf("type %s", - lookup_name(xauth_types, x_cred->sadb_x_cred_type)); -} - -/* ARGSUSED1 */ -static void -print_cred(struct sadb_ext *ext, struct sadb_msg *msg) -{ - struct sadb_x_cred *x_cred = (struct sadb_x_cred *)ext; - printf("type %s", - lookup_name(cred_types, x_cred->sadb_x_cred_type)); -} - /* ARGSUSED1 */ static void print_policy(struct sadb_ext *ext, struct sadb_msg *msg) diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index 0fe9eab46cb..a4857523971 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.192 2015/03/26 12:21:37 mikeb Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.193 2015/04/14 12:22:15 mikeb Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* @@ -889,7 +889,6 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming, u_int8_t *pp; int idtype; struct ipsec_sa *isa = sa->data; - struct sadb_x_cred *cred; struct sadb_protocol flowtype, tprotocol; struct sadb_x_udpencap udpencap; char *addr_str, *s; 
@@ -1302,134 +1301,6 @@ nodid: sid = 0; } - /* - * Send received credentials to the kernel. We don't bother with - * our credentials, since the process either knows them (if it - * specified them with setsockopt()), or has no business looking at - * them (e.g., system wide certs). - */ - if (isakmp_sa->recv_cert) { - switch (isakmp_sa->recv_certtype) { - case ISAKMP_CERTENC_NONE: - /* Nothing to be done here. */ - break; - - case ISAKMP_CERTENC_KEYNOTE: - len = strlen(isakmp_sa->recv_cert); - cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) - goto cleanup; - - cred->sadb_x_cred_len = - ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = - SADB_X_EXT_REMOTE_CREDENTIALS; - cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - memcpy(cred + 1, isakmp_sa->recv_cert, len); - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - break; - - case ISAKMP_CERTENC_X509_SIG: - { - u_int8_t *data; - u_int32_t datalen; - struct cert_handler *handler; - - /* We do it this way to avoid weird includes.*/ - handler = cert_get(ISAKMP_CERTENC_X509_SIG); - if (!handler) - break; - handler->cert_serialize(isakmp_sa->recv_cert, - &data, &datalen); - if (!data) - break; - - len = datalen; - cred = - calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) { - free(data); - goto cleanup; - } - cred->sadb_x_cred_len = - ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = - SADB_X_EXT_REMOTE_CREDENTIALS; - cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - memcpy(cred + 1, data, len); - free(data); - - if (pf_key_v2_msg_add(update, - (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - } - break; - } - } - - /* - * Tell the kernel what the peer used to authenticate, unless it was a - * passphrase. 
- */ - if (isakmp_sa->recv_key) { - u_int8_t *data; - - /* - * If it's a private key, we shouldn't pass it to the kernel - * for processes to see; successful authentication of Phase 1 - * implies that the process already knew the passphrase. On - * the other hand, we don't want to reveal to processes any - * system-wide passphrases used for authentication with remote - * systems. Same reason we don't send up the key (private or - * passphrase) we used to authenticate with the peer. - */ - if (isakmp_sa->recv_keytype == ISAKMP_KEY_PASSPHRASE) - goto doneauth; - - key_serialize(isakmp_sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, - isakmp_sa->recv_key, &data, &len); - if (!data) - goto cleanup; - - cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) { - free(data); - goto cleanup; - } - cred->sadb_x_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = SADB_X_EXT_REMOTE_AUTH; - memcpy(cred + 1, data, len); - free(data); - - switch (isakmp_sa->recv_keytype) { - case ISAKMP_KEY_RSA: - cred->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - - default: - log_print("pf_key_v2_set_spi: " - "unknown received key type %d", - isakmp_sa->recv_keytype); - free(cred); - goto cleanup; - } - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - } -doneauth: - /* Setup the flow type extension. */ bzero(&flowtype, sizeof flowtype); flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; @@ -2470,7 +2341,6 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) u_int8_t tproto = 0; char tmbuf[sizeof sport * 3 + 1], *xform; int connlen; - struct sadb_x_cred *cred = 0, *sauth = 0; /* This needs to be dynamically allocated. */ connlen = 22; 
@@ -2563,18 +2433,6 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) sproto = ext->seg; tproto = sproto->sadb_protocol_proto; - ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_CREDENTIALS); - if (ext) - cred = (struct sadb_x_cred *) ext->seg; - else - cred = 0; - - ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_AUTH); - if (ext) - sauth = (struct sadb_x_cred *) ext->seg; - else - sauth = 0; - bzero(ssflow, sizeof ssflow); bzero(sdflow, sizeof sdflow); bzero(ssmask, sizeof ssmask); 
@@ -3263,187 +3121,15 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) conf_end(af, 0); goto fail; } - /* Store any credentials passed to us. */ - if (cred) { - struct cert_handler *handler = 0; - void *cert; - char num[12], *certprint; - - /* Convert to bytes in-place. */ - cred->sadb_x_cred_len *= PF_KEY_V2_CHUNK; - - if (cred->sadb_x_cred_len <= sizeof *cred) { - log_print("pf_key_v2_acquire: " - "zero-length credentials, aborting SA " - "acquisition"); - conf_end(af, 0); - goto fail; - } - switch (cred->sadb_x_cred_type) { - case SADB_X_CREDTYPE_X509: - snprintf(num, sizeof num, "%d", - ISAKMP_CERTENC_X509_SIG); - handler = cert_get(ISAKMP_CERTENC_X509_SIG); - break; - case SADB_X_CREDTYPE_KEYNOTE: - snprintf(num, sizeof num, "%d", - ISAKMP_CERTENC_KEYNOTE); - handler = cert_get(ISAKMP_CERTENC_KEYNOTE); - break; - default: - log_print("pf_key_v2_acquire: " - "unknown credential type %d", - cred->sadb_x_cred_type); - conf_end(af, 0); - goto fail; - } - - if (!handler) { - log_print("pf_key_v2_acquire: " - "cert_get (%s) failed", num); - conf_end(af, 0); - goto fail; - } - /* Set the credential type as a number. */ - if (conf_set(af, peer, "Credential_type", num, 0, 0)) { - conf_end(af, 0); - goto fail; - } - /* Get the certificate. */ - cert = handler->cert_get((u_int8_t *) (cred + 1), - cred->sadb_x_cred_len - sizeof *cred); - - /* Now convert to printable format. */ - certprint = handler->cert_printable(cert); - handler->cert_free(cert); - if (!certprint || - conf_set(af, peer, "Credentials", certprint, 0, - 0)) { - free(certprint); - conf_end(af, 0); - goto fail; - } - free(certprint); - } /* Phase 1 configuration. */ if (!conf_get_str(confname, "exchange_type")) { - /* - * We may have been provided with authentication - * material. - */ - if (sauth) { - char *authm; - - /* Convert to bytes in-place. 
*/ - sauth->sadb_x_cred_len *= PF_KEY_V2_CHUNK; - - switch (sauth->sadb_x_cred_type) { - case SADB_X_AUTHTYPE_PASSPHRASE: - if (conf_set(af, confname, - "Transforms", "3DES-SHA", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (sauth->sadb_x_cred_len <= - sizeof *sauth) { - log_print("pf_key_v2_acquire: " - "zero-length passphrase, " - "aborting SA acquisition"); - conf_end(af, 0); - goto fail; - } - authm = malloc(sauth->sadb_x_cred_len - - sizeof *sauth + 1); - if (!authm) { - log_error("pf_key_v2_acquire: " - "malloc (%lu) failed", - sauth->sadb_x_cred_len - - (unsigned long) sizeof *sauth + 1); - conf_end(af, 0); - goto fail; - } - memcpy(authm, sauth + 1, - sauth->sadb_x_cred_len - - sizeof *sauth + 1); - - /* Set the passphrase in the peer. */ - if (conf_set(af, peer, - "Authentication", authm, 0, 0)) { - free(authm); - conf_end(af, 0); - goto fail; - } - free(authm); - break; - - case SADB_X_AUTHTYPE_RSA: - if (conf_set(af, confname, - "Transforms", "3DES-SHA-RSA_SIG", - 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (sauth->sadb_x_cred_len <= - sizeof *sauth) { - log_print("pf_key_v2_acquire: " - "zero-length RSA key, " - "aborting SA acquisition"); - conf_end(af, 0); - goto fail; - } - authm = key_printable(ISAKMP_KEY_RSA, - ISAKMP_KEYTYPE_PRIVATE, - (u_int8_t *)(sauth + 1), - sauth->sadb_x_cred_len - - sizeof *sauth); - if (!authm) { - log_print("pf_key_v2_acquire: " - "failed to convert " - "private key to printable " - "format (size %lu)", - sauth->sadb_x_cred_len - - (unsigned long) sizeof *sauth); - conf_end(af, 0); - goto fail; - } - /* - * Set the key in the peer. We don't - * use "Authentication" to avoid - * potential conflicts with file-based - * configurations that use public key - * authentication but still specify - * an "Authentication" tag (typically - * as a remnant of passphrase-based - * testing). 
- */ - if (conf_set(af, peer, - "PKAuthentication", authm, 0, 0)) { - free(authm); - conf_end(af, 0); - goto fail; - } - free(authm); - break; - - default: - log_print("pf_key_v2_acquire: " - "unknown authentication " - "material type %d received from " - "kernel", sauth->sadb_x_cred_type); - conf_end(af, 0); - goto fail; - } - } else { - xform = conf_get_str( - "Default-phase-1-configuration", - "Transforms"); - if (conf_set(af, confname, "Transforms", - xform ? xform : "3DES-SHA-RSA_SIG", 0, - 0)) { - conf_end(af, 0); - goto fail; - } + xform = conf_get_str("Default-phase-1-configuration", + "Transforms"); + if (conf_set(af, confname, "Transforms", xform ? xform : + "3DES-SHA-RSA_SIG", 0, 0)) { + conf_end(af, 0); + goto fail; } if (conf_set(af, confname, "Exchange_Type", "ID_PROT", diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index bcc9b67d137..b29f50e0c88 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -529,18 +529,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) if (sa->tdb_dstid) i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len); - if (sa->tdb_local_cred) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len); - - if (sa->tdb_remote_cred) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len); - - if (sa->tdb_local_auth) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len); - - if (sa->tdb_remote_auth) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len); - if (sa->tdb_amxkey) i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen); 
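Review bot: The replacement lines inside `if (!conf_get_str(confname, "exchange_type"))` remove the only path by which a passphrase or RSA key from the kernel could reach the Phase 1 configuration, so a kernel-triggered ACQUIRE now always ends up with `Default-phase-1-configuration` or the literal `3DES-SHA-RSA_SIG`, and nothing in the new code says so. A short comment above the `xform = conf_get_str(...)` line would spare the next reader a search through history: `/* No authentication material arrives with the ACQUIRE any more; Phase 1 auth must come from the file configuration. */`. The hard-coded fallback transform is pre-existing, but with the passphrase branch gone it is the only default, so it may be worth moving into the default configuration rather than keeping it as a literal here. pf_key_v2_acquire begins and ends outside this hunk, so I cannot see whether `confname` is still set up identically on the paths that used to carry `sauth`.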
@@ -637,28 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) export_identity(&p, sa, PFKEYV2_IDENTITY_DST); } - /* Export credentials, if present */ - if (sa->tdb_local_cred) { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); - } - - if (sa->tdb_remote_cred) { - headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); - } - - /* Export authentication information, if present */ - if (sa->tdb_local_auth) { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); - } - - if (sa->tdb_remote_auth) { - headers[SADB_X_EXT_REMOTE_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); - } - /* Export authentication key, if present */ if (sa->tdb_amxkey) { headers[SADB_EXT_KEY_AUTH] = p; @@ -1033,16 +999,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) PFKEYV2_IDENTITY_SRC); import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], 
@@ -1200,16 +1156,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], @@ -1863,7 +1809,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, { void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; struct sadb_ident *srcid, *dstid; - struct sadb_x_cred *lcred, *lauth; struct sadb_comb *sadb_comb; struct sadb_address *sadd; struct sadb_prop *sa_prop; @@ -1891,12 +1836,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, if (ipo->ipo_dstid) i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - if (ipo->ipo_local_cred) - i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); - - if (ipo->ipo_local_auth) - i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); - /* Allocate */ if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) { rval = ENOMEM; 
@@ -1964,43 +1903,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); } - if (ipo->ipo_local_cred) { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); - lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; - lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t); - switch (ipo->ipo_local_cred->ref_type) { - case IPSP_CRED_KEYNOTE: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - break; - case IPSP_CRED_X509: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - break; - } - bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + - sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); - } - - if (ipo->ipo_local_auth) { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); - lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; - lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t); - switch (ipo->ipo_local_auth->ref_type) { - case IPSP_AUTH_PASSPHRASE: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; - break; - case IPSP_AUTH_RSA: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - } - - bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + - sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); - } - headers[SADB_EXT_PROPOSAL] = p; p += sizeof(struct sadb_prop); sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index cf915b3cfb7..7ffab950ab8 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.65 2014/12/28 10:02:37 tedu Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * 
@@ -199,13 +199,6 @@ struct sadb_x_policy { u_int32_t sadb_x_policy_seq; }; -struct sadb_x_cred { - uint16_t sadb_x_cred_len; - uint16_t sadb_x_cred_exttype; - uint16_t sadb_x_cred_type; - uint16_t sadb_x_cred_reserved; -}; - struct sadb_x_udpencap { uint16_t sadb_x_udpencap_len; uint16_t sadb_x_udpencap_exttype; @@ -365,24 +358,6 @@ struct sadb_x_tap { #define PFKEYV2_SENDMESSAGE_BROADCAST 3 #endif /* _KERNEL */ -#define SADB_X_CREDTYPE_NONE 0 -#define SADB_X_CREDTYPE_X509 1 /* ASN1 encoding of the certificate */ -#define SADB_X_CREDTYPE_KEYNOTE 2 /* NUL-terminated buffer */ -#define SADB_X_CREDTYPE_MAX 3 - -#ifdef _KERNEL -#define PFKEYV2_AUTH_LOCAL 0 -#define PFKEYV2_AUTH_REMOTE 1 - -#define PFKEYV2_CRED_LOCAL 0 -#define PFKEYV2_CRED_REMOTE 1 -#endif /* _KERNEL */ - -#define SADB_X_AUTHTYPE_NONE 0 -#define SADB_X_AUTHTYPE_PASSPHRASE 1 -#define SADB_X_AUTHTYPE_RSA 2 -#define SADB_X_AUTHTYPE_MAX 2 - #define SADB_X_FLOW_TYPE_USE 1 #define SADB_X_FLOW_TYPE_ACQUIRE 2 #define SADB_X_FLOW_TYPE_REQUIRE 3 
@@ -452,22 +427,18 @@ int pfdatatopacket(void *, int, struct mbuf **); void export_address(void **, struct sockaddr *); void export_identity(void **, struct tdb *, int); void export_lifetime(void **, struct tdb *, int); -void export_credentials(void **, struct tdb *, int); void export_sa(void **, struct tdb *); void export_flow(void **, u_int8_t, struct sockaddr_encap *, struct sockaddr_encap *, void **); void export_key(void **, struct tdb *, int); -void export_auth(void **, struct tdb *, int); void export_udpencap(void **, struct tdb *); void export_tag(void **, struct tdb *); void export_tap(void **, struct tdb *); -void import_auth(struct tdb *, struct sadb_x_cred *, int); void import_address(struct sockaddr *, struct sadb_address *); void import_identity(struct tdb *, struct sadb_ident *, int); void import_key(struct ipsecinit *, struct sadb_key *, int); void import_lifetime(struct tdb *, struct sadb_lifetime *, int); -void import_credentials(struct tdb *, struct sadb_x_cred *, int); void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *); void import_flow(struct sockaddr_encap *, struct sockaddr_encap *, struct sadb_address *, struct sadb_address *, struct sadb_address *, diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c index 95e6429cd7d..08cf583aa04 100644 --- a/sys/net/pfkeyv2_convert.c +++ b/sys/net/pfkeyv2_convert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_convert.c,v 1.47 2015/02/06 03:04:49 blambert Exp $ */ +/* $OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) * 
@@ -699,82 +699,6 @@ export_address(void **p, struct sockaddr *sa) *p += PADUP(SA_LEN(sa)); } -/* - * Import authentication information into the TDB. - */ -void -import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth) -{ - struct ipsec_ref **ipr; - - if (!sadb_auth) - return; - - if (dstauth == PFKEYV2_AUTH_REMOTE) - ipr = &tdb->tdb_remote_auth; - else - ipr = &tdb->tdb_local_auth; - - *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); - (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred); - - switch (sadb_auth->sadb_x_cred_type) { - case SADB_X_AUTHTYPE_PASSPHRASE: - (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE; - break; - case SADB_X_AUTHTYPE_RSA: - (*ipr)->ref_type = IPSP_AUTH_RSA; - break; - default: - free(*ipr, M_CREDENTIALS, 0); - *ipr = NULL; - return; - } - (*ipr)->ref_count = 1; - (*ipr)->ref_malloctype = M_CREDENTIALS; - bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred), - (*ipr) + 1, (*ipr)->ref_len); -} - -/* - * Import a set of credentials into the TDB. 
- */ -void -import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred) -{ - struct ipsec_ref **ipr; - - if (!sadb_cred) - return; - - if (dstcred == PFKEYV2_CRED_REMOTE) - ipr = &tdb->tdb_remote_cred; - else - ipr = &tdb->tdb_local_cred; - - *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); - (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred); - - switch (sadb_cred->sadb_x_cred_type) { - case SADB_X_CREDTYPE_X509: - (*ipr)->ref_type = IPSP_CRED_X509; - break; - case SADB_X_CREDTYPE_KEYNOTE: - (*ipr)->ref_type = IPSP_CRED_KEYNOTE; - break; - default: - free(*ipr, M_CREDENTIALS, 0); - *ipr = NULL; - return; - } - (*ipr)->ref_count = 1; - (*ipr)->ref_malloctype = M_CREDENTIALS; - bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred), - (*ipr) + 1, (*ipr)->ref_len); -} - /* * Import an identity payload into the TDB. */ 
@@ -819,60 +743,6 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) (*ipr)->ref_len); } -void -export_credentials(void **p, struct tdb *tdb, int dstcred) -{ - struct ipsec_ref **ipr; - struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p; - - if (dstcred == PFKEYV2_CRED_REMOTE) - ipr = &tdb->tdb_remote_cred; - else - ipr = &tdb->tdb_local_cred; - - sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP((*ipr)->ref_len)) / sizeof(uint64_t); - - switch ((*ipr)->ref_type) { - case IPSP_CRED_KEYNOTE: - sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - break; - case IPSP_CRED_X509: - sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - break; - } - *p += sizeof(struct sadb_x_cred); - bcopy((*ipr) + 1, *p, (*ipr)->ref_len); - *p += PADUP((*ipr)->ref_len); -} - -void -export_auth(void **p, struct tdb *tdb, int dstauth) -{ - struct ipsec_ref **ipr; - struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p; - - if (dstauth == PFKEYV2_AUTH_REMOTE) - ipr = &tdb->tdb_remote_auth; - else - ipr = &tdb->tdb_local_auth; - - sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP((*ipr)->ref_len)) / sizeof(uint64_t); - - switch ((*ipr)->ref_type) { - case IPSP_AUTH_PASSPHRASE: - sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; - break; - case IPSP_AUTH_RSA: - sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - } - *p += sizeof(struct sadb_x_cred); - bcopy((*ipr) + 1, *p, (*ipr)->ref_len); - *p += PADUP((*ipr)->ref_len); -} - void export_identity(void **p, struct tdb *tdb, int type) { diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index b8aef48d779..433b9313cc5 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 
@@ -119,11 +119,6 @@ #define BITMAP_X_SA2 (1LL << SADB_X_EXT_SA2) #define BITMAP_X_DST2 (1LL << SADB_X_EXT_DST2) #define BITMAP_X_POLICY (1LL << SADB_X_EXT_POLICY) -#define BITMAP_X_LOCAL_CREDENTIALS (1LL << SADB_X_EXT_LOCAL_CREDENTIALS) -#define BITMAP_X_REMOTE_CREDENTIALS (1LL << SADB_X_EXT_REMOTE_CREDENTIALS) -#define BITMAP_X_LOCAL_AUTH (1LL << SADB_X_EXT_LOCAL_AUTH) -#define BITMAP_X_REMOTE_AUTH (1LL << SADB_X_EXT_REMOTE_AUTH) -#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH) #define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE) #define BITMAP_X_SUPPORTED_COMP (1LL << SADB_X_EXT_SUPPORTED_COMP) #define BITMAP_X_UDPENCAP (1LL << SADB_X_EXT_UDPENCAP) 
@@ -138,15 +133,15 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] = /* GETSPI */ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL, /* REGISTER */ 0, /* EXPIRE */ 
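Review bot: Dropping `BITMAP_X_CREDENTIALS` from the UPDATE, ADD and ACQUIRE rows is now the only thing that rejects an incoming message carrying the old credential or auth extension types, since the per-type `case` handlers are deleted later in this file; that holds only if the allowed-mask check in pfkeyv2_parsemessage (outside the hunk) returns an error for a set bit missing from the table rather than skipping it. A regression test that an SADB_ADD with an `SADB_X_EXT_LOCAL_AUTH` extension is refused with EINVAL would pin that behaviour. The `SADB_X_EXT_LOCAL_CREDENTIALS` and related type numbers are not visibly removed from pfkeyv2.h in this diff; if they stay, a comment marking them reserved (as in.h does for the socket options) would keep a future extension from reusing a number that old userland still interprets as credentials.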
@@ -210,15 +205,15 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] = /* GETSPI */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP, /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL, /* REGISTER */ BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, /* EXPIRE */ 
@@ -653,65 +648,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) } } break; - case SADB_X_EXT_LOCAL_AUTH: - case SADB_X_EXT_REMOTE_AUTH: - { - struct sadb_x_cred *sadb_cred = - (struct sadb_x_cred *)p; - - if (i < sizeof(struct sadb_x_cred)) { - DPRINTF(("pfkeyv2_parsemessage: bad header " - "length for AUTH extension header %d\n", - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) { - DPRINTF(("pfkeyv2_parsemessage: unknown auth " - "type %d in AUTH extension header %d\n", - sadb_cred->sadb_x_cred_type, - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_reserved) { - DPRINTF(("pfkeyv2_parsemessage: reserved field" - " set in AUTH extension header %d\n", - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - } - break; - case SADB_X_EXT_LOCAL_CREDENTIALS: - case SADB_X_EXT_REMOTE_CREDENTIALS: - { - struct sadb_x_cred *sadb_cred = - (struct sadb_x_cred *)p; - - if (i < sizeof(struct sadb_x_cred)) { - DPRINTF(("pfkeyv2_parsemessage: bad header " - "length of CREDENTIALS extension header " - "%d\n", sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) { - DPRINTF(("pfkeyv2_parsemessage: unknown " - "credential type %d in CREDENTIALS " - "extension header %d\n", - sadb_cred->sadb_x_cred_type, - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_reserved) { - DPRINTF(("pfkeyv2_parsemessage: reserved " - "field set in CREDENTIALS extension " - "header %d\n", sadb_ext->sadb_ext_type)); - return (EINVAL); - } - } - break; case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: { diff --git a/sys/netinet/in.h b/sys/netinet/in.h index b7b55eb154d..7c206e5d5cb 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: in.h,v 1.113 2015/04/10 13:58:20 dlg Exp $ */ +/* $OpenBSD: in.h,v 1.114 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */ /* @@ -294,10 +294,10 @@ struct ip_opts { #define IP_ESP_NETWORK_LEVEL 22 /* int; full-packet encryption */ #define IP_IPSEC_LOCAL_ID 23 /* buf; IPsec local ID */ #define IP_IPSEC_REMOTE_ID 24 /* buf; IPsec remote ID */ -#define IP_IPSEC_LOCAL_CRED 25 /* buf; IPsec local credentials */ -#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */ -#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */ -#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */ +#define IP_IPSEC_LOCAL_CRED 25 /* buf; was: IPsec local credentials */ +#define IP_IPSEC_REMOTE_CRED 26 /* buf; was: IPsec remote credentials */ +#define IP_IPSEC_LOCAL_AUTH 27 /* buf; was: IPsec local auth material */ +#define IP_IPSEC_REMOTE_AUTH 28 /* buf; was: IPsec remote auth material */ #define IP_IPCOMP_LEVEL 29 /* int; compression used */ #define IP_RECVIF 30 /* bool; receive reception if w/dgram */ #define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */ diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 0d51cc450ec..4c110d46435 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.168 2015/02/10 03:07:56 claudio Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.169 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -538,10 +538,6 @@ in_pcbdetach(struct inpcb *inp) if (inp->inp_tdb_out) TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, inp_tdb_out_next); - if (inp->inp_ipsec_remotecred) - ipsp_reffree(inp->inp_ipsec_remotecred); - if (inp->inp_ipsec_remoteauth) - ipsp_reffree(inp->inp_ipsec_remoteauth); if (inp->inp_ipo) ipsec_delete_policy(inp->inp_ipo); #endif diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index e40a7110b07..43a45b05248 100644 
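Review bot: The kept IP_IPSEC_LOCAL_CRED, IP_IPSEC_REMOTE_CRED, IP_IPSEC_LOCAL_AUTH and IP_IPSEC_REMOTE_AUTH definitions now only say "was:", which tells an application author neither that the options are unsupported nor what setsockopt/getsockopt will return; with their cases removed from ip_ctloutput later in this patch the calls presumably land in the switch's default branch, whose errno is not visible here. Since the numbers are evidently being retained so they are not reused, say so: `#define IP_IPSEC_LOCAL_CRED 25 /* unused; number reserved (was IPsec local credentials) */`, and the same wording for 26, 27 and 28.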
--- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.87 2014/11/15 10:55:47 dlg Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.88 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -140,8 +140,6 @@ struct inpcb { TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next; struct tdb *inp_tdb_in, *inp_tdb_out; struct ipsec_policy *inp_ipo; - struct ipsec_ref *inp_ipsec_remotecred; - struct ipsec_ref *inp_ipsec_remoteauth; #define inp_flowinfo inp_hu.hu_ipv6.ip6_flow int inp_cksum6; diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 0c93cf6e480..0cf6b7148aa 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -324,17 +324,15 @@ gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, } /* - * Check that credentials and IDs match. Return true if so. The t* - * range of arguments contains information from TDBs; the p* - * range of arguments contains information from policies or - * already established TDBs. + * Check that IDs match. Return true if so. The t* range of + * arguments contains information from TDBs; the p* range of + * arguments contains information from policies or already + * established TDBs. */ int ipsp_aux_match(struct tdb *tdb, struct ipsec_ref *psrcid, struct ipsec_ref *pdstid, - struct ipsec_ref *plcred, - struct ipsec_ref *prcred, struct sockaddr_encap *pfilter, struct sockaddr_encap *pfiltermask) { 
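Review bot: The rewritten comment on ipsp_aux_match still describes "the t* range of arguments", but after this change the only TDB-side argument is `tdb` and the remaining parameters are psrcid, pdstid, pfilter and pfiltermask, so the naming convention it refers to no longer exists in the signature. Suggest: `Check that the TDB's IDs (and flow filter, if it has one) match those supplied from a policy or an already established TDB; the p* arguments carry that side. Return true on a match.` The body of ipsp_aux_match continues past this hunk.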
@@ -348,16 +346,6 @@ ipsp_aux_match(struct tdb *tdb, !ipsp_ref_match(tdb->tdb_dstid, pdstid)) return 0; - if (plcred != NULL) - if (tdb->tdb_local_cred == NULL || - !ipsp_ref_match(tdb->tdb_local_cred, plcred)) - return 0; - - if (prcred != NULL) - if (tdb->tdb_remote_cred == NULL || - !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) - return 0; - /* Check for filter matches. */ if (pfilter != NULL && pfiltermask != NULL && tdb->tdb_filter.sen_type) { @@ -385,8 +373,7 @@ ipsp_aux_match(struct tdb *tdb, struct tdb * gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, struct ipsec_ref *srcid, struct ipsec_ref *dstid, - struct ipsec_ref *local_cred, struct sockaddr_encap *filter, - struct sockaddr_encap *filtermask) + struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) { u_int32_t hashval; struct tdb *tdbp; @@ -401,9 +388,9 @@ gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, (tdbp->tdb_rdomain == rdomain) && ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { - /* Do IDs and local credentials match ? */ - if (!ipsp_aux_match(tdbp, srcid, dstid, - local_cred, NULL, filter, filtermask)) + /* Do IDs match ? */ + if (!ipsp_aux_match(tdbp, srcid, dstid, filter, + filtermask)) continue; break; } @@ -434,8 +421,8 @@ gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { /* Check whether IDs match */ - if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, - filter, filtermask)) + if (!ipsp_aux_match(tdbp, dstid, srcid, filter, + filtermask)) continue; break; } 
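Review bot: In gettdbbysrc the updated call passes the IDs swapped, `ipsp_aux_match(tdbp, dstid, srcid, filter, filtermask)`, while the updated call in gettdbbydst just above passes `srcid, dstid`; the swap is inherited, but now that the two calls have identical shape a reader will take it for a typo, and "Check whether IDs match" gives no hint. Suggest expanding that comment, e.g. `/* IDs are swapped on purpose: an SA found by its source carries the caller's dst ID as its tdb_srcid and vice versa */` — hedged, since the callers' conventions are outside this hunk. Both function bodies continue beyond what is shown.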
@@ -824,16 +811,6 @@ tdb_free(struct tdb *tdbp) timeout_del(&tdbp->tdb_stimer_tmo); timeout_del(&tdbp->tdb_sfirst_tmo); - if (tdbp->tdb_local_auth) { - ipsp_reffree(tdbp->tdb_local_auth); - tdbp->tdb_local_auth = NULL; - } - - if (tdbp->tdb_remote_auth) { - ipsp_reffree(tdbp->tdb_remote_auth); - tdbp->tdb_remote_auth = NULL; - } - if (tdbp->tdb_srcid) { ipsp_reffree(tdbp->tdb_srcid); tdbp->tdb_srcid = NULL; @@ -844,16 +821,6 @@ tdb_free(struct tdb *tdbp) tdbp->tdb_dstid = NULL; } - if (tdbp->tdb_local_cred) { - ipsp_reffree(tdbp->tdb_local_cred); - tdbp->tdb_local_cred = NULL; - } - - if (tdbp->tdb_remote_cred) { - ipsp_reffree(tdbp->tdb_remote_cred); - tdbp->tdb_remote_cred = NULL; - } - #if NPF > 0 if (tdbp->tdb_tag) { pf_tag_unref(tdbp->tdb_tag); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index f436e4935eb..5c3e2665947 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.163 2015/04/13 16:48:01 mikeb Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -215,8 +215,6 @@ struct ipsec_policy { struct ipsec_ref *ipo_srcid; struct ipsec_ref *ipo_dstid; - struct ipsec_ref *ipo_local_cred; - struct ipsec_ref *ipo_local_auth; TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */ TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */ @@ -244,16 +242,6 @@ struct ipsec_policy { #define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ #define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */ -/* Authentication types */ -#define IPSP_AUTH_NONE 0 -#define IPSP_AUTH_PASSPHRASE 1 -#define IPSP_AUTH_RSA 2 - -/* Credential types */ -#define IPSP_CRED_NONE 0 -#define IPSP_CRED_KEYNOTE 1 -#define IPSP_CRED_X509 2 - /* Identity types */ #define IPSP_IDENTITY_NONE 0 #define IPSP_IDENTITY_PREFIX 1 
@@ -354,12 +342,8 @@ struct tdb { /* tunnel descriptor block */ u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ - struct ipsec_ref *tdb_local_cred; - struct ipsec_ref *tdb_remote_cred; struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ - struct ipsec_ref *tdb_local_auth;/* Local authentication material */ - struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */ u_int32_t tdb_mtu; /* MTU at this point in the chain */ u_int64_t tdb_mtutimeout; /* When to ignore this entry */ @@ -505,7 +489,7 @@ uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, union sockaddr_union *, u_int8_t, int *); struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t); struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t, - struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, + struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *, struct sockaddr_encap *); struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t, struct ipsec_ref *, struct ipsec_ref *, @@ -603,8 +587,7 @@ void ipsp_reffree(struct ipsec_ref *); void ipsp_skipcrypto_mark(struct tdb_ident *); void ipsp_skipcrypto_unmark(struct tdb_ident *); int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *, - struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *, - struct sockaddr_encap *); + struct sockaddr_encap *, struct sockaddr_encap *); int ipsec_common_input(struct mbuf *, int, int, int, int, int); int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int, diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index e25ef158b7e..e99105f2097 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.276 2014/12/17 09:57:13 mpi Exp $ */ +/* $OpenBSD: ip_output.c,v 1.277 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* 
@@ -1145,16 +1145,8 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, #endif break; - case IP_IPSEC_REMOTE_CRED: - case IP_IPSEC_REMOTE_AUTH: - /* Can't set the remote credential or key */ - error = EOPNOTSUPP; - break; - case IP_IPSEC_LOCAL_ID: case IP_IPSEC_REMOTE_ID: - case IP_IPSEC_LOCAL_CRED: - case IP_IPSEC_LOCAL_AUTH: #ifndef IPSEC error = EOPNOTSUPP; #else @@ -1175,7 +1167,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_srcid = NULL; } break; - case IP_IPSEC_REMOTE_ID: if (inp->inp_ipo != NULL && inp->inp_ipo->ipo_dstid != NULL) { @@ -1183,22 +1174,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_dstid = NULL; } break; - - case IP_IPSEC_LOCAL_CRED: - if (inp->inp_ipo != NULL && - inp->inp_ipo->ipo_local_cred != NULL) { - ipsp_reffree(inp->inp_ipo->ipo_local_cred); - inp->inp_ipo->ipo_local_cred = NULL; - } - break; - - case IP_IPSEC_LOCAL_AUTH: - if (inp->inp_ipo != NULL && - inp->inp_ipo->ipo_local_auth != NULL) { - ipsp_reffree(inp->inp_ipo->ipo_local_auth); - inp->inp_ipo->ipo_local_auth = NULL; - } - break; } error = 0; @@ -1261,28 +1236,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_dstid = ipr; } break; - case IP_IPSEC_LOCAL_CRED: - if (ipr->ref_type < IPSP_CRED_KEYNOTE || - ipr->ref_type > IPSP_CRED_X509) { - free(ipr, M_CREDENTIALS, iprlen); - error = EINVAL; - } else { - if (inp->inp_ipo->ipo_local_cred != NULL) - ipsp_reffree(inp->inp_ipo->ipo_local_cred); - inp->inp_ipo->ipo_local_cred = ipr; - } - break; - case IP_IPSEC_LOCAL_AUTH: - if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || - ipr->ref_type > IPSP_AUTH_RSA) { - free(ipr, M_CREDENTIALS, iprlen); - error = EINVAL; - } else { - if (inp->inp_ipo->ipo_local_auth != NULL) - ipsp_reffree(inp->inp_ipo->ipo_local_auth); - inp->inp_ipo->ipo_local_auth = ipr; - } - break; } /* Unlink cached output TDB to force a re-search */ 
@@ -1461,10 +1414,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, break; case IP_IPSEC_LOCAL_ID: case IP_IPSEC_REMOTE_ID: - case IP_IPSEC_LOCAL_CRED: - case IP_IPSEC_REMOTE_CRED: - case IP_IPSEC_LOCAL_AUTH: - case IP_IPSEC_REMOTE_AUTH: #ifndef IPSEC error = EOPNOTSUPP; #else @@ -1482,24 +1431,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, ipr = inp->inp_ipo->ipo_dstid; opt16val = IPSP_IDENTITY_NONE; break; - case IP_IPSEC_LOCAL_CRED: - if (inp->inp_ipo != NULL) - ipr = inp->inp_ipo->ipo_local_cred; - opt16val = IPSP_CRED_NONE; - break; - case IP_IPSEC_REMOTE_CRED: - ipr = inp->inp_ipsec_remotecred; - opt16val = IPSP_CRED_NONE; - break; - case IP_IPSEC_LOCAL_AUTH: - if (inp->inp_ipo != NULL) - ipr = inp->inp_ipo->ipo_local_auth; - opt16val = IPSP_AUTH_NONE; - break; - case IP_IPSEC_REMOTE_AUTH: - ipr = inp->inp_ipsec_remoteauth; - opt16val = IPSP_AUTH_NONE; - break; } if (ipr == NULL) *mtod(m, u_int16_t *) = opt16val; diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index 25a8d135956..ec34c81c2d8 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.82 2015/04/14 12:22:15 mikeb Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -368,7 +368,6 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, if (!ipsp_aux_match(ipo->ipo_tdb, srcid ? srcid : ipo->ipo_srcid, dstid ? dstid : ipo->ipo_dstid, - ipo->ipo_local_cred, NULL, &ipo->ipo_addr, &ipo->ipo_mask)) goto nomatchout; @@ -406,8 +405,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, ipo->ipo_sproto, srcid ? srcid : ipo->ipo_srcid, dstid ? dstid : ipo->ipo_dstid, - ipo->ipo_local_cred, &ipo->ipo_addr, - &ipo->ipo_mask); + &ipo->ipo_addr, &ipo->ipo_mask); if (ipo->ipo_tdb) { TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, ipo, ipo_tdb_next); 
@@ -494,9 +492,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, /* * We only need to check that the correct * security protocol and security gateway are - * set; credentials/IDs will be the same, - * since the cached entry is linked on this - * policy. + * set; IDs will be the same since the cached + * entry is linked on this policy. */ if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && !memcmp(&ipo->ipo_tdb->tdb_src, @@ -609,10 +606,6 @@ ipsec_delete_policy(struct ipsec_policy *ipo) ipsp_reffree(ipo->ipo_srcid); if (ipo->ipo_dstid) ipsp_reffree(ipo->ipo_dstid); - if (ipo->ipo_local_cred) - ipsp_reffree(ipo->ipo_local_cred); - if (ipo->ipo_local_auth) - ipsp_reffree(ipo->ipo_local_auth); if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) ipsec_in_use--; @@ -765,15 +758,10 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, struct ipsec_acquire *ipa; /* - * If this is a socket policy, it has to have authentication - * information accompanying it --- can't tell key mgmt. to - * "find" it for us. This avoids abusing key mgmt. to authenticate - * on an application's behalf, even if the application doesn't - * have/know (and shouldn't) the appropriate authentication - * material (passphrase, private key, etc.) + * ACQUIRE on local sockets is restricted to avoid abuse of + * authentication keys that the IKE daemon has already loaded. */ - if (ipo->ipo_flags & IPSP_POLICY_SOCKET && - ipo->ipo_local_auth == NULL) + if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL; /* Check whether request has been made already. */ 
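Review bot: The new test `if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL;` rejects every socket-attached policy, where before only those lacking local auth material were refused, so a per-socket policy can no longer trigger SA negotiation at all; the replacement comment's "is restricted" understates that. State it plainly, e.g. `/* Socket policies never trigger ACQUIRE: key management would otherwise negotiate with the IKE daemon's own credentials on the application's behalf. */`. Whether EINVAL is still the right errno for what is now a policy decision rather than a malformed request is worth a thought, but the callers, and the rest of ipsp_acquire_sa, lie outside this hunk.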
@@ -969,9 +957,9 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto && !memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, SA_LEN(&tdbp->tdb_src.sa)) && - ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid, - inp->inp_ipo->ipo_dstid, NULL, NULL, - &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask)) + ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid, + inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr, + &inp->inp_ipo->ipo_mask)) goto justreturn; else { *error = -EINVAL; @@ -992,8 +980,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, !memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst, SA_LEN(&tdbp->tdb_src.sa)) && ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid, - inp->inp_ipo->ipo_dstid, NULL, NULL, - &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask)) + inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr, + &inp->inp_ipo->ipo_mask)) goto justreturn; /* @@ -1069,7 +1057,6 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, inp->inp_ipo->ipo_sproto, inp->inp_ipo->ipo_srcid, inp->inp_ipo->ipo_dstid, - inp->inp_ipo->ipo_local_cred, &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask); } @@ -1082,8 +1069,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, IPSP_DIRECTION_OUT); tdb = gettdbbydst(rtable_l2(inp->inp_rtableid), - &sipon.ipo_dst, IPPROTO_ESP, NULL, - NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask); + &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL, + &sipon.ipo_addr, &sipon.ipo_mask); } /* If we found an appropriate SA... */ diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index ba45329f2fa..68749872653 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.287 2015/02/08 04:40:50 yasuoka Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.288 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* 
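Review bot: In the fallback lookup `gettdbbydst(rtable_l2(inp->inp_rtableid), &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask)` both identity arguments are NULL, which, going by the `p* != NULL` guards in ipsp_aux_match, skips the ID comparison, so the SA bound to the socket here is chosen on destination, protocol and flow filter alone. That was already so before this change (the removed credential argument was NULL too), but with credentials gone this is the one remaining identity-free lookup path and it deserves a comment: `/* No IDs: accept any ESP SA to this gateway whose flow filter matches */`. ipsp_spd_inp starts well before this hunk and its remaining hunks should be read with it.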
@@ -913,18 +913,6 @@ findpcb: inp->inp_ipo->ipo_dstid = tdb->tdb_srcid; tdb->tdb_srcid->ref_count++; } - if (inp->inp_ipsec_remotecred == NULL && - tdb->tdb_remote_cred != NULL) { - inp->inp_ipsec_remotecred = - tdb->tdb_remote_cred; - tdb->tdb_remote_cred->ref_count++; - } - if (inp->inp_ipsec_remoteauth == NULL && - tdb->tdb_remote_auth != NULL) { - inp->inp_ipsec_remoteauth = - tdb->tdb_remote_auth; - tdb->tdb_remote_auth->ref_count++; - } } else { /* Just reset */ TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, inp_tdb_in_next); @@ -3711,15 +3699,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th, newinp->inp_ipo = inp->inp_ipo; inp->inp_ipo->ipo_ref_count++; } - if (inp->inp_ipsec_remotecred != NULL) { - newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred; - inp->inp_ipsec_remotecred->ref_count++; - } - if (inp->inp_ipsec_remoteauth != NULL) { - newinp->inp_ipsec_remoteauth - = inp->inp_ipsec_remoteauth; - inp->inp_ipsec_remoteauth->ref_count++; - } } #endif /* IPSEC */ #ifdef INET6 diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index a9b0f6b55b7..2ea8666d5fc 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.196 2015/03/04 11:10:55 mpi Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.197 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -632,18 +632,6 @@ udp_input(struct mbuf *m, ...) inp->inp_ipo->ipo_dstid = tdb->tdb_srcid; tdb->tdb_srcid->ref_count++; } - if (inp->inp_ipsec_remotecred == NULL && - tdb->tdb_remote_cred != NULL) { - inp->inp_ipsec_remotecred = - tdb->tdb_remote_cred; - tdb->tdb_remote_cred->ref_count++; - } - if (inp->inp_ipsec_remoteauth == NULL && - tdb->tdb_remote_auth != NULL) { - inp->inp_ipsec_remoteauth = - tdb->tdb_remote_auth; - tdb->tdb_remote_auth->ref_count++; - } } else { /* Just reset */ TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, inp_tdb_in_next); -- 2.20.1