diff options
| author |   mikeb <mikeb@openbsd.org> | 2015-04-14 12:22:15 +0000 |
|---|---|---|
| committer | mikeb <mikeb@openbsd.org> | 2015-04-14 12:22:15 +0000 |
| commit | d0aa6ebacff682ebdba22deb3b54c1111107207c (patch) | |
| tree | 94abd855aef439a610ba03c01d04359e6ea4ee98 /sys/netinet/ip_ipsp.c | |
| parent | Convert openssl(1) s_time to new option handling. (diff) | |
| download | wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.tar.xz wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.zip | |
Remove support for storing credentials and auth information in the kernel.
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
Diffstat (limited to 'sys/netinet/ip_ipsp.c')
| -rw-r--r-- | sys/netinet/ip_ipsp.c | 55 |
1 files changed, 11 insertions, 44 deletions
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 0c93cf6e480..0cf6b7148aa 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -324,17 +324,15 @@ gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, } /* - * Check that credentials and IDs match. Return true if so. The t* - * range of arguments contains information from TDBs; the p* - * range of arguments contains information from policies or - * already established TDBs. + * Check that IDs match. Return true if so. The t* range of + * arguments contains information from TDBs; the p* range of + * arguments contains information from policies or already + * established TDBs. */ int ipsp_aux_match(struct tdb *tdb, struct ipsec_ref *psrcid, struct ipsec_ref *pdstid, - struct ipsec_ref *plcred, - struct ipsec_ref *prcred, struct sockaddr_encap *pfilter, struct sockaddr_encap *pfiltermask) { @@ -348,16 +346,6 @@ ipsp_aux_match(struct tdb *tdb, !ipsp_ref_match(tdb->tdb_dstid, pdstid)) return 0; - if (plcred != NULL) - if (tdb->tdb_local_cred == NULL || - !ipsp_ref_match(tdb->tdb_local_cred, plcred)) - return 0; - - if (prcred != NULL) - if (tdb->tdb_remote_cred == NULL || - !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) - return 0; - /* Check for filter matches. */ if (pfilter != NULL && pfiltermask != NULL && tdb->tdb_filter.sen_type) { @@ -385,8 +373,7 @@ ipsp_aux_match(struct tdb *tdb, struct tdb * gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, struct ipsec_ref *srcid, struct ipsec_ref *dstid, - struct ipsec_ref *local_cred, struct sockaddr_encap *filter, - struct sockaddr_encap *filtermask) + struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) { u_int32_t hashval; struct tdb *tdbp; @@ -401,9 +388,9 @@ gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, (tdbp->tdb_rdomain == rdomain) && ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { - /* Do IDs and local credentials match ? */ - if (!ipsp_aux_match(tdbp, srcid, dstid, - local_cred, NULL, filter, filtermask)) + /* Do IDs match ? */ + if (!ipsp_aux_match(tdbp, srcid, dstid, filter, + filtermask)) continue; break; } @@ -434,8 +421,8 @@ gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { /* Check whether IDs match */ - if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, - filter, filtermask)) + if (!ipsp_aux_match(tdbp, dstid, srcid, filter, + filtermask)) continue; break; } @@ -824,16 +811,6 @@ tdb_free(struct tdb *tdbp) timeout_del(&tdbp->tdb_stimer_tmo); timeout_del(&tdbp->tdb_sfirst_tmo); - if (tdbp->tdb_local_auth) { - ipsp_reffree(tdbp->tdb_local_auth); - tdbp->tdb_local_auth = NULL; - } - - if (tdbp->tdb_remote_auth) { - ipsp_reffree(tdbp->tdb_remote_auth); - tdbp->tdb_remote_auth = NULL; - } - if (tdbp->tdb_srcid) { ipsp_reffree(tdbp->tdb_srcid); tdbp->tdb_srcid = NULL; @@ -844,16 +821,6 @@ tdb_free(struct tdb *tdbp) tdbp->tdb_dstid = NULL; } - if (tdbp->tdb_local_cred) { - ipsp_reffree(tdbp->tdb_local_cred); - tdbp->tdb_local_cred = NULL; - } - - if (tdbp->tdb_remote_cred) { - ipsp_reffree(tdbp->tdb_remote_cred); - tdbp->tdb_remote_cred = NULL; - } - #if NPF > 0 if (tdbp->tdb_tag) { pf_tag_unref(tdbp->tdb_tag); |