authormikeb <mikeb@openbsd.org>2015-03-26 12:21:37 +0000
committermikeb <mikeb@openbsd.org>2015-03-26 12:21:37 +0000
commite1e3bc4fa1c6b774d4daac2f1e7988019e67d04b (patch)
tree7398dd207475ee15e07ee02d1be4ce4c458b3173 /sys
parentUse rt_ifa_add(9) and rt_ifa_del(9) to configure MPLS labels. (diff)
Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.c18
-rw-r--r--sys/net/pfkeyv2_parsemessage.c6
-rw-r--r--sys/netinet/ip_ipsp.h3
-rw-r--r--sys/netinet/ipsec_input.c124
4 files changed, 6 insertions, 145 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index 0af998fcf4d..93a88777180 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.138 2014/12/19 17:14:40 tedu Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.139 2015/03/26 12:21:37 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -523,9 +523,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa));
i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa));
- if (sa->tdb_proxy.sa.sa_family)
- i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa));
-
if (sa->tdb_srcid)
i += sizeof(struct sadb_ident) + PADUP(sa->tdb_srcid->ref_len);
@@ -628,12 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
headers[SADB_EXT_ADDRESS_DST] = p;
export_address(&p, (struct sockaddr *) &sa->tdb_dst);
- /* Export TDB proxy address, if present */
- if (SA_LEN(&sa->tdb_proxy.sa)) {
- headers[SADB_EXT_ADDRESS_PROXY] = p;
- export_address(&p, (struct sockaddr *) &sa->tdb_proxy);
- }
-
/* Export source identity, if present */
if (sa->tdb_srcid) {
headers[SADB_EXT_IDENTITY_SRC] = p;
@@ -1027,8 +1018,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
headers[SADB_EXT_ADDRESS_SRC]);
import_address((struct sockaddr *) &newsa->tdb_dst,
headers[SADB_EXT_ADDRESS_DST]);
- import_address((struct sockaddr *) &newsa->tdb_proxy,
- headers[SADB_EXT_ADDRESS_PROXY]);
import_lifetime(newsa,
headers[SADB_EXT_LIFETIME_CURRENT],
PFKEYV2_LIFETIME_CURRENT);
@@ -1095,8 +1084,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
* change lifetimes and some other information; we're
* not allowed to change keys, addresses or identities.
*/
- if (headers[SADB_EXT_ADDRESS_PROXY] ||
- headers[SADB_EXT_KEY_AUTH] ||
+ if (headers[SADB_EXT_KEY_AUTH] ||
headers[SADB_EXT_KEY_ENCRYPT] ||
headers[SADB_EXT_IDENTITY_SRC] ||
headers[SADB_EXT_IDENTITY_DST] ||
@@ -1193,8 +1181,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
headers[SADB_EXT_ADDRESS_SRC]);
import_address((struct sockaddr *) &newsa->tdb_dst,
headers[SADB_EXT_ADDRESS_DST]);
- import_address((struct sockaddr *) &newsa->tdb_proxy,
- headers[SADB_EXT_ADDRESS_PROXY]);
import_lifetime(newsa,
headers[SADB_EXT_LIFETIME_CURRENT],
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index 4be905bb45a..b8aef48d779 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.47 2013/04/10 08:50:59 mpi Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -96,7 +96,6 @@
#define BITMAP_LIFETIME_SOFT (1LL << SADB_EXT_LIFETIME_SOFT)
#define BITMAP_ADDRESS_SRC (1LL << SADB_EXT_ADDRESS_SRC)
#define BITMAP_ADDRESS_DST (1LL << SADB_EXT_ADDRESS_DST)
-#define BITMAP_ADDRESS_PROXY (1LL << SADB_EXT_ADDRESS_PROXY)
#define BITMAP_KEY_AUTH (1LL << SADB_EXT_KEY_AUTH)
#define BITMAP_KEY_ENCRYPT (1LL << SADB_EXT_KEY_ENCRYPT)
#define BITMAP_IDENTITY_SRC (1LL << SADB_EXT_IDENTITY_SRC)
@@ -107,7 +106,7 @@
#define BITMAP_SUPPORTED_ENCRYPT (1LL << SADB_EXT_SUPPORTED_ENCRYPT)
#define BITMAP_SPIRANGE (1LL << SADB_EXT_SPIRANGE)
#define BITMAP_LIFETIME (BITMAP_LIFETIME_CURRENT | BITMAP_LIFETIME_HARD | BITMAP_LIFETIME_SOFT)
-#define BITMAP_ADDRESS (BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_ADDRESS_PROXY)
+#define BITMAP_ADDRESS (BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST)
#define BITMAP_KEY (BITMAP_KEY_AUTH | BITMAP_KEY_ENCRYPT)
#define BITMAP_IDENTITY (BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST)
#define BITMAP_MSG 1
@@ -472,7 +471,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
case SADB_X_EXT_SRC_FLOW:
case SADB_X_EXT_DST_FLOW:
case SADB_X_EXT_DST2:
- case SADB_EXT_ADDRESS_PROXY:
{
struct sadb_address *sadb_address =
(struct sadb_address *)p;
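Review bot: Dropping `case SADB_EXT_ADDRESS_PROXY:` from the switch changes how a message that still carries that extension is handled, and the code that now decides its fate is outside the hunk. If the per-message-type allowed-extension tables built from BITMAP_ADDRESS (narrowed in the `@@ -107` hunk) are consulted before this switch, the extension is refused with EINVAL and the whole SADB_ADD/SADB_UPDATE fails; otherwise it reaches the switch's default branch, whose behaviour is not visible here. Either way this is a hard reject rather than a silent ignore for any userland that still emits a proxy address, which is the safer failure mode, but it deserves a one-line note where the remaining address cases are handled, e.g. `/* SADB_EXT_ADDRESS_PROXY is intentionally unsupported; proxy support was removed */`. pfkeyv2_parsemessage starts and ends outside the hunk.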
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 63f07c7ab37..74ff80f4456 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.160 2015/01/19 18:36:51 deraadt Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.161 2015/03/26 12:21:37 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -342,7 +342,6 @@ struct tdb { /* tunnel descriptor block */
union sockaddr_union tdb_dst; /* Destination address */
union sockaddr_union tdb_src; /* Source address */
- union sockaddr_union tdb_proxy;
u_int8_t *tdb_amxkey; /* Raw authentication key */
u_int8_t *tdb_emxkey; /* Raw encryption key */
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 3d75a997aab..9973fcdc155 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.126 2015/01/24 00:29:06 deraadt Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.127 2015/03/26 12:21:37 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -374,37 +374,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
/* ipn will now contain the inner IPv4 header */
m_copydata(m, skip, sizeof(struct ip),
(caddr_t) &ipn);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((tdbp->tdb_proxy.sa.sa_family == AF_INET &&
- tdbp->tdb_proxy.sin.sin_addr.s_addr !=
- INADDR_ANY &&
- ipn.ip_src.s_addr !=
- tdbp->tdb_proxy.sin.sin_addr.s_addr) ||
- (tdbp->tdb_proxy.sa.sa_family != AF_INET &&
- tdbp->tdb_proxy.sa.sa_family != 0)) {
-#if ENCDEBUG
- char addr[INET_ADDRSTRLEN];
-#endif
-
- DPRINTF(("ipsec_common_input_cb(): inner "
- "source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08x\n",
- inet_ntop(AF_INET, &ipn.ip_src,
- addr, sizeof(addr)),
- ipsp_address(tdbp->tdb_proxy),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
}
#ifdef INET6
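Review bot: Removing the inner-source-address comparison leaves ipsec_common_input_cb with no per-SA check that the decapsulated inner header's source corresponds to anything the SA was configured for; until this commit tdb_proxy was settable from userland via SADB_EXT_ADDRESS_PROXY, so the check was reachable, and after it the only inbound constraint on the inner source is the flow/SPD lookup performed later by the callers, which is outside the hunk and should be confirmed to cover tunnel-mode inner headers. The same removal is made in the `@@ -420`, `@@ -487` and `@@ -532` hunks below. These were also the incrementers of esps_pdrops / ahs_pdrops / ipcomps_pdrops in this function; if no other code path bumps those policy-drop counters, they now report a constant zero and the statistics output that prints them should say so or the counters retired. ipsec_common_input_cb begins and ends outside the hunk.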
@@ -420,36 +389,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
/* ip6n will now contain the inner IPv6 header. */
m_copydata(m, skip, sizeof(struct ip6_hdr),
(caddr_t) &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((tdbp->tdb_proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&tdbp->tdb_proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &tdbp->tdb_proxy.sin6.sin6_addr)) ||
- (tdbp->tdb_proxy.sa.sa_family != AF_INET6 &&
- tdbp->tdb_proxy.sa.sa_family != 0)) {
-#if ENCDEBUG
- char addr[INET6_ADDRSTRLEN];
-#endif
-
- DPRINTF(("ipsec_common_input_cb(): inner "
- "source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08x\n",
- inet_ntop(AF_INET6, &ip6n.ip6_src,
- addr, sizeof(addr)),
- ipsp_address(tdbp->tdb_proxy),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
}
#endif /* INET6 */
}
@@ -487,37 +426,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
}
/* ipn will now contain the inner IPv4 header */
m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((tdbp->tdb_proxy.sa.sa_family == AF_INET &&
- tdbp->tdb_proxy.sin.sin_addr.s_addr !=
- INADDR_ANY &&
- ipn.ip_src.s_addr !=
- tdbp->tdb_proxy.sin.sin_addr.s_addr) ||
- (tdbp->tdb_proxy.sa.sa_family != AF_INET &&
- tdbp->tdb_proxy.sa.sa_family != 0)) {
-#if ENCDEBUG
- char addr[INET_ADDRSTRLEN];
-#endif
-
- DPRINTF(("ipsec_common_input_cb(): inner "
- "source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08x\n",
- inet_ntop(AF_INET, &ipn.ip_src,
- addr, sizeof(addr)),
- ipsp_address(tdbp->tdb_proxy),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
}
/* IPv6-in-IP encapsulation */
@@ -532,36 +440,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
/* ip6n will now contain the inner IPv6 header. */
m_copydata(m, skip, sizeof(struct ip6_hdr),
(caddr_t) &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((tdbp->tdb_proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&tdbp->tdb_proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &tdbp->tdb_proxy.sin6.sin6_addr)) ||
- (tdbp->tdb_proxy.sa.sa_family != AF_INET6 &&
- tdbp->tdb_proxy.sa.sa_family != 0)) {
-#if ENCDEBUG
- char addr[INET6_ADDRSTRLEN];
-#endif
-
- DPRINTF(("ipsec_common_input_cb(): inner "
- "source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08x\n",
- inet_ntop(AF_INET6, &ip6n.ip6_src,
- addr, sizeof(addr)),
- ipsp_address(tdbp->tdb_proxy),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
}
}
#endif /* INET6 */