-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 40 | ||||
-rw-r--r-- | sbin/isakmpd/sa.h | 3 | ||||
-rw-r--r-- | sys/net/pfkeyv2.c | 18 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 3 | ||||
-rw-r--r-- | sys/netinet/ipsec_input.c | 124 |
6 files changed, 8 insertions, 186 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index bb2a7ac4fe8..0fe9eab46cb 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.191 2014/10/29 06:26:40 deraadt Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.192 2015/03/26 12:21:37 mikeb Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* @@ -798,14 +798,6 @@ pf_key_v2_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, sizeof(struct sockaddr_in6)); } - ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_PROXY); - if (ext) { - sa = (struct sockaddr *)ext->seg; - memcpy(sa, &ksa.proxy, - sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6)); - } - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_UDPENCAP); if (ext) { udpencap = (struct sadb_x_udpencap *)ext->seg; @@ -1205,36 +1197,6 @@ pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming, goto cleanup; addr = 0; -#if 0 - /* XXX I am not sure about what to do here just yet. */ - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) { - len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(dst)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - memcpy(addr + 1, dst, SA_LEN(dst)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; -#if 0 - msg->em_odst = msg->em_dst; - msg->em_osrc = msg->em_src; -#endif - } -#endif - if (proto->proto != IPSEC_PROTO_IPCOMP) { /* Setup the KEY extensions. */ if (hashlen) { diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h index adca02f41d1..257d1839a70 100644 --- a/sbin/isakmpd/sa.h 
+++ b/sbin/isakmpd/sa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.h,v 1.51 2015/01/16 06:39:59 deraadt Exp $ */ +/* $OpenBSD: sa.h,v 1.52 2015/03/26 12:21:37 mikeb Exp $ */ /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ /* @@ -301,7 +301,6 @@ struct sa_kinfo { struct sockaddr_storage dst; struct sockaddr_storage src; - struct sockaddr_storage proxy; u_int32_t spi; u_int16_t udpencap_port; diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 0af998fcf4d..93a88777180 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.138 2014/12/19 17:14:40 tedu Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.139 2015/03/26 12:21:37 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -523,9 +523,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_src.sa)); i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_dst.sa)); - if (sa->tdb_proxy.sa.sa_family) - i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); - if (sa->tdb_srcid) i += sizeof(struct sadb_ident) + PADUP(sa->tdb_srcid->ref_len); @@ -628,12 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) headers[SADB_EXT_ADDRESS_DST] = p; export_address(&p, (struct sockaddr *) &sa->tdb_dst); - /* Export TDB proxy address, if present */ - if (SA_LEN(&sa->tdb_proxy.sa)) { - headers[SADB_EXT_ADDRESS_PROXY] = p; - export_address(&p, (struct sockaddr *) &sa->tdb_proxy); - } - /* Export source identity, if present */ if (sa->tdb_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; @@ -1027,8 +1018,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) headers[SADB_EXT_ADDRESS_SRC]); import_address((struct sockaddr *) &newsa->tdb_dst, headers[SADB_EXT_ADDRESS_DST]); - import_address((struct sockaddr *) &newsa->tdb_proxy, - headers[SADB_EXT_ADDRESS_PROXY]); import_lifetime(newsa, headers[SADB_EXT_LIFETIME_CURRENT], PFKEYV2_LIFETIME_CURRENT); 
@@ -1095,8 +1084,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) * change lifetimes and some other information; we're * not allowed to change keys, addresses or identities. */ - if (headers[SADB_EXT_ADDRESS_PROXY] || - headers[SADB_EXT_KEY_AUTH] || + if (headers[SADB_EXT_KEY_AUTH] || headers[SADB_EXT_KEY_ENCRYPT] || headers[SADB_EXT_IDENTITY_SRC] || headers[SADB_EXT_IDENTITY_DST] || @@ -1193,8 +1181,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) headers[SADB_EXT_ADDRESS_SRC]); import_address((struct sockaddr *) &newsa->tdb_dst, headers[SADB_EXT_ADDRESS_DST]); - import_address((struct sockaddr *) &newsa->tdb_proxy, - headers[SADB_EXT_ADDRESS_PROXY]); import_lifetime(newsa, headers[SADB_EXT_LIFETIME_CURRENT], diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index 4be905bb45a..b8aef48d779 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.47 2013/04/10 08:50:59 mpi Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -96,7 +96,6 @@ #define BITMAP_LIFETIME_SOFT (1LL << SADB_EXT_LIFETIME_SOFT) #define BITMAP_ADDRESS_SRC (1LL << SADB_EXT_ADDRESS_SRC) #define BITMAP_ADDRESS_DST (1LL << SADB_EXT_ADDRESS_DST) -#define BITMAP_ADDRESS_PROXY (1LL << SADB_EXT_ADDRESS_PROXY) #define BITMAP_KEY_AUTH (1LL << SADB_EXT_KEY_AUTH) #define BITMAP_KEY_ENCRYPT (1LL << SADB_EXT_KEY_ENCRYPT) #define BITMAP_IDENTITY_SRC (1LL << SADB_EXT_IDENTITY_SRC) 
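Review bot: In the SADB_UPDATE guard the only extension dropped from the condition is SADB_EXT_ADDRESS_PROXY, so an update message that still carries a proxy address is no longer refused at this site; whether it is refused at all now depends on how pfkeyv2_parsemessage treats that extension type, which is outside this hunk. If the parser's default branch rejects it, this is fine, but a one-line comment at the guard would keep the next reader from re-adding the check, e.g. `/* SADB_EXT_ADDRESS_PROXY is rejected by the parser; no per-SA proxy state exists */`. The comment above the guard still says addresses may not be changed, which remains accurate for SRC/DST since they select the SA being updated. pfkeyv2_send's body starts and ends outside the hunk.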
@@ -107,7 +106,7 @@ #define BITMAP_SUPPORTED_ENCRYPT (1LL << SADB_EXT_SUPPORTED_ENCRYPT) #define BITMAP_SPIRANGE (1LL << SADB_EXT_SPIRANGE) #define BITMAP_LIFETIME (BITMAP_LIFETIME_CURRENT | BITMAP_LIFETIME_HARD | BITMAP_LIFETIME_SOFT) -#define BITMAP_ADDRESS (BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_ADDRESS_PROXY) +#define BITMAP_ADDRESS (BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST) #define BITMAP_KEY (BITMAP_KEY_AUTH | BITMAP_KEY_ENCRYPT) #define BITMAP_IDENTITY (BITMAP_IDENTITY_SRC | BITMAP_IDENTITY_DST) #define BITMAP_MSG 1 @@ -472,7 +471,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) case SADB_X_EXT_SRC_FLOW: case SADB_X_EXT_DST_FLOW: case SADB_X_EXT_DST2: - case SADB_EXT_ADDRESS_PROXY: { struct sadb_address *sadb_address = (struct sadb_address *)p; diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index 63f07c7ab37..74ff80f4456 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.160 2015/01/19 18:36:51 deraadt Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.161 2015/03/26 12:21:37 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -342,7 +342,6 @@ struct tdb { /* tunnel descriptor block */ union sockaddr_union tdb_dst; /* Destination address */ union sockaddr_union tdb_src; /* Source address */ - union sockaddr_union tdb_proxy; u_int8_t *tdb_amxkey; /* Raw authentication key */ u_int8_t *tdb_emxkey; /* Raw encryption key */ diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index 3d75a997aab..9973fcdc155 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.126 2015/01/24 00:29:06 deraadt Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.127 2015/03/26 12:21:37 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
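Review bot: Removing `case SADB_EXT_ADDRESS_PROXY:` from the parser's switch leaves that extension type — still defined by RFC 2367 and possibly still emitted by an older isakmpd or third-party PF_KEY client — to the switch's default branch, which is outside the hunk. Please confirm that the default branch fails the message (EINVAL) rather than skipping the extension, since a silently ignored proxy address would let a stale client believe a constraint was installed that the kernel no longer enforces. Recording the intent next to the mask definition would help, e.g. `/* proxy addresses (SADB_EXT_ADDRESS_PROXY) are unsupported; the parser rejects them */` above `#define BITMAP_ADDRESS (BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST)`. The enclosing switch in pfkeyv2_parsemessage starts and ends outside the hunk.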
@@ -374,37 +374,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, /* ipn will now contain the inner IPv4 header */ m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((tdbp->tdb_proxy.sa.sa_family == AF_INET && - tdbp->tdb_proxy.sin.sin_addr.s_addr != - INADDR_ANY && - ipn.ip_src.s_addr != - tdbp->tdb_proxy.sin.sin_addr.s_addr) || - (tdbp->tdb_proxy.sa.sa_family != AF_INET && - tdbp->tdb_proxy.sa.sa_family != 0)) { -#if ENCDEBUG - char addr[INET_ADDRSTRLEN]; -#endif - - DPRINTF(("ipsec_common_input_cb(): inner " - "source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08x\n", - inet_ntop(AF_INET, &ipn.ip_src, - addr, sizeof(addr)), - ipsp_address(tdbp->tdb_proxy), - ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); - - m_freem(m); - IPSEC_ISTAT(espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); - return EACCES; - } } #ifdef INET6 
@@ -420,36 +389,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, /* ip6n will now contain the inner IPv6 header. */ m_copydata(m, skip, sizeof(struct ip6_hdr), (caddr_t) &ip6n); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((tdbp->tdb_proxy.sa.sa_family == AF_INET6 && - !IN6_IS_ADDR_UNSPECIFIED(&tdbp->tdb_proxy.sin6.sin6_addr) && - !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, - &tdbp->tdb_proxy.sin6.sin6_addr)) || - (tdbp->tdb_proxy.sa.sa_family != AF_INET6 && - tdbp->tdb_proxy.sa.sa_family != 0)) { -#if ENCDEBUG - char addr[INET6_ADDRSTRLEN]; -#endif - - DPRINTF(("ipsec_common_input_cb(): inner " - "source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08x\n", - inet_ntop(AF_INET6, &ip6n.ip6_src, - addr, sizeof(addr)), - ipsp_address(tdbp->tdb_proxy), - ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); - - m_freem(m); - IPSEC_ISTAT(espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); - return EACCES; - } } #endif /* INET6 */ } 
@@ -487,37 +426,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, } /* ipn will now contain the inner IPv4 header */ m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((tdbp->tdb_proxy.sa.sa_family == AF_INET && - tdbp->tdb_proxy.sin.sin_addr.s_addr != - INADDR_ANY && - ipn.ip_src.s_addr != - tdbp->tdb_proxy.sin.sin_addr.s_addr) || - (tdbp->tdb_proxy.sa.sa_family != AF_INET && - tdbp->tdb_proxy.sa.sa_family != 0)) { -#if ENCDEBUG - char addr[INET_ADDRSTRLEN]; -#endif - - DPRINTF(("ipsec_common_input_cb(): inner " - "source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08x\n", - inet_ntop(AF_INET, &ipn.ip_src, - addr, sizeof(addr)), - ipsp_address(tdbp->tdb_proxy), - ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); - - m_freem(m); - IPSEC_ISTAT(espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); - return EACCES; - } } /* IPv6-in-IP encapsulation */ 
@@ -532,36 +440,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, /* ip6n will now contain the inner IPv6 header. */ m_copydata(m, skip, sizeof(struct ip6_hdr), (caddr_t) &ip6n); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((tdbp->tdb_proxy.sa.sa_family == AF_INET6 && - !IN6_IS_ADDR_UNSPECIFIED(&tdbp->tdb_proxy.sin6.sin6_addr) && - !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, - &tdbp->tdb_proxy.sin6.sin6_addr)) || - (tdbp->tdb_proxy.sa.sa_family != AF_INET6 && - tdbp->tdb_proxy.sa.sa_family != 0)) { -#if ENCDEBUG - char addr[INET6_ADDRSTRLEN]; -#endif - - DPRINTF(("ipsec_common_input_cb(): inner " - "source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08x\n", - inet_ntop(AF_INET6, &ip6n.ip6_src, - addr, sizeof(addr)), - ipsp_address(tdbp->tdb_proxy), - ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); - - m_freem(m); - IPSEC_ISTAT(espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); - return EACCES; - } } } #endif /* INET6 */ |