author | Niels Provos <provos@cvs.openbsd.org> | 2000-12-11 20:32:16 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2000-12-11 20:32:16 +0000 |
commit | cd40f5ad40cd4912648f1cb155bf3167202ddc89 (patch) | |
tree | 899be9d91efe2a2e54f34007cf0f464d7093af92 /sbin | |
parent | 99d6fb1f5b489b0e62fcb603c5f6fbeeb11d37fb (diff) |
remove lots of unnecessary code, on the way to new spd framework.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/photurisd/config.c | 43 | ||||
-rw-r--r-- | sbin/photurisd/config.h | 4 | ||||
-rw-r--r-- | sbin/photurisd/handle_identity_request.c | 4 | ||||
-rw-r--r-- | sbin/photurisd/handle_identity_response.c | 4 | ||||
-rw-r--r-- | sbin/photurisd/handle_spi_update.c | 4 | ||||
-rw-r--r-- | sbin/photurisd/kernel.c | 551 | ||||
-rw-r--r-- | sbin/photurisd/kernel.h | 8 | ||||
-rw-r--r-- | sbin/photurisd/photurisd.8 | 39 | ||||
-rw-r--r-- | sbin/photurisd/photurisd.c | 11 | ||||
-rw-r--r-- | sbin/photurisd/server.c | 5 | ||||
-rw-r--r-- | sbin/photurisd/spi.c | 20 | ||||
-rw-r--r-- | sbin/photurisd/spi.h | 6 | ||||
-rw-r--r-- | sbin/photurisd/state.c | 4 | ||||
-rw-r--r-- | sbin/photurisd/state.h | 5 |
14 files changed, 57 insertions, 651 deletions
diff --git a/sbin/photurisd/config.c b/sbin/photurisd/config.c index 245dcfaa104..d4fdd10f9f3 100644 --- a/sbin/photurisd/config.c +++ b/sbin/photurisd/config.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: config.c,v 1.2 2000/12/11 02:16:50 provos Exp $"; +static char rcsid[] = "$Id: config.c,v 1.3 2000/12/11 20:32:14 provos Exp $"; #endif #define _CONFIG_C_ @@ -644,40 +644,6 @@ startup_parse(struct stateob *st, char *p2) continue; } } - } else if (!strncmp(p, OPT_TSRC, strlen(OPT_TSRC))) { - p = strsep(&p3, "/"); - if (p == NULL || p3 == NULL) { - log_error(0, "tsrc missing addr/mask in startup_parse()"); - continue; - } - if ((st->isrc = inet_addr(p)) == -1) { - log_error(0, "invalid tsrc addr %s in startup_parse()", - p); - continue; - } - if ((st->ismask = inet_addr(p3)) == -1 && - strcmp(p3, "255.255.255.255")) { - log_error(0, "invalid tsrc mask %s in startup_parse()", - p3); - st->isrc = -1; - continue; - } - } else if (!strncmp(p, OPT_TDST, strlen(OPT_TDST))) { - p = strsep(&p3, "/"); - if (p == NULL || p3 == NULL) { - log_error(0, "tdst missing addr/mask in startup_parse()"); - continue; - } - if ((st->idst = inet_addr(p)) == -1) { - log_error(0, "invalid tdst addr %s in startup_parse()", p); - continue; - } - if ((st->idmask = inet_addr(p3)) == -1 && - strcmp(p3, "255.255.255.255")) { - log_error(0, "invalid tdst mask %s in startup_parse()", p3); - st->idst = -1; - continue; - } } } } @@ -697,9 +663,6 @@ startup_end(struct stateob *st) if (st->flags == 0) st->flags = IPSEC_OPT_ENC | IPSEC_OPT_AUTH; - if (st->isrc != -1 && st->idst != -1 && st->isrc && st->idst) - st->flags |= IPSEC_OPT_TUNNEL; - #ifdef DEBUG printf("Starting exchange with: %s:%d and options:", st->address, st->port); 
@@ -707,10 +670,6 @@ startup_end(struct stateob *st) printf("%s ", OPT_ENC); if (st->flags & IPSEC_OPT_AUTH) printf("%s ", OPT_AUTH); - if (st->flags & IPSEC_OPT_TUNNEL) - printf("(tunnel mode) "); - else - printf("(transport mode) "); if (st->user != NULL) printf("for user %s", st->user); printf("\n"); diff --git a/sbin/photurisd/config.h b/sbin/photurisd/config.h index 8eb1cc493e5..3feae374af3 100644 --- a/sbin/photurisd/config.h +++ b/sbin/photurisd/config.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: config.h,v 1.1 1998/11/14 23:37:22 deraadt Exp $ */ +/* $Id: config.h,v 1.2 2000/12/11 20:32:15 provos Exp $ */ /* * config.h: * handling config @@ -96,8 +96,6 @@ void reconfig(int sig); # define OPT_ENC "enc" # define OPT_AUTH "auth" #define OPT_USER "user" -#define OPT_TSRC "tsrc" -#define OPT_TDST "tdst" struct cfgx { struct cfgx *next; diff --git a/sbin/photurisd/handle_identity_request.c b/sbin/photurisd/handle_identity_request.c index b25a4bf7c1b..3d3b1fd329d 100644 --- a/sbin/photurisd/handle_identity_request.c +++ b/sbin/photurisd/handle_identity_request.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_identity_request.c,v 1.1 1998/11/14 23:37:23 deraadt Exp $"; +static char rcsid[] = "$Id: handle_identity_request.c,v 1.2 2000/12/11 20:32:15 provos Exp $"; #endif #include <stdio.h> @@ -327,8 +327,6 @@ handle_identity_request(u_char *packet, int size, char *address, /* Make session keys for User */ make_session_keys(st, spi); - spi_set_tunnel(st, spi); - spi_insert(spi); #ifdef IPSEC kernel_insert_spi(st, spi); diff --git a/sbin/photurisd/handle_identity_response.c b/sbin/photurisd/handle_identity_response.c index d3618e4aa60..4378fb4de09 100644 --- a/sbin/photurisd/handle_identity_response.c +++ b/sbin/photurisd/handle_identity_response.c 
@@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_identity_response.c,v 1.1 1998/11/14 23:37:24 deraadt Exp $"; +static char rcsid[] = "$Id: handle_identity_response.c,v 1.2 2000/12/11 20:32:15 provos Exp $"; #endif #include <stdio.h> @@ -274,8 +274,6 @@ handle_identity_response(u_char *packet, int size, char *address, /* Session keys for User */ make_session_keys(st, spi); - spi_set_tunnel(st, spi); - spi_insert(spi); #ifdef IPSEC kernel_insert_spi(st, spi); diff --git a/sbin/photurisd/handle_spi_update.c b/sbin/photurisd/handle_spi_update.c index a0dd91725cb..401d8f808d0 100644 --- a/sbin/photurisd/handle_spi_update.c +++ b/sbin/photurisd/handle_spi_update.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_spi_update.c,v 1.2 1999/03/27 21:18:00 provos Exp $"; +static char rcsid[] = "$Id: handle_spi_update.c,v 1.3 2000/12/11 20:32:15 provos Exp $"; #endif #include <stdio.h> @@ -176,8 +176,6 @@ handle_spi_update(u_char *packet, int size, char *address, bcopy(st->icookie, spi->icookie, COOKIE_SIZE); spi->lifetime = time(NULL) + lifetime; - spi_set_tunnel(st, spi); - make_session_keys(st, spi); spi_insert(spi); diff --git a/sbin/photurisd/kernel.c b/sbin/photurisd/kernel.c index fba0e02469e..71e19885ffe 100644 --- a/sbin/photurisd/kernel.c +++ b/sbin/photurisd/kernel.c @@ -39,7 +39,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: kernel.c,v 1.8 2000/12/11 02:16:50 provos Exp $"; +static char rcsid[] = "$Id: kernel.c,v 1.9 2000/12/11 20:32:15 provos Exp $"; #endif #include <time.h> @@ -170,7 +170,7 @@ kernel_valid(attrib_t *enc, attrib_t *auth) return AT_ENC; if (!(xf_auth->flags & ESP_NEW)) return AT_AUTH; - return 0; + return (0); } /* 
@@ -185,7 +185,7 @@ kernel_valid_auth(attrib_t *auth, u_int8_t *flag, u_int16_t size) transform *xf_auth = kernel_get_transform(auth->id); if (xf_auth == NULL) - return -1; /* We don't know this attribute */ + return (-1); /* We don't know this attribute */ for (i=0; i<size; i++) { switch (flag[i]) { @@ -198,11 +198,11 @@ kernel_valid_auth(attrib_t *auth, u_int8_t *flag, u_int16_t size) } if (!hmac && !(xf_auth->flags & AH_OLD)) - return -1; + return (-1); if (hmac && !(xf_auth->flags & AH_NEW)) - return -1; + return (-1); - return 0; + return (0); } int @@ -219,7 +219,7 @@ init_kernel(void) if (kernel_register(regsd) == -1) crit_error(0, "PFKEY socket registration failed in init_kernel()"); - return 1; + return (1); } int @@ -262,12 +262,12 @@ kernel_xf_set(int sd, char *buffer, int blen, struct iovec *iov, if (writev(sd, iov, cnt) != len) { perror("writev() in kernel_xf_set()"); - return 0; + return (0); } if (buffer) return kernel_xf_read(sd, buffer, blen, seq); - return 1; + return (1); } int @@ -284,16 +284,16 @@ kernel_xf_read(int sd, char *buffer, int blen, int seq) do { if (recv(sd, sres, sizeof(*sres), MSG_PEEK) != sizeof(*sres)) { perror("read() in kernel_xf_read()"); - return 0; + return (0); } len = sres->sadb_msg_len * 8; if (len >= BUFFER_SIZE) { log_error(0, "PFKEYV2 message len %d too big in kernel_xf_read()", len); - return 0; + return (0); } if (read(sd, sres, len) != len) { perror("read() in kernel_xf_read()"); - return 0; + return (0); } } while (seq && (sres->sadb_msg_seq != seq || (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid) @@ -302,13 +302,13 @@ kernel_xf_read(int sd, char *buffer, int blen, int seq) if (sres->sadb_msg_errno) { log_error(0, "kernel_xf_read: PFKEYV2 result: %s", strerror(sres->sadb_msg_errno)); - return 0; + return (0); } if (sres->sadb_msg_pid && sres->sadb_msg_pid != pfkey_pid) return (0); - return 1; + return (1); } int 
@@ -338,7 +338,7 @@ kernel_register(int sd) if (!kernel_xf_set(regsd, buffer, BUFFER_SIZE, iov, cnt, smsg.sadb_msg_len*8)) { log_error(1, "kernel_xf_set() in kernel_reserve_single_spi()"); - return -1; + return (-1); } /* Register for ESP */ @@ -347,7 +347,7 @@ kernel_register(int sd) if (!kernel_xf_set(regsd, buffer, BUFFER_SIZE, iov, cnt, smsg.sadb_msg_len*8)) { log_error(1, "kernel_xf_set() in kernel_reserve_single_spi()"); - return -1; + return (-1); } /* @@ -361,14 +361,14 @@ kernel_register(int sd) log_error(0, "SADB_REGISTER did not return a SADB_EXT_SUPORTED " "struct: %d in kernel_register()", ssup->sadb_supported_exttype); - return -1; + return (-1); } len = ssup->sadb_supported_len * 8 - sizeof(*ssup); if (len != (ssup->sadb_supported_nauth + ssup->sadb_supported_nencrypt) * sizeof(struct sadb_alg)) { log_error(0, "SADB_SUPPORTED length mismatch in kernel_register()"); - return -1; + return (-1); } salg = (struct sadb_alg *)(ssup + 1); @@ -377,7 +377,7 @@ kernel_register(int sd) for (cnt = 0; cnt < ssup->sadb_supported_nencrypt; cnt++, salg++) kernel_transform_seen(salg->sadb_alg_type, XF_ENC); - return 0; + return (0); } u_int32_t @@ -491,7 +491,7 @@ kernel_reserve_single_spi(char *srcaddress, char *dstaddress, u_int32_t spi, if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) { log_error(1, "kernel_xf_set() in kernel_reserve_single_spi()"); - return 0; + return (0); } sres = (struct sadb_msg *)buffer; @@ -499,7 +499,7 @@ kernel_reserve_single_spi(char *srcaddress, char *dstaddress, u_int32_t spi, if (ssa->sadb_sa_exttype != SADB_EXT_SA) { log_error(0, "SADB_GETSPI did not return a SADB_EXT_SA struct: %d", ssa->sadb_sa_exttype); - return 0; + return (0); } return ntohl(ssa->sadb_sa_spi); @@ -523,7 +523,7 @@ kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets, int hmac) if (xf == NULL || !(xf->flags & XF_AUTH)) { log_error(0, "%d is not an auth transform in kernel_ah()", ob->id); - return -1; + return (-1); } bzero(&sa, sizeof(sa)); 
@@ -580,8 +580,6 @@ kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets, int hmac) sr.sadb_sa_state = SADB_SASTATE_MATURE; sr.sadb_sa_auth = xf->kernel_id; sr.sadb_sa_encrypt = 0; - if (SPI->flags & SPI_TUNNEL) - sr.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; if (!hmac) sr.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; sa.sadb_msg_len += sr.sadb_sa_len; @@ -610,13 +608,11 @@ kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets, int hmac) iov[cnt].iov_base = secrets; len += iov[cnt++].iov_len = ((ob->klen + 7) / 8) * 8; - kernel_debug(("kernel_ah: %08x. %s-Mode\n", - ntohl(sr.sadb_sa_spi), - SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport")); + kernel_debug(("kernel_ah: %08x\n", ntohl(sr.sadb_sa_spi))); if (!KERNEL_XF_SET(len)) { log_error(1, "kernel_xf_set() in kernel_ah()"); - return -1; + return (-1); } return ob->klen; } @@ -643,7 +639,7 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets) if (ob->type & AT_AUTH) { if (ob2 == NULL || ob2->type != AT_ENC) { log_error(0, "No encryption after auth given in kernel_esp()"); - return -1; + return (-1); } attenc = ob2; attauth = ob; @@ -658,13 +654,13 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets) } } else { log_error(0, "No encryption transform given in kernel_esp()"); - return -1; + return (-1); } xf_enc = kernel_get_transform(attenc->id); if ((xf_enc->flags & ESP_OLD) && attauth != NULL) { log_error(0, "Old ESP does not support AH in kernel_esp()"); - return -1; + return (-1); } if (attauth != NULL) @@ -703,8 +699,6 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets) sr.sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING; sr.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; } - if (SPI->flags & SPI_TUNNEL) - sr.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; sa.sadb_msg_len += sr.sadb_sa_len; iov[cnt].iov_base = &sr; 
@@ -771,414 +765,16 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets) iov[cnt++].iov_len = ((attauth->klen + 7) / 8) * 8; } - kernel_debug(("kernel_esp: %08x. %s-Mode\n", - ntohl(sr.sadb_sa_spi), - SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport")); + kernel_debug(("kernel_esp: %08x\n", ntohl(sr.sadb_sa_spi))); if (!KERNEL_XF_SET(sa.sadb_msg_len * 8)) { log_error(1, "kernel_xf_set() in kernel_esp()"); - return -1; + return (-1); } return attenc->klen + (attauth ? attauth->klen : 0); } -/* Group an ESP SPI with an AH SPI */ - -int -kernel_group_spi(char *address, u_int8_t *spi) -{ -#ifndef OPENBSD_IPSEC_API_VERSION - struct sadb_msg smsg; - struct sadb_sa sa, sa2; - struct sadb_address sad1, sad2; - struct sadb_protocol sproto; - union sockaddr_union dst1, dst2; - struct iovec iov[8]; - int cnt = 0; - u_int32_t SPI; - - SPI = SPITOINT(spi); - - bzero(&smsg, sizeof(smsg)); - bzero(&sa, sizeof(sa)); - bzero(&sa2, sizeof(sa2)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&dst1, sizeof(dst1)); - bzero(&dst2, sizeof(dst2)); - - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_X_GRPSPIS; - smsg.sadb_msg_satype = SADB_SATYPE_ESP; - smsg.sadb_msg_len = sizeof(smsg) / 8; - - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - sa.sadb_sa_len = sizeof(sa) / 8; - sa.sadb_sa_exttype = SADB_EXT_SA; - sa.sadb_sa_spi = htonl(SPI); - sa.sadb_sa_state = SADB_SASTATE_MATURE; - smsg.sadb_msg_len += sa.sadb_sa_len; - - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - sa2.sadb_sa_len = sizeof(sa2) / 8; - sa2.sadb_sa_exttype = SADB_X_EXT_SA2; - sa2.sadb_sa_spi = htonl(SPI); - sa2.sadb_sa_state = SADB_SASTATE_MATURE; - smsg.sadb_msg_len += sa2.sadb_sa_len; - - iov[cnt].iov_base = &sa2; - iov[cnt++].iov_len = sizeof(sa2); - - sad1.sadb_address_len = (sizeof(sad1) + sizeof(struct sockaddr_in)) / 8; - sad1.sadb_address_exttype 
= SADB_EXT_ADDRESS_DST; - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - dst1.sin.sin_family = AF_INET; - dst1.sin.sin_len = sizeof(struct sockaddr_in); - dst1.sin.sin_addr.s_addr = inet_addr(address); - smsg.sadb_msg_len += sad1.sadb_address_len; - iov[cnt].iov_base = &dst1; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - sad2.sadb_address_len = (sizeof(sad2) + sizeof(struct sockaddr_in)) / 8; - sad2.sadb_address_exttype = SADB_X_EXT_DST2; - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - dst2.sin.sin_family = AF_INET; - dst2.sin.sin_len = sizeof(struct sockaddr_in); - dst2.sin.sin_addr.s_addr = inet_addr(address); - smsg.sadb_msg_len += sad2.sadb_address_len; - iov[cnt].iov_base = &dst2; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - sproto.sadb_protocol_len = sizeof(sproto) / 8; - sproto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - sproto.sadb_protocol_proto = SADB_SATYPE_AH; - smsg.sadb_msg_len += sproto.sadb_protocol_len; - iov[cnt].iov_base = &sproto; - iov[cnt++].iov_len = sizeof(sproto); - - kernel_debug(("kernel_group_spi: %s, %08x\n", address, SPI)); - - if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) { - log_error(1, "kernel_xf_set() in kernel_group_spi()"); - return -1; - } -#endif - - return 1; -} - -int -kernel_bind_spis(struct spiob *spi1, struct spiob *spi2) -{ -#ifndef OPENBSD_IPSEC_API_VERSION - struct sadb_msg smsg; - struct sadb_sa sa, sa2; - struct sadb_address sad1, sad2; - struct sadb_protocol sproto; - union sockaddr_union dst1, dst2; - struct iovec iov[8]; - int cnt = 0; - u_int32_t inspi = SPITOINT(spi1->SPI); - u_int32_t outspi = SPITOINT(spi2->SPI); - - bzero(&smsg, sizeof(smsg)); - bzero(&sa, sizeof(sa)); - bzero(&sa2, sizeof(sa2)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&dst1, sizeof(dst1)); - bzero(&dst2, sizeof(dst2)); - - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = 
SADB_X_BINDSA; - smsg.sadb_msg_satype = spi1->flags & SPI_ESP ? - SADB_SATYPE_ESP : SADB_SATYPE_AH; - smsg.sadb_msg_len = sizeof(smsg) / 8; - - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - sa.sadb_sa_len = sizeof(sa) / 8; - sa.sadb_sa_exttype = SADB_EXT_SA; - sa.sadb_sa_spi = htonl(inspi); - sa.sadb_sa_state = SADB_SASTATE_MATURE; - smsg.sadb_msg_len += sa.sadb_sa_len; - - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - sa2.sadb_sa_len = sizeof(sa2) / 8; - sa2.sadb_sa_exttype = SADB_X_EXT_SA2; - sa2.sadb_sa_spi = htonl(outspi); - sa2.sadb_sa_state = SADB_SASTATE_MATURE; - smsg.sadb_msg_len += sa2.sadb_sa_len; - - iov[cnt].iov_base = &sa2; - iov[cnt++].iov_len = sizeof(sa2); - - sad1.sadb_address_len = (sizeof(sad1) + sizeof(struct sockaddr_in)) / 8; - sad1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - dst1.sin.sin_family = AF_INET; - dst1.sin.sin_len = sizeof(struct sockaddr_in); - dst1.sin.sin_addr.s_addr = inet_addr(spi1->local_address); - smsg.sadb_msg_len += sad1.sadb_address_len; - iov[cnt].iov_base = &dst1; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - sad2.sadb_address_len = (sizeof(sad2) + sizeof(struct sockaddr_in)) / 8; - sad2.sadb_address_exttype = SADB_X_EXT_DST2; - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - dst2.sin.sin_family = AF_INET; - dst2.sin.sin_len = sizeof(struct sockaddr_in); - dst2.sin.sin_addr.s_addr = inet_addr(spi2->address); - smsg.sadb_msg_len += sad2.sadb_address_len; - iov[cnt].iov_base = &dst2; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - sproto.sadb_protocol_len = sizeof(sproto) / 8; - sproto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - sproto.sadb_protocol_proto = spi2->flags & SPI_ESP ? 
- SADB_SATYPE_ESP : SADB_SATYPE_AH; - smsg.sadb_msg_len += sproto.sadb_protocol_len; - iov[cnt].iov_base = &sproto; - iov[cnt++].iov_len = sizeof(sproto); - - kernel_debug(("kernel_bind_spi: <%s, %08x> -> <%s, %08x>\n", - spi1->local_address, inspi, spi2->address, outspi)); - - if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) { - log_error(1, "kernel_xf_set() in kernel_bind_spi()"); - return -1; - } -#endif - - return 1; -} - -int -kernel_enable_spi(in_addr_t isrc, in_addr_t ismask, - in_addr_t idst, in_addr_t idmask, - char *address, u_int8_t *spi, int proto, int flags) -{ -#ifndef OPENBSD_IPSEC_API_VERSION - struct sadb_msg smsg; - struct sadb_sa sa; - struct sadb_address sad, sad1, sad2, sad3, sad4; - union sockaddr_union dst, osrc, osmask, odst, odmask; - struct iovec iov[12]; - u_int32_t SPI; - int cnt = 0; - SPI = SPITOINT(spi); - - bzero(&smsg, sizeof(smsg)); - bzero(&sa, sizeof(sa)); - bzero(&sad, sizeof(sad)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sad3, sizeof(sad3)); - bzero(&sad4, sizeof(sad4)); - bzero(&dst, sizeof(dst)); - bzero(&osrc, sizeof(osrc)); - bzero(&osmask, sizeof(osmask)); - bzero(&odst, sizeof(odst)); - bzero(&odmask, sizeof(odmask)); - - smsg.sadb_msg_len = sizeof(smsg) / 8; - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_X_ADDFLOW; - smsg.sadb_msg_satype = proto == IPPROTO_ESP ? 
- SADB_SATYPE_ESP : SADB_SATYPE_AH; - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - sa.sadb_sa_len = sizeof(sa) / 8; - sa.sadb_sa_exttype = SADB_EXT_SA; - sa.sadb_sa_state = SADB_SASTATE_MATURE; - sa.sadb_sa_spi = htonl(SPI); - sa.sadb_sa_flags = flags; - smsg.sadb_msg_len += sa.sadb_sa_len; - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - sad.sadb_address_len = (sizeof(sad) + sizeof(struct sockaddr_in)) / 8; - sad.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - smsg.sadb_msg_len += sad.sadb_address_len; - iov[cnt].iov_base = &sad; - iov[cnt++].iov_len = sizeof(sad); - - dst.sin.sin_family = AF_INET; - dst.sin.sin_len = sizeof(struct sockaddr_in); - dst.sin.sin_addr.s_addr = inet_addr(address); - iov[cnt].iov_base = &dst; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - sad1.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; - sad2.sadb_address_exttype = SADB_X_EXT_SRC_MASK; - sad3.sadb_address_exttype = SADB_X_EXT_DST_FLOW; - sad4.sadb_address_exttype = SADB_X_EXT_DST_MASK; - - sad1.sadb_address_len = (sizeof(sad1) + sizeof(struct sockaddr_in)) / 8; - sad2.sadb_address_len = (sizeof(sad2) + sizeof(struct sockaddr_in)) / 8; - sad3.sadb_address_len = (sizeof(sad3) + sizeof(struct sockaddr_in)) / 8; - sad4.sadb_address_len = (sizeof(sad4) + sizeof(struct sockaddr_in)) / 8; - - osrc.sin.sin_family = odst.sin.sin_family = AF_INET; - osmask.sin.sin_family = odmask.sin.sin_family = AF_INET; - osrc.sin.sin_len = odst.sin.sin_len = sizeof(struct sockaddr_in); - osmask.sin.sin_len = sizeof(struct sockaddr_in); - odmask.sin.sin_len = sizeof(struct sockaddr_in); - - osrc.sin.sin_addr.s_addr = isrc; - osmask.sin.sin_addr.s_addr = ismask; - odst.sin.sin_addr.s_addr = idst; - odmask.sin.sin_addr.s_addr = idmask; - smsg.sadb_msg_len += sad1.sadb_address_len * 4; - - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - iov[cnt].iov_base = &osrc; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad2; - 
iov[cnt++].iov_len = sizeof(sad2); - iov[cnt].iov_base = &osmask; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad3; - iov[cnt++].iov_len = sizeof(sad3); - iov[cnt].iov_base = &odst; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad4; - iov[cnt++].iov_len = sizeof(sad4); - iov[cnt].iov_base = &odmask; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - kernel_debug(("kernel_enable_spi: %08x\n", SPI)); - - if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) { - log_error(1, "kernel_xf_set() in kernel_enable_spi()"); - return -1; - } -#endif - - return 1; -} - -int -kernel_disable_spi(in_addr_t isrc, in_addr_t ismask, - in_addr_t idst, in_addr_t idmask, - char *address, u_int8_t *spi, int proto, int flags) -{ -#ifndef OPENBSD_IPSEC_API_VERSION - struct sadb_msg smsg; - struct sadb_sa sa; - struct sadb_address sad1, sad2, sad3, sad4; - union sockaddr_union osrc, osmask, odst, odmask; - struct iovec iov[12]; - u_int32_t SPI; - int cnt = 0; - SPI = SPITOINT(spi); - - bzero(&smsg, sizeof(smsg)); - bzero(&sa, sizeof(sa)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sad3, sizeof(sad3)); - bzero(&sad4, sizeof(sad4)); - bzero(&osrc, sizeof(osrc)); - bzero(&osmask, sizeof(osmask)); - bzero(&odst, sizeof(odst)); - bzero(&odmask, sizeof(odmask)); - - smsg.sadb_msg_len = sizeof(smsg) / 8; - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_X_DELFLOW; - smsg.sadb_msg_satype = proto == IPPROTO_ESP ? 
- SADB_SATYPE_ESP : SADB_SATYPE_AH; - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - sa.sadb_sa_len = sizeof(sa) / 8; - sa.sadb_sa_exttype = SADB_EXT_SA; - sa.sadb_sa_state = SADB_SASTATE_MATURE; - sa.sadb_sa_spi = htonl(SPI); - sa.sadb_sa_flags = flags; - smsg.sadb_msg_len += sa.sadb_sa_len; - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - sad1.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; - sad2.sadb_address_exttype = SADB_X_EXT_SRC_MASK; - sad3.sadb_address_exttype = SADB_X_EXT_DST_FLOW; - sad4.sadb_address_exttype = SADB_X_EXT_DST_MASK; - - sad1.sadb_address_len = (sizeof(sad1) + sizeof(struct sockaddr_in)) / 8; - sad2.sadb_address_len = (sizeof(sad2) + sizeof(struct sockaddr_in)) / 8; - sad3.sadb_address_len = (sizeof(sad3) + sizeof(struct sockaddr_in)) / 8; - sad4.sadb_address_len = (sizeof(sad4) + sizeof(struct sockaddr_in)) / 8; - - osrc.sin.sin_family = odst.sin.sin_family = AF_INET; - osmask.sin.sin_family = odmask.sin.sin_family = AF_INET; - osrc.sin.sin_len = odst.sin.sin_len = sizeof(struct sockaddr_in); - osmask.sin.sin_len = sizeof(struct sockaddr_in); - odmask.sin.sin_len = sizeof(struct sockaddr_in); - - osrc.sin.sin_addr.s_addr = isrc; - osmask.sin.sin_addr.s_addr = ismask; - odst.sin.sin_addr.s_addr = idst; - odmask.sin.sin_addr.s_addr = idmask; - smsg.sadb_msg_len += sad1.sadb_address_len * 4; - - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - iov[cnt].iov_base = &osrc; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - iov[cnt].iov_base = &osmask; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad3; - iov[cnt++].iov_len = sizeof(sad3); - iov[cnt].iov_base = &odst; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - iov[cnt].iov_base = &sad4; - iov[cnt++].iov_len = sizeof(sad4); - iov[cnt].iov_base = &odmask; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - - 
kernel_debug(("kernel_disable_spi: %08x\n", SPI));
-
- if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) {
- log_error(1, "kernel_xf_set() in kernel_disable_spi()");
- return -1;
- }
-#endif
-
- return 1;
-}
-
 /*
 * Remove a single SPI from the kernel database.
 */
@@ -1248,10 +844,10 @@ kernel_delete_spi(char *address, u_int32_t spi, int proto)
 if (!KERNEL_XF_SET(sa.sadb_msg_len * 8)) {
 log_error(1, "kernel_xf_set() in kernel_delete_spi()");
- return -1;
+ return (-1);
 }
- return 1;
+ return (1);
 }
 /*
@@ -1267,7 +863,6 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 u_int8_t *attributes;
 u_int16_t attribsize, ahsize, espsize;
 u_int8_t *secrets, *ah, *esp;
- struct spiob *spi2;
 attrib_t *attprop;
 int offset, proto = 0;
@@ -1289,7 +884,7 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 if ((attprop = getattrib(esp[count])) == NULL) {
 log_error(0, "Unknown attribute %d for ESP in kernel_insert_spi()",
 esp[count]);
- return -1;
+ return (-1);
 }
 if (atesp == NULL && attprop->type == AT_ENC)
 atesp = attprop;
@@ -1300,15 +895,12 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 }
 if (atesp == NULL) {
 log_error(0, "No encryption attribute in ESP section for SA(%08x, %s->%s) in kernel_insert()", SPITOINT(SPI->SPI), SPI->local_address, SPI->address);
- return -1;
+ return (-1);
 }
- if (vpn_mode)
- SPI->flags |= SPI_TUNNEL;
-
 offset = kernel_esp(atesp, atah, SPI, secrets);
 if (offset == -1)
- return -1;
+ return (-1);
 secrets += offset;
 }
@@ -1320,7 +912,7 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 if ((attprop = getattrib(ah[count])) == NULL) {
 log_error(0, "Unknown attribute %d for AH in kernel_insert_spi()",
 ah[count]);
- return -1;
+ return (-1);
 }
 if(atah == NULL && (attprop->type & AT_AUTH))
 atah = attprop;
@@ -1339,17 +931,12 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 if (atah == NULL) {
 log_error(0, "No authentication attribute in AH section for SA(%08x, %s->%s) in kernel_insert()", SPITOINT(SPI->SPI), SPI->local_address, SPI->address);
- return -1;
+ return (-1);
 }
- if (vpn_mode && esp == NULL)
- SPI->flags |= SPI_TUNNEL;
- else
- SPI->flags &= ~SPI_TUNNEL;
-
 offset = kernel_ah(atah, SPI, secrets, hmac);
 if (offset == -1)
- return -1;
+ return (-1);
 secrets += offset;
 }
@@ -1361,57 +948,17 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 SPI->flags &= ~SPI_ESP;
 }
-#if OPENBSD_IPSEC_API_VERSION == 1
 /*
 * Inform the kernel that we obtained the requested SA
 */
 kernel_notify_result(st, SPI, proto);
-#else
- /* Group the SPIs for User */
- if (!(SPI->flags & SPI_OWNER) && ah != NULL && esp != NULL) {
- if (kernel_group_spi(SPI->address, spi) == -1)
- log_error(0, "kernel_group_spi() in kernel_insert_spi()");
- }
- if (!(SPI->flags & SPI_OWNER)) {
- if (!(SPI->flags & SPI_NOTIFY) || vpn_mode) {
- if (kernel_enable_spi(SPI->isrc, SPI->ismask,
- SPI->idst, SPI->idmask,
- SPI->address, spi, proto,
- SADB_X_SAFLAGS_REPLACEFLOW |
- (vpn_mode ? /*ENABLE_FLAG_MODIFY*/ : 0)) == -1)
- log_error(0, "kernel_enable_spi() in kernel_insert_spi()");
- } else {
- /*
- * Inform the kernel that we obtained the requested SA
- */
- kernel_notify_result(st, SPI, proto);
- }
- }
-#endif
-
- /* Is this what people call perfect forward security ? */
+ /* Erase keys */
 bzero(SPI->sessionkey, SPI->sessionkeysize);
 free(SPI->sessionkey);
 SPI->sessionkey = NULL;
 SPI->sessionkeysize = 0;
- /* Bind the pair of SPI in the state object */
- if (SPI->flags & SPI_OWNER)
- spi2 = spi_find(SPI->address, st->uSPI);
- else
- spi2 = spi_find(SPI->local_address, st->oSPI);
-
- if (!spi2) {
- log_error(0, "kernel_insert_spi(): can not find second SPI");
- return 0;
- }
-
- if (SPI->flags & SPI_OWNER)
- kernel_bind_spis(SPI, spi2);
- else
- kernel_bind_spis(spi2, SPI);
-
- return 1;
+ return (1);
 }
 /*
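Review bot: The new `/* Erase keys */` comment sits over `bzero(SPI->sessionkey, SPI->sessionkeysize);` immediately followed by `free(SPI->sessionkey);`, and a compiler is allowed to drop a store into memory that is freed right after it, so the session key may survive in the freed heap; the old comment at least hinted that the zeroing is deliberate. I would make the intent explicit, e.g. `/* Erase keys: this zeroing is security-relevant and must stay before free() */`, and use a clearing primitive the optimizer cannot elide if the target provides one. The `return (x)` parenthesization churn spread over the rest of kernel.c is mixed into the same commit as the removal of the flow, grouping and binding code, which makes the behavioral part harder to pick out; a separate style commit would review more easily. kernel_insert_spi begins outside this hunk.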
@@ -1439,34 +986,16 @@ kernel_unlink_spi(struct spiob *ospi)
 AT_AH_ATTRIB);
 if (esp != NULL) {
- int flag = (vpn_mode ? /*ENABLE_FLAG_MODIFY*/ : 0);
- if (!(ospi->flags & SPI_OWNER) &&
- kernel_disable_spi(ospi->isrc, ospi->ismask,
- ospi->idst, ospi->idmask,
- ospi->address, ospi->SPI,
- IPPROTO_ESP, flag) == -1)
- log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
-
 if (kernel_delete_spi(p, SPITOINT(ospi->SPI), IPPROTO_ESP) == -1)
 log_error(0, "kernel_delete_spi() in kernel_unlink_spi()");
 }
 if (ah != NULL) {
- if (esp == NULL) {
- int flag = (vpn_mode ? /*ENABLE_FLAG_MODIFY*/ : 0);
- if (!(ospi->flags & SPI_OWNER) &&
- kernel_disable_spi(ospi->isrc, ospi->ismask,
- ospi->idst, ospi->idmask,
- ospi->address, ospi->SPI,
- IPPROTO_AH, flag) == -1)
- log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
- }
-
 if (kernel_delete_spi(p, SPITOINT(ospi->SPI), IPPROTO_AH) == -1)
 log_error(0, "kernel_delete_spi() in kernel_unlink_spi()");
 }
- return 1;
+ return (1);
 }
 /*
diff --git a/sbin/photurisd/kernel.h b/sbin/photurisd/kernel.h
index ed49f72da79..d36f81d3310 100644
--- a/sbin/photurisd/kernel.h
+++ b/sbin/photurisd/kernel.h
@@ -27,7 +27,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* $Id: kernel.h,v 1.5 2000/11/17 19:32:56 millert Exp $ */
+/* $Id: kernel.h,v 1.6 2000/12/11 20:32:15 provos Exp $ */
 /*
 * kernel.h:
 * security paramter index creation.
@@ -90,12 +90,6 @@ int kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI,
 int kernel_group_spi(char *address, u_int8_t *spi);
 int kernel_bind_spis(struct spiob *spi1, struct spiob *spi2);
-int kernel_enable_spi(in_addr_t isrc, in_addr_t ismask,
- in_addr_t idst, in_addr_t idmask,
- char *address, u_int8_t *spi, int proto, int flags);
-int kernel_disable_spi(in_addr_t isrc, in_addr_t ismask,
- in_addr_t idst, in_addr_t idmask,
- char *address, u_int8_t *spi, int proto, int flags);
 int kernel_delete_spi(char *address, u_int32_t spi, int proto);
 int kernel_request_sa(void *em /* struct encap_msghdr *em */);
diff --git a/sbin/photurisd/photurisd.8 b/sbin/photurisd/photurisd.8
index 85a90a01090..706b370807d 100644
--- a/sbin/photurisd/photurisd.8
+++ b/sbin/photurisd/photurisd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: photurisd.8,v 1.7 2000/03/18 22:56:02 aaron Exp $
+.\" $OpenBSD: photurisd.8,v 1.8 2000/12/11 20:32:15 provos Exp $
 .\"
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
@@ -38,7 +38,7 @@
 .Nd IPSec key management daemon
 .Sh SYNOPSIS
 .Nm photurisd
-.Op Fl cvi
+.Op Fl ci
 .Op Fl d Ar directory
 .Op Fl p Ar port
 .Sh DESCRIPTION
@@ -59,13 +59,6 @@ The options are as follows:
 The
 .Fl c
 option is used to force a primality check of the bootstrapped moduli.
-.It Fl v
-The
-.Fl v
-options is used to start
-.Xr photurisd 8
-in VPN (Virtual Private Network) mode, see
-.Xr vpn 8 .
 .It Fl i
 The
 .Fl i
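Review bot: The prototypes `int kernel_group_spi(char *address, u_int8_t *spi);` and `int kernel_bind_spis(struct spiob *spi1, struct spiob *spi2);` survive as context on the new side of this kernel.h hunk, but their definitions are deleted from kernel.c in the `@@ -771,414 +765,16 @@` hunk, so the header now declares two functions that no longer exist and any remaining caller would only be caught at link time. Drop those two lines together with the kernel_enable_spi/kernel_disable_spi prototypes removed here.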
@@ -229,32 +222,6 @@ Possible values are
 .Dq enc
 and
 .Dq auth .
-.It Ic tsrc
-If both
-.Ic tsrc
-and
-.Ic tdst
-(see below) are specified, a tunnel (IP over IP) is setup.
-The
-.Ic tsrc
-option is a network address with netmask used for matching the source
-IP address of a packet.
-When both the source and the destination
-addresses match their respective options the packet will be routed into the
-tunnel.
-.It Ic tdst
-If both
-.Ic tsrc
-(see above) and
-.Ic tdst
-are specified, a tunnel (IP over IP) is setup.
-The
-.Ic tdst
-option is a network address with netmask used for matching the destination
-IP address of a packet.
-When both the source and the destination
-addresses match their respective options the packet will be routed into the
-tunnel.
 .It Ic exchange_lifetime
 Determines the lifetime of the exchange.
 After an exchange expires
@@ -282,8 +249,6 @@ entry:
 .Pp
 .Bd -literal
 dst=134.100.106.2 port=468 options=auth
-tsrc=134.100.104.0/255.255.255.255
-tdst=134.100.106.0/255.255.255.255
 .Ed
 .Sh SEE ALSO
 .Xr startkey 1 ,
diff --git a/sbin/photurisd/photurisd.c b/sbin/photurisd/photurisd.c
index 1821fd5e528..fba902f912b 100644
--- a/sbin/photurisd/photurisd.c
+++ b/sbin/photurisd/photurisd.c
@@ -32,7 +32,7 @@
 */
 #ifndef lint
-static char rcsid[] = "$Id: photurisd.c,v 1.4 1999/12/17 18:57:03 deraadt Exp $";
+static char rcsid[] = "$Id: photurisd.c,v 1.5 2000/12/11 20:32:15 provos Exp $";
 #endif
 #define _PHOTURIS_C_
@@ -71,7 +71,6 @@ usage(void)
 fprintf(f, "usage: photurisd [-cvi] [-d directory] [-p port]\n");
 fprintf(f, "\t-c check primes on startup\n");
- fprintf(f, "\t-v start in VPN mode\n");
 fprintf(f, "\t-i ignore startup file %s\n", PHOTURIS_STARTUP);
 fprintf(f, "\t-d specifies the startup dir\n");
 fprintf(f, "\t-p specifies the local port to bind to\n");
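Review bot: The usage string `fprintf(f, "usage: photurisd [-cvi] [-d directory] [-p port]\n");` kept as context in the photurisd.c usage() hunk still advertises `-v`, while the `-v` help line is removed right below it, the getopt string in the following hunk becomes `"cid:p:"`, and the manual synopsis is changed to `.Op Fl ci`. Change it to `fprintf(f, "usage: photurisd [-ci] [-d directory] [-p port]\n");` so the three agree. usage() starts and ends outside this hunk.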
@@ -120,16 +119,12 @@ main(int argc, char **argv) daemon_mode = 0; global_port = 0; - vpn_mode = 0; - while ((ch = getopt(argc, argv, "vcid:p:")) != -1) + while ((ch = getopt(argc, argv, "cid:p:")) != -1) switch((char)ch) { case 'c': primes = 1; break; - case 'v': - vpn_mode = 1; - break; case 'i': ignore = 1; break; @@ -181,7 +176,7 @@ main(int argc, char **argv) init_server(); /* Startup preconfigured exchanges */ - if( !ignore && !vpn_mode) + if(!ignore) init_startup(); server(); diff --git a/sbin/photurisd/server.c b/sbin/photurisd/server.c index c9558334e6e..cb9f5f868f3 100644 --- a/sbin/photurisd/server.c +++ b/sbin/photurisd/server.c @@ -35,7 +35,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: server.c,v 1.2 2000/12/11 02:16:50 provos Exp $"; +static char rcsid[] = "$Id: server.c,v 1.3 2000/12/11 20:32:15 provos Exp $"; #endif #define _SERVER_C_ @@ -285,11 +285,12 @@ server(void) if (select(sockets[num_ifs-1]+1, readfds, (fd_set *) NULL, (fd_set *) NULL, - (timeout.tv_sec == -1 ? NULL : &timeout)) < 0) + (timeout.tv_sec == -1 ? NULL : &timeout)) < 0) { if (errno == EINTR) continue; else crit_error(1, "select() in server()"); + } for (i=0; i<num_ifs; i++) { if (FD_ISSET(sockets[i], readfds)) { diff --git a/sbin/photurisd/spi.c b/sbin/photurisd/spi.c index f51cae995db..4444d68da77 100644 --- a/sbin/photurisd/spi.c +++ b/sbin/photurisd/spi.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: spi.c,v 1.2 1999/03/27 21:18:02 provos Exp $"; +static char rcsid[] = "$Id: spi.c,v 1.3 2000/12/11 20:32:15 provos Exp $"; #endif #define _SPI_C_ 
@@ -105,24 +105,6 @@ make_spi(struct stateob *st, char *local_address, return 0; } -int -spi_set_tunnel(struct stateob *st, struct spiob *spi) -{ - if (st->flags & IPSEC_OPT_TUNNEL) { - spi->flags |= SPI_TUNNEL; - spi->isrc = st->isrc; - spi->ismask = st->ismask; - spi->idst = st->idst; - spi->idmask = st->idmask; - } else { - spi->isrc = inet_addr(spi->local_address); - spi->ismask = inet_addr("255.255.255.255"); - spi->idst = inet_addr(spi->address); - spi->idmask = inet_addr("255.255.255.255"); - } - return 1; -} - int spi_insert(struct spiob *ob) diff --git a/sbin/photurisd/spi.h b/sbin/photurisd/spi.h index 5bb7edd9516..19ca0535560 100644 --- a/sbin/photurisd/spi.h +++ b/sbin/photurisd/spi.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: spi.h,v 1.2 1999/03/27 21:18:02 provos Exp $ */ +/* $Id: spi.h,v 1.3 2000/12/11 20:32:15 provos Exp $ */ /* * spi.h: * security paramter index creation. @@ -50,15 +50,12 @@ #define SPI_OWNER 1 #define SPI_NOTIFY 2 -#define SPI_TUNNEL 4 #define SPI_ESP 8 /* Is used for ESP */ struct spiob { struct spiob *next; /* Linked list */ char *address; char *local_address; - in_addr_t isrc, ismask; - in_addr_t idst, idmask; int flags; u_int8_t SPI[SPI_SIZE]; /* SPI */ u_int8_t icookie[COOKIE_SIZE]; /* Initator cookie */ @@ -74,7 +71,6 @@ EXTERN int make_spi(struct stateob *st, char *local_address, u_int8_t *SPI, time_t *lifetime, u_int8_t **attributes, u_int16_t *attribsize); -EXTERN int spi_set_tunnel(struct stateob *st, struct spiob *spi); EXTERN int spi_insert(struct spiob *); EXTERN int spi_unlink(struct spiob *); EXTERN struct spiob *spi_new(char *, u_int8_t *); diff --git a/sbin/photurisd/state.c b/sbin/photurisd/state.c index d97e83b4787..528ef0e1a7d 100644 --- a/sbin/photurisd/state.c +++ b/sbin/photurisd/state.c 
@@ -120,10 +120,6 @@ state_copy_flags(struct stateob *src, struct stateob *dst) dst->user = strdup(src->user); dst->flags = src->flags; - dst->isrc = src->isrc; - dst->ismask = src->ismask; - dst->idst = src->idst; - dst->idmask = src->idmask; strncpy(dst->address, src->address, sizeof(src->address)-1); dst->address[sizeof(dst->address)-1] = 0; diff --git a/sbin/photurisd/state.h b/sbin/photurisd/state.h index a43dd63b20e..f33b37dda8e 100644 --- a/sbin/photurisd/state.h +++ b/sbin/photurisd/state.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: state.h,v 1.3 2000/12/11 02:16:51 provos Exp $ */ +/* $Id: state.h,v 1.4 2000/12/11 20:32:15 provos Exp $ */ /* * state.h: * state object @@ -50,7 +50,6 @@ /* Possible values of flags */ #define IPSEC_OPT_ENC 0x0001 /* Negotiate encryption */ #define IPSEC_OPT_AUTH 0x0002 /* Negotiate authentication */ -#define IPSEC_OPT_TUNNEL 0x0004 /* Negotiate tunne mode */ #define IPSEC_OPT_REPLAY 0x0100 /* Encryption with replay protection */ #define IPSEC_OPT_ENC_AUTH 0x0200 /* Encryption with authentication */ #define IPSEC_OPT_XOR 0x0400 /* Encryption with XOR */ @@ -65,8 +64,6 @@ struct stateob { char *user; /* User name for which do the exchange */ int flags; /* Possible flags for this exchange */ - in_addr_t isrc, ismask; /* Accept source for tunnel */ - in_addr_t idst, idmask; /* Accept destination for tunnel */ char address[16]; /* Remote address */ u_int16_t port; /* Remote port for Photuris daemon */ |