authorMike Belopuhov <mikeb@cvs.openbsd.org>2015-04-14 12:22:16 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2015-04-14 12:22:16 +0000
commit8791286df0730faf5646ff96b743d2e4330153d0 (patch)
treefa72bdcc707c44082a3e0b412f9d6d5c71b244a9 /sys/netinet
parent8ffe49acc19549169982184f1fa07bad01897ad1 (diff)
Remove support for storing credentials and auth information in the kernel.
This code is largely unfinished and is not used for anything. The change leaves identities as the only objects referenced by the ipsec_ref structure; their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, and OK markus.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in.h10
-rw-r--r--sys/netinet/in_pcb.c6
-rw-r--r--sys/netinet/in_pcb.h4
-rw-r--r--sys/netinet/ip_ipsp.c55
-rw-r--r--sys/netinet/ip_ipsp.h23
-rw-r--r--sys/netinet/ip_output.c71
-rw-r--r--sys/netinet/ip_spd.c41
-rw-r--r--sys/netinet/tcp_input.c23
-rw-r--r--sys/netinet/udp_usrreq.c14
9 files changed, 38 insertions, 209 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index b7b55eb154d..7c206e5d5cb 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.113 2015/04/10 13:58:20 dlg Exp $ */
+/* $OpenBSD: in.h,v 1.114 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -294,10 +294,10 @@ struct ip_opts {
#define IP_ESP_NETWORK_LEVEL 22 /* int; full-packet encryption */
#define IP_IPSEC_LOCAL_ID 23 /* buf; IPsec local ID */
#define IP_IPSEC_REMOTE_ID 24 /* buf; IPsec remote ID */
-#define IP_IPSEC_LOCAL_CRED 25 /* buf; IPsec local credentials */
-#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */
-#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */
-#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */
+#define IP_IPSEC_LOCAL_CRED 25 /* buf; was: IPsec local credentials */
+#define IP_IPSEC_REMOTE_CRED 26 /* buf; was: IPsec remote credentials */
+#define IP_IPSEC_LOCAL_AUTH 27 /* buf; was: IPsec local auth material */
+#define IP_IPSEC_REMOTE_AUTH 28 /* buf; was: IPsec remote auth material */
#define IP_IPCOMP_LEVEL 29 /* int; compression used */
#define IP_RECVIF 30 /* bool; receive reception if w/dgram */
#define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */
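Review bot: The four option names stay defined, but `buf; was: ...` does not tell a reader what the kernel now does with them. The same commit drops their cases from ip_ctloutput() in ip_output.c, including the explicit `EOPNOTSUPP` for the remote variants, so requests naming these options presumably reach that switch's default branch, which is outside the hunks shown. A comment such as `/* unused; was: IPsec local credentials */` on each line would make clear that the numbers are kept only so they are not reused.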
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 0d51cc450ec..4c110d46435 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.c,v 1.168 2015/02/10 03:07:56 claudio Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.169 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
@@ -538,10 +538,6 @@ in_pcbdetach(struct inpcb *inp)
if (inp->inp_tdb_out)
TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp,
inp_tdb_out_next);
- if (inp->inp_ipsec_remotecred)
- ipsp_reffree(inp->inp_ipsec_remotecred);
- if (inp->inp_ipsec_remoteauth)
- ipsp_reffree(inp->inp_ipsec_remoteauth);
if (inp->inp_ipo)
ipsec_delete_policy(inp->inp_ipo);
#endif
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index e40a7110b07..43a45b05248 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.87 2014/11/15 10:55:47 dlg Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.88 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -140,8 +140,6 @@ struct inpcb {
TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next;
struct tdb *inp_tdb_in, *inp_tdb_out;
struct ipsec_policy *inp_ipo;
- struct ipsec_ref *inp_ipsec_remotecred;
- struct ipsec_ref *inp_ipsec_remoteauth;
#define inp_flowinfo inp_hu.hu_ipv6.ip6_flow
int inp_cksum6;
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 0c93cf6e480..0cf6b7148aa 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -324,17 +324,15 @@ gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src,
}
/*
- * Check that credentials and IDs match. Return true if so. The t*
- * range of arguments contains information from TDBs; the p*
- * range of arguments contains information from policies or
- * already established TDBs.
+ * Check that IDs match. Return true if so. The t* range of
+ * arguments contains information from TDBs; the p* range of
+ * arguments contains information from policies or already
+ * established TDBs.
*/
int
ipsp_aux_match(struct tdb *tdb,
struct ipsec_ref *psrcid,
struct ipsec_ref *pdstid,
- struct ipsec_ref *plcred,
- struct ipsec_ref *prcred,
struct sockaddr_encap *pfilter,
struct sockaddr_encap *pfiltermask)
{
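Review bot: The rewritten header comment says only that IDs are checked, but the function also compares the flow filter: the next hunk keeps the `/* Check for filter matches. */` block, which is skipped when `pfilter` or `pfiltermask` is NULL. With the credential arguments gone, IDs and the filter are the matching criteria visible in these hunks, so the comment should name both, for example `Check that IDs and the flow filter match. Return true if so.`, and say that NULL filter arguments skip that check. Whether NULL ID arguments skip the ID comparison as well cannot be seen here, because the body of ipsp_aux_match continues outside the hunk.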
@@ -348,16 +346,6 @@ ipsp_aux_match(struct tdb *tdb,
!ipsp_ref_match(tdb->tdb_dstid, pdstid))
return 0;
- if (plcred != NULL)
- if (tdb->tdb_local_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_local_cred, plcred))
- return 0;
-
- if (prcred != NULL)
- if (tdb->tdb_remote_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_remote_cred, prcred))
- return 0;
-
/* Check for filter matches. */
if (pfilter != NULL && pfiltermask != NULL &&
tdb->tdb_filter.sen_type) {
@@ -385,8 +373,7 @@ ipsp_aux_match(struct tdb *tdb,
struct tdb *
gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto,
struct ipsec_ref *srcid, struct ipsec_ref *dstid,
- struct ipsec_ref *local_cred, struct sockaddr_encap *filter,
- struct sockaddr_encap *filtermask)
+ struct sockaddr_encap *filter, struct sockaddr_encap *filtermask)
{
u_int32_t hashval;
struct tdb *tdbp;
@@ -401,9 +388,9 @@ gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto,
(tdbp->tdb_rdomain == rdomain) &&
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) {
- /* Do IDs and local credentials match ? */
- if (!ipsp_aux_match(tdbp, srcid, dstid,
- local_cred, NULL, filter, filtermask))
+ /* Do IDs match ? */
+ if (!ipsp_aux_match(tdbp, srcid, dstid, filter,
+ filtermask))
continue;
break;
}
@@ -434,8 +421,8 @@ gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto,
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) {
/* Check whether IDs match */
- if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL,
- filter, filtermask))
+ if (!ipsp_aux_match(tdbp, dstid, srcid, filter,
+ filtermask))
continue;
break;
}
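Review bot: `ipsp_aux_match(tdbp, dstid, srcid, filter, filtermask)` passes the two IDs in the opposite order from the call in gettdbbydst(), and the comment `/* Check whether IDs match */` does not say why. The swap predates this change and looks intentional for a lookup by source address, but both lookups now take the same list of `struct ipsec_ref *` arguments, so it is easy to "correct" by mistake, which would compare an SA against the wrong peer identity. A comment such as `/* IDs are swapped on purpose: we look up by source */` would protect it; the author should confirm the reason. The enclosing loop starts and ends outside the hunk.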
@@ -824,16 +811,6 @@ tdb_free(struct tdb *tdbp)
timeout_del(&tdbp->tdb_stimer_tmo);
timeout_del(&tdbp->tdb_sfirst_tmo);
- if (tdbp->tdb_local_auth) {
- ipsp_reffree(tdbp->tdb_local_auth);
- tdbp->tdb_local_auth = NULL;
- }
-
- if (tdbp->tdb_remote_auth) {
- ipsp_reffree(tdbp->tdb_remote_auth);
- tdbp->tdb_remote_auth = NULL;
- }
-
if (tdbp->tdb_srcid) {
ipsp_reffree(tdbp->tdb_srcid);
tdbp->tdb_srcid = NULL;
@@ -844,16 +821,6 @@ tdb_free(struct tdb *tdbp)
tdbp->tdb_dstid = NULL;
}
- if (tdbp->tdb_local_cred) {
- ipsp_reffree(tdbp->tdb_local_cred);
- tdbp->tdb_local_cred = NULL;
- }
-
- if (tdbp->tdb_remote_cred) {
- ipsp_reffree(tdbp->tdb_remote_cred);
- tdbp->tdb_remote_cred = NULL;
- }
-
#if NPF > 0
if (tdbp->tdb_tag) {
pf_tag_unref(tdbp->tdb_tag);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index f436e4935eb..5c3e2665947 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.163 2015/04/13 16:48:01 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -215,8 +215,6 @@ struct ipsec_policy {
struct ipsec_ref *ipo_srcid;
struct ipsec_ref *ipo_dstid;
- struct ipsec_ref *ipo_local_cred;
- struct ipsec_ref *ipo_local_auth;
TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */
@@ -244,16 +242,6 @@ struct ipsec_policy {
#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */
-/* Authentication types */
-#define IPSP_AUTH_NONE 0
-#define IPSP_AUTH_PASSPHRASE 1
-#define IPSP_AUTH_RSA 2
-
-/* Credential types */
-#define IPSP_CRED_NONE 0
-#define IPSP_CRED_KEYNOTE 1
-#define IPSP_CRED_X509 2
-
/* Identity types */
#define IPSP_IDENTITY_NONE 0
#define IPSP_IDENTITY_PREFIX 1
@@ -354,12 +342,8 @@ struct tdb { /* tunnel descriptor block */
u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */
- struct ipsec_ref *tdb_local_cred;
- struct ipsec_ref *tdb_remote_cred;
struct ipsec_ref *tdb_srcid; /* Source ID for this SA */
struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */
- struct ipsec_ref *tdb_local_auth;/* Local authentication material */
- struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */
u_int32_t tdb_mtu; /* MTU at this point in the chain */
u_int64_t tdb_mtutimeout; /* When to ignore this entry */
@@ -505,7 +489,7 @@ uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
union sockaddr_union *, u_int8_t, int *);
struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
- struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
+ struct ipsec_ref *, struct ipsec_ref *,
struct sockaddr_encap *, struct sockaddr_encap *);
struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
struct ipsec_ref *, struct ipsec_ref *,
@@ -603,8 +587,7 @@ void ipsp_reffree(struct ipsec_ref *);
void ipsp_skipcrypto_mark(struct tdb_ident *);
void ipsp_skipcrypto_unmark(struct tdb_ident *);
int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
- struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *,
- struct sockaddr_encap *);
+ struct sockaddr_encap *, struct sockaddr_encap *);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e25ef158b7e..e99105f2097 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.276 2014/12/17 09:57:13 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.277 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -1145,16 +1145,8 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
#endif
break;
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_REMOTE_AUTH:
- /* Can't set the remote credential or key */
- error = EOPNOTSUPP;
- break;
-
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_LOCAL_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
@@ -1175,7 +1167,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_srcid = NULL;
}
break;
-
case IP_IPSEC_REMOTE_ID:
if (inp->inp_ipo != NULL &&
inp->inp_ipo->ipo_dstid != NULL) {
@@ -1183,22 +1174,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_dstid = NULL;
}
break;
-
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_cred != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = NULL;
- }
- break;
-
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_auth != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = NULL;
- }
- break;
}
error = 0;
@@ -1261,28 +1236,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_dstid = ipr;
}
break;
- case IP_IPSEC_LOCAL_CRED:
- if (ipr->ref_type < IPSP_CRED_KEYNOTE ||
- ipr->ref_type > IPSP_CRED_X509) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_cred != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = ipr;
- }
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (ipr->ref_type < IPSP_AUTH_PASSPHRASE ||
- ipr->ref_type > IPSP_AUTH_RSA) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_auth != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = ipr;
- }
- break;
}
/* Unlink cached output TDB to force a re-search */
@@ -1461,10 +1414,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
break;
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_LOCAL_AUTH:
- case IP_IPSEC_REMOTE_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
@@ -1482,24 +1431,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
ipr = inp->inp_ipo->ipo_dstid;
opt16val = IPSP_IDENTITY_NONE;
break;
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_cred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_REMOTE_CRED:
- ipr = inp->inp_ipsec_remotecred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_auth;
- opt16val = IPSP_AUTH_NONE;
- break;
- case IP_IPSEC_REMOTE_AUTH:
- ipr = inp->inp_ipsec_remoteauth;
- opt16val = IPSP_AUTH_NONE;
- break;
}
if (ipr == NULL)
*mtod(m, u_int16_t *) = opt16val;
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 25a8d135956..ec34c81c2d8 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.82 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -368,7 +368,6 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
if (!ipsp_aux_match(ipo->ipo_tdb,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, NULL,
&ipo->ipo_addr, &ipo->ipo_mask))
goto nomatchout;
@@ -406,8 +405,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
ipo->ipo_sproto,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, &ipo->ipo_addr,
- &ipo->ipo_mask);
+ &ipo->ipo_addr, &ipo->ipo_mask);
if (ipo->ipo_tdb) {
TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head,
ipo, ipo_tdb_next);
@@ -494,9 +492,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
/*
* We only need to check that the correct
* security protocol and security gateway are
- * set; credentials/IDs will be the same,
- * since the cached entry is linked on this
- * policy.
+ * set; IDs will be the same since the cached
+ * entry is linked on this policy.
*/
if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto &&
!memcmp(&ipo->ipo_tdb->tdb_src,
@@ -609,10 +606,6 @@ ipsec_delete_policy(struct ipsec_policy *ipo)
ipsp_reffree(ipo->ipo_srcid);
if (ipo->ipo_dstid)
ipsp_reffree(ipo->ipo_dstid);
- if (ipo->ipo_local_cred)
- ipsp_reffree(ipo->ipo_local_cred);
- if (ipo->ipo_local_auth)
- ipsp_reffree(ipo->ipo_local_auth);
if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET))
ipsec_in_use--;
@@ -765,15 +758,10 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
struct ipsec_acquire *ipa;
/*
- * If this is a socket policy, it has to have authentication
- * information accompanying it --- can't tell key mgmt. to
- * "find" it for us. This avoids abusing key mgmt. to authenticate
- * on an application's behalf, even if the application doesn't
- * have/know (and shouldn't) the appropriate authentication
- * material (passphrase, private key, etc.)
+ * ACQUIRE on local sockets is restricted to avoid abuse of
+ * authentication keys that the IKE daemon has already loaded.
*/
- if (ipo->ipo_flags & IPSP_POLICY_SOCKET &&
- ipo->ipo_local_auth == NULL)
+ if (ipo->ipo_flags & IPSP_POLICY_SOCKET)
return EINVAL;
/* Check whether request has been made already. */
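Review bot: The new comment says ACQUIRE on local sockets is "restricted", but `if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL;` now refuses every socket policy, whereas before this change a socket policy carrying local auth material passed the check. That is the fail-closed choice, and the comment should state it as unconditional so the check is not relaxed later, for example `Never send an ACQUIRE for a socket policy: an application must not get the IKE daemon to authenticate on its behalf with keys it has already loaded.` Callers only see `EINVAL`, which does not distinguish this refusal from a malformed request. The rest of ipsp_acquire_sa is outside the hunk.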
@@ -969,9 +957,9 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto &&
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
- ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
else {
*error = -EINVAL;
@@ -992,8 +980,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
/*
@@ -1069,7 +1057,6 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
inp->inp_ipo->ipo_sproto,
inp->inp_ipo->ipo_srcid,
inp->inp_ipo->ipo_dstid,
- inp->inp_ipo->ipo_local_cred,
&inp->inp_ipo->ipo_addr,
&inp->inp_ipo->ipo_mask);
}
@@ -1082,8 +1069,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
IPSP_DIRECTION_OUT);
tdb = gettdbbydst(rtable_l2(inp->inp_rtableid),
- &sipon.ipo_dst, IPPROTO_ESP, NULL,
- NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask);
+ &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL,
+ &sipon.ipo_addr, &sipon.ipo_mask);
}
/* If we found an appropriate SA... */
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index ba45329f2fa..68749872653 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.287 2015/02/08 04:40:50 yasuoka Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.288 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -913,18 +913,6 @@ findpcb:
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);
@@ -3711,15 +3699,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
newinp->inp_ipo = inp->inp_ipo;
inp->inp_ipo->ipo_ref_count++;
}
- if (inp->inp_ipsec_remotecred != NULL) {
- newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
- inp->inp_ipsec_remotecred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth != NULL) {
- newinp->inp_ipsec_remoteauth
- = inp->inp_ipsec_remoteauth;
- inp->inp_ipsec_remoteauth->ref_count++;
- }
}
#endif /* IPSEC */
#ifdef INET6
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index a9b0f6b55b7..2ea8666d5fc 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.196 2015/03/04 11:10:55 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.197 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -632,18 +632,6 @@ udp_input(struct mbuf *m, ...)
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);