authormikeb <mikeb@openbsd.org>2015-04-14 12:22:15 +0000
committermikeb <mikeb@openbsd.org>2015-04-14 12:22:15 +0000
commitd0aa6ebacff682ebdba22deb3b54c1111107207c (patch)
tree94abd855aef439a610ba03c01d04359e6ea4ee98 /sys/net/pfkeyv2_parsemessage.c
parentConvert openssl(1) s_time to new option handling. (diff)
Remove support for storing credentials and auth information in the kernel.
This code is largely unfinished and is not used for anything. The change leaves identities as the only objects referenced by the ipsec_ref structure, and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, and OK markus.
Diffstat (limited to 'sys/net/pfkeyv2_parsemessage.c')
-rw-r--r--sys/net/pfkeyv2_parsemessage.c80
1 files changed, 8 insertions, 72 deletions
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index b8aef48d779..433b9313cc5 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -119,11 +119,6 @@
#define BITMAP_X_SA2 (1LL << SADB_X_EXT_SA2)
#define BITMAP_X_DST2 (1LL << SADB_X_EXT_DST2)
#define BITMAP_X_POLICY (1LL << SADB_X_EXT_POLICY)
-#define BITMAP_X_LOCAL_CREDENTIALS (1LL << SADB_X_EXT_LOCAL_CREDENTIALS)
-#define BITMAP_X_REMOTE_CREDENTIALS (1LL << SADB_X_EXT_REMOTE_CREDENTIALS)
-#define BITMAP_X_LOCAL_AUTH (1LL << SADB_X_EXT_LOCAL_AUTH)
-#define BITMAP_X_REMOTE_AUTH (1LL << SADB_X_EXT_REMOTE_AUTH)
-#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH)
#define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE)
#define BITMAP_X_SUPPORTED_COMP (1LL << SADB_X_EXT_SUPPORTED_COMP)
#define BITMAP_X_UDPENCAP (1LL << SADB_X_EXT_UDPENCAP)
@@ -138,15 +133,15 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
/* GETSPI */
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
0,
/* EXPIRE */
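Review bot: With BITMAP_X_CREDENTIALS dropped from the UPDATE, ADD and ACQUIRE entries of sadb_exts_allowed_in (and from the matching sadb_exts_allowed_out entries in the next hunk), a message that still carries an SADB_X_EXT_LOCAL_AUTH, SADB_X_EXT_REMOTE_AUTH, SADB_X_EXT_LOCAL_CREDENTIALS or SADB_X_EXT_REMOTE_CREDENTIALS header no longer has a parser arm, so it presumably has to be refused by the allowed-extension mask check that precedes the switch. That check is outside this hunk, so it is worth confirming it runs before any per-extension handling and returns EINVAL instead of letting an unknown type reach a default arm. If the SADB_X_EXT_* constants remain defined in the public header, a short comment beside the table, e.g. `/* SADB_X_EXT_*_CREDENTIALS and *_AUTH are intentionally absent: kernel credential/auth storage was removed. */`, would tell the next reader the omission is deliberate. The table definition begins above the hunk and continues past it.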
@@ -210,15 +205,15 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] =
/* GETSPI */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
/* EXPIRE */
@@ -653,65 +648,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
}
}
break;
- case SADB_X_EXT_LOCAL_AUTH:
- case SADB_X_EXT_REMOTE_AUTH:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown auth "
- "type %d in AUTH extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved field"
- " set in AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
- case SADB_X_EXT_LOCAL_CREDENTIALS:
- case SADB_X_EXT_REMOTE_CREDENTIALS:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length of CREDENTIALS extension header "
- "%d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "credential type %d in CREDENTIALS "
- "extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved "
- "field set in CREDENTIALS extension "
- "header %d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
case SADB_EXT_IDENTITY_SRC:
case SADB_EXT_IDENTITY_DST:
{