Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.
author: mikeb <mikeb@openbsd.org> 2015-04-14 12:22:15 +0000
committer: mikeb <mikeb@openbsd.org> 2015-04-14 12:22:15 +0000
commit: d0aa6ebacff682ebdba22deb3b54c1111107207c (patch)
tree: 94abd855aef439a610ba03c01d04359e6ea4ee98 /sys/net
parent: Convert openssl(1) s_time to new option handling. (diff)
download: wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.tar.xz
wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.zip
4 files changed, 11 insertions, 332 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index bcc9b67d137..b29f50e0c88 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */
 
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) 17 January 1995
@@ -529,18 +529,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 	if (sa->tdb_dstid)
 		i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len);
 
-	if (sa->tdb_local_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len);
-
-	if (sa->tdb_remote_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len);
-
-	if (sa->tdb_local_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len);
-
-	if (sa->tdb_remote_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len);
-
 	if (sa->tdb_amxkey)
 		i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen);
 
@@ -637,28 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 		export_identity(&p, sa, PFKEYV2_IDENTITY_DST);
 	}
 
-	/* Export credentials, if present */
-	if (sa->tdb_local_cred) {
-		headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
-		export_credentials(&p, sa, PFKEYV2_CRED_LOCAL);
-	}
-
-	if (sa->tdb_remote_cred) {
-		headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p;
-		export_credentials(&p, sa, PFKEYV2_CRED_REMOTE);
-	}
-
-	/* Export authentication information, if present */
-	if (sa->tdb_local_auth) {
-		headers[SADB_X_EXT_LOCAL_AUTH] = p;
-		export_auth(&p, sa, PFKEYV2_AUTH_LOCAL);
-	}
-
-	if (sa->tdb_remote_auth) {
-		headers[SADB_X_EXT_REMOTE_AUTH] = p;
-		export_auth(&p, sa, PFKEYV2_AUTH_REMOTE);
-	}
-
 	/* Export authentication key, if present */
 	if (sa->tdb_amxkey) {
 		headers[SADB_EXT_KEY_AUTH] = p;
@@ -1033,16 +999,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 			    PFKEYV2_IDENTITY_SRC);
 			import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
 			    PFKEYV2_IDENTITY_DST);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_LOCAL_CREDENTIALS],
-			    PFKEYV2_CRED_LOCAL);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_REMOTE_CREDENTIALS],
-			    PFKEYV2_CRED_REMOTE);
-			import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
-			    PFKEYV2_AUTH_LOCAL);
-			import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
-			    PFKEYV2_AUTH_REMOTE);
 			import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
 			    headers[SADB_X_EXT_SRC_FLOW],
 			    headers[SADB_X_EXT_SRC_MASK],
@@ -1200,16 +1156,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 			import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
 			    PFKEYV2_IDENTITY_DST);
 
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_LOCAL_CREDENTIALS],
-			    PFKEYV2_CRED_LOCAL);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_REMOTE_CREDENTIALS],
-			    PFKEYV2_CRED_REMOTE);
-			import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
-			    PFKEYV2_AUTH_LOCAL);
-			import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
-			    PFKEYV2_AUTH_REMOTE);
 			import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
 			    headers[SADB_X_EXT_SRC_FLOW],
 			    headers[SADB_X_EXT_SRC_MASK],
@@ -1863,7 +1809,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 {
 	void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
 	struct sadb_ident *srcid, *dstid;
-	struct sadb_x_cred *lcred, *lauth;
 	struct sadb_comb *sadb_comb;
 	struct sadb_address *sadd;
 	struct sadb_prop *sa_prop;
@@ -1891,12 +1836,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 	if (ipo->ipo_dstid)
 		i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len);
 
-	if (ipo->ipo_local_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-
-	if (ipo->ipo_local_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-
 	/* Allocate */
 	if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
 		rval = ENOMEM;
@@ -1964,43 +1903,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 		    sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len);
 	}
 
-	if (ipo->ipo_local_cred) {
-		headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
-		p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-		lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS];
-		lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-		    PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t);
-		switch (ipo->ipo_local_cred->ref_type) {
-		case IPSP_CRED_KEYNOTE:
-			lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
-			break;
-		case IPSP_CRED_X509:
-			lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
-			break;
-		}
-		bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] +
-		    sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len);
-	}
-
-	if (ipo->ipo_local_auth) {
-		headers[SADB_X_EXT_LOCAL_AUTH] = p;
-		p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-		lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH];
-		lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-		    PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t);
-		switch (ipo->ipo_local_auth->ref_type) {
-		case IPSP_AUTH_PASSPHRASE:
-			lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
-			break;
-		case IPSP_AUTH_RSA:
-			lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
-			break;
-		}
-
-		bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] +
-		    sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len);
-	}
-
 	headers[SADB_EXT_PROPOSAL] = p;
 	p += sizeof(struct sadb_prop);
 	sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index cf915b3cfb7..7ffab950ab8 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.65 2014/12/28 10:02:37 tedu Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) January 1998
  * 
@@ -199,13 +199,6 @@ struct sadb_x_policy {
 	u_int32_t sadb_x_policy_seq;
 };
 
-struct sadb_x_cred {
-	uint16_t sadb_x_cred_len;
-	uint16_t sadb_x_cred_exttype;
-	uint16_t sadb_x_cred_type;
-	uint16_t sadb_x_cred_reserved;
-};
-
 struct sadb_x_udpencap {
 	uint16_t sadb_x_udpencap_len;
 	uint16_t sadb_x_udpencap_exttype;
@@ -365,24 +358,6 @@ struct sadb_x_tap {
 #define PFKEYV2_SENDMESSAGE_BROADCAST  3
 #endif /* _KERNEL */
 
-#define SADB_X_CREDTYPE_NONE         0
-#define SADB_X_CREDTYPE_X509         1   /* ASN1 encoding of the certificate */
-#define SADB_X_CREDTYPE_KEYNOTE      2   /* NUL-terminated buffer */
-#define SADB_X_CREDTYPE_MAX          3
-
-#ifdef _KERNEL
-#define PFKEYV2_AUTH_LOCAL           0
-#define PFKEYV2_AUTH_REMOTE          1
-
-#define PFKEYV2_CRED_LOCAL           0
-#define PFKEYV2_CRED_REMOTE          1
-#endif /* _KERNEL */
-
-#define SADB_X_AUTHTYPE_NONE         0
-#define SADB_X_AUTHTYPE_PASSPHRASE   1
-#define SADB_X_AUTHTYPE_RSA          2
-#define SADB_X_AUTHTYPE_MAX          2
-
 #define SADB_X_FLOW_TYPE_USE           1
 #define SADB_X_FLOW_TYPE_ACQUIRE       2
 #define SADB_X_FLOW_TYPE_REQUIRE       3
@@ -452,22 +427,18 @@ int pfdatatopacket(void *, int, struct mbuf **);
 void export_address(void **, struct sockaddr *);
 void export_identity(void **, struct tdb *, int);
 void export_lifetime(void **, struct tdb *, int);
-void export_credentials(void **, struct tdb *, int);
 void export_sa(void **, struct tdb *);
 void export_flow(void **, u_int8_t, struct sockaddr_encap *,
     struct sockaddr_encap *, void **);
 void export_key(void **, struct tdb *, int);
-void export_auth(void **, struct tdb *, int);
 void export_udpencap(void **, struct tdb *);
 void export_tag(void **, struct tdb *);
 void export_tap(void **, struct tdb *);
 
-void import_auth(struct tdb *, struct sadb_x_cred *, int);
 void import_address(struct sockaddr *, struct sadb_address *);
 void import_identity(struct tdb *, struct sadb_ident *, int);
 void import_key(struct ipsecinit *, struct sadb_key *, int);
 void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
-void import_credentials(struct tdb *, struct sadb_x_cred *, int);
 void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
 void import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
     struct sadb_address *, struct sadb_address *, struct sadb_address *,
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 95e6429cd7d..08cf583aa04 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkeyv2_convert.c,v 1.47 2015/02/06 03:04:49 blambert Exp $	*/
+/*	$OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $	*/
 /*
  * The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
  *
@@ -700,82 +700,6 @@ export_address(void **p, struct sockaddr *sa)
 }
 
 /*
- * Import authentication information into the TDB.
- */
-void
-import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth)
-{
-	struct ipsec_ref **ipr;
-
-	if (!sadb_auth)
-		return;
-
-	if (dstauth == PFKEYV2_AUTH_REMOTE)
-		ipr = &tdb->tdb_remote_auth;
-	else
-		ipr = &tdb->tdb_local_auth;
-
-	*ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) +
-	    sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
-	(*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred);
-
-	switch (sadb_auth->sadb_x_cred_type) {
-	case SADB_X_AUTHTYPE_PASSPHRASE:
-		(*ipr)->ref_type = IPSP_AUTH_PASSPHRASE;
-		break;
-	case SADB_X_AUTHTYPE_RSA:
-		(*ipr)->ref_type = IPSP_AUTH_RSA;
-		break;
-	default:
-		free(*ipr, M_CREDENTIALS, 0);
-		*ipr = NULL;
-		return;
-	}
-	(*ipr)->ref_count = 1;
-	(*ipr)->ref_malloctype = M_CREDENTIALS;
-	bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred),
-	    (*ipr) + 1, (*ipr)->ref_len);
-}
-
-/*
- * Import a set of credentials into the TDB.
- */
-void
-import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred)
-{
-	struct ipsec_ref **ipr;
-
-	if (!sadb_cred)
-		return;
-
-	if (dstcred == PFKEYV2_CRED_REMOTE)
-		ipr = &tdb->tdb_remote_cred;
-	else
-		ipr = &tdb->tdb_local_cred;
-
-	*ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) +
-	    sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
-	(*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred);
-
-	switch (sadb_cred->sadb_x_cred_type) {
-	case SADB_X_CREDTYPE_X509:
-		(*ipr)->ref_type = IPSP_CRED_X509;
-		break;
-	case SADB_X_CREDTYPE_KEYNOTE:
-		(*ipr)->ref_type = IPSP_CRED_KEYNOTE;
-		break;
-	default:
-		free(*ipr, M_CREDENTIALS, 0);
-		*ipr = NULL;
-		return;
-	}
-	(*ipr)->ref_count = 1;
-	(*ipr)->ref_malloctype = M_CREDENTIALS;
-	bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred),
-	    (*ipr) + 1, (*ipr)->ref_len);
-}
-
-/*
  * Import an identity payload into the TDB.
  */
 void
@@ -820,60 +744,6 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type)
 }
 
 void
-export_credentials(void **p, struct tdb *tdb, int dstcred)
-{
-	struct ipsec_ref **ipr;
-	struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p;
-
-	if (dstcred == PFKEYV2_CRED_REMOTE)
-		ipr = &tdb->tdb_remote_cred;
-	else
-		ipr = &tdb->tdb_local_cred;
-
-	sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-	    PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
-	switch ((*ipr)->ref_type) {
-	case IPSP_CRED_KEYNOTE:
-		sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
-		break;
-	case IPSP_CRED_X509:
-		sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
-		break;
-	}
-	*p += sizeof(struct sadb_x_cred);
-	bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
-	*p += PADUP((*ipr)->ref_len);
-}
-
-void
-export_auth(void **p, struct tdb *tdb, int dstauth)
-{
-	struct ipsec_ref **ipr;
-	struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p;
-
-	if (dstauth == PFKEYV2_AUTH_REMOTE)
-		ipr = &tdb->tdb_remote_auth;
-	else
-		ipr = &tdb->tdb_local_auth;
-
-	sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-	    PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
-	switch ((*ipr)->ref_type) {
-	case IPSP_AUTH_PASSPHRASE:
-		sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
-		break;
-	case IPSP_AUTH_RSA:
-		sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
-		break;
-	}
-	*p += sizeof(struct sadb_x_cred);
-	bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
-	*p += PADUP((*ipr)->ref_len);
-}
-
-void
 export_identity(void **p, struct tdb *tdb, int type)
 {
 	struct ipsec_ref **ipr;
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index b8aef48d779..433b9313cc5 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $	*/
+/*	$OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $	*/
 
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) 17 January 1995
@@ -119,11 +119,6 @@
 #define BITMAP_X_SA2                   (1LL << SADB_X_EXT_SA2)
 #define BITMAP_X_DST2                  (1LL << SADB_X_EXT_DST2)
 #define BITMAP_X_POLICY                (1LL << SADB_X_EXT_POLICY)
-#define BITMAP_X_LOCAL_CREDENTIALS     (1LL << SADB_X_EXT_LOCAL_CREDENTIALS)
-#define BITMAP_X_REMOTE_CREDENTIALS    (1LL << SADB_X_EXT_REMOTE_CREDENTIALS)
-#define BITMAP_X_LOCAL_AUTH            (1LL << SADB_X_EXT_LOCAL_AUTH)
-#define BITMAP_X_REMOTE_AUTH           (1LL << SADB_X_EXT_REMOTE_AUTH)
-#define BITMAP_X_CREDENTIALS           (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH)
 #define BITMAP_X_FLOW                  (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE)
 #define BITMAP_X_SUPPORTED_COMP        (1LL << SADB_X_EXT_SUPPORTED_COMP)
 #define BITMAP_X_UDPENCAP              (1LL << SADB_X_EXT_UDPENCAP)
@@ -138,15 +133,15 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
 	/* GETSPI */
 	BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
 	/* UPDATE */
-	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
 	/* ADD */
-	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
+	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
 	/* DELETE */
 	BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
 	/* GET */
 	BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
 	/* ACQUIRE */
-	BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+	BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
 	/* REGISTER */
 	0,
 	/* EXPIRE */
@@ -210,15 +205,15 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] =
 	/* GETSPI */
 	BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
 	/* UPDATE */
-	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
 	/* ADD */
-	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
 	/* DELETE */
 	BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
 	/* GET */
-	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
+	BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
 	/* ACQUIRE */
-	BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+	BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
 	/* REGISTER */
 	BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
 	/* EXPIRE */
@@ -653,65 +648,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
 			}
 		}
 		break;
-		case SADB_X_EXT_LOCAL_AUTH:
-		case SADB_X_EXT_REMOTE_AUTH:
-		{
-			struct sadb_x_cred *sadb_cred =
-			    (struct sadb_x_cred *)p;
-
-			if (i < sizeof(struct sadb_x_cred)) {
-				DPRINTF(("pfkeyv2_parsemessage: bad header "
-				    "length for AUTH extension header %d\n",
-				    sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-
-			if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) {
-				DPRINTF(("pfkeyv2_parsemessage: unknown auth "
-				    "type %d in AUTH extension header %d\n",
-				    sadb_cred->sadb_x_cred_type,
-				    sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-
-			if (sadb_cred->sadb_x_cred_reserved) {
-				DPRINTF(("pfkeyv2_parsemessage: reserved field"
-				    " set in AUTH extension header %d\n",
-				    sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-		}
-		break;
-		case SADB_X_EXT_LOCAL_CREDENTIALS:
-		case SADB_X_EXT_REMOTE_CREDENTIALS:
-		{
-			struct sadb_x_cred *sadb_cred =
-			    (struct sadb_x_cred *)p;
-
-			if (i < sizeof(struct sadb_x_cred)) {
-				DPRINTF(("pfkeyv2_parsemessage: bad header "
-				    "length of CREDENTIALS extension header "
-				    "%d\n", sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-
-			if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) {
-				DPRINTF(("pfkeyv2_parsemessage: unknown "
-				    "credential type %d in CREDENTIALS "
-				    "extension header %d\n",
-				    sadb_cred->sadb_x_cred_type,
-				    sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-
-			if (sadb_cred->sadb_x_cred_reserved) {
-				DPRINTF(("pfkeyv2_parsemessage: reserved "
-				    "field set in CREDENTIALS extension "
-				    "header %d\n", sadb_ext->sadb_ext_type));
-				return (EINVAL);
-			}
-		}
-		break;
 		case SADB_EXT_IDENTITY_SRC:
 		case SADB_EXT_IDENTITY_DST:
 		{
author	mikeb <mikeb@openbsd.org>	2015-04-14 12:22:15 +0000
committer	mikeb <mikeb@openbsd.org>	2015-04-14 12:22:15 +0000
commit	d0aa6ebacff682ebdba22deb3b54c1111107207c (patch)
tree	94abd855aef439a610ba03c01d04359e6ea4ee98 /sys/net
parent	Convert openssl(1) s_time to new option handling. (diff)
download	wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.tar.xz wireguard-openbsd-d0aa6ebacff682ebdba22deb3b54c1111107207c.zip