authormikeb <mikeb@openbsd.org>2015-04-14 12:22:15 +0000
committermikeb <mikeb@openbsd.org>2015-04-14 12:22:15 +0000
commitd0aa6ebacff682ebdba22deb3b54c1111107207c (patch)
tree94abd855aef439a610ba03c01d04359e6ea4ee98 /sys
parentConvert openssl(1) s_time to new option handling. (diff)
Remove support for storing credentials and auth information in the kernel.
This code is largely unfinished and is not used for anything. The change leaves identities as the only objects referenced by the ipsec_ref structure; their handling will need further changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, and OK markus.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.c100
-rw-r--r--sys/net/pfkeyv2.h31
-rw-r--r--sys/net/pfkeyv2_convert.c132
-rw-r--r--sys/net/pfkeyv2_parsemessage.c80
-rw-r--r--sys/netinet/in.h10
-rw-r--r--sys/netinet/in_pcb.c6
-rw-r--r--sys/netinet/in_pcb.h4
-rw-r--r--sys/netinet/ip_ipsp.c55
-rw-r--r--sys/netinet/ip_ipsp.h23
-rw-r--r--sys/netinet/ip_output.c71
-rw-r--r--sys/netinet/ip_spd.c41
-rw-r--r--sys/netinet/tcp_input.c23
-rw-r--r--sys/netinet/udp_usrreq.c14
13 files changed, 49 insertions, 541 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index bcc9b67d137..b29f50e0c88 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -529,18 +529,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
if (sa->tdb_dstid)
i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len);
- if (sa->tdb_local_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len);
-
- if (sa->tdb_remote_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len);
-
- if (sa->tdb_local_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len);
-
- if (sa->tdb_remote_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len);
-
if (sa->tdb_amxkey)
i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen);
@@ -637,28 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
export_identity(&p, sa, PFKEYV2_IDENTITY_DST);
}
- /* Export credentials, if present */
- if (sa->tdb_local_cred) {
- headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
- export_credentials(&p, sa, PFKEYV2_CRED_LOCAL);
- }
-
- if (sa->tdb_remote_cred) {
- headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p;
- export_credentials(&p, sa, PFKEYV2_CRED_REMOTE);
- }
-
- /* Export authentication information, if present */
- if (sa->tdb_local_auth) {
- headers[SADB_X_EXT_LOCAL_AUTH] = p;
- export_auth(&p, sa, PFKEYV2_AUTH_LOCAL);
- }
-
- if (sa->tdb_remote_auth) {
- headers[SADB_X_EXT_REMOTE_AUTH] = p;
- export_auth(&p, sa, PFKEYV2_AUTH_REMOTE);
- }
-
/* Export authentication key, if present */
if (sa->tdb_amxkey) {
headers[SADB_EXT_KEY_AUTH] = p;
@@ -1033,16 +999,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
PFKEYV2_IDENTITY_SRC);
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
- import_credentials(newsa,
- headers[SADB_X_EXT_LOCAL_CREDENTIALS],
- PFKEYV2_CRED_LOCAL);
- import_credentials(newsa,
- headers[SADB_X_EXT_REMOTE_CREDENTIALS],
- PFKEYV2_CRED_REMOTE);
- import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
- PFKEYV2_AUTH_LOCAL);
- import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
- PFKEYV2_AUTH_REMOTE);
import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
@@ -1200,16 +1156,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
- import_credentials(newsa,
- headers[SADB_X_EXT_LOCAL_CREDENTIALS],
- PFKEYV2_CRED_LOCAL);
- import_credentials(newsa,
- headers[SADB_X_EXT_REMOTE_CREDENTIALS],
- PFKEYV2_CRED_REMOTE);
- import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
- PFKEYV2_AUTH_LOCAL);
- import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
- PFKEYV2_AUTH_REMOTE);
import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
@@ -1863,7 +1809,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
{
void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
struct sadb_ident *srcid, *dstid;
- struct sadb_x_cred *lcred, *lauth;
struct sadb_comb *sadb_comb;
struct sadb_address *sadd;
struct sadb_prop *sa_prop;
@@ -1891,12 +1836,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
if (ipo->ipo_dstid)
i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len);
- if (ipo->ipo_local_cred)
- i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-
- if (ipo->ipo_local_auth)
- i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-
/* Allocate */
if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
rval = ENOMEM;
@@ -1964,43 +1903,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len);
}
- if (ipo->ipo_local_cred) {
- headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
- p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
- lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS];
- lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t);
- switch (ipo->ipo_local_cred->ref_type) {
- case IPSP_CRED_KEYNOTE:
- lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
- break;
- case IPSP_CRED_X509:
- lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
- break;
- }
- bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] +
- sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len);
- }
-
- if (ipo->ipo_local_auth) {
- headers[SADB_X_EXT_LOCAL_AUTH] = p;
- p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
- lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH];
- lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t);
- switch (ipo->ipo_local_auth->ref_type) {
- case IPSP_AUTH_PASSPHRASE:
- lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
- break;
- case IPSP_AUTH_RSA:
- lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
- break;
- }
-
- bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] +
- sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len);
- }
-
headers[SADB_EXT_PROPOSAL] = p;
p += sizeof(struct sadb_prop);
sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index cf915b3cfb7..7ffab950ab8 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.65 2014/12/28 10:02:37 tedu Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
@@ -199,13 +199,6 @@ struct sadb_x_policy {
u_int32_t sadb_x_policy_seq;
};
-struct sadb_x_cred {
- uint16_t sadb_x_cred_len;
- uint16_t sadb_x_cred_exttype;
- uint16_t sadb_x_cred_type;
- uint16_t sadb_x_cred_reserved;
-};
-
struct sadb_x_udpencap {
uint16_t sadb_x_udpencap_len;
uint16_t sadb_x_udpencap_exttype;
@@ -365,24 +358,6 @@ struct sadb_x_tap {
#define PFKEYV2_SENDMESSAGE_BROADCAST 3
#endif /* _KERNEL */
-#define SADB_X_CREDTYPE_NONE 0
-#define SADB_X_CREDTYPE_X509 1 /* ASN1 encoding of the certificate */
-#define SADB_X_CREDTYPE_KEYNOTE 2 /* NUL-terminated buffer */
-#define SADB_X_CREDTYPE_MAX 3
-
-#ifdef _KERNEL
-#define PFKEYV2_AUTH_LOCAL 0
-#define PFKEYV2_AUTH_REMOTE 1
-
-#define PFKEYV2_CRED_LOCAL 0
-#define PFKEYV2_CRED_REMOTE 1
-#endif /* _KERNEL */
-
-#define SADB_X_AUTHTYPE_NONE 0
-#define SADB_X_AUTHTYPE_PASSPHRASE 1
-#define SADB_X_AUTHTYPE_RSA 2
-#define SADB_X_AUTHTYPE_MAX 2
-
#define SADB_X_FLOW_TYPE_USE 1
#define SADB_X_FLOW_TYPE_ACQUIRE 2
#define SADB_X_FLOW_TYPE_REQUIRE 3
@@ -452,22 +427,18 @@ int pfdatatopacket(void *, int, struct mbuf **);
void export_address(void **, struct sockaddr *);
void export_identity(void **, struct tdb *, int);
void export_lifetime(void **, struct tdb *, int);
-void export_credentials(void **, struct tdb *, int);
void export_sa(void **, struct tdb *);
void export_flow(void **, u_int8_t, struct sockaddr_encap *,
struct sockaddr_encap *, void **);
void export_key(void **, struct tdb *, int);
-void export_auth(void **, struct tdb *, int);
void export_udpencap(void **, struct tdb *);
void export_tag(void **, struct tdb *);
void export_tap(void **, struct tdb *);
-void import_auth(struct tdb *, struct sadb_x_cred *, int);
void import_address(struct sockaddr *, struct sadb_address *);
void import_identity(struct tdb *, struct sadb_ident *, int);
void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
-void import_credentials(struct tdb *, struct sadb_x_cred *, int);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
void import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
struct sadb_address *, struct sadb_address *, struct sadb_address *,
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 95e6429cd7d..08cf583aa04 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.47 2015/02/06 03:04:49 blambert Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -700,82 +700,6 @@ export_address(void **p, struct sockaddr *sa)
}
/*
- * Import authentication information into the TDB.
- */
-void
-import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth)
-{
- struct ipsec_ref **ipr;
-
- if (!sadb_auth)
- return;
-
- if (dstauth == PFKEYV2_AUTH_REMOTE)
- ipr = &tdb->tdb_remote_auth;
- else
- ipr = &tdb->tdb_local_auth;
-
- *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) +
- sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
- (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred);
-
- switch (sadb_auth->sadb_x_cred_type) {
- case SADB_X_AUTHTYPE_PASSPHRASE:
- (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE;
- break;
- case SADB_X_AUTHTYPE_RSA:
- (*ipr)->ref_type = IPSP_AUTH_RSA;
- break;
- default:
- free(*ipr, M_CREDENTIALS, 0);
- *ipr = NULL;
- return;
- }
- (*ipr)->ref_count = 1;
- (*ipr)->ref_malloctype = M_CREDENTIALS;
- bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred),
- (*ipr) + 1, (*ipr)->ref_len);
-}
-
-/*
- * Import a set of credentials into the TDB.
- */
-void
-import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred)
-{
- struct ipsec_ref **ipr;
-
- if (!sadb_cred)
- return;
-
- if (dstcred == PFKEYV2_CRED_REMOTE)
- ipr = &tdb->tdb_remote_cred;
- else
- ipr = &tdb->tdb_local_cred;
-
- *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) +
- sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK);
- (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred);
-
- switch (sadb_cred->sadb_x_cred_type) {
- case SADB_X_CREDTYPE_X509:
- (*ipr)->ref_type = IPSP_CRED_X509;
- break;
- case SADB_X_CREDTYPE_KEYNOTE:
- (*ipr)->ref_type = IPSP_CRED_KEYNOTE;
- break;
- default:
- free(*ipr, M_CREDENTIALS, 0);
- *ipr = NULL;
- return;
- }
- (*ipr)->ref_count = 1;
- (*ipr)->ref_malloctype = M_CREDENTIALS;
- bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred),
- (*ipr) + 1, (*ipr)->ref_len);
-}
-
-/*
* Import an identity payload into the TDB.
*/
void
@@ -820,60 +744,6 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type)
}
void
-export_credentials(void **p, struct tdb *tdb, int dstcred)
-{
- struct ipsec_ref **ipr;
- struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p;
-
- if (dstcred == PFKEYV2_CRED_REMOTE)
- ipr = &tdb->tdb_remote_cred;
- else
- ipr = &tdb->tdb_local_cred;
-
- sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
- switch ((*ipr)->ref_type) {
- case IPSP_CRED_KEYNOTE:
- sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
- break;
- case IPSP_CRED_X509:
- sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
- break;
- }
- *p += sizeof(struct sadb_x_cred);
- bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
- *p += PADUP((*ipr)->ref_len);
-}
-
-void
-export_auth(void **p, struct tdb *tdb, int dstauth)
-{
- struct ipsec_ref **ipr;
- struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p;
-
- if (dstauth == PFKEYV2_AUTH_REMOTE)
- ipr = &tdb->tdb_remote_auth;
- else
- ipr = &tdb->tdb_local_auth;
-
- sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
- PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
-
- switch ((*ipr)->ref_type) {
- case IPSP_AUTH_PASSPHRASE:
- sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
- break;
- case IPSP_AUTH_RSA:
- sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
- break;
- }
- *p += sizeof(struct sadb_x_cred);
- bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
- *p += PADUP((*ipr)->ref_len);
-}
-
-void
export_identity(void **p, struct tdb *tdb, int type)
{
struct ipsec_ref **ipr;
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index b8aef48d779..433b9313cc5 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -119,11 +119,6 @@
#define BITMAP_X_SA2 (1LL << SADB_X_EXT_SA2)
#define BITMAP_X_DST2 (1LL << SADB_X_EXT_DST2)
#define BITMAP_X_POLICY (1LL << SADB_X_EXT_POLICY)
-#define BITMAP_X_LOCAL_CREDENTIALS (1LL << SADB_X_EXT_LOCAL_CREDENTIALS)
-#define BITMAP_X_REMOTE_CREDENTIALS (1LL << SADB_X_EXT_REMOTE_CREDENTIALS)
-#define BITMAP_X_LOCAL_AUTH (1LL << SADB_X_EXT_LOCAL_AUTH)
-#define BITMAP_X_REMOTE_AUTH (1LL << SADB_X_EXT_REMOTE_AUTH)
-#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH)
#define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE)
#define BITMAP_X_SUPPORTED_COMP (1LL << SADB_X_EXT_SUPPORTED_COMP)
#define BITMAP_X_UDPENCAP (1LL << SADB_X_EXT_UDPENCAP)
@@ -138,15 +133,15 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
/* GETSPI */
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
0,
/* EXPIRE */
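Review bot: With BITMAP_X_CREDENTIALS dropped from the UPDATE, ADD and ACQUIRE masks, a message carrying SADB_X_EXT_LOCAL_CREDENTIALS or one of its siblings must now be rejected by the generic allowed-extension check rather than by the per-type switch cases this commit deletes further down in the same file. That check and the switch's default branch are outside the hunk, so it is worth confirming that an extension type absent from these masks still yields EINVAL and is never stored into headers[] where a later stage could index it. This diff does not remove the SADB_X_EXT_*_CREDENTIALS/AUTH type numbers from pfkeyv2.h, so a comment next to the table such as `/* SADB_X_EXT_{LOCAL,REMOTE}_{CREDENTIALS,AUTH} are no longer accepted on any message type */` would make the intent explicit for the next person who sees the numbers still defined.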
@@ -210,15 +205,15 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] =
/* GETSPI */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP,
/* ACQUIRE */
- BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS,
+ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
/* EXPIRE */
@@ -653,65 +648,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
}
}
break;
- case SADB_X_EXT_LOCAL_AUTH:
- case SADB_X_EXT_REMOTE_AUTH:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown auth "
- "type %d in AUTH extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved field"
- " set in AUTH extension header %d\n",
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
- case SADB_X_EXT_LOCAL_CREDENTIALS:
- case SADB_X_EXT_REMOTE_CREDENTIALS:
- {
- struct sadb_x_cred *sadb_cred =
- (struct sadb_x_cred *)p;
-
- if (i < sizeof(struct sadb_x_cred)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length of CREDENTIALS extension header "
- "%d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "credential type %d in CREDENTIALS "
- "extension header %d\n",
- sadb_cred->sadb_x_cred_type,
- sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
-
- if (sadb_cred->sadb_x_cred_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved "
- "field set in CREDENTIALS extension "
- "header %d\n", sadb_ext->sadb_ext_type));
- return (EINVAL);
- }
- }
- break;
case SADB_EXT_IDENTITY_SRC:
case SADB_EXT_IDENTITY_DST:
{
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index b7b55eb154d..7c206e5d5cb 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.113 2015/04/10 13:58:20 dlg Exp $ */
+/* $OpenBSD: in.h,v 1.114 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -294,10 +294,10 @@ struct ip_opts {
#define IP_ESP_NETWORK_LEVEL 22 /* int; full-packet encryption */
#define IP_IPSEC_LOCAL_ID 23 /* buf; IPsec local ID */
#define IP_IPSEC_REMOTE_ID 24 /* buf; IPsec remote ID */
-#define IP_IPSEC_LOCAL_CRED 25 /* buf; IPsec local credentials */
-#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */
-#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */
-#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */
+#define IP_IPSEC_LOCAL_CRED 25 /* buf; was: IPsec local credentials */
+#define IP_IPSEC_REMOTE_CRED 26 /* buf; was: IPsec remote credentials */
+#define IP_IPSEC_LOCAL_AUTH 27 /* buf; was: IPsec local auth material */
+#define IP_IPSEC_REMOTE_AUTH 28 /* buf; was: IPsec remote auth material */
#define IP_IPCOMP_LEVEL 29 /* int; compression used */
#define IP_RECVIF 30 /* bool; receive reception if w/dgram */
#define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */
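Review bot: The four option numbers are kept but the comments only say `was:`, which leaves the next reader guessing whether 25-28 may be reused for a new option. A short comment above the group stating that they are retained purely to keep the numbering stable, e.g. `/* 25-28: reserved, formerly IPsec credential/auth options; not supported */`, would settle that. Note also that since the corresponding cases are dropped from ip_ctloutput in this same commit, setsockopt/getsockopt with these names now return whatever the default branch there produces, which is outside the visible hunks.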
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 0d51cc450ec..4c110d46435 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.c,v 1.168 2015/02/10 03:07:56 claudio Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.169 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
@@ -538,10 +538,6 @@ in_pcbdetach(struct inpcb *inp)
if (inp->inp_tdb_out)
TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp,
inp_tdb_out_next);
- if (inp->inp_ipsec_remotecred)
- ipsp_reffree(inp->inp_ipsec_remotecred);
- if (inp->inp_ipsec_remoteauth)
- ipsp_reffree(inp->inp_ipsec_remoteauth);
if (inp->inp_ipo)
ipsec_delete_policy(inp->inp_ipo);
#endif
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index e40a7110b07..43a45b05248 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.87 2014/11/15 10:55:47 dlg Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.88 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -140,8 +140,6 @@ struct inpcb {
TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next;
struct tdb *inp_tdb_in, *inp_tdb_out;
struct ipsec_policy *inp_ipo;
- struct ipsec_ref *inp_ipsec_remotecred;
- struct ipsec_ref *inp_ipsec_remoteauth;
#define inp_flowinfo inp_hu.hu_ipv6.ip6_flow
int inp_cksum6;
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 0c93cf6e480..0cf6b7148aa 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -324,17 +324,15 @@ gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src,
}
/*
- * Check that credentials and IDs match. Return true if so. The t*
- * range of arguments contains information from TDBs; the p*
- * range of arguments contains information from policies or
- * already established TDBs.
+ * Check that IDs match. Return true if so. The t* range of
+ * arguments contains information from TDBs; the p* range of
+ * arguments contains information from policies or already
+ * established TDBs.
*/
int
ipsp_aux_match(struct tdb *tdb,
struct ipsec_ref *psrcid,
struct ipsec_ref *pdstid,
- struct ipsec_ref *plcred,
- struct ipsec_ref *prcred,
struct sockaddr_encap *pfilter,
struct sockaddr_encap *pfiltermask)
{
@@ -348,16 +346,6 @@ ipsp_aux_match(struct tdb *tdb,
!ipsp_ref_match(tdb->tdb_dstid, pdstid))
return 0;
- if (plcred != NULL)
- if (tdb->tdb_local_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_local_cred, plcred))
- return 0;
-
- if (prcred != NULL)
- if (tdb->tdb_remote_cred == NULL ||
- !ipsp_ref_match(tdb->tdb_remote_cred, prcred))
- return 0;
-
/* Check for filter matches. */
if (pfilter != NULL && pfiltermask != NULL &&
tdb->tdb_filter.sen_type) {
@@ -385,8 +373,7 @@ ipsp_aux_match(struct tdb *tdb,
struct tdb *
gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto,
struct ipsec_ref *srcid, struct ipsec_ref *dstid,
- struct ipsec_ref *local_cred, struct sockaddr_encap *filter,
- struct sockaddr_encap *filtermask)
+ struct sockaddr_encap *filter, struct sockaddr_encap *filtermask)
{
u_int32_t hashval;
struct tdb *tdbp;
@@ -401,9 +388,9 @@ gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto,
(tdbp->tdb_rdomain == rdomain) &&
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) {
- /* Do IDs and local credentials match ? */
- if (!ipsp_aux_match(tdbp, srcid, dstid,
- local_cred, NULL, filter, filtermask))
+ /* Do IDs match ? */
+ if (!ipsp_aux_match(tdbp, srcid, dstid, filter,
+ filtermask))
continue;
break;
}
@@ -434,8 +421,8 @@ gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto,
((tdbp->tdb_flags & TDBF_INVALID) == 0) &&
(!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) {
/* Check whether IDs match */
- if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL,
- filter, filtermask))
+ if (!ipsp_aux_match(tdbp, dstid, srcid, filter,
+ filtermask))
continue;
break;
}
@@ -824,16 +811,6 @@ tdb_free(struct tdb *tdbp)
timeout_del(&tdbp->tdb_stimer_tmo);
timeout_del(&tdbp->tdb_sfirst_tmo);
- if (tdbp->tdb_local_auth) {
- ipsp_reffree(tdbp->tdb_local_auth);
- tdbp->tdb_local_auth = NULL;
- }
-
- if (tdbp->tdb_remote_auth) {
- ipsp_reffree(tdbp->tdb_remote_auth);
- tdbp->tdb_remote_auth = NULL;
- }
-
if (tdbp->tdb_srcid) {
ipsp_reffree(tdbp->tdb_srcid);
tdbp->tdb_srcid = NULL;
@@ -844,16 +821,6 @@ tdb_free(struct tdb *tdbp)
tdbp->tdb_dstid = NULL;
}
- if (tdbp->tdb_local_cred) {
- ipsp_reffree(tdbp->tdb_local_cred);
- tdbp->tdb_local_cred = NULL;
- }
-
- if (tdbp->tdb_remote_cred) {
- ipsp_reffree(tdbp->tdb_remote_cred);
- tdbp->tdb_remote_cred = NULL;
- }
-
#if NPF > 0
if (tdbp->tdb_tag) {
pf_tag_unref(tdbp->tdb_tag);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index f436e4935eb..5c3e2665947 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.163 2015/04/13 16:48:01 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -215,8 +215,6 @@ struct ipsec_policy {
struct ipsec_ref *ipo_srcid;
struct ipsec_ref *ipo_dstid;
- struct ipsec_ref *ipo_local_cred;
- struct ipsec_ref *ipo_local_auth;
TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */
TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */
@@ -244,16 +242,6 @@ struct ipsec_policy {
#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
#define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */
-/* Authentication types */
-#define IPSP_AUTH_NONE 0
-#define IPSP_AUTH_PASSPHRASE 1
-#define IPSP_AUTH_RSA 2
-
-/* Credential types */
-#define IPSP_CRED_NONE 0
-#define IPSP_CRED_KEYNOTE 1
-#define IPSP_CRED_X509 2
-
/* Identity types */
#define IPSP_IDENTITY_NONE 0
#define IPSP_IDENTITY_PREFIX 1
@@ -354,12 +342,8 @@ struct tdb { /* tunnel descriptor block */
u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */
- struct ipsec_ref *tdb_local_cred;
- struct ipsec_ref *tdb_remote_cred;
struct ipsec_ref *tdb_srcid; /* Source ID for this SA */
struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */
- struct ipsec_ref *tdb_local_auth;/* Local authentication material */
- struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */
u_int32_t tdb_mtu; /* MTU at this point in the chain */
u_int64_t tdb_mtutimeout; /* When to ignore this entry */
@@ -505,7 +489,7 @@ uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
union sockaddr_union *, u_int8_t, int *);
struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t);
struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t,
- struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *,
+ struct ipsec_ref *, struct ipsec_ref *,
struct sockaddr_encap *, struct sockaddr_encap *);
struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t,
struct ipsec_ref *, struct ipsec_ref *,
@@ -603,8 +587,7 @@ void ipsp_reffree(struct ipsec_ref *);
void ipsp_skipcrypto_mark(struct tdb_ident *);
void ipsp_skipcrypto_unmark(struct tdb_ident *);
int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
- struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *,
- struct sockaddr_encap *);
+ struct sockaddr_encap *, struct sockaddr_encap *);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e25ef158b7e..e99105f2097 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.276 2014/12/17 09:57:13 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.277 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -1145,16 +1145,8 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
#endif
break;
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_REMOTE_AUTH:
- /* Can't set the remote credential or key */
- error = EOPNOTSUPP;
- break;
-
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_LOCAL_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
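Review bot: Removing the explicit `error = EOPNOTSUPP` case for IP_IPSEC_REMOTE_CRED and IP_IPSEC_REMOTE_AUTH, together with dropping LOCAL_CRED and LOCAL_AUTH from the IP_IPSEC_*_ID case, sends all four option names to the switch's default branch, whose return value is outside this hunk; if that is ENOPROTOOPT, userland that used to get EOPNOTSUPP for these options now sees a different errno. That is probably intended since the options are gone, but it is a user-visible change not mentioned in the commit message. If errno stability matters, one grouped case keeps it: `case IP_IPSEC_LOCAL_CRED: case IP_IPSEC_REMOTE_CRED: case IP_IPSEC_LOCAL_AUTH: case IP_IPSEC_REMOTE_AUTH: error = EOPNOTSUPP; break;`. ip_ctloutput starts and ends outside the hunk.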
@@ -1175,7 +1167,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_srcid = NULL;
}
break;
-
case IP_IPSEC_REMOTE_ID:
if (inp->inp_ipo != NULL &&
inp->inp_ipo->ipo_dstid != NULL) {
@@ -1183,22 +1174,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_dstid = NULL;
}
break;
-
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_cred != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = NULL;
- }
- break;
-
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL &&
- inp->inp_ipo->ipo_local_auth != NULL) {
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = NULL;
- }
- break;
}
error = 0;
@@ -1261,28 +1236,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
inp->inp_ipo->ipo_dstid = ipr;
}
break;
- case IP_IPSEC_LOCAL_CRED:
- if (ipr->ref_type < IPSP_CRED_KEYNOTE ||
- ipr->ref_type > IPSP_CRED_X509) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_cred != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_cred);
- inp->inp_ipo->ipo_local_cred = ipr;
- }
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (ipr->ref_type < IPSP_AUTH_PASSPHRASE ||
- ipr->ref_type > IPSP_AUTH_RSA) {
- free(ipr, M_CREDENTIALS, iprlen);
- error = EINVAL;
- } else {
- if (inp->inp_ipo->ipo_local_auth != NULL)
- ipsp_reffree(inp->inp_ipo->ipo_local_auth);
- inp->inp_ipo->ipo_local_auth = ipr;
- }
- break;
}
/* Unlink cached output TDB to force a re-search */
@@ -1461,10 +1414,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
break;
case IP_IPSEC_LOCAL_ID:
case IP_IPSEC_REMOTE_ID:
- case IP_IPSEC_LOCAL_CRED:
- case IP_IPSEC_REMOTE_CRED:
- case IP_IPSEC_LOCAL_AUTH:
- case IP_IPSEC_REMOTE_AUTH:
#ifndef IPSEC
error = EOPNOTSUPP;
#else
@@ -1482,24 +1431,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname,
ipr = inp->inp_ipo->ipo_dstid;
opt16val = IPSP_IDENTITY_NONE;
break;
- case IP_IPSEC_LOCAL_CRED:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_cred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_REMOTE_CRED:
- ipr = inp->inp_ipsec_remotecred;
- opt16val = IPSP_CRED_NONE;
- break;
- case IP_IPSEC_LOCAL_AUTH:
- if (inp->inp_ipo != NULL)
- ipr = inp->inp_ipo->ipo_local_auth;
- opt16val = IPSP_AUTH_NONE;
- break;
- case IP_IPSEC_REMOTE_AUTH:
- ipr = inp->inp_ipsec_remoteauth;
- opt16val = IPSP_AUTH_NONE;
- break;
}
if (ipr == NULL)
*mtod(m, u_int16_t *) = opt16val;
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 25a8d135956..ec34c81c2d8 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.82 2015/04/14 12:22:15 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -368,7 +368,6 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
if (!ipsp_aux_match(ipo->ipo_tdb,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, NULL,
&ipo->ipo_addr, &ipo->ipo_mask))
goto nomatchout;
@@ -406,8 +405,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
ipo->ipo_sproto,
srcid ? srcid : ipo->ipo_srcid,
dstid ? dstid : ipo->ipo_dstid,
- ipo->ipo_local_cred, &ipo->ipo_addr,
- &ipo->ipo_mask);
+ &ipo->ipo_addr, &ipo->ipo_mask);
if (ipo->ipo_tdb) {
TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head,
ipo, ipo_tdb_next);
@@ -494,9 +492,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
/*
* We only need to check that the correct
* security protocol and security gateway are
- * set; credentials/IDs will be the same,
- * since the cached entry is linked on this
- * policy.
+ * set; IDs will be the same since the cached
+ * entry is linked on this policy.
*/
if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto &&
!memcmp(&ipo->ipo_tdb->tdb_src,
@@ -609,10 +606,6 @@ ipsec_delete_policy(struct ipsec_policy *ipo)
ipsp_reffree(ipo->ipo_srcid);
if (ipo->ipo_dstid)
ipsp_reffree(ipo->ipo_dstid);
- if (ipo->ipo_local_cred)
- ipsp_reffree(ipo->ipo_local_cred);
- if (ipo->ipo_local_auth)
- ipsp_reffree(ipo->ipo_local_auth);
if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET))
ipsec_in_use--;
@@ -765,15 +758,10 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
struct ipsec_acquire *ipa;
/*
- * If this is a socket policy, it has to have authentication
- * information accompanying it --- can't tell key mgmt. to
- * "find" it for us. This avoids abusing key mgmt. to authenticate
- * on an application's behalf, even if the application doesn't
- * have/know (and shouldn't) the appropriate authentication
- * material (passphrase, private key, etc.)
+ * ACQUIRE on local sockets is restricted to avoid abuse of
+ * authentication keys that the IKE daemon has already loaded.
*/
- if (ipo->ipo_flags & IPSP_POLICY_SOCKET &&
- ipo->ipo_local_auth == NULL)
+ if (ipo->ipo_flags & IPSP_POLICY_SOCKET)
return EINVAL;
/* Check whether request has been made already. */
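Review bot: The tightened guard `if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL;` now refuses an ACQUIRE for every socket-attached policy, not only those without local auth material as before, yet the rewritten comment above it does not say that the refusal is unconditional or what the caller is expected to do with it. I would have the comment state the invariant rather than the motivation alone, e.g. `/* Socket policies never trigger an ACQUIRE: they may only use SAs that key management has negotiated on its own, so fail here instead of asking it to authenticate on the application's behalf. */`. EINVAL is also a slightly misleading errno for a deliberate policy restriction rather than a malformed argument; since changing it would alter what the caller and userland observe, keep it but mention it in the comment. ipsp_acquire_sa's signature and the rest of its body lie outside this hunk, so I can only presume the caller treats the non-zero return as a failed lookup.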
@@ -969,9 +957,9 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto &&
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
- ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
else {
*error = -EINVAL;
@@ -992,8 +980,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
!memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
SA_LEN(&tdbp->tdb_src.sa)) &&
ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
goto justreturn;
/*
@@ -1069,7 +1057,6 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
inp->inp_ipo->ipo_sproto,
inp->inp_ipo->ipo_srcid,
inp->inp_ipo->ipo_dstid,
- inp->inp_ipo->ipo_local_cred,
&inp->inp_ipo->ipo_addr,
&inp->inp_ipo->ipo_mask);
}
@@ -1082,8 +1069,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
IPSP_DIRECTION_OUT);
tdb = gettdbbydst(rtable_l2(inp->inp_rtableid),
- &sipon.ipo_dst, IPPROTO_ESP, NULL,
- NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask);
+ &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL,
+ &sipon.ipo_addr, &sipon.ipo_mask);
}
/* If we found an appropriate SA... */
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index ba45329f2fa..68749872653 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.287 2015/02/08 04:40:50 yasuoka Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.288 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -913,18 +913,6 @@ findpcb:
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);
@@ -3711,15 +3699,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
newinp->inp_ipo = inp->inp_ipo;
inp->inp_ipo->ipo_ref_count++;
}
- if (inp->inp_ipsec_remotecred != NULL) {
- newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
- inp->inp_ipsec_remotecred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth != NULL) {
- newinp->inp_ipsec_remoteauth
- = inp->inp_ipsec_remoteauth;
- inp->inp_ipsec_remoteauth->ref_count++;
- }
}
#endif /* IPSEC */
#ifdef INET6
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index a9b0f6b55b7..2ea8666d5fc 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.196 2015/03/04 11:10:55 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.197 2015/04/14 12:22:15 mikeb Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -632,18 +632,6 @@ udp_input(struct mbuf *m, ...)
inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
tdb->tdb_srcid->ref_count++;
}
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
} else { /* Just reset */
TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
inp_tdb_in_next);