Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything.  The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

1 files changed, 1 insertions, 99 deletions

diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index bcc9b67d137..b29f50e0c88 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */
 
 /*
  *	@(#)COPYRIGHT	1.1 (NRL) 17 January 1995
@@ -529,18 +529,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 	if (sa->tdb_dstid)
 		i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len);
 
-	if (sa->tdb_local_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len);
-
-	if (sa->tdb_remote_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len);
-
-	if (sa->tdb_local_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len);
-
-	if (sa->tdb_remote_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len);
-
 	if (sa->tdb_amxkey)
 		i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen);
 
@@ -637,28 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 		export_identity(&p, sa, PFKEYV2_IDENTITY_DST);
 	}
 
-	/* Export credentials, if present */
-	if (sa->tdb_local_cred) {
-		headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
-		export_credentials(&p, sa, PFKEYV2_CRED_LOCAL);
-	}
-
-	if (sa->tdb_remote_cred) {
-		headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p;
-		export_credentials(&p, sa, PFKEYV2_CRED_REMOTE);
-	}
-
-	/* Export authentication information, if present */
-	if (sa->tdb_local_auth) {
-		headers[SADB_X_EXT_LOCAL_AUTH] = p;
-		export_auth(&p, sa, PFKEYV2_AUTH_LOCAL);
-	}
-
-	if (sa->tdb_remote_auth) {
-		headers[SADB_X_EXT_REMOTE_AUTH] = p;
-		export_auth(&p, sa, PFKEYV2_AUTH_REMOTE);
-	}
-
 	/* Export authentication key, if present */
 	if (sa->tdb_amxkey) {
 		headers[SADB_EXT_KEY_AUTH] = p;
@@ -1033,16 +999,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 			    PFKEYV2_IDENTITY_SRC);
 			import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
 			    PFKEYV2_IDENTITY_DST);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_LOCAL_CREDENTIALS],
-			    PFKEYV2_CRED_LOCAL);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_REMOTE_CREDENTIALS],
-			    PFKEYV2_CRED_REMOTE);
-			import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
-			    PFKEYV2_AUTH_LOCAL);
-			import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
-			    PFKEYV2_AUTH_REMOTE);
 			import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
 			    headers[SADB_X_EXT_SRC_FLOW],
 			    headers[SADB_X_EXT_SRC_MASK],
@@ -1200,16 +1156,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 			import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
 			    PFKEYV2_IDENTITY_DST);
 
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_LOCAL_CREDENTIALS],
-			    PFKEYV2_CRED_LOCAL);
-			import_credentials(newsa,
-			    headers[SADB_X_EXT_REMOTE_CREDENTIALS],
-			    PFKEYV2_CRED_REMOTE);
-			import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH],
-			    PFKEYV2_AUTH_LOCAL);
-			import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH],
-			    PFKEYV2_AUTH_REMOTE);
 			import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
 			    headers[SADB_X_EXT_SRC_FLOW],
 			    headers[SADB_X_EXT_SRC_MASK],
@@ -1863,7 +1809,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 {
 	void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
 	struct sadb_ident *srcid, *dstid;
-	struct sadb_x_cred *lcred, *lauth;
 	struct sadb_comb *sadb_comb;
 	struct sadb_address *sadd;
 	struct sadb_prop *sa_prop;
@@ -1891,12 +1836,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 	if (ipo->ipo_dstid)
 		i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len);
 
-	if (ipo->ipo_local_cred)
-		i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-
-	if (ipo->ipo_local_auth)
-		i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-
 	/* Allocate */
 	if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) {
 		rval = ENOMEM;
@@ -1964,43 +1903,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 		    sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len);
 	}
 
-	if (ipo->ipo_local_cred) {
-		headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p;
-		p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len);
-		lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS];
-		lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-		    PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t);
-		switch (ipo->ipo_local_cred->ref_type) {
-		case IPSP_CRED_KEYNOTE:
-			lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
-			break;
-		case IPSP_CRED_X509:
-			lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
-			break;
-		}
-		bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] +
-		    sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len);
-	}
-
-	if (ipo->ipo_local_auth) {
-		headers[SADB_X_EXT_LOCAL_AUTH] = p;
-		p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len);
-		lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH];
-		lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
-		    PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t);
-		switch (ipo->ipo_local_auth->ref_type) {
-		case IPSP_AUTH_PASSPHRASE:
-			lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
-			break;
-		case IPSP_AUTH_RSA:
-			lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
-			break;
-		}
-
-		bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] +
-		    sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len);
-	}
-
 	headers[SADB_EXT_PROPOSAL] = p;
 	p += sizeof(struct sadb_prop);
 	sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];