Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkeyv2.c | 100 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 31 | ||||
-rw-r--r-- | sys/net/pfkeyv2_convert.c | 132 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 80 | ||||
-rw-r--r-- | sys/netinet/in.h | 10 | ||||
-rw-r--r-- | sys/netinet/in_pcb.c | 6 | ||||
-rw-r--r-- | sys/netinet/in_pcb.h | 4 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.c | 55 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 23 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 71 | ||||
-rw-r--r-- | sys/netinet/ip_spd.c | 41 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 23 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 14 |
13 files changed, 49 insertions, 541 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index bcc9b67d137..b29f50e0c88 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.140 2015/04/13 08:45:48 mpi Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -529,18 +529,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) if (sa->tdb_dstid) i += sizeof(struct sadb_ident) + PADUP(sa->tdb_dstid->ref_len); - if (sa->tdb_local_cred) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_cred->ref_len); - - if (sa->tdb_remote_cred) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_cred->ref_len); - - if (sa->tdb_local_auth) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_local_auth->ref_len); - - if (sa->tdb_remote_auth) - i += sizeof(struct sadb_x_cred) + PADUP(sa->tdb_remote_auth->ref_len); - if (sa->tdb_amxkey) i += sizeof(struct sadb_key) + PADUP(sa->tdb_amxkeylen); @@ -637,28 +625,6 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) export_identity(&p, sa, PFKEYV2_IDENTITY_DST); } - /* Export credentials, if present */ - if (sa->tdb_local_cred) { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_LOCAL); - } - - if (sa->tdb_remote_cred) { - headers[SADB_X_EXT_REMOTE_CREDENTIALS] = p; - export_credentials(&p, sa, PFKEYV2_CRED_REMOTE); - } - - /* Export authentication information, if present */ - if (sa->tdb_local_auth) { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_LOCAL); - } - - if (sa->tdb_remote_auth) { - headers[SADB_X_EXT_REMOTE_AUTH] = p; - export_auth(&p, sa, PFKEYV2_AUTH_REMOTE); - } - /* Export authentication key, if present */ if (sa->tdb_amxkey) { headers[SADB_EXT_KEY_AUTH] = p; 
@@ -1033,16 +999,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) PFKEYV2_IDENTITY_SRC); import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], @@ -1200,16 +1156,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); - import_credentials(newsa, - headers[SADB_X_EXT_LOCAL_CREDENTIALS], - PFKEYV2_CRED_LOCAL); - import_credentials(newsa, - headers[SADB_X_EXT_REMOTE_CREDENTIALS], - PFKEYV2_CRED_REMOTE); - import_auth(newsa, headers[SADB_X_EXT_LOCAL_AUTH], - PFKEYV2_AUTH_LOCAL); - import_auth(newsa, headers[SADB_X_EXT_REMOTE_AUTH], - PFKEYV2_AUTH_REMOTE); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], @@ -1863,7 +1809,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, { void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; struct sadb_ident *srcid, *dstid; - struct sadb_x_cred *lcred, *lauth; struct sadb_comb *sadb_comb; struct sadb_address *sadd; struct sadb_prop *sa_prop; 
@@ -1891,12 +1836,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, if (ipo->ipo_dstid) i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - if (ipo->ipo_local_cred) - i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); - - if (ipo->ipo_local_auth) - i += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); - /* Allocate */ if (!(p = malloc(i, M_PFKEY, M_NOWAIT | M_ZERO))) { rval = ENOMEM; 
@@ -1964,43 +1903,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); } - if (ipo->ipo_local_cred) { - headers[SADB_X_EXT_LOCAL_CREDENTIALS] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_cred->ref_len); - lcred = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_CREDENTIALS]; - lcred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_cred->ref_len)) / sizeof(u_int64_t); - switch (ipo->ipo_local_cred->ref_type) { - case IPSP_CRED_KEYNOTE: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - break; - case IPSP_CRED_X509: - lcred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - break; - } - bcopy(ipo->ipo_local_cred + 1, headers[SADB_X_EXT_LOCAL_CREDENTIALS] + - sizeof(struct sadb_x_cred), ipo->ipo_local_cred->ref_len); - } - - if (ipo->ipo_local_auth) { - headers[SADB_X_EXT_LOCAL_AUTH] = p; - p += sizeof(struct sadb_x_cred) + PADUP(ipo->ipo_local_auth->ref_len); - lauth = (struct sadb_x_cred *) headers[SADB_X_EXT_LOCAL_AUTH]; - lauth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP(ipo->ipo_local_auth->ref_len)) / sizeof(u_int64_t); - switch (ipo->ipo_local_auth->ref_type) { - case IPSP_AUTH_PASSPHRASE: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; - break; - case IPSP_AUTH_RSA: - lauth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - } - - bcopy(ipo->ipo_local_auth + 1, headers[SADB_X_EXT_LOCAL_AUTH] + - sizeof(struct sadb_x_cred), ipo->ipo_local_auth->ref_len); - } - headers[SADB_EXT_PROPOSAL] = p; p += sizeof(struct sadb_prop); sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL]; diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index cf915b3cfb7..7ffab950ab8 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.65 2014/12/28 10:02:37 tedu Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * 
@@ -199,13 +199,6 @@ struct sadb_x_policy { u_int32_t sadb_x_policy_seq; }; -struct sadb_x_cred { - uint16_t sadb_x_cred_len; - uint16_t sadb_x_cred_exttype; - uint16_t sadb_x_cred_type; - uint16_t sadb_x_cred_reserved; -}; - struct sadb_x_udpencap { uint16_t sadb_x_udpencap_len; uint16_t sadb_x_udpencap_exttype; @@ -365,24 +358,6 @@ struct sadb_x_tap { #define PFKEYV2_SENDMESSAGE_BROADCAST 3 #endif /* _KERNEL */ -#define SADB_X_CREDTYPE_NONE 0 -#define SADB_X_CREDTYPE_X509 1 /* ASN1 encoding of the certificate */ -#define SADB_X_CREDTYPE_KEYNOTE 2 /* NUL-terminated buffer */ -#define SADB_X_CREDTYPE_MAX 3 - -#ifdef _KERNEL -#define PFKEYV2_AUTH_LOCAL 0 -#define PFKEYV2_AUTH_REMOTE 1 - -#define PFKEYV2_CRED_LOCAL 0 -#define PFKEYV2_CRED_REMOTE 1 -#endif /* _KERNEL */ - -#define SADB_X_AUTHTYPE_NONE 0 -#define SADB_X_AUTHTYPE_PASSPHRASE 1 -#define SADB_X_AUTHTYPE_RSA 2 -#define SADB_X_AUTHTYPE_MAX 2 - #define SADB_X_FLOW_TYPE_USE 1 #define SADB_X_FLOW_TYPE_ACQUIRE 2 #define SADB_X_FLOW_TYPE_REQUIRE 3 
@@ -452,22 +427,18 @@ int pfdatatopacket(void *, int, struct mbuf **); void export_address(void **, struct sockaddr *); void export_identity(void **, struct tdb *, int); void export_lifetime(void **, struct tdb *, int); -void export_credentials(void **, struct tdb *, int); void export_sa(void **, struct tdb *); void export_flow(void **, u_int8_t, struct sockaddr_encap *, struct sockaddr_encap *, void **); void export_key(void **, struct tdb *, int); -void export_auth(void **, struct tdb *, int); void export_udpencap(void **, struct tdb *); void export_tag(void **, struct tdb *); void export_tap(void **, struct tdb *); -void import_auth(struct tdb *, struct sadb_x_cred *, int); void import_address(struct sockaddr *, struct sadb_address *); void import_identity(struct tdb *, struct sadb_ident *, int); void import_key(struct ipsecinit *, struct sadb_key *, int); void import_lifetime(struct tdb *, struct sadb_lifetime *, int); -void import_credentials(struct tdb *, struct sadb_x_cred *, int); void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *); void import_flow(struct sockaddr_encap *, struct sockaddr_encap *, struct sadb_address *, struct sadb_address *, struct sadb_address *, diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c index 95e6429cd7d..08cf583aa04 100644 --- a/sys/net/pfkeyv2_convert.c +++ b/sys/net/pfkeyv2_convert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_convert.c,v 1.47 2015/02/06 03:04:49 blambert Exp $ */ +/* $OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) * 
@@ -700,82 +700,6 @@ export_address(void **p, struct sockaddr *sa) } /* - * Import authentication information into the TDB. - */ -void -import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth) -{ - struct ipsec_ref **ipr; - - if (!sadb_auth) - return; - - if (dstauth == PFKEYV2_AUTH_REMOTE) - ipr = &tdb->tdb_remote_auth; - else - ipr = &tdb->tdb_local_auth; - - *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); - (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred); - - switch (sadb_auth->sadb_x_cred_type) { - case SADB_X_AUTHTYPE_PASSPHRASE: - (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE; - break; - case SADB_X_AUTHTYPE_RSA: - (*ipr)->ref_type = IPSP_AUTH_RSA; - break; - default: - free(*ipr, M_CREDENTIALS, 0); - *ipr = NULL; - return; - } - (*ipr)->ref_count = 1; - (*ipr)->ref_malloctype = M_CREDENTIALS; - bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred), - (*ipr) + 1, (*ipr)->ref_len); -} - -/* - * Import a set of credentials into the TDB. - */ -void -import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred) -{ - struct ipsec_ref **ipr; - - if (!sadb_cred) - return; - - if (dstcred == PFKEYV2_CRED_REMOTE) - ipr = &tdb->tdb_remote_cred; - else - ipr = &tdb->tdb_local_cred; - - *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) + - sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); - (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred); - - switch (sadb_cred->sadb_x_cred_type) { - case SADB_X_CREDTYPE_X509: - (*ipr)->ref_type = IPSP_CRED_X509; - break; - case SADB_X_CREDTYPE_KEYNOTE: - (*ipr)->ref_type = IPSP_CRED_KEYNOTE; - break; - default: - free(*ipr, M_CREDENTIALS, 0); - *ipr = NULL; - return; - } - (*ipr)->ref_count = 1; - (*ipr)->ref_malloctype = M_CREDENTIALS; - bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred), - (*ipr) + 1, (*ipr)->ref_len); -} - -/* * Import an identity payload into the TDB. */ void 
@@ -820,60 +744,6 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) } void -export_credentials(void **p, struct tdb *tdb, int dstcred) -{ - struct ipsec_ref **ipr; - struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p; - - if (dstcred == PFKEYV2_CRED_REMOTE) - ipr = &tdb->tdb_remote_cred; - else - ipr = &tdb->tdb_local_cred; - - sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP((*ipr)->ref_len)) / sizeof(uint64_t); - - switch ((*ipr)->ref_type) { - case IPSP_CRED_KEYNOTE: - sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - break; - case IPSP_CRED_X509: - sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - break; - } - *p += sizeof(struct sadb_x_cred); - bcopy((*ipr) + 1, *p, (*ipr)->ref_len); - *p += PADUP((*ipr)->ref_len); -} - -void -export_auth(void **p, struct tdb *tdb, int dstauth) -{ - struct ipsec_ref **ipr; - struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p; - - if (dstauth == PFKEYV2_AUTH_REMOTE) - ipr = &tdb->tdb_remote_auth; - else - ipr = &tdb->tdb_local_auth; - - sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + - PADUP((*ipr)->ref_len)) / sizeof(uint64_t); - - switch ((*ipr)->ref_type) { - case IPSP_AUTH_PASSPHRASE: - sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; - break; - case IPSP_AUTH_RSA: - sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - } - *p += sizeof(struct sadb_x_cred); - bcopy((*ipr) + 1, *p, (*ipr)->ref_len); - *p += PADUP((*ipr)->ref_len); -} - -void export_identity(void **p, struct tdb *tdb, int type) { struct ipsec_ref **ipr; diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index b8aef48d779..433b9313cc5 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.48 2015/03/26 12:21:37 mikeb Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.49 2015/04/14 12:22:15 mikeb Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 
@@ -119,11 +119,6 @@ #define BITMAP_X_SA2 (1LL << SADB_X_EXT_SA2) #define BITMAP_X_DST2 (1LL << SADB_X_EXT_DST2) #define BITMAP_X_POLICY (1LL << SADB_X_EXT_POLICY) -#define BITMAP_X_LOCAL_CREDENTIALS (1LL << SADB_X_EXT_LOCAL_CREDENTIALS) -#define BITMAP_X_REMOTE_CREDENTIALS (1LL << SADB_X_EXT_REMOTE_CREDENTIALS) -#define BITMAP_X_LOCAL_AUTH (1LL << SADB_X_EXT_LOCAL_AUTH) -#define BITMAP_X_REMOTE_AUTH (1LL << SADB_X_EXT_REMOTE_AUTH) -#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH) #define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE) #define BITMAP_X_SUPPORTED_COMP (1LL << SADB_X_EXT_SUPPORTED_COMP) #define BITMAP_X_UDPENCAP (1LL << SADB_X_EXT_UDPENCAP) 
@@ -138,15 +133,15 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] = /* GETSPI */ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL, /* REGISTER */ 0, /* EXPIRE */ 
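Review bot: Dropping BITMAP_X_CREDENTIALS from the UPDATE, ADD and ACQUIRE rows of sadb_exts_allowed_in leaves the rejection of a still-sent SADB_X_EXT_LOCAL_CREDENTIALS, REMOTE_CREDENTIALS, LOCAL_AUTH or REMOTE_AUTH payload entirely to the parser's generic allowed-extension check, which is outside this hunk, because the dedicated validation arms for those types are deleted in the same file. That is fine as long as an extension type absent from the row is refused with EINVAL rather than silently stored in headers[] for a later consumer, which cannot be confirmed from the lines shown. A one-line comment above the table, e.g. `/* Credential and auth extensions are no longer accepted; they must fail the allowed check. */`, would record the intent for the next person who trims these rows.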
@@ -210,15 +205,15 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] = /* GETSPI */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_FLOW_TYPE | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_TAG | BITMAP_X_TAP, /* ACQUIRE */ - BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL | BITMAP_X_CREDENTIALS, + BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL, /* REGISTER */ BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP, /* EXPIRE */ 
@@ -653,65 +648,6 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) } } break; - case SADB_X_EXT_LOCAL_AUTH: - case SADB_X_EXT_REMOTE_AUTH: - { - struct sadb_x_cred *sadb_cred = - (struct sadb_x_cred *)p; - - if (i < sizeof(struct sadb_x_cred)) { - DPRINTF(("pfkeyv2_parsemessage: bad header " - "length for AUTH extension header %d\n", - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_type > SADB_X_AUTHTYPE_MAX) { - DPRINTF(("pfkeyv2_parsemessage: unknown auth " - "type %d in AUTH extension header %d\n", - sadb_cred->sadb_x_cred_type, - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_reserved) { - DPRINTF(("pfkeyv2_parsemessage: reserved field" - " set in AUTH extension header %d\n", - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - } - break; - case SADB_X_EXT_LOCAL_CREDENTIALS: - case SADB_X_EXT_REMOTE_CREDENTIALS: - { - struct sadb_x_cred *sadb_cred = - (struct sadb_x_cred *)p; - - if (i < sizeof(struct sadb_x_cred)) { - DPRINTF(("pfkeyv2_parsemessage: bad header " - "length of CREDENTIALS extension header " - "%d\n", sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_type > SADB_X_CREDTYPE_MAX) { - DPRINTF(("pfkeyv2_parsemessage: unknown " - "credential type %d in CREDENTIALS " - "extension header %d\n", - sadb_cred->sadb_x_cred_type, - sadb_ext->sadb_ext_type)); - return (EINVAL); - } - - if (sadb_cred->sadb_x_cred_reserved) { - DPRINTF(("pfkeyv2_parsemessage: reserved " - "field set in CREDENTIALS extension " - "header %d\n", sadb_ext->sadb_ext_type)); - return (EINVAL); - } - } - break; case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: { diff --git a/sys/netinet/in.h b/sys/netinet/in.h index b7b55eb154d..7c206e5d5cb 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: in.h,v 1.113 2015/04/10 13:58:20 dlg Exp $ */ +/* $OpenBSD: in.h,v 1.114 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */ /* @@ -294,10 +294,10 @@ struct ip_opts { #define IP_ESP_NETWORK_LEVEL 22 /* int; full-packet encryption */ #define IP_IPSEC_LOCAL_ID 23 /* buf; IPsec local ID */ #define IP_IPSEC_REMOTE_ID 24 /* buf; IPsec remote ID */ -#define IP_IPSEC_LOCAL_CRED 25 /* buf; IPsec local credentials */ -#define IP_IPSEC_REMOTE_CRED 26 /* buf; IPsec remote credentials */ -#define IP_IPSEC_LOCAL_AUTH 27 /* buf; IPsec local auth material */ -#define IP_IPSEC_REMOTE_AUTH 28 /* buf; IPsec remote auth material */ +#define IP_IPSEC_LOCAL_CRED 25 /* buf; was: IPsec local credentials */ +#define IP_IPSEC_REMOTE_CRED 26 /* buf; was: IPsec remote credentials */ +#define IP_IPSEC_LOCAL_AUTH 27 /* buf; was: IPsec local auth material */ +#define IP_IPSEC_REMOTE_AUTH 28 /* buf; was: IPsec remote auth material */ #define IP_IPCOMP_LEVEL 29 /* int; compression used */ #define IP_RECVIF 30 /* bool; receive reception if w/dgram */ #define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */ diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 0d51cc450ec..4c110d46435 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.168 2015/02/10 03:07:56 claudio Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.169 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -538,10 +538,6 @@ in_pcbdetach(struct inpcb *inp) if (inp->inp_tdb_out) TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, inp_tdb_out_next); - if (inp->inp_ipsec_remotecred) - ipsp_reffree(inp->inp_ipsec_remotecred); - if (inp->inp_ipsec_remoteauth) - ipsp_reffree(inp->inp_ipsec_remoteauth); if (inp->inp_ipo) ipsec_delete_policy(inp->inp_ipo); #endif diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index e40a7110b07..43a45b05248 100644 
--- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.87 2014/11/15 10:55:47 dlg Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.88 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -140,8 +140,6 @@ struct inpcb { TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next; struct tdb *inp_tdb_in, *inp_tdb_out; struct ipsec_policy *inp_ipo; - struct ipsec_ref *inp_ipsec_remotecred; - struct ipsec_ref *inp_ipsec_remoteauth; #define inp_flowinfo inp_hu.hu_ipv6.ip6_flow int inp_cksum6; diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 0c93cf6e480..0cf6b7148aa 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.208 2015/04/13 16:52:26 mikeb Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -324,17 +324,15 @@ gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, } /* - * Check that credentials and IDs match. Return true if so. The t* - * range of arguments contains information from TDBs; the p* - * range of arguments contains information from policies or - * already established TDBs. + * Check that IDs match. Return true if so. The t* range of + * arguments contains information from TDBs; the p* range of + * arguments contains information from policies or already + * established TDBs. */ int ipsp_aux_match(struct tdb *tdb, struct ipsec_ref *psrcid, struct ipsec_ref *pdstid, - struct ipsec_ref *plcred, - struct ipsec_ref *prcred, struct sockaddr_encap *pfilter, struct sockaddr_encap *pfiltermask) { 
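Review bot: The rewritten header comment on ipsp_aux_match still says only that it checks that IDs match, but the function also compares a supplied filter and mask against the TDB's flow selector (the "Check for filter matches" branch in the next hunk), and gettdbbydst and gettdbbysrc pass those arguments for exactly that reason. Suggest `/* Check that the IDs and, if a filter and mask are given, the flow selector of a TDB match. Return true if so. The t* arguments come from TDBs; the p* arguments come from policies or already established TDBs. */`. The body of ipsp_aux_match continues past the end of this hunk.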
@@ -348,16 +346,6 @@ ipsp_aux_match(struct tdb *tdb, !ipsp_ref_match(tdb->tdb_dstid, pdstid)) return 0; - if (plcred != NULL) - if (tdb->tdb_local_cred == NULL || - !ipsp_ref_match(tdb->tdb_local_cred, plcred)) - return 0; - - if (prcred != NULL) - if (tdb->tdb_remote_cred == NULL || - !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) - return 0; - /* Check for filter matches. */ if (pfilter != NULL && pfiltermask != NULL && tdb->tdb_filter.sen_type) { @@ -385,8 +373,7 @@ ipsp_aux_match(struct tdb *tdb, struct tdb * gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, struct ipsec_ref *srcid, struct ipsec_ref *dstid, - struct ipsec_ref *local_cred, struct sockaddr_encap *filter, - struct sockaddr_encap *filtermask) + struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) { u_int32_t hashval; struct tdb *tdbp; @@ -401,9 +388,9 @@ gettdbbydst(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, (tdbp->tdb_rdomain == rdomain) && ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { - /* Do IDs and local credentials match ? */ - if (!ipsp_aux_match(tdbp, srcid, dstid, - local_cred, NULL, filter, filtermask)) + /* Do IDs match ? */ + if (!ipsp_aux_match(tdbp, srcid, dstid, filter, + filtermask)) continue; break; } @@ -434,8 +421,8 @@ gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, ((tdbp->tdb_flags & TDBF_INVALID) == 0) && (!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { /* Check whether IDs match */ - if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, - filter, filtermask)) + if (!ipsp_aux_match(tdbp, dstid, srcid, filter, + filtermask)) continue; break; } 
@@ -824,16 +811,6 @@ tdb_free(struct tdb *tdbp) timeout_del(&tdbp->tdb_stimer_tmo); timeout_del(&tdbp->tdb_sfirst_tmo); - if (tdbp->tdb_local_auth) { - ipsp_reffree(tdbp->tdb_local_auth); - tdbp->tdb_local_auth = NULL; - } - - if (tdbp->tdb_remote_auth) { - ipsp_reffree(tdbp->tdb_remote_auth); - tdbp->tdb_remote_auth = NULL; - } - if (tdbp->tdb_srcid) { ipsp_reffree(tdbp->tdb_srcid); tdbp->tdb_srcid = NULL; @@ -844,16 +821,6 @@ tdb_free(struct tdb *tdbp) tdbp->tdb_dstid = NULL; } - if (tdbp->tdb_local_cred) { - ipsp_reffree(tdbp->tdb_local_cred); - tdbp->tdb_local_cred = NULL; - } - - if (tdbp->tdb_remote_cred) { - ipsp_reffree(tdbp->tdb_remote_cred); - tdbp->tdb_remote_cred = NULL; - } - #if NPF > 0 if (tdbp->tdb_tag) { pf_tag_unref(tdbp->tdb_tag); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index f436e4935eb..5c3e2665947 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.163 2015/04/13 16:48:01 mikeb Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -215,8 +215,6 @@ struct ipsec_policy { struct ipsec_ref *ipo_srcid; struct ipsec_ref *ipo_dstid; - struct ipsec_ref *ipo_local_cred; - struct ipsec_ref *ipo_local_auth; TAILQ_HEAD(ipo_acquires_head, ipsec_acquire) ipo_acquires; /* List of acquires */ TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List TDB policies */ @@ -244,16 +242,6 @@ struct ipsec_policy { #define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ #define NOTIFY_SATYPE_COMP 5 /* SA (IPCA) should use compression */ -/* Authentication types */ -#define IPSP_AUTH_NONE 0 -#define IPSP_AUTH_PASSPHRASE 1 -#define IPSP_AUTH_RSA 2 - -/* Credential types */ -#define IPSP_CRED_NONE 0 -#define IPSP_CRED_KEYNOTE 1 -#define IPSP_CRED_X509 2 - /* Identity types */ #define IPSP_IDENTITY_NONE 0 #define IPSP_IDENTITY_PREFIX 1 
@@ -354,12 +342,8 @@ struct tdb { /* tunnel descriptor block */ u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ - struct ipsec_ref *tdb_local_cred; - struct ipsec_ref *tdb_remote_cred; struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ - struct ipsec_ref *tdb_local_auth;/* Local authentication material */ - struct ipsec_ref *tdb_remote_auth;/* Remote authentication material */ u_int32_t tdb_mtu; /* MTU at this point in the chain */ u_int64_t tdb_mtutimeout; /* When to ignore this entry */ @@ -505,7 +489,7 @@ uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, union sockaddr_union *, u_int8_t, int *); struct tdb *gettdb(u_int, u_int32_t, union sockaddr_union *, u_int8_t); struct tdb *gettdbbydst(u_int, union sockaddr_union *, u_int8_t, - struct ipsec_ref *, struct ipsec_ref *, struct ipsec_ref *, + struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *, struct sockaddr_encap *); struct tdb *gettdbbysrc(u_int, union sockaddr_union *, u_int8_t, struct ipsec_ref *, struct ipsec_ref *, @@ -603,8 +587,7 @@ void ipsp_reffree(struct ipsec_ref *); void ipsp_skipcrypto_mark(struct tdb_ident *); void ipsp_skipcrypto_unmark(struct tdb_ident *); int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *, - struct ipsec_ref *, struct ipsec_ref *, struct sockaddr_encap *, - struct sockaddr_encap *); + struct sockaddr_encap *, struct sockaddr_encap *); int ipsec_common_input(struct mbuf *, int, int, int, int, int); int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int, diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index e25ef158b7e..e99105f2097 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.276 2014/12/17 09:57:13 mpi Exp $ */ +/* $OpenBSD: ip_output.c,v 1.277 2015/04/14 12:22:15 mikeb Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* 
@@ -1145,16 +1145,8 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, #endif break; - case IP_IPSEC_REMOTE_CRED: - case IP_IPSEC_REMOTE_AUTH: - /* Can't set the remote credential or key */ - error = EOPNOTSUPP; - break; - case IP_IPSEC_LOCAL_ID: case IP_IPSEC_REMOTE_ID: - case IP_IPSEC_LOCAL_CRED: - case IP_IPSEC_LOCAL_AUTH: #ifndef IPSEC error = EOPNOTSUPP; #else @@ -1175,7 +1167,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_srcid = NULL; } break; - case IP_IPSEC_REMOTE_ID: if (inp->inp_ipo != NULL && inp->inp_ipo->ipo_dstid != NULL) { @@ -1183,22 +1174,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_dstid = NULL; } break; - - case IP_IPSEC_LOCAL_CRED: - if (inp->inp_ipo != NULL && - inp->inp_ipo->ipo_local_cred != NULL) { - ipsp_reffree(inp->inp_ipo->ipo_local_cred); - inp->inp_ipo->ipo_local_cred = NULL; - } - break; - - case IP_IPSEC_LOCAL_AUTH: - if (inp->inp_ipo != NULL && - inp->inp_ipo->ipo_local_auth != NULL) { - ipsp_reffree(inp->inp_ipo->ipo_local_auth); - inp->inp_ipo->ipo_local_auth = NULL; - } - break; } error = 0; @@ -1261,28 +1236,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, inp->inp_ipo->ipo_dstid = ipr; } break; - case IP_IPSEC_LOCAL_CRED: - if (ipr->ref_type < IPSP_CRED_KEYNOTE || - ipr->ref_type > IPSP_CRED_X509) { - free(ipr, M_CREDENTIALS, iprlen); - error = EINVAL; - } else { - if (inp->inp_ipo->ipo_local_cred != NULL) - ipsp_reffree(inp->inp_ipo->ipo_local_cred); - inp->inp_ipo->ipo_local_cred = ipr; - } - break; - case IP_IPSEC_LOCAL_AUTH: - if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || - ipr->ref_type > IPSP_AUTH_RSA) { - free(ipr, M_CREDENTIALS, iprlen); - error = EINVAL; - } else { - if (inp->inp_ipo->ipo_local_auth != NULL) - ipsp_reffree(inp->inp_ipo->ipo_local_auth); - inp->inp_ipo->ipo_local_auth = ipr; - } - break; } /* Unlink cached output TDB to force a re-search */ 
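Review bot: Removing the explicit `case IP_IPSEC_REMOTE_CRED: case IP_IPSEC_REMOTE_AUTH: error = EOPNOTSUPP;` arm, together with the LOCAL_CRED and LOCAL_AUTH labels on the ID arm, sends all four retired option numbers to ip_ctloutput's default branch, which lies outside this hunk and presumably returns ENOPROTOOPT, so an application that still sets them now sees a different errno than before even though in.h keeps the numbers defined. Keeping one explicit arm that fails with EOPNOTSUPP for the four retired options preserves the failure mode and states in the code that the numbers are reserved rather than unknown. ip_ctloutput begins and ends outside this hunk.
```c
	case IP_IPSEC_LOCAL_CRED:
	case IP_IPSEC_REMOTE_CRED:
	case IP_IPSEC_LOCAL_AUTH:
	case IP_IPSEC_REMOTE_AUTH:
		/* Retired options; the numbers stay reserved in <netinet/in.h>. */
		error = EOPNOTSUPP;
		break;
	/* … unchanged: IP_IPSEC_LOCAL_ID / IP_IPSEC_REMOTE_ID handling … */
```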
@@ -1461,10 +1414,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, break; case IP_IPSEC_LOCAL_ID: case IP_IPSEC_REMOTE_ID: - case IP_IPSEC_LOCAL_CRED: - case IP_IPSEC_REMOTE_CRED: - case IP_IPSEC_LOCAL_AUTH: - case IP_IPSEC_REMOTE_AUTH: #ifndef IPSEC error = EOPNOTSUPP; #else @@ -1482,24 +1431,6 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, ipr = inp->inp_ipo->ipo_dstid; opt16val = IPSP_IDENTITY_NONE; break; - case IP_IPSEC_LOCAL_CRED: - if (inp->inp_ipo != NULL) - ipr = inp->inp_ipo->ipo_local_cred; - opt16val = IPSP_CRED_NONE; - break; - case IP_IPSEC_REMOTE_CRED: - ipr = inp->inp_ipsec_remotecred; - opt16val = IPSP_CRED_NONE; - break; - case IP_IPSEC_LOCAL_AUTH: - if (inp->inp_ipo != NULL) - ipr = inp->inp_ipo->ipo_local_auth; - opt16val = IPSP_AUTH_NONE; - break; - case IP_IPSEC_REMOTE_AUTH: - ipr = inp->inp_ipsec_remoteauth; - opt16val = IPSP_AUTH_NONE; - break; } if (ipr == NULL) *mtod(m, u_int16_t *) = opt16val; diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index 25a8d135956..ec34c81c2d8 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.82 2015/04/14 12:22:15 mikeb Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -368,7 +368,6 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, if (!ipsp_aux_match(ipo->ipo_tdb, srcid ? srcid : ipo->ipo_srcid, dstid ? dstid : ipo->ipo_dstid, - ipo->ipo_local_cred, NULL, &ipo->ipo_addr, &ipo->ipo_mask)) goto nomatchout; @@ -406,8 +405,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, ipo->ipo_sproto, srcid ? srcid : ipo->ipo_srcid, dstid ? dstid : ipo->ipo_dstid, - ipo->ipo_local_cred, &ipo->ipo_addr, - &ipo->ipo_mask); + &ipo->ipo_addr, &ipo->ipo_mask); if (ipo->ipo_tdb) { TAILQ_INSERT_TAIL(&ipo->ipo_tdb->tdb_policy_head, ipo, ipo_tdb_next); 
@@ -494,9 +492,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, /* * We only need to check that the correct * security protocol and security gateway are - * set; credentials/IDs will be the same, - * since the cached entry is linked on this - * policy. + * set; IDs will be the same since the cached + * entry is linked on this policy. */ if (ipo->ipo_sproto == ipo->ipo_tdb->tdb_sproto && !memcmp(&ipo->ipo_tdb->tdb_src, @@ -609,10 +606,6 @@ ipsec_delete_policy(struct ipsec_policy *ipo) ipsp_reffree(ipo->ipo_srcid); if (ipo->ipo_dstid) ipsp_reffree(ipo->ipo_dstid); - if (ipo->ipo_local_cred) - ipsp_reffree(ipo->ipo_local_cred); - if (ipo->ipo_local_auth) - ipsp_reffree(ipo->ipo_local_auth); if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET)) ipsec_in_use--; @@ -765,15 +758,10 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, struct ipsec_acquire *ipa; /* - * If this is a socket policy, it has to have authentication - * information accompanying it --- can't tell key mgmt. to - * "find" it for us. This avoids abusing key mgmt. to authenticate - * on an application's behalf, even if the application doesn't - * have/know (and shouldn't) the appropriate authentication - * material (passphrase, private key, etc.) + * ACQUIRE on local sockets is restricted to avoid abuse of + * authentication keys that the IKE daemon has already loaded. */ - if (ipo->ipo_flags & IPSP_POLICY_SOCKET && - ipo->ipo_local_auth == NULL) + if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL; /* Check whether request has been made already. */ 
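Review bot: The new test `if (ipo->ipo_flags & IPSP_POLICY_SOCKET) return EINVAL;` makes the restriction unconditional: every socket-attached policy is now refused an ACQUIRE, where previously a socket that had supplied IP_IPSEC_LOCAL_AUTH material could still trigger key management, and the replacement comment does not say that this path is now closed for good or why EINVAL is the errno. Suggest spelling it out: `/* Socket policies never trigger an ACQUIRE: key management must not be asked to authenticate on an application's behalf with keys the IKE daemon has loaded, so a matching SA must already exist. */`. Whether the callers of ipsp_acquire_sa in ipsp_spd_lookup and ipsp_spd_inp still treat this EINVAL as a hard drop rather than retrying on every packet is not visible here and is worth confirming. ipsp_acquire_sa begins outside this hunk.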
@@ -969,9 +957,9 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
 if (tdbp->tdb_sproto == inp->inp_ipo->ipo_sproto &&
 !memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
 SA_LEN(&tdbp->tdb_src.sa)) &&
- ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
 goto justreturn;
 else {
 *error = -EINVAL;
@@ -992,8 +980,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
 !memcmp(&tdbp->tdb_src, &inp->inp_ipo->ipo_dst,
 SA_LEN(&tdbp->tdb_src.sa)) &&
 ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,
- inp->inp_ipo->ipo_dstid, NULL, NULL,
- &inp->inp_ipo->ipo_addr, &inp->inp_ipo->ipo_mask))
+ inp->inp_ipo->ipo_dstid, &inp->inp_ipo->ipo_addr,
+ &inp->inp_ipo->ipo_mask))
 goto justreturn;
 /*
@@ -1069,7 +1057,6 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
 inp->inp_ipo->ipo_sproto,
 inp->inp_ipo->ipo_srcid,
 inp->inp_ipo->ipo_dstid,
- inp->inp_ipo->ipo_local_cred,
 &inp->inp_ipo->ipo_addr,
 &inp->inp_ipo->ipo_mask);
 }
@@ -1082,8 +1069,8 @@ ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
 IPSP_DIRECTION_OUT);
 tdb = gettdbbydst(rtable_l2(inp->inp_rtableid),
- &sipon.ipo_dst, IPPROTO_ESP, NULL,
- NULL, NULL, &sipon.ipo_addr, &sipon.ipo_mask);
+ &sipon.ipo_dst, IPPROTO_ESP, NULL, NULL,
+ &sipon.ipo_addr, &sipon.ipo_mask);
 }
 /* If we found an appropriate SA... */
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index ba45329f2fa..68749872653 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.287 2015/02/08 04:40:50 yasuoka Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.288 2015/04/14 12:22:15 mikeb Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
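Review bot: In the `@@ -969` hunk the first line of the call, `ipsp_aux_match(tdbp, inp->inp_ipo->ipo_srcid,`, is removed and re-added with apparently identical text, which suggests a whitespace-only change to that line, while the equivalent call in the `@@ -992` hunk keeps that line as context. If the difference is only indentation, dropping it keeps the hunk to the argument-list change the commit is about; if the re-indentation is intentional, applying it to the second call site too would keep the two lookups consistent. I cannot tell from the collapsed rendering which it is, so this is a point to check rather than a defect. ipsp_spd_inp extends beyond both hunks.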
@@ -913,18 +913,6 @@ findpcb:
 inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
 tdb->tdb_srcid->ref_count++;
 }
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
 } else { /* Just reset */
 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
 inp_tdb_in_next);
@@ -3711,15 +3699,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
 newinp->inp_ipo = inp->inp_ipo;
 inp->inp_ipo->ipo_ref_count++;
 }
- if (inp->inp_ipsec_remotecred != NULL) {
- newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
- inp->inp_ipsec_remotecred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth != NULL) {
- newinp->inp_ipsec_remoteauth
- = inp->inp_ipsec_remoteauth;
- inp->inp_ipsec_remoteauth->ref_count++;
- }
 }
 #endif /* IPSEC */
 #ifdef INET6
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index a9b0f6b55b7..2ea8666d5fc 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.196 2015/03/04 11:10:55 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.197 2015/04/14 12:22:15 mikeb Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -632,18 +632,6 @@ udp_input(struct mbuf *m, ...)
 inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
 tdb->tdb_srcid->ref_count++;
 }
- if (inp->inp_ipsec_remotecred == NULL &&
- tdb->tdb_remote_cred != NULL) {
- inp->inp_ipsec_remotecred =
- tdb->tdb_remote_cred;
- tdb->tdb_remote_cred->ref_count++;
- }
- if (inp->inp_ipsec_remoteauth == NULL &&
- tdb->tdb_remote_auth != NULL) {
- inp->inp_ipsec_remoteauth =
- tdb->tdb_remote_auth;
- tdb->tdb_remote_auth->ref_count++;
- }
 } else { /* Just reset */
 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
 inp_tdb_in_next);
|
