History log of /openbsd-current/sys/netinet/ip_esp.c
Revision Date Author Comments
# 1.195 03-May-2022 claudio

Retire CRYPTO_F_MPSAFE it is no longer of any use. The crypto framework
no longer uses a callback and so there is no need to define the
callback as MPSAFE.
OK bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.194 20-Jan-2022 bluhm

Shifting signed integers left by 31 is undefined behavior in C.
found by kubsan; joint work with tobhe@; OK miod@


# 1.193 23-Dec-2021 bluhm

Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@


# 1.192 23-Dec-2021 bluhm

IPsec is not MP safe yet. To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@


# 1.191 20-Dec-2021 tobhe

Remove unused variable 'clen'.

ok bluhm@


# 1.190 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.189 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.188 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.
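
A worked model of the ESN anti-replay check described in rev 1.117 (RFC 4303 Appendix A algorithm, window size 64) and rev 1.169 (the check runs twice per packet with the same counter), added here as an example; it is not code from ip_esp.c or the OpenBSD tree, and struct replay_state, replay_init() and esp_replay_process() are constructed stand-ins for the tdb fields and the esp_input() flow.

```c
/* Stand-alone model of the ESP anti-replay check with 64-bit ESN as in
 * RFC 4303 Appendix A2.2, window W = 64 (constructed; not kernel code). */
#include <stdint.h>

#define REPLAY_WINDOW	64u	/* W; must equal the bit width of bitmap */
#define REPLAY_OK	0	/* fresh, or inside the window and unseen */
#define REPLAY_DUP	1	/* already accepted: replay */
#define REPLAY_OLD	2	/* below the window or before the SA's start */

struct replay_state {
	uint32_t tl;		/* Tl: low 32 bits of highest accepted ESN */
	uint32_t th;		/* Th: high 32 bits of highest accepted ESN */
	uint64_t bitmap;	/* bit i set: ESN (Th:Tl - i) already accepted */
};

void
replay_init(struct replay_state *rs)
{
	rs->tl = 0;
	rs->th = 0;
	rs->bitmap = 1;		/* ESN 0 is never valid; the first packet is 1 */
}

/*
 * Reconstruct the high 32 bits of the ESN for the low bits seql, classify
 * the packet and, only when commit is set, update the window.  Calling it
 * with commit=0 before ICV verification and commit=1 afterwards, both
 * times with the same seql, is the two-pass pattern rev 1.169 describes.
 */
int
checkreplaywindow(struct replay_state *rs, uint32_t seql, uint32_t *seqh_out,
    int commit)
{
	uint32_t tl = rs->tl, th = rs->th, seqh;
	uint32_t bottom = tl - REPLAY_WINDOW + 1;	/* lowest seql in window */
	uint64_t seq, top, diff;
	int in_window;
	if (tl >= REPLAY_WINDOW - 1) {
		/* window does not straddle a wrap of the low 32 bits */
		if (seql >= bottom) {
			seqh = th;
			in_window = (seql <= tl);
		} else {
			seqh = th + 1;	/* low bits wrapped: next 32-bit epoch */
			in_window = 0;
		}
	} else {
		/* window straddles the wrap; bottom itself has wrapped around */
		if (seql >= bottom) {
			if (th == 0)
				return REPLAY_OLD;	/* would lie before ESN 0 */
			seqh = th - 1;
			in_window = 1;
		} else {
			seqh = th;
			in_window = (seql <= tl);
		}
	}
	*seqh_out = seqh;
	seq = ((uint64_t)seqh << 32) | seql;
	top = ((uint64_t)th << 32) | tl;
	if (!in_window) {
		/* new highest ESN: slide the window so that bit 0 is seq */
		if (commit) {
			diff = seq - top;
			rs->bitmap = diff >= REPLAY_WINDOW ? 1 :
			    (rs->bitmap << diff) | 1;
			rs->tl = seql;
			rs->th = seqh;
		}
		return REPLAY_OK;
	}
	diff = top - seq;
	if (diff >= REPLAY_WINDOW)
		return REPLAY_OLD;
	if (rs->bitmap & ((uint64_t)1 << diff))
		return REPLAY_DUP;
	if (commit)
		rs->bitmap |= (uint64_t)1 << diff;
	return REPLAY_OK;
}

/*
 * Model of the esp_input() ordering: reject replays before any crypto,
 * verify the ICV (icv_ok stands in for that result) and only then let the
 * packet move the window, so forged packets never advance it (the DoS
 * fixed in rev 1.70).  Returns -1 when the ICV check fails.
 */
int
esp_replay_process(struct replay_state *rs, uint32_t seql, int icv_ok)
{
	uint32_t seqh;
	int rc = checkreplaywindow(rs, seql, &seqh, 0);
	if (rc != REPLAY_OK)
		return rc;
	if (!icv_ok)
		return -1;
	return checkreplaywindow(rs, seql, &seqh, 1);
}
```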


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.
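
Added example (not the kernel's own code) for this entry and for 1.160 above, which uses the sequence number as the IV: where the AAD, nonce, ciphertext and ICV of an AES-GCM or AES-GMAC ESP packet come from, with GMAC authenticating the whole payload and decrypting nothing. Field sizes follow RFC 4106 and RFC 4543; the esp_gcm_* names, the salt and the sample packet are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: ESP with AES-GCM-16 (RFC 4106) / AES-GMAC (RFC 4543). */
#define ESP_HDR_LEN	8	/* SPI (4) + low 32 bits of sequence number (4) */
#define GCM_IV_LEN	8	/* explicit IV following the ESP header */
#define GCM_SALT_LEN	4	/* from key material, never on the wire */
#define GCM_ICV_LEN	16	/* AES-GCM-16 / AES-GMAC ICV */

struct esp_gcm_layout {
	uint8_t	aad[12];	/* SPI||seq, or SPI||seqh||seql with ESN */
	size_t	aad_len;
	uint8_t	nonce[GCM_SALT_LEN + GCM_IV_LEN];	/* salt||IV */
	size_t	payload_off;	/* first byte after the IV */
	size_t	payload_len;	/* bytes up to the ICV, all authenticated */
	size_t	crypt_len;	/* bytes of payload to decrypt: 0 for GMAC */
	size_t	icv_off;
};

/* Derive the on-the-wire IV from the 64-bit sequence number (big endian). */
void
esp_gcm_iv_from_seq(uint64_t seq, uint8_t iv[GCM_IV_LEN])
{
	int i;

	for (i = GCM_IV_LEN - 1; i >= 0; i--) {
		iv[i] = (uint8_t)seq;
		seq >>= 8;
	}
}

/*
 * Locate AAD, nonce, payload and ICV in an inbound packet. seqh is the
 * high half of the ESN reconstructed by the receiver; it is authenticated
 * but never transmitted. Returns false if the fixed fields do not fit.
 */
bool
esp_gcm_parse(const uint8_t *pkt, size_t len, const uint8_t salt[GCM_SALT_LEN],
    bool esn, uint32_t seqh, bool gmac_only, struct esp_gcm_layout *lo)
{
	if (len < ESP_HDR_LEN + GCM_IV_LEN + GCM_ICV_LEN)
		return false;

	memcpy(lo->aad, pkt, 4);			/* SPI */
	if (esn) {
		uint8_t hi[4] = { (uint8_t)(seqh >> 24), (uint8_t)(seqh >> 16),
		    (uint8_t)(seqh >> 8), (uint8_t)seqh };

		memcpy(lo->aad + 4, hi, 4);		/* high 32 bits of ESN */
		memcpy(lo->aad + 8, pkt + 4, 4);	/* low 32 bits as sent */
		lo->aad_len = 12;
	} else {
		memcpy(lo->aad + 4, pkt + 4, 4);
		lo->aad_len = 8;
	}
	memcpy(lo->nonce, salt, GCM_SALT_LEN);
	memcpy(lo->nonce + GCM_SALT_LEN, pkt + ESP_HDR_LEN, GCM_IV_LEN);

	lo->payload_off = ESP_HDR_LEN + GCM_IV_LEN;
	lo->icv_off = len - GCM_ICV_LEN;
	lo->payload_len = lo->icv_off - lo->payload_off;
	/* GMAC feeds the payload to the AEAD as more AAD; nothing is decrypted. */
	lo->crypt_len = gmac_only ? 0 : lo->payload_len;
	return true;
}

/* Constructed packet: SPI 0x1000, seq 7, 20 payload bytes, 16 ICV bytes. */
size_t
esp_gcm_sample_packet(uint8_t *buf, size_t cap)
{
	static const uint8_t hdr[ESP_HDR_LEN] = { 0, 0, 0x10, 0, 0, 0, 0, 7 };
	size_t len = ESP_HDR_LEN + GCM_IV_LEN + 20 + GCM_ICV_LEN;

	if (cap < len)
		return 0;
	memcpy(buf, hdr, ESP_HDR_LEN);
	esp_gcm_iv_from_seq(7, buf + ESP_HDR_LEN);
	memset(buf + ESP_HDR_LEN + GCM_IV_LEN, 0xaa, 20);	/* "ciphertext" */
	memset(buf + len - GCM_ICV_LEN, 0xbb, GCM_ICV_LEN);	/* "ICV" */
	return len;
}

int
main(void)
{
	static const uint8_t salt[GCM_SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
	uint8_t pkt[64];
	struct esp_gcm_layout lo;
	size_t len = esp_gcm_sample_packet(pkt, sizeof(pkt)), i;

	if (!esp_gcm_parse(pkt, len, salt, true, 1, false, &lo))
		return 1;
	printf("aad:");
	for (i = 0; i < lo.aad_len; i++)
		printf(" %02x", lo.aad[i]);
	printf("\npayload at %zu (%zu bytes, decrypt %zu), icv at %zu\n",
	    lo.payload_off, lo.payload_len, lo.crypt_len, lo.icv_off);
	return 0;
}
```

The same IV derivation on output is what removes the collision risk the 1.160 entry mentions: as long as the sequence number never repeats within an SA (it is 64 bits with ESN and the SA must be replaced before it wraps), no two packets share a nonce.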


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
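
Added example, not the kernel's own code, illustrating this entry and the timingsafe_bcmp() change in 1.111 above: the ICV the receiver compares is half the HMAC digest for the SHA-2 variants (16, 24 or 32 bytes, against the 12 bytes of the old draft), the HMAC block size is 128 bytes for SHA-384/512, and the comparison runs in constant time. The auth_table, ct_bcmp() and esp_verify_icv() names and the digest bytes are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example: authenticator properties per RFC 4868 (ICV is
 * half the digest; the pre-RFC draft used 96 bits) and a constant-time
 * ICV check. Not the kernel's auth_hash descriptors.
 */
struct auth_props {
	const char *name;
	size_t blocksize;	/* HMAC block size: 128 bytes for SHA-384/512 */
	size_t hashsize;	/* full digest length */
	size_t authsize;	/* ICV bytes carried in the packet */
};

static const struct auth_props auth_table[] = {
	{ "hmac-sha1",      64, 20, 12 },
	{ "hmac-sha2-256",  64, 32, 16 },
	{ "hmac-sha2-384", 128, 48, 24 },
	{ "hmac-sha2-512", 128, 64, 32 },
};

const struct auth_props *
auth_lookup(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(auth_table) / sizeof(auth_table[0]); i++)
		if (strcmp(auth_table[i].name, name) == 0)
			return &auth_table[i];
	return NULL;
}

/*
 * Compare n bytes without an early exit, so the time taken does not
 * depend on where the first differing byte is (same shape as
 * timingsafe_bcmp(3)). Returns 0 if equal, nonzero otherwise.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char ret = 0;

	while (n-- > 0)
		ret |= *p1++ ^ *p2++;
	return ret != 0;
}

/*
 * Verify a received ICV: it must have the negotiated length and match
 * the leading authsize bytes of the full digest. Returns 1 if valid.
 */
int
esp_verify_icv(const struct auth_props *ap, const uint8_t *digest,
    const uint8_t *icv, size_t icv_len)
{
	if (ap == NULL || icv_len != ap->authsize)
		return 0;
	return ct_bcmp(digest, icv, ap->authsize) == 0;
}

int
main(void)
{
	const struct auth_props *ap = auth_lookup("hmac-sha2-256");
	uint8_t digest[32], icv[16];
	size_t i;

	/* Constructed digest and a correctly truncated ICV. */
	for (i = 0; i < sizeof(digest); i++)
		digest[i] = (uint8_t)i;
	memcpy(icv, digest, sizeof(icv));
	printf("%s: ICV %zu of %zu bytes, valid=%d\n", ap->name, ap->authsize,
	    ap->hashsize, esp_verify_icv(ap, digest, icv, sizeof(icv)));
	icv[15] ^= 1;
	printf("corrupted last byte: valid=%d\n",
	    esp_verify_icv(ap, digest, icv, sizeof(icv)));
	/* A 96-bit ICV from a peer with the old truncation is rejected. */
	printf("96-bit ICV: valid=%d\n", esp_verify_icv(ap, digest, digest, 12));
	return 0;
}
```

The length check is what makes the incompatibility the entry warns about visible: a peer still sending 96-bit ICVs fails verification outright rather than being compared against a prefix.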


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
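
An added example (not OpenBSD's code) of the replay-window logic that the entries for 1.169, 1.121 and 1.117 above describe and that this entry fixes: the 64-bit sequence number is reconstructed from the 32 bits on the wire following RFC 4303 Appendix A, the check leaves the window untouched, and the window advances only once the packet has authenticated, so unauthenticated packets cannot move it. The 64-packet window in one word, the REPLAY_OK/REPLAY_DUP/REPLAY_INVALID names and the arrival order in main() are constructed for the example; the kernel keeps a larger window, with the same shifting logic.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: ESN anti-replay window per RFC 4303 Appendix A. */
#define REPLAY_WINDOW 64

struct replay_state {
	uint64_t last_seq;	/* highest authenticated 64-bit sequence number */
	uint64_t bitmap;	/* bit i set: last_seq - i has been accepted */
};

enum replay_result { REPLAY_OK, REPLAY_DUP, REPLAY_INVALID };

/*
 * Reconstruct the 64-bit sequence number from the 32 bits carried in
 * the ESP header and decide whether the packet may be processed.
 * The state is not modified: the same reconstructed value is committed
 * with esn_replay_update() only after the ICV has been verified.
 */
enum replay_result
esn_replay_check(const struct replay_state *st, uint32_t seql, uint64_t *seqp)
{
	uint32_t tl = (uint32_t)st->last_seq;		/* low half of top */
	uint32_t th = (uint32_t)(st->last_seq >> 32);	/* high half of top */
	uint32_t bl = tl - (REPLAY_WINDOW - 1);		/* window bottom, mod 2^32 */
	uint32_t seqh;
	uint64_t seq, diff;

	if (tl >= REPLAY_WINDOW - 1) {
		/* Case A: window lies inside one 32-bit range; a seql below
		 * the bottom can only belong to the next range. */
		seqh = (seql >= bl) ? th : th + 1;
	} else if (seql >= bl) {
		/* Case B: window straddles a 32-bit boundary and seql is in
		 * the previous range; before the first wrap there is none. */
		if (th == 0)
			return REPLAY_INVALID;
		seqh = th - 1;
	} else {
		seqh = th;
	}
	seq = ((uint64_t)seqh << 32) | seql;
	*seqp = seq;

	if (seq == 0)			/* the first packet of an SA is 1 */
		return REPLAY_INVALID;
	if (seq > st->last_seq)		/* right of the window: new */
		return REPLAY_OK;
	diff = st->last_seq - seq;
	if (diff >= REPLAY_WINDOW)	/* not reachable after the reconstruction above; guard only */
		return REPLAY_INVALID;
	return ((st->bitmap >> diff) & 1) ? REPLAY_DUP : REPLAY_OK;
}

/* Commit a sequence number once the packet has authenticated. */
void
esn_replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->last_seq) {
		uint64_t shift = seq - st->last_seq;

		st->bitmap = shift >= REPLAY_WINDOW ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->last_seq = seq;
	} else {
		st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
	}
}

int
main(void)
{
	struct replay_state st = { 0, 0 };
	/* Constructed arrival order: new, duplicate, gap, late but valid, bogus. */
	uint32_t arrivals[] = { 1, 1, 5, 3, 0 };
	size_t i;

	for (i = 0; i < sizeof(arrivals) / sizeof(arrivals[0]); i++) {
		uint64_t seq;
		enum replay_result r = esn_replay_check(&st, arrivals[i], &seq);

		printf("seql=%u -> %s\n", arrivals[i], r == REPLAY_OK ? "accept" :
		    r == REPLAY_DUP ? "replay" : "invalid");
		if (r == REPLAY_OK)
			esn_replay_update(&st, seq);	/* only after the ICV check */
	}
	return 0;
}
```

Splitting check and update is the point of this entry and of 1.169: a packet that fails authentication never reaches esn_replay_update(), and the value committed is the one computed before the crypto operation, not a fresh reconstruction against a window that may have moved meanwhile.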


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.193 23-Dec-2021 bluhm

Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@


# 1.192 23-Dec-2021 bluhm

IPsec is not MP safe yet. To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@


# 1.191 20-Dec-2021 tobhe

Remove unused variable 'clen'.

ok bluhm@


# 1.190 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.189 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.188 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() intp esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during havy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding failes; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

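The replay handling described in revs 1.117 and 1.169 above (and the ordering requirement from rev 1.70), as an added example that is not OpenBSD's code: a 64-packet window over 64-bit extended sequence numbers following RFC 4303 Appendix A, where the check runs before the ICV with a snapshot of the counter and the update runs after it with that same snapshot. struct esn_replay, the esn_* functions and the icv_ok flag standing in for the real HMAC/AEAD verification are assumed names, not the kernel's checkreplaywindow() API.

```c
#include <stdbool.h>
#include <stdint.h>

#define ESP_WINDOW 64u	/* packets; rev 1.117 raised the window to 64 */

/* Per-SA anti-replay state (hypothetical struct, not OpenBSD's struct tdb). */
struct esn_replay {
	uint64_t top;		/* highest authenticated 64-bit seq (Th:Tl) */
	uint64_t bitmap;	/* bit i set: seq top-i already received */
};

enum { ESN_OK = 0, ESN_REPLAY, ESN_OLD, ESN_AUTH_FAIL };

/* Seq 0 starts out as "seen": the first packet of an SA carries seq 1. */
static void
esn_replay_init(struct esn_replay *r)
{
	r->top = 0;
	r->bitmap = 1;
}

/*
 * Check phase (RFC 4303 Appendix A), run before the ICV is verified.
 * Infers the high 32 bits from the wire value and the window position;
 * *seqp gets the full 64-bit seq that both the ICV computation and the
 * later update must use. Never touches *r, so an unauthenticated packet
 * cannot move the window.
 */
static int
esn_replay_check(const struct esn_replay *r, uint32_t seql, uint64_t *seqp)
{
	uint32_t tl = (uint32_t)r->top, th = (uint32_t)(r->top >> 32);
	uint32_t b = tl - (ESP_WINDOW - 1);	/* window bottom, mod 2^32 */
	uint32_t seqh;
	bool in_window;

	if (tl >= ESP_WINDOW - 1) {
		/* Case A: the window lies inside one 32-bit subspace. */
		if (seql >= b) {
			seqh = th;
			in_window = seql <= tl;
		} else {
			seqh = th + 1;		/* low half wrapped: new */
			in_window = false;
		}
	} else {
		/* Case B: the window straddles a 32-bit wrap. */
		if (seql >= b) {
			if (th == 0)
				return (ESN_OLD);	/* no previous subspace */
			seqh = th - 1;		/* older part of the window */
			in_window = true;
		} else {
			seqh = th;
			in_window = seql <= tl;
		}
	}
	*seqp = ((uint64_t)seqh << 32) | seql;
	if (!in_window)
		return (ESN_OK);		/* right of the window: new */
	/* top - seq is within 0..ESP_WINDOW-1 by construction of the cases */
	return ((r->bitmap >> (r->top - *seqp)) & 1) ? ESN_REPLAY : ESN_OK;
}

/* Update phase: called only after the ICV verified, with the same seq. */
static void
esn_replay_update(struct esn_replay *r, uint64_t seq)
{
	if (seq > r->top) {
		uint64_t shift = seq - r->top;

		r->bitmap = (shift >= 64 ? 0 : r->bitmap << shift) | 1;
		r->top = seq;
	} else
		r->bitmap |= 1ULL << (r->top - seq);
}

/*
 * One inbound packet. icv_ok stands in for the HMAC/AEAD verification.
 * The seq inferred at check time is carried into the update (the
 * invariant rev 1.169 restored); a failed ICV leaves the window
 * untouched (the DoS fix from rev 1.70).
 */
static int
esn_receive(struct esn_replay *r, uint32_t seql, bool icv_ok)
{
	uint64_t seq;
	int rv = esn_replay_check(r, seql, &seq);

	if (rv != ESN_OK)
		return (rv);
	if (!icv_ok)
		return (ESN_AUTH_FAIL);
	esn_replay_update(r, seq);
	return (ESN_OK);
}
```

A packet older than the window is inferred to belong to the next 32-bit subspace, so it passes the check and is dropped by the ICV instead; only the th == 0 case can be rejected outright.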

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplify monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.
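
Revision 1.112 above and this entry (1.76) both concern the ESP trailer: 1.112 makes the output side pad so that the trailer is block-aligned and, for stream ciphers, 4-byte aligned, and 1.76 has the input side reject payload lengths that do not fit, NULL encryption included. The following is an added example, not OpenBSD's m_pad()/esp_output()/esp_input() code, that builds and validates that trailer as RFC 4303 section 2.4 lays it out; the helper names (esp_align, esp_padlen, esp_trailer_append, esp_trailer_parse) and the sample payload are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenBSD's m_pad()/esp_output()/esp_input(): the ESP
 * trailer of RFC 4303 section 2.4.  What goes through the cipher is
 *   payload || padding || Pad Length (1 byte) || Next Header (1 byte)
 * and its length must be a multiple of the cipher block size; stream, AEAD
 * and NULL ciphers still need the trailer to end on a 4-byte boundary.
 * Pad bytes are 1, 2, 3, ... so the receiver can check them. */

/* Alignment the trailer must satisfy: the block size, but never less than 4. */
static size_t
esp_align(size_t blksize)
{
	return blksize < 4 ? 4 : blksize;
}

/* Pad bytes needed so that payload + padding + 2 trailer bytes is aligned. */
static size_t
esp_padlen(size_t payload_len, size_t blksize)
{
	size_t align = esp_align(blksize);

	return (align - (payload_len + 2) % align) % align;
}

/* Append padding and trailer to buf, which holds payload_len bytes and has
 * room for payload_len + 255 + 2.  Returns the resulting plaintext length. */
static size_t
esp_trailer_append(uint8_t *buf, size_t payload_len, size_t blksize, uint8_t next_hdr)
{
	size_t padlen = esp_padlen(payload_len, blksize);

	for (size_t i = 0; i < padlen; i++)
		buf[payload_len + i] = (uint8_t)(i + 1);
	buf[payload_len + padlen] = (uint8_t)padlen;
	buf[payload_len + padlen + 1] = next_hdr;
	return payload_len + padlen + 2;
}

/* Parse decrypted plaintext.  Returns the payload length, or -1 when the
 * trailer is inconsistent: shorter than the trailer itself, misaligned, a
 * Pad Length larger than the data, or pad bytes off the 1, 2, 3 pattern.
 * Every length is checked before it is used as an index. */
static long
esp_trailer_parse(const uint8_t *pt, size_t plen, size_t blksize, uint8_t *next_hdr)
{
	size_t padlen, payload_len;

	if (plen < 2 || plen % esp_align(blksize) != 0)
		return -1;
	padlen = pt[plen - 2];
	if (padlen + 2 > plen)
		return -1;
	payload_len = plen - 2 - padlen;
	for (size_t i = 0; i < padlen; i++)
		if (pt[payload_len + i] != (uint8_t)(i + 1))
			return -1;
	*next_hdr = pt[plen - 1];
	return (long)payload_len;
}

/* Round trip on constructed data; returns 0 on success or the failing step. */
static int
esp_trailer_selftest(void)
{
	uint8_t buf[64] = "constructed-payload";	/* 19 payload bytes, room for trailer */
	uint8_t nh = 0;
	size_t plen = esp_trailer_append(buf, 19, 16, 4);	/* 16-byte blocks, next header 4 (IPIP) */

	if (plen != 32) return 1;				/* 19 + 11 pad + 2 */
	if (esp_trailer_parse(buf, plen, 16, &nh) != 19 || nh != 4) return 2;
	buf[plen - 2] = 200;					/* Pad Length larger than the data */
	if (esp_trailer_parse(buf, plen, 16, &nh) != -1) return 3;
	buf[plen - 2] = 11; buf[19] = 9;			/* first pad byte should be 1 */
	if (esp_trailer_parse(buf, plen, 16, &nh) != -1) return 4;
	if (esp_trailer_parse(buf, 1, 16, &nh) != -1) return 5;	/* truncated packet */
	return 0;
}

int
main(void)
{
	int step = esp_trailer_selftest();

	printf("esp trailer self-test: %s (step %d)\n", step ? "FAILED" : "ok", step);
	return step != 0;
}
```

The parse side is the part that matters for the input path: the Pad Length byte comes from the peer, so it is bounded against the decrypted length before anything is subtracted or indexed, which is exactly the class of check the 1.76 entry adds for the NULL cipher, where nothing else in the decryption step would catch a bad length.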


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
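
Revision 1.117 above introduces the RFC 4303 Appendix A replay check with 64-bit ESN, 1.111 replaces bcmp() with timingsafe_bcmp() for the ICV, and this entry (1.70) fixes the window being advanced by unauthenticated packets. The block below is an added example, not OpenBSD's checkreplaywindow()/esp_input() code, that ties the three together in one inbound check: infer the full sequence number from the low 32 bits, test it against the window, verify the ICV with a constant-time compare, and only then commit the sequence number. The window size, the function names (replay_check, replay_update, ct_bcmp, esp_accept) and the sample ICVs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not OpenBSD's checkreplaywindow()/esp_input(): inbound ESP
 * anti-replay as in RFC 4303 Appendix A with 64-bit ESN.  Only the low 32 bits
 * travel in the packet; the high 32 are inferred from the window.  replay_update()
 * runs only after the ICV verified, so a forged packet never moves the window. */
#define REPLAY_WINDOW 64	/* constructed: 64 entries fit one uint64_t bitmap */

struct replay_state {
	uint64_t top;		/* highest authenticated sequence number, Th<<32 | Tl */
	uint64_t bitmap;	/* bit i set <=> sequence number (top - i) was accepted */
	bool esn;		/* extended sequence numbers negotiated for the SA */
};
enum replay_result { REPLAY_OK, REPLAY_STALE, REPLAY_DUP };
enum esp_verdict { ESP_ACCEPT, ESP_DROP_REPLAY, ESP_DROP_AUTH };

/* Infer the full 64-bit sequence number and test it against the window. */
static enum replay_result
replay_check(const struct replay_state *rs, uint32_t seql, uint64_t *seq_out)
{
	uint32_t tl = (uint32_t)rs->top, th = (uint32_t)(rs->top >> 32);
	uint32_t wbot = (uint32_t)(tl - (REPLAY_WINDOW - 1));	/* window bottom mod 2^32 */
	uint32_t seqh;
	uint64_t seq, diff;

	if (!rs->esn)
		seqh = 0;
	else if (tl >= REPLAY_WINDOW - 1)	/* case A: window within one 2^32 half */
		seqh = (seql >= wbot) ? th : th + 1;	/* below the bottom: next half */
	else					/* case B: window straddles the boundary */
		seqh = (seql < wbot) ? th : th - 1;	/* top of the range: previous half */
	seq = ((uint64_t)seqh << 32) | seql;
	if (seq == 0)
		return REPLAY_STALE;		/* an SA starts at 1; 0 is never sent */
	if (seq <= rs->top) {
		diff = rs->top - seq;
		if (diff >= REPLAY_WINDOW)
			return REPLAY_STALE;	/* below the window (reachable without ESN only) */
		if (rs->bitmap & ((uint64_t)1 << diff))
			return REPLAY_DUP;
	}
	*seq_out = seq;
	return REPLAY_OK;
}

/* Commit an authenticated sequence number; call only after ICV verification. */
static void
replay_update(struct replay_state *rs, uint64_t seq)
{
	if (seq > rs->top) {
		rs->bitmap = (seq - rs->top >= REPLAY_WINDOW ? 0 : rs->bitmap << (seq - rs->top)) | 1;
		rs->top = seq;
	} else
		rs->bitmap |= (uint64_t)1 << (rs->top - seq);
}

/* timingsafe_bcmp(3) contract: 0 if equal, non-zero otherwise, no early exit. */
static int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;

	for (size_t i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* Window test, then ICV, then window update; never the update first. */
static enum esp_verdict
esp_accept(struct replay_state *rs, uint32_t seql, const uint8_t *icv_recv,
    const uint8_t *icv_calc, size_t icv_len)
{
	uint64_t seq;

	if (replay_check(rs, seql, &seq) != REPLAY_OK)
		return ESP_DROP_REPLAY;
	if (ct_bcmp(icv_recv, icv_calc, icv_len) != 0)
		return ESP_DROP_AUTH;		/* window untouched */
	replay_update(rs, seq);
	return ESP_ACCEPT;
}

/* Constructed scenario; returns 0 on success or the number of the failing step. */
static int
esp_replay_selftest(void)
{
	static const uint8_t good[12] = { 0xa5, 0x5a, 1 }, bad[12] = { 0xa5, 0x5a, 2 };
	struct replay_state rs = { 0, 0, false };

	if (esp_accept(&rs, 1, good, good, 12) != ESP_ACCEPT) return 1;
	if (esp_accept(&rs, 1, good, good, 12) != ESP_DROP_REPLAY) return 2;	/* duplicate */
	if (esp_accept(&rs, 100, bad, good, 12) != ESP_DROP_AUTH || rs.top != 1) return 3;
	if (esp_accept(&rs, 100, good, good, 12) != ESP_ACCEPT) return 4;
	if (esp_accept(&rs, 36, good, good, 12) != ESP_DROP_REPLAY) return 5;	/* 64 back: stale */
	if (esp_accept(&rs, 37, good, good, 12) != ESP_ACCEPT) return 6;	/* 63 back: oldest slot */
	rs.esn = true; rs.top = 0xFFFFFFF0; rs.bitmap = 1;	/* now cross 2^32 with ESN */
	if (esp_accept(&rs, 5, good, good, 12) != ESP_ACCEPT || rs.top != 0x100000005ULL) return 7;
	if (esp_accept(&rs, 0xFFFFFFFE, good, good, 12) != ESP_ACCEPT) return 8;	/* late pre-wrap */
	if (esp_accept(&rs, 0xFFFFFFFE, good, good, 12) != ESP_DROP_REPLAY) return 9;
	return 0;
}
```

One consequence of the Appendix A rule is worth keeping in mind when reading the result codes: with ESN enabled, a sequence number that falls below the window is interpreted as belonging to the next 2^32 half rather than rejected as stale, so the ICV, which covers the inferred high bits, is what rejects such a packet; without ESN the window itself drops it. The self-test exercises both paths and the ordering fix of 1.70: after the forged packet with sequence number 100 (step 3), rs.top is still 1.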


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz




# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.
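
Added example (not OpenBSD's code) of the mechanism in 1.117 and 1.121 above: an anti-replay window with the RFC 4303 Appendix A recovery of the implicit high 32 sequence-number bits, parameterised by window size (64 or 2100), and split into a check before authentication and an update after it so that, as 1.70 below fixed, an unauthenticated packet never advances the counter. All names (`struct esp_replay`, `replay_check`, `esp_receive`) are constructed for this example, the traffic is constructed, and ICV verification is modelled rather than computed.

```c
#include <stdint.h>
#include <string.h>

#define REPLAY_MAX_BITS	4096		/* largest window this example supports */
#define BIT_TEST(bm, i)	(((bm)[(i) / 64] >> ((i) % 64)) & 1)
#define BIT_SET(bm, i)	((bm)[(i) / 64] |= (uint64_t)1 << ((i) % 64))
#define BIT_CLR(bm, i)	((bm)[(i) / 64] &= ~((uint64_t)1 << ((i) % 64)))

enum replay_status { REPLAY_OK = 0, REPLAY_TOO_OLD, REPLAY_DUP, REPLAY_BAD_ICV };

struct esp_replay {
	unsigned int window;		/* W: window size in packets, <= REPLAY_MAX_BITS */
	uint64_t last_seq;		/* T: highest authenticated 64-bit sequence number */
	uint64_t bitmap[REPLAY_MAX_BITS / 64];	/* ring: slot seq % W is set once accepted */
};

static void
replay_init(struct esp_replay *r, unsigned int window)
{
	memset(r, 0, sizeof(*r));
	r->window = window;
	BIT_SET(r->bitmap, 0);		/* sequence number 0 is never valid (RFC 4303) */
}

/* Pre-authentication check (RFC 4303 Appendix A2): recover the implicit high 32 */
/* bits Seqh from the wire's Seql and T, then test the 64-bit number. Read-only. */
static enum replay_status
replay_check(const struct esp_replay *r, uint32_t seql, uint64_t *seq_out)
{
	uint32_t th = (uint32_t)(r->last_seq >> 32), tl = (uint32_t)r->last_seq;
	uint32_t bl = tl - r->window + 1, seqh;	/* bl: bottom of the window, mod 2^32 */

	if (tl >= r->window - 1)		/* case A: window lies within one Seqh */
		seqh = (seql >= bl) ? th : th + 1;
	else if (seql < bl)			/* case B (window straddles 2^32), after the wrap */
		seqh = th;
	else if (th == 0)			/* case B, but nothing precedes sequence 0 */
		return REPLAY_TOO_OLD;
	else					/* case B, packet from before the wrap */
		seqh = th - 1;
	*seq_out = ((uint64_t)seqh << 32) | seql;
	if (*seq_out > r->last_seq)
		return REPLAY_OK;		/* ahead of the window: a new packet */
	if (r->last_seq - *seq_out >= r->window)
		return REPLAY_TOO_OLD;		/* fell off the left edge */
	return BIT_TEST(r->bitmap, *seq_out % r->window) ? REPLAY_DUP : REPLAY_OK;
}

/* Post-authentication update: slide T forward, clearing the slots passed over. */
static void
replay_update(struct esp_replay *r, uint64_t seq)
{
	if (seq > r->last_seq) {
		uint64_t s = seq - r->last_seq > r->window ? seq - r->window : r->last_seq + 1;
		for (; s < seq; s++)
			BIT_CLR(r->bitmap, s % r->window);
		r->last_seq = seq;
	}
	BIT_SET(r->bitmap, seq % r->window);
}

/* One inbound packet.  Only the low 32 bits of the sender's sequence number are */
/* on the wire; the ICV covers all 64, so "authenticated" means the receiver      */
/* recovered the sender's number and the packet was not tampered with (modelled). */
static enum replay_status
esp_receive(struct esp_replay *r, uint64_t sender_seq, int tampered)
{
	uint64_t seq;
	enum replay_status st = replay_check(r, (uint32_t)sender_seq, &seq);
	if (st != REPLAY_OK)
		return st;
	if (tampered || seq != sender_seq)
		return REPLAY_BAD_ICV;
	replay_update(r, seq);		/* only an authenticated packet moves T */
	return REPLAY_OK;
}

/* Constructed traffic on a window of the given size.  Returns -1 if an early step */
/* misbehaves, else the verdict on a late copy of packet 30: with W = 64 it lies   */
/* below the window, is read as 0x1_0000001E and fails the ICV; W = 2100 accepts.  */
static int
demo_window(unsigned int window)
{
	struct esp_replay r;
	replay_init(&r, window);
	if (esp_receive(&r, 1, 0) != REPLAY_OK ||	/* first packet of an SA is 1 */
	    esp_receive(&r, 1, 0) != REPLAY_DUP ||	/* replayed copy */
	    esp_receive(&r, 5000, 1) != REPLAY_BAD_ICV ||	/* forged: must not move T */
	    esp_receive(&r, 2, 0) != REPLAY_OK ||	/* still accepted: T is 1, not 5000 */
	    esp_receive(&r, 100, 0) != REPLAY_OK)
		return -1;
	return esp_receive(&r, 30, 0);
}

/* Recover the 64-bit number for a header Seql given T (window 64); 0 if rejected. */
static uint64_t
esn_probe(uint64_t last_seq, uint32_t seql)
{
	struct esp_replay r = { .window = 64, .last_seq = last_seq };
	uint64_t seq;
	return replay_check(&r, seql, &seq) == REPLAY_OK ? seq : 0;
}
```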


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.187 11-Nov-2021 bluhm

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.
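
As an added example of why this switch matters (this is illustrative code, not code from ip_esp.c or from the commit above): icv_compare_leaky() has the early-exit shape of a textbook bcmp(), icv_compare_ct() mirrors what timingsafe_bcmp(3) does, and forge_probe() plays the attacker who submits a forged ICV and learns, from how far the compare got, how many of its leading bytes were right. The bytes_inspected counter, forge_probe() and the 12-byte ICV are assumptions made for the demonstration; a real attacker measures wall-clock time instead of a counter, which is noisier but carries the same information.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical instrumentation: how many bytes the most recent compare read. */
static size_t bytes_inspected;

size_t
icv_bytes_inspected(void)
{
	return bytes_inspected;
}

/*
 * Early-exit compare with the shape of a textbook bcmp()/memcmp(): it stops
 * at the first mismatching byte, so its running time tells the sender how
 * many leading bytes of a forged ICV were correct.
 */
int
icv_compare_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
	size_t i;

	bytes_inspected = 0;
	for (i = 0; i < n; i++) {
		bytes_inspected++;
		if (a[i] != b[i])
			return 1;
	}
	return 0;
}

/*
 * Compare in the style of timingsafe_bcmp(3): OR together the XOR of every
 * byte pair and reduce to a verdict only at the end. The amount of work is a
 * function of n alone, not of where (or whether) the inputs differ.
 */
int
icv_compare_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
	volatile uint8_t diff = 0;
	size_t i;

	bytes_inspected = 0;
	for (i = 0; i < n; i++) {
		bytes_inspected++;
		diff |= a[i] ^ b[i];
	}
	return diff != 0;
}

/*
 * Attacker's view (assumed helper): submit a guess whose first `prefix` bytes
 * match the real ICV and whose next byte is wrong, then observe how far the
 * compare got. With the leaky compare the answer is prefix + 1, an oracle that
 * recovers the ICV one byte at a time; with the constant-time compare it is
 * always n. Returns 0 for arguments the 64-byte scratch buffer cannot hold.
 */
size_t
forge_probe(const uint8_t *real_icv, size_t n, size_t prefix, bool constant_time)
{
	uint8_t guess[64];

	if (n > sizeof(guess) || prefix >= n)
		return 0;
	memset(guess, 0, sizeof(guess));
	memcpy(guess, real_icv, prefix);
	guess[prefix] = real_icv[prefix] ^ 0xff;	/* force a mismatch here */
	if (constant_time)
		icv_compare_ct(guess, real_icv, n);
	else
		icv_compare_leaky(guess, real_icv, n);
	return icv_bytes_inspected();
}
```

The volatile accumulator is there so the compiler cannot turn the OR loop back into an early exit; the kernel's timingsafe_bcmp() relies on the same idea without the qualifier.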


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.
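
The length sanity checks that 1.42, 1.76 and 1.112 touch all live in the ESP trailer (RFC 4303: padding, Pad Length, Next Header). The following is an added worked example of both sides of that format, not code from ip_esp.c: esp_add_trailer() pads the plaintext so the trailer lands on a block boundary (4 bytes for NULL and stream ciphers, the cipher block size for CBC modes), and esp_parse_trailer() runs the receiver's checks on the decrypted bytes, including the alignment check that 1.76 applies to NULL encryption and a minimum-length check that still admits a one-byte payload. The struct, the error codes and the sample payloads are constructed for the example; the kernel's own checks are spread across esp_input() and esp_output() and differ in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of parsing the plaintext part of an ESP packet (assumed struct). */
struct esp_trailer {
	size_t	payload_len;	/* bytes of real payload before the padding */
	uint8_t	pad_len;	/* Pad Length field */
	uint8_t	next_header;	/* Next Header field, e.g. 4 for an IPv4 tunnel */
};

enum {
	ESP_OK = 0,
	ESP_E_SHORT = -1,	/* not even room for Pad Length + Next Header */
	ESP_E_ALIGN = -2,	/* length is not a multiple of the block size */
	ESP_E_PADLEN = -3,	/* Pad Length claims more bytes than exist */
	ESP_E_PADBYTES = -4	/* padding does not carry the 1,2,3,... pattern */
};

/*
 * Output side: append padding, Pad Length and Next Header so the whole
 * plaintext is a multiple of blocksize. Returns the total length written,
 * or 0 if out is too small.
 */
size_t
esp_add_trailer(const uint8_t *payload, size_t len, uint8_t next_header,
    size_t blocksize, uint8_t *out, size_t outcap)
{
	size_t pad = (blocksize - (len + 2) % blocksize) % blocksize;
	size_t total = len + pad + 2;
	size_t i;

	if (pad > 255 || total > outcap)
		return 0;
	memcpy(out, payload, len);
	for (i = 0; i < pad; i++)
		out[len + i] = (uint8_t)(i + 1);	/* default self-describing padding */
	out[len + pad] = (uint8_t)pad;
	out[len + pad + 1] = next_header;
	return total;
}

/*
 * Input side, run on the decrypted bytes. Each check is a cheap rejection of
 * a malformed or wrongly decrypted packet before anything is delivered
 * upward. The alignment check applies to NULL encryption too: the trailer is
 * still expected on a 4-byte boundary. ptlen >= 2 is the only minimum, so a
 * one-byte payload with one pad byte is a legal 4-byte plaintext.
 */
int
esp_parse_trailer(const uint8_t *pt, size_t ptlen, size_t blocksize,
    struct esp_trailer *out)
{
	uint8_t pad_len;
	size_t i;

	if (ptlen < 2)
		return ESP_E_SHORT;
	if (blocksize > 1 && ptlen % blocksize != 0)
		return ESP_E_ALIGN;
	pad_len = pt[ptlen - 2];
	if ((size_t)pad_len + 2 > ptlen)
		return ESP_E_PADLEN;
	/* This example checks every pad byte against the 1,2,3,... pattern;
	 * it costs at most 255 byte compares and catches most bad decryptions. */
	for (i = 0; i < pad_len; i++)
		if (pt[ptlen - 2 - pad_len + i] != (uint8_t)(i + 1))
			return ESP_E_PADBYTES;
	out->payload_len = ptlen - 2 - pad_len;
	out->pad_len = pad_len;
	out->next_header = pt[ptlen - 1];
	return ESP_OK;
}
```

Note that the Pad Length check uses the decrypted length only; the ICV has to have been verified before any of this is trusted, otherwise a forged trailer steers the next-header dispatch.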


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.186 08-Nov-2021 tobhe

Use plen consistently.

ok patrick@


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.
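
What rev 1.111 guards against, as an added example that is not OpenBSD code: a bcmp()-style compare stops at the first differing byte, so the time it takes to reject a forged ICV reveals how many leading bytes the forger already got right, while a timingsafe_bcmp()-style compare does the same amount of work whatever the inputs. The functions leaky_bcmp, ct_bcmp, compare_steps, verdicts_agree and leak_spread, the 12-byte ICV and the step counters are all constructed for this example.

```c
/* Added example (not OpenBSD code): why an ICV is compared with
 * timingsafe_bcmp() rather than bcmp(). The step counters are the
 * example's own instrumentation. */
#include <stddef.h>
#include <string.h>

#define ICV_LEN	12	/* 96-bit truncated ICV, the length rev 1.106 discusses */

/* bcmp()-style: stop at the first mismatch. '*steps' receives the number
 * of bytes examined, which is the length of the matching prefix plus one
 * and is therefore observable as timing. */
static int
leaky_bcmp(const void *a, const void *b, size_t n, size_t *steps)
{
	const unsigned char *p = a, *q = b;
	size_t i;

	for (i = 0; i < n && p[i] == q[i]; i++)
		;
	*steps = (i < n) ? i + 1 : n;
	return i < n;
}

/* timingsafe_bcmp()-style: look at every byte, OR the differences into one
 * accumulator and decide only at the end, so the work does not depend on
 * where (or whether) the inputs differ. */
static int
ct_bcmp(const void *a, const void *b, size_t n, size_t *steps)
{
	const unsigned char *p = a, *q = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p[i] ^ q[i];
	*steps = n;
	return acc != 0;
}

/* Constructed ICV and a forged one differing only at byte 'pos'
 * (pos >= ICV_LEN: identical). Returns the byte count examined by the
 * chosen compare and, via '*differ' if non-NULL, its verdict. */
static size_t
compare_steps(size_t pos, int constant_time, int *differ)
{
	static const unsigned char good[ICV_LEN] = {
		0x3a, 0x7f, 0xc2, 0x19, 0xe4, 0x55, 0x08, 0xb1, 0x9d, 0x60, 0xf7, 0x2c
	};
	unsigned char forged[ICV_LEN];
	size_t steps;
	int r;

	memcpy(forged, good, ICV_LEN);
	if (pos < ICV_LEN)
		forged[pos] ^= 0xff;
	r = constant_time ? ct_bcmp(good, forged, ICV_LEN, &steps)
	    : leaky_bcmp(good, forged, ICV_LEN, &steps);
	if (differ)
		*differ = r;
	return steps;
}

/* 1 if both compares give the right verdict for every position, else 0. */
static int
verdicts_agree(void)
{
	size_t pos;
	int a, b;

	for (pos = 0; pos <= ICV_LEN; pos++) {
		compare_steps(pos, 0, &a);
		compare_steps(pos, 1, &b);
		if (!!a != !!b || (pos < ICV_LEN) != !!a)
			return 0;
	}
	return 1;
}

/* Spread between the fewest and the most bytes examined over all mismatch
 * positions: the size of the timing leak (0 means none). */
static size_t
leak_spread(int constant_time)
{
	size_t pos, lo = ICV_LEN, hi = 0, s;

	for (pos = 0; pos < ICV_LEN; pos++) {
		s = compare_steps(pos, constant_time, NULL);
		if (s < lo)
			lo = s;
		if (s > hi)
			hi = s;
	}
	return hi - lo;
}
```

leak_spread() reports the difference between the fewest and the most bytes examined over all mismatch positions: 11 for the early-exit compare against a 12-byte ICV, 0 for the constant-time one, while verdicts_agree() confirms both compares reach the same equal/unequal answer.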


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
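
The anti-replay logic that revs 1.70, 1.117, 1.161 and 1.169 touch, as an added example written for this page rather than code from ip_esp.c: a 64-bit extended-sequence-number window in the shape of RFC 4303 Appendix A (window size 64, as in rev 1.117), which reconstructs the high 32 bits from the low 32 bits on the wire, rejects sequence number 0 (rev 1.161), refuses to advance the window for a packet whose ICV did not verify (the DoS fix in rev 1.70), and uses one snapshot of the replay counter for both window checks of a packet (rev 1.169). The names replay_state, esn_reconstruct, replay_test, replay_update and esp_replay_input are this example's own, icv_ok is a stand-in for the crypto layer's ICV verification, and the treatment of the underflow corner case (high half 0, low value at or above the wrapped window bottom) is the example's own choice, not something the log states.

```c
/* Added example (not OpenBSD code): ESN anti-replay window after RFC 4303
 * Appendix A; all names are the example's own, 'icv_ok' stands in for the
 * crypto layer's ICV verification. */
#include <stdbool.h>
#include <stdint.h>
#define REPLAY_WINDOW	64	/* window size, as in rev 1.117 */

enum replay_result { REPLAY_OK, REPLAY_NOSEQ, REPLAY_DUP, REPLAY_STALE, REPLAY_AUTHFAIL };
struct replay_state {
	uint64_t rpl;		/* highest authenticated sequence number */
	uint64_t bitmap;	/* bit i set: rpl - i has been received */
	bool esn;		/* extended (64-bit) sequence numbers in use */
};

/* Rebuild the 64-bit sequence number from the 32 wire bits relative to a
 * snapshot 'ref' of the replay counter; false if the high half would
 * underflow (nothing precedes an SA's first packet), which we drop. */
static bool
esn_reconstruct(uint64_t ref, uint32_t seql, bool esn, uint64_t *seqp)
{
	uint32_t th = (uint32_t)(ref >> 32), tl = (uint32_t)ref;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* window bottom, may wrap */
	uint32_t sh = th;

	if (!esn)
		sh = 0;
	else if (tl >= REPLAY_WINDOW - 1)	/* window within one cycle */
		sh = (seql >= bl) ? th : th + 1;
	else if (seql >= bl && th == 0)		/* straddles; seql before seq 0 */
		return false;
	else if (seql >= bl)			/* straddles; previous cycle */
		sh = th - 1;
	*seqp = ((uint64_t)sh << 32) | seql;
	return true;
}

static enum replay_result
replay_test(const struct replay_state *st, uint64_t seq)
{
	if (seq == 0)
		return REPLAY_NOSEQ;	/* an SA's first packet is 1 (rev 1.161) */
	if (seq > st->rpl)
		return REPLAY_OK;	/* ahead of the window: new */
	if (st->rpl - seq >= REPLAY_WINDOW)
		return REPLAY_STALE;	/* fell off the left edge */
	if (st->bitmap & ((uint64_t)1 << (st->rpl - seq)))
		return REPLAY_DUP;
	return REPLAY_OK;
}

/* Record an authenticated 'seq', sliding the window forward if needed. */
static void
replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->rpl) {
		uint64_t shift = seq - st->rpl;
		st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->rpl = seq;
	} else
		st->bitmap |= (uint64_t)1 << (st->rpl - seq);
}

/* Simplified ESP input: cheap check before crypto, authenticate, re-check
 * with the same 'seq' (rev 1.169), then advance the window (rev 1.70). */
static enum replay_result
esp_replay_input(struct replay_state *st, uint32_t seql, bool icv_ok)
{
	uint64_t ref = st->rpl, seq;	/* snapshot kept across the crypto op */
	enum replay_result r;
	if (!esn_reconstruct(ref, seql, st->esn, &seq))
		return REPLAY_STALE;
	if ((r = replay_test(st, seq)) != REPLAY_OK)
		return r;
	if (!icv_ok)
		return REPLAY_AUTHFAIL;	/* unauthenticated: window untouched */
	if ((r = replay_test(st, seq)) != REPLAY_OK)
		return r;
	replay_update(st, seq);
	return REPLAY_OK;
}

/* Fixed scenario: returns 0 if every step behaves, else the failing step. */
static int
replay_selftest(void)
{
	struct replay_state st = { 0, 0, false };		/* 32-bit SA */
	struct replay_state e = { 0, 0, true };			/* fresh ESN SA */
	struct replay_state w = { 0xFFFFFFF0ULL, 1, true };	/* ESN near wrap */
	if (esp_replay_input(&st, 0, true) != REPLAY_NOSEQ) return 1;
	if (esp_replay_input(&st, 1, true) != REPLAY_OK) return 2;
	if (esp_replay_input(&st, 1, true) != REPLAY_DUP) return 3;
	if (esp_replay_input(&st, 3, false) != REPLAY_AUTHFAIL || st.rpl != 1) return 4;
	if (esp_replay_input(&st, 3, true) != REPLAY_OK) return 5;
	if (esp_replay_input(&st, 2, true) != REPLAY_OK || st.bitmap != 7) return 6;
	if (esp_replay_input(&st, 100, true) != REPLAY_OK) return 7;
	if (esp_replay_input(&st, 36, true) != REPLAY_STALE) return 8;
	if (esp_replay_input(&e, 0xFFFFFFC1u, true) != REPLAY_STALE) return 9;
	if (esp_replay_input(&w, 5, true) != REPLAY_OK || w.rpl != 0x100000005ULL) return 10;
	if (esp_replay_input(&w, 0xFFFFFFF0u, true) != REPLAY_DUP) return 11;
	return 0;
}
```

replay_selftest() walks a 32-bit SA through the first packet, a duplicate, a packet whose ICV fails (the window must not move), an in-window arrival and one that is too old, then a fresh ESN SA hitting the underflow corner and an ESN SA whose window crosses a 32-bit wrap; it returns 0 when every step behaves as described. Note that under ESN a low value below the window bottom is read as belonging to the next 32-bit cycle rather than reported as stale; a wrong guess there is caught by the ICV, which covers the full 64-bit number.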


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.185 04-Nov-2021 tobhe

The authenticator is removed elsewhere.

ok patrick@


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
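The replay handling discussed in revs 1.169, 1.121, 1.117 and this one (1.70), as an added worked example that is not OpenBSD's code: a 64-packet window with 64-bit ESN reconstruction per RFC 4303 Appendix A2.2, split into a check that runs before the ICV is verified and an update that runs only afterwards. struct replay_state, esn_reconstruct(), replay_check(), replay_update(), esp_replay_process() and demo_forged_packet() are hypothetical names for this illustration, the icv_ok flag stands in for the real ICV comparison, and the packet sequence in demo_forged_packet() is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-SA anti-replay state, not OpenBSD's struct tdb. The
 * 64-packet window is the size from rev 1.117; rev 1.121's 2100-entry
 * window would need more than a single word. */
#define REPLAY_WINDOW 64
struct replay_state {
	uint64_t last;		/* highest authenticated ESN, 0 = none yet */
	uint64_t bitmap;	/* bit i set: ESN (last - i) already received */
};

/* Rebuild the 64-bit ESN from the 32-bit low half on the wire (RFC 4303
 * Appendix A2.2). Every seql maps into or above the window, so a stale packet
 * is not detectable here: it gets the wrong high half and fails the ICV
 * instead. Returns 0, never a valid ESN, if the result would underflow. */
static uint64_t esn_reconstruct(const struct replay_state *st, uint32_t seql)
{
	uint32_t th = (uint32_t)(st->last >> 32);	/* Th */
	uint32_t tl = (uint32_t)st->last;		/* Tl */
	uint32_t bl = tl - (REPLAY_WINDOW - 1);		/* Bl, mod 2^32 */
	uint32_t sh = th;
	if (tl >= REPLAY_WINDOW - 1) {		/* window within one high half */
		if (seql < bl)
			sh = th + 1;
	} else if (seql >= bl) {		/* window straddles the wrap */
		if (th == 0)
			return 0;
		sh = th - 1;
	}
	return ((uint64_t)sh << 32) | seql;
}

/* Phase 1, before the ICV is verified: may the packet be processed, and
 * what is its ESN? Never modifies the window. */
static int replay_check(const struct replay_state *st, uint32_t seql, uint64_t *seq)
{
	uint64_t s = esn_reconstruct(st, seql);
	if (s == 0)
		return -1;			/* ESN 0 is invalid; SAs start at 1 */
	if (s <= st->last) {
		uint64_t idx = st->last - s;
		if (idx >= REPLAY_WINDOW || (st->bitmap & (1ULL << idx)))
			return -1;		/* outside the window, or a replay */
	}
	*seq = s;
	return 0;
}

/* Phase 2, only after the ICV verified. Uses the ESN from phase 1 instead of
 * re-deriving it from state that may have moved meanwhile (rev 1.169). */
static void replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->last) {
		uint64_t diff = seq - st->last;
		st->bitmap = diff >= REPLAY_WINDOW ? 1 : (st->bitmap << diff) | 1;
		st->last = seq;
	} else
		st->bitmap |= 1ULL << (st->last - seq);
}

/* One inbound ESP packet; icv_ok stands in for the real ICV comparison.
 * Returns the accepted ESN, or 0 if the packet is dropped. */
static uint64_t esp_replay_process(struct replay_state *st, uint32_t seql, int icv_ok)
{
	uint64_t seq;
	if (replay_check(st, seql, &seq) != 0 || !icv_ok)
		return 0;	/* replay or forged: drop, window untouched (rev 1.70) */
	replay_update(st, seq);
	return seq;
}

/* Rev 1.70's attack on constructed traffic: after ESNs 1..5 an attacker injects
 * seql 1000 with a bad ICV, then the genuine packet 6 arrives. Returns the ESN
 * the receiver assigns to packet 6: 6 with the correct ordering, 0x100000006 if
 * the window was advanced before authentication (the sender's ICV, computed
 * with high half 0, would then never verify again and the SA stalls). */
static uint64_t demo_forged_packet(int advance_before_auth)
{
	struct replay_state st = { 0, 0 };
	uint64_t seq = 0;
	uint32_t s;
	for (s = 1; s <= 5; s++)
		esp_replay_process(&st, s, 1);
	if (advance_before_auth) {
		if (replay_check(&st, 1000, &seq) == 0)
			replay_update(&st, seq);	/* wrong: not yet authenticated */
		replay_check(&st, 6, &seq);	/* what packet 6 now looks like */
		return seq;
	}
	esp_replay_process(&st, 1000, 0);	/* forged packet, ICV fails */
	return esp_replay_process(&st, 6, 1);
}

int main(void)
{
	printf("correct order: ESN %llu; broken order: ESN 0x%llx\n",
	    (unsigned long long)demo_forged_packet(0), (unsigned long long)demo_forged_packet(1));
	return 0;
}
```

Two properties follow from the ordering: a forged packet with a large sequence number cannot move the window because replay_update() is only reached after the ICV verified (the DoS fixed in rev 1.70), and the ESN handed to replay_update() is the one replay_check() computed, so both halves of the check agree even when other packets were processed in between (the mismatch fixed in rev 1.169). The single 64-bit word only covers the 64-entry window from rev 1.117.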


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.184 24-Oct-2021 tobhe

Merge esp_input_cb() into esp_input().

ok bluhm@


# 1.183 24-Oct-2021 bluhm

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@


# 1.182 24-Oct-2021 tobhe

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@


# 1.181 24-Oct-2021 tobhe

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.180 24-Oct-2021 bluhm

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@


# 1.179 23-Oct-2021 bluhm

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@


# 1.178 23-Oct-2021 tobhe

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.
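
As an added example (not OpenBSD's ip_esp.c, and not the committer's code), the receiver-side anti-replay check described in this commit, following RFC 4303 Appendix A with 64-bit ESN and a 64-entry window; it also shows the point of revision 1.169, that the full sequence number is reconstructed once and the same value is reused for every check and for the update. All names (struct replay_state, esn_reconstruct, replay_check, replay_update, process_trace) and the packet trace are constructed for illustration.

```c
/* Added example, not OpenBSD's ip_esp.c: receiver-side ESP anti-replay check
 * with 64-bit Extended Sequence Numbers after RFC 4303 Appendix A. All names
 * and the packet trace are constructed for illustration. */
#include <stdint.h>

#define REPLAY_WINDOW 64	/* window in bits, the size the 2012 commit adopted */

struct replay_state {
	uint64_t top;		/* highest authenticated ESN so far, "T" in the RFC */
	uint64_t bitmap;	/* bit i set: ESN (top - i) already seen, i < window */
};

enum replay_result {
	REPLAY_INVALID,		/* ESN 0 never occurs: the first packet of an SA is 1 */
	REPLAY_NEW,		/* above the window: accept, window slides on update */
	REPLAY_IN_WINDOW,	/* inside the window, not yet seen: accept */
	REPLAY_TOO_OLD,		/* below the window: drop */
	REPLAY_DUPLICATE	/* inside the window, already seen: drop */
};

/* Rebuild the full ESN from the 32 bits on the wire (RFC 4303 A2.2). */
uint64_t
esn_reconstruct(const struct replay_state *st, uint32_t seql)
{
	uint32_t th = (uint32_t)(st->top >> 32), tl = (uint32_t)st->top;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* window bottom, wraps mod 2^32 */
	uint32_t seqh;

	if (tl >= REPLAY_WINDOW - 1) {
		/* Case A: window within one cycle. A seql below it is taken to
		 * be from the next cycle; a wrong guess fails the ICV, which
		 * covers the high 32 bits, so no too-old verdict arises here. */
		seqh = (seql >= bl) ? th : th + 1;
	} else {
		/* Case B: window straddles a cycle boundary; a large seql belongs
		 * to the previous cycle, unless there is none (th == 0). */
		seqh = (seql >= bl && th > 0) ? th - 1 : th;
	}
	return ((uint64_t)seqh << 32) | seql;
}

/* Classify a 64-bit ESN against the window; no state is changed. */
enum replay_result
replay_check(const struct replay_state *st, uint64_t seq)
{
	if (seq == 0)
		return REPLAY_INVALID;
	if (seq > st->top)
		return REPLAY_NEW;
	uint64_t diff = st->top - seq;
	if (diff >= REPLAY_WINDOW)
		return REPLAY_TOO_OLD;
	return (st->bitmap & ((uint64_t)1 << diff)) ?
	    REPLAY_DUPLICATE : REPLAY_IN_WINDOW;
}

/* Slide or mark the window. Call only after the ICV verified: advancing on
 * unauthenticated packets lets a forged high sequence number push valid
 * traffic out of the window, the denial of service this log records. */
void
replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->top) {
		uint64_t shift = seq - st->top;

		st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->top = seq;
	} else {
		st->bitmap |= (uint64_t)1 << (st->top - seq);
	}
}

/* Run a trace of on-the-wire sequence numbers through a fresh SA and return
 * how many packets the window accepts. The ESN is reconstructed once per
 * packet and that value serves the post-decryption check and the update. */
int
process_trace(const uint32_t *wire, int n)
{
	struct replay_state st = { 0, 0 };
	int accepted = 0, i;

	for (i = 0; i < n; i++) {
		uint64_t seq = esn_reconstruct(&st, wire[i]);
		enum replay_result r = replay_check(&st, seq);

		/* ICV verification and decryption would sit here; the state is
		 * untouched meanwhile, so re-checking seq yields the same r. */
		if (r == REPLAY_NEW || r == REPLAY_IN_WINDOW) {
			replay_update(&st, seq);
			accepted++;
		}
	}
	return accepted;
}

/* Constructed trace: fresh SA, duplicates, reordering and a jump of 195. */
const uint32_t sample_trace[] = { 1, 1, 5, 3, 3, 2, 200, 150, 150 };
const int sample_trace_len = 9;
```

With ESN the reconstruction never yields a too-old verdict: a low sequence number below the window is assigned to the next cycle and is then rejected by the ICV, which covers the high 32 bits.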


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.177 22-Oct-2021 bluhm

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed, and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packets.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

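The Extended Sequence Number replay check introduced here, and the race the 1.169 entry describes (the same 32-bit number mapped to different 64-bit values before and after crypto, so the high bits moved although the low bits never wrapped), can be illustrated with a small model. This is an added example, not the OpenBSD kernel code: the esn_* names, the esn_state layout and the constructed packet scenario are assumptions, with the window fixed at 64 as in this commit.

```c
#include <stdint.h>

/*
 * Added example, not the OpenBSD kernel code: a minimal ESN anti-replay
 * window in the style of RFC 4303 Appendix A2. All names are hypothetical;
 * the window holds 64 packets as in the 1.117 commit.
 */
#define ESN_WINDOW 64

struct esn_state {
	uint64_t top;		/* T: highest 64-bit sequence number accepted */
	uint64_t bitmap;	/* bit i set: sequence number top - i was seen */
};

enum esn_verdict { ESN_NEW, ESN_IN_WINDOW, ESN_REPLAY, ESN_TOO_OLD };

/* Check an already-known 64-bit sequence number against the window. */
enum esn_verdict
esn_check_esn(const struct esn_state *st, uint64_t seq)
{
	uint64_t diff;

	if (seq > st->top)
		return ESN_NEW;
	diff = st->top - seq;
	if (diff >= ESN_WINDOW)
		return ESN_TOO_OLD;
	return ((st->bitmap >> diff) & 1) ? ESN_REPLAY : ESN_IN_WINDOW;
}

/*
 * Estimate the 64-bit ESN from the 32-bit number in the ESP header
 * (RFC 4303 A2.2, cases A and B) and check it against the window.
 */
enum esn_verdict
esn_check(const struct esn_state *st, uint32_t seql, uint64_t *seq)
{
	uint32_t tl = (uint32_t)st->top;
	uint32_t th = (uint32_t)(st->top >> 32);
	uint32_t bl = tl - ESN_WINDOW + 1;	/* window bottom; wraps in case B */
	uint32_t seqh;

	if (tl >= ESN_WINDOW - 1) {
		/* Case A: the window lies within one 2^32 subspace. */
		seqh = (seql >= bl) ? th : th + 1;
	} else if (seql >= bl) {
		/* Case B: window spans two subspaces, seql is in the lower one. */
		if (th == 0)
			return ESN_TOO_OLD;	/* nothing precedes the SA's first subspace */
		seqh = th - 1;
	} else {
		seqh = th;
	}
	*seq = ((uint64_t)seqh << 32) | seql;
	return esn_check_esn(st, *seq);
}

/* Slide or mark the window; call only after the ICV has verified. */
void
esn_update(struct esn_state *st, uint64_t seq)
{
	if (seq > st->top) {
		uint64_t shift = seq - st->top;
		st->bitmap = (shift >= ESN_WINDOW) ? 0 : st->bitmap << shift;
		st->top = seq;
		st->bitmap |= 1;
	} else if (st->top - seq < ESN_WINDOW) {
		st->bitmap |= (uint64_t)1 << (st->top - seq);
	}
}

/*
 * Shape of the race in the 1.169 entry: packet P is checked before
 * decryption, waits in the crypto queue while a later packet moves the
 * window across the 2^32 boundary, and is checked again afterwards.
 * Re-estimating the ESN from the live window gives a different 64-bit
 * value; reusing the stored value gives a consistent decision.
 * Returns 1 if the two estimates differ, -1 on an unexpected verdict.
 */
int
esn_race_demo(uint64_t *seq_before, uint64_t *seq_after,
    enum esn_verdict *verdict_stored)
{
	/* Constructed state: the SA is a few packets short of 2^32. */
	struct esn_state st = { .top = 0xFFFFFFFAULL, .bitmap = 1 };
	uint64_t seq_other;

	/* 1. Pre-decryption check of P (seql 0xFFFFFFFC): new, high bits 0. */
	if (esn_check(&st, 0xFFFFFFFCU, seq_before) != ESN_NEW)
		return -1;
	/* 2. A later packet finishes crypto first; top becomes 0x1_00000050. */
	if (esn_check(&st, 0x00000050U, &seq_other) != ESN_NEW)
		return -1;
	esn_update(&st, seq_other);
	/* 3a. Buggy: re-estimate P's ESN from the live window (high bits 1). */
	(void)esn_check(&st, 0xFFFFFFFCU, seq_after);
	/* 3b. Fixed: decide on the value stored with P while it was queued. */
	*verdict_stored = esn_check_esn(&st, *seq_before);
	return *seq_before != *seq_after;
}
```

With the stored value the late packet is dropped as too old, which is the correct outcome; the recomputed estimate would instead have been accepted as new under the wrong high bits.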

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.176 21-Oct-2021 tobhe

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed, and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)
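Review bot: `type caddr_t;` declares caddr_t as a type metavariable, so the pattern `(caddr_t)cp` in the `-` line matches a cast to any type on the fourth m_copydata argument, not only a cast to caddr_t; to restrict the rule to the literal caddr_t cast, declare the name as a concrete type with `typedef caddr_t;` instead.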

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packets.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

Replay check was rewritten to implement the algorithm described in
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies to virtual interfaces and
simplify monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.175 21-Oct-2021 tobhe

Remove duplicate variable ibytes, use plen instead.

ok bluhm@


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows isakmpd/iked/ipsecctl to run in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
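
The replay-window mechanics that the 1.169, 1.117 and 1.70 entries describe, as an added example in C (not OpenBSD's checkreplaywindow() or struct tdb; the struct and function names, the 64-packet window and the sample sequence numbers are assumptions for illustration): the 64-bit ESN reconstruction from RFC 4303 Appendix A, a check that never modifies the window, an update that runs only after the ICV verified, and two constructed scenarios. In the first, updating the window before authentication lets a forged packet strand the peer's genuine traffic; in the second, re-deriving the high 32 bits from a counter that moved while the packet sat in the crypto queue reconstructs a sequence number the sender never used.

```c
#include <stdbool.h>
#include <stdint.h>

/* ESP anti-replay window with 64-bit extended sequence numbers (ESN), after
 * RFC 4303 Appendix A. All names are illustrative assumptions, not the kernel's. */
#define REPLAY_WINDOW 64u		/* packets; the uint64_t bitmap holds exactly this many */

struct replay_state {
	uint64_t last;			/* highest sequence number that passed ICV verification */
	uint64_t bitmap;		/* bit i set: packet (last - i) was already received */
};
enum replay_result { REPLAY_OK = 0, REPLAY_STALE, REPLAY_DUP, REPLAY_INVALID };

/* Rebuild the 64-bit number from the 32 bits on the wire (RFC 4303 A.2.2). The high
 * half is inferred from `last`, so both checks for one packet must use the same snapshot. */
static bool
replay_extend(uint64_t last, uint32_t seq_lo, uint64_t *seq)
{
	uint32_t th = (uint32_t)(last >> 32), tl = (uint32_t)last;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* wraps mod 2^32 on purpose */
	if (tl >= REPLAY_WINDOW - 1) {		/* case A: window not wrapped */
		if (seq_lo < bl && th++ == UINT32_MAX)
			return false;		/* 64-bit counter exhausted: rekey */
	} else if (seq_lo >= bl && th-- == 0)	/* case B: window straddles 2^32 */
		return false;			/* would predate the SA */
	*seq = ((uint64_t)th << 32) | seq_lo;
	return true;
}

/* Run before ICV verification and again after it; never touches the state. */
enum replay_result
replay_check(const struct replay_state *st, uint64_t last_snapshot, uint32_t seq_lo,
    uint64_t *seq_out)
{
	uint64_t diff;
	*seq_out = 0;
	if (!replay_extend(last_snapshot, seq_lo, seq_out) || *seq_out == 0)
		return REPLAY_INVALID;		/* the first packet of an SA is 1 */
	if (*seq_out > st->last)
		return REPLAY_OK;		/* new; will advance the window */
	diff = st->last - *seq_out;
	if (diff >= REPLAY_WINDOW)
		return REPLAY_STALE;		/* fell off the left edge */
	return ((st->bitmap >> diff) & 1) ? REPLAY_DUP : REPLAY_OK;
}

/* Only after the ICV verified, for a seq that replay_check() accepted. */
void
replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->last) {
		uint64_t shift = seq - st->last;
		st->bitmap = shift >= REPLAY_WINDOW ? 1 : (st->bitmap << shift) | 1;
		st->last = seq;
	} else
		st->bitmap |= (uint64_t)1 << (st->last - seq);
}

/* Constructed stream: a duplicate, a reorder, a forged packet, the peer's next two
 * packets, a zero. The ICV covers the full 64-bit number, so a packet only verifies
 * when the receiver rebuilt the number the sender used (modelled by seq == sent). */
int
replay_demo_stream(bool update_before_auth)
{
	struct replay_state st = { .last = 0, .bitmap = 0 };
	static const struct { uint64_t sent; bool forged; } wire[] = {
		{1, false}, {2, false}, {3, false}, {2, false}, {5, false}, {4, false},
		{100000, true}, {6, false}, {7, false}, {0, false} };
	uint64_t seq;
	int accepted = 0;
	for (unsigned i = 0; i < sizeof(wire) / sizeof(wire[0]); i++) {
		if (replay_check(&st, st.last, (uint32_t)wire[i].sent, &seq) != REPLAY_OK)
			continue;		/* dropped before any crypto work */
		if (update_before_auth)
			replay_update(&st, seq);	/* the DoS of 1.70: unverified data moves the window */
		if (wire[i].forged || seq != wire[i].sent)
			continue;		/* ICV does not verify */
		if (!update_before_auth)
			replay_update(&st, seq);
		accepted++;
	}
	return accepted;			/* 7 when fixed, 5 with the bug */
}

/* The 1.169 scenario: an ESN packet waits in the crypto queue while other packets carry
 * the counter across a 2^32 boundary. The queue-time snapshot recovers the number the
 * sender used; the drifted counter invents a high half that never existed. */
static enum replay_result
snapshot_scenario(bool use_snapshot, uint64_t *seq)
{
	struct replay_state st = { .last = 0x00000000FFFFFFF0ull, .bitmap = 1 };
	uint64_t snapshot = st.last;		/* stored with the queued packet */
	uint32_t seq_lo = 0xFFFFFFF5u;		/* constructed wire value of that packet */
	for (uint64_t s = st.last + 1; s <= 0x0000000100000040ull; s++)
		if (s != 0x00000000FFFFFFF5ull)
			replay_update(&st, s);	/* meanwhile, 79 others authenticate */
	return replay_check(&st, use_snapshot ? snapshot : st.last, seq_lo, seq);
}
enum replay_result replay_demo_snapshot_result(bool snap) { uint64_t s; return snapshot_scenario(snap, &s); }
uint64_t replay_demo_snapshot_seq(bool snap) { uint64_t s = 0; snapshot_scenario(snap, &s); return s; }
```

The `last_snapshot` argument to replay_check() is the point of 1.169: the kernel keeps that value with the packet (in struct tdb_crypto) while it is queued, so the pre- and post-decryption checks agree; with the drifted counter the queued packet comes back as 0x1FFFFFFF5 instead of 0xFFFFFFF5 and would fail authentication, while with the snapshot it is correctly reported as having fallen out of the window. A 2100-entry window as in 1.121 needs an array of words instead of one uint64_t bitmap; the shifting logic is the same.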


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.174 13-Oct-2021 bluhm

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@


# 1.173 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


Revision tags: OPENBSD_7_0_BASE
# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.172 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.171 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.170 26-Jul-2021 bluhm

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.
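
An added example (not code from OpenBSD's ip_esp.c or from these commits) for the RFC 4303 Appendix A replay check described in this entry, and for the 1.169 entry above, where the check run before and the check run after the asynchronous crypto operation must see the same replay counter; the names (esn_window, esn_check, esn_update, esn_packet_path) and the 64-entry window are assumptions of the example.

```c
/*
 * Added example, not code from OpenBSD's ip_esp.c: the 64-bit Extended
 * Sequence Number (ESN) replay check of RFC 4303 Appendix A (entry 1.117),
 * plus a model of the 1.169 problem where the check before and the check
 * after the asynchronous crypto operation saw different replay counters.
 * All names and the 64-entry window are this example's own choices.
 */
#include <stdbool.h>
#include <stdint.h>

#define ESN_WINDOW 64   /* W; fits one 64-bit bitmap word */

struct esn_window {
    uint64_t last;      /* highest authenticated seq, T = Th:Tl */
    uint64_t bitmap;    /* bit i set: seq (last - i) was already seen */
};

enum esn_result { ESN_NEW, ESN_IN_WINDOW, ESN_REPLAY };

/* Fresh SA: seq 0 is never valid, the first packet uses 1 (entry 1.161). */
static const struct esn_window esn_initial = { 0, 1 };

/*
 * Derive the full 64-bit seq from the 32 low-order bits carried on the
 * wire, using only the window snapshot 'w' (RFC 4303 Appendix A2), and
 * classify the packet against that snapshot.
 */
static enum esn_result
esn_check(struct esn_window w, uint32_t seql, uint64_t *seq)
{
    uint32_t tl = (uint32_t)w.last, th = (uint32_t)(w.last >> 32);
    uint32_t bl = tl - (ESN_WINDOW - 1);    /* window bottom; wraps in case B */
    uint32_t seqh;
    uint64_t off;

    if (tl >= ESN_WINDOW - 1) {
        /* Case A: the window lies within one high-order subspace. */
        seqh = (seql >= bl) ? th : th + 1;  /* th + 1: low bits wrapped */
    } else if (seql >= bl) {
        /* Case B: window straddles two subspaces; seql is in the lower one. */
        if (th == 0)
            return ESN_REPLAY;              /* nothing precedes seq 0 */
        seqh = th - 1;
    } else {
        seqh = th;
    }
    *seq = ((uint64_t)seqh << 32) | seql;
    if (*seq > w.last)
        return ESN_NEW;
    off = w.last - *seq;
    if (off >= ESN_WINDOW)
        return ESN_REPLAY;                  /* older than the window */
    return ((w.bitmap >> off) & 1) ? ESN_REPLAY : ESN_IN_WINDOW;
}

/* Record an authenticated seq; only called after the ICV verified. */
static void
esn_update(struct esn_window *w, uint64_t seq)
{
    if (seq > w->last) {
        uint64_t shift = seq - w->last;

        w->bitmap = (shift >= 64) ? 0 : w->bitmap << shift;
        w->bitmap |= 1;
        w->last = seq;
    } else if (w->last - seq < 64) {
        w->bitmap |= (uint64_t)1 << (w->last - seq);
    }
}

/*
 * One packet through the asynchronous crypto path: the input side derives
 * the seq (its high bits enter the ICV computation), the callback repeats
 * the check before updating the window. 'advance_to' models packets that
 * completed meanwhile and moved the live counter. Before 1.169 the callback
 * re-read the live counter (use_snapshot == false); 1.169 keeps the value
 * per packet in struct tdb_crypto (use_snapshot == true). Returns true if
 * the packet is accepted.
 */
static bool
esn_packet_path(struct esn_window *live, uint32_t seql,
    uint64_t advance_to, bool use_snapshot)
{
    struct esn_window snap = *live;
    uint64_t seq_in, seq_cb;

    if (esn_check(snap, seql, &seq_in) == ESN_REPLAY)
        return false;
    if (advance_to > live->last)
        esn_update(live, advance_to);       /* other packets finished first */
    if (esn_check(use_snapshot ? snap : *live, seql, &seq_cb) == ESN_REPLAY)
        return false;
    if (seq_cb != seq_in)
        return false;   /* ICV covered seq_in: "authentication failed" */
    esn_update(live, seq_in);
    return true;
}
```

With a live re-read, a packet checked as Th=0 on input is re-derived as Th=1 once other packets have pushed Tl past W-1, which is the mismatch behind the "authentication failed" messages in entry 1.169; the snapshot variant derives the same seq both times.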


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz




# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.169 18-Jul-2021 bluhm

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This allows
grouping individual ipsec policies onto virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.

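ESP framing on output and the trailer sanity checks on input that 1.160 (the sequence number as IV for the counter-mode ciphers), 1.112 (4-byte alignment of the padding for stream ciphers), 1.76 (payload length checks also for NULL encryption) and 1.42 (short packets) are about, as an added example in C. This is not OpenBSD code: struct esp_params, esp_padlen(), esp_frame(), esp_trailer() and esp_roundtrip(), the cipher geometries and the packets are constructed for the example, and the actual encryption and ICV computation are left out.

```c
/* Added example, not OpenBSD code: ESP framing on output and trailer checks
 * on input after RFC 4303 and RFC 4106.  Encryption and the ICV computation
 * are left out, and every packet here is constructed. */
#include <stdint.h>
#include <string.h>

#define ESP_HDR_LEN 8		/* SPI + low 32 bits of the sequence number */

struct esp_params {
	uint32_t spi;
	uint64_t esn;		/* 64-bit ESN; only the low 32 bits go on the wire */
	size_t ivlen;		/* 8 for AES-CTR/GCM/ChaCha20, 16 for AES-CBC, 0 for NULL */
	size_t blocksize;	/* cipher block size; 1 for stream, AEAD and NULL ciphers */
	size_t icvlen;		/* 12 for HMAC-SHA1-96, 16 for AES-GCM-16, ... */
	int iv_from_seq;	/* counter modes: IV = ESN, which cannot repeat within the SA */
	const uint8_t *iv;	/* otherwise an unpredictable per-packet IV from the caller */
};

/* RFC 4303 2.4: payload + padding + 2 (pad length, next header) is a multiple
 * of the block size and always of 4; block size 1 leaves only the 4-byte rule. */
size_t
esp_padlen(size_t payload_len, size_t blocksize)
{
	size_t align = blocksize > 4 ? blocksize : 4;
	return (align - (payload_len + 2) % align) % align;
}

/* Lay out one packet before encryption (ICV zeroed).  Returns the total
 * length, or 0 if the geometry is inconsistent or 'out' is too small. */
size_t
esp_frame(const struct esp_params *p, const uint8_t *payload, size_t plen,
    uint8_t nexthdr, uint8_t *out, size_t outlen)
{
	size_t padlen = esp_padlen(plen, p->blocksize);
	size_t total = ESP_HDR_LEN + p->ivlen + plen + padlen + 2 + p->icvlen;
	uint8_t *q = out;
	if (total > outlen || (p->iv_from_seq ? p->ivlen != 8 : p->ivlen && !p->iv))
		return 0;
	for (int i = 0; i < 8; i++)		/* SPI, then the low 32 bits of the ESN */
		*q++ = (uint8_t)((i < 4 ? p->spi : (uint32_t)p->esn) >> (24 - 8 * (i & 3)));
	if (p->iv_from_seq) {
		for (int i = 0; i < 8; i++)		/* IV = ESN, big-endian */
			*q++ = (uint8_t)(p->esn >> (56 - 8 * i));
	} else {
		memcpy(q, p->iv, p->ivlen);
		q += p->ivlen;
	}
	memcpy(q, payload, plen);
	q += plen;
	for (size_t i = 0; i < padlen; i++)
		*q++ = (uint8_t)(i + 1);		/* default padding 1, 2, 3, ... */
	*q++ = (uint8_t)padlen;
	*q++ = nexthdr;
	memset(q, 0, p->icvlen);			/* written by the MAC/AEAD step */
	return total;
}

/* Input, after ICV verification and decryption: validate lengths before
 * trusting the trailer.  Returns the payload length, or -1 if the packet is
 * shorter than its fixed parts, not block aligned, or claims more padding than data. */
long
esp_trailer(const struct esp_params *p, const uint8_t *pkt, size_t len,
    uint8_t *nexthdr)
{
	size_t fixed = ESP_HDR_LEN + p->ivlen + 2 + p->icvlen;
	size_t align = p->blocksize > 4 ? p->blocksize : 4, body;
	const uint8_t *tr;
	if (len < fixed || ((body = len - fixed) + 2) % align != 0)
		return -1;
	tr = pkt + len - p->icvlen - 2;		/* pad length, next header */
	if (tr[0] > body)
		return -1;
	*nexthdr = tr[1];
	return (long)(body - tr[0]);
}

/* Constructed round trip for one cipher geometry; 'tamper' 1 drops the last
 * byte on the wire, 2 forges the pad length field.  Returns -1 if the input
 * side rejects the packet, else payload length * 1000 + framed length. */
long
esp_roundtrip(size_t ivlen, size_t blocksize, size_t icvlen, int iv_from_seq,
    size_t plen, int tamper)
{
	static const uint8_t cbciv[16] = { 0xa5, 0x5a };	/* constructed; random in real use */
	struct esp_params p = { 0x1000, 1, ivlen, blocksize, icvlen, iv_from_seq, cbciv };
	uint8_t payload[64], pkt[128], nh;
	size_t total;
	long got;
	memset(payload, 'x', sizeof(payload));
	if ((total = esp_frame(&p, payload, plen, 17, pkt, sizeof(pkt))) == 0)
		return -1;				/* 17: UDP as the next header */
	if (tamper == 1)
		total--;
	else if (tamper == 2)
		pkt[total - icvlen - 2] = 0xff;
	got = esp_trailer(&p, pkt, total, &nh);
	return got < 0 ? -1 : got * 1000 + (long)total;
}
```

esp_roundtrip(8, 1, 16, 1, 5, 0) is the AES-GCM-16 geometry: a 5-byte payload gets one pad byte so that payload, pad and the two trailer bytes come to a multiple of 4, and the 8-byte IV is the sequence number itself. esp_roundtrip(16, 16, 12, 0, 5, 0) is AES-CBC with HMAC-SHA1-96 and a caller-supplied IV, padded to the 16-byte block. esp_roundtrip(0, 1, 12, 0, 20, 0) is NULL encryption, where the alignment and pad length checks still apply. With tamper set, the input side rejects a packet that lost its last byte on the wire and one whose pad length field claims more padding than the packet carries, instead of computing a negative payload length.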

Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.168 16-Jul-2021 bluhm

Improve comments in IPsec replay window calculation.
OK tobhe@


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding failes; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely acedemic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.167 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.166 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packets.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place into their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

The replay check was rewritten to implement the algorithm described in
Appendix A of RFC4303, and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing an mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
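
The anti-replay window from rev 1.117 (RFC 4303 Appendix A, 64-bit ESN, window of 64) together with the ordering rule from rev 1.70 above (the window must never advance on a packet whose ICV has not verified), as an added C example that is not the OpenBSD ip_esp.c code. `esp_receive()` and its `sent_seq` stand-in for ICV verification are assumptions of this example, not kernel interfaces.

```c
/* ESN anti-replay window after RFC 4303 Appendix A with W = 64 (rev 1.117).
 * Constructed example, not the OpenBSD ip_esp.c code. */
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u

struct replay {
	uint64_t wbitmap;	/* bit i set: seq (last - i) has been received */
	uint64_t last;		/* highest authenticated 64-bit sequence number */
};

/* Infer the 64-bit ESN from the 32-bit wire value (RFC 4303 A2.2) and test it
 * against the window.  Returns 0 with the candidate in *seq if the packet may
 * be valid, -1 if it is a replay or too old.  Never modifies *rp: the window
 * moves only after the ICV verified (the DoS fixed in rev 1.70). */
int
replay_check(const struct replay *rp, uint32_t seql, uint64_t *seq)
{
	uint32_t th = (uint32_t)(rp->last >> 32);	/* Seqh at top of window */
	uint32_t tl = (uint32_t)rp->last;		/* Seql at top of window */
	uint32_t bl = tl - REPLAY_WINDOW + 1;		/* Seql at bottom (may wrap) */
	uint64_t cand, diff;
	if (tl >= REPLAY_WINDOW - 1) {		/* case A: no wrap inside window */
		if (seql >= bl)
			cand = ((uint64_t)th << 32) | seql;
		else
			cand = (((uint64_t)th + 1) << 32) | seql; /* next epoch */
	} else {				/* case B: window straddles a wrap */
		if (seql >= bl) {
			if (th == 0)
				return -1;	/* predates the SA: no epoch -1 */
			cand = (((uint64_t)th - 1) << 32) | seql;
		} else
			cand = ((uint64_t)th << 32) | seql;
	}
	if (cand > rp->last) {
		*seq = cand;			/* right of the window: new */
		return 0;
	}
	diff = rp->last - cand;
	if (diff >= REPLAY_WINDOW)
		return -1;			/* left of the window: too old */
	if (rp->wbitmap & ((uint64_t)1 << diff))
		return -1;			/* in the window but already seen */
	*seq = cand;
	return 0;
}

/* Record an authenticated packet; seq must have passed replay_check(). */
void
replay_update(struct replay *rp, uint64_t seq)
{
	if (seq > rp->last) {
		uint64_t shift = seq - rp->last;
		rp->wbitmap = (shift >= 64 ? 0 : rp->wbitmap << shift) | 1;
		rp->last = seq;
	} else
		rp->wbitmap |= (uint64_t)1 << (rp->last - seq);
}

/* Receive order: cheap window check, crypto, window update only on success.
 * The ICV covers the full 64-bit ESN, so verification is modelled as
 * "inferred seq == the seq the sender authenticated"; sent_seq == 0 models a
 * packet with no valid ICV (constructed input).  Returns 1 if accepted. */
int
esp_receive(struct replay *rp, uint32_t seql, uint64_t sent_seq)
{
	uint64_t seq;
	if (replay_check(rp, seql, &seq) != 0)
		return 0;		/* replay or too old: no crypto spent */
	if (sent_seq == 0 || seq != sent_seq)
		return 0;		/* ICV failed: must not advance the window */
	replay_update(rp, seq);
	return 1;
}

#define EXPECT(c) do { if (c) ok++; else printf("failed: %s\n", #c); } while (0)

/* Walk one SA through the cases above; returns how many expectations held. */
int
demo_replay_window(void)
{
	struct replay rp = { .wbitmap = 1, .last = 0 };	/* seq 0 pre-marked: first ESP seq is 1 */
	int ok = 0;
	EXPECT(esp_receive(&rp, 1, 1) == 1);		/* first packet has seq 1 */
	EXPECT(esp_receive(&rp, 1, 1) == 0);		/* replay */
	EXPECT(esp_receive(&rp, 3, 3) == 1);
	EXPECT(esp_receive(&rp, 2, 2) == 1);		/* reordered, inside window */
	EXPECT(esp_receive(&rp, 2, 2) == 0);		/* replay of the reordered one */
	EXPECT(esp_receive(&rp, 5000, 0) == 0 && rp.last == 3);	/* forged: window stays */
	EXPECT(esp_receive(&rp, 300, 300) == 1);	/* genuine traffic still flows */
	EXPECT(esp_receive(&rp, 200, 200) == 0);	/* left of window: read as next epoch, ICV fails */
	EXPECT(esp_receive(&rp, 240, 240) == 1);	/* 60 behind: still inside */
	rp.last = 0xFFFFFFFEULL; rp.wbitmap = 1;	/* ESN: Seql wraps 0xFFFFFFFE -> 5, Seqh becomes 1 */
	EXPECT(esp_receive(&rp, 5, 0x100000005ULL) == 1 && rp.last == 0x100000005ULL);
	EXPECT(esp_receive(&rp, 0xFFFFFFFF, 0xFFFFFFFFULL) == 1);	/* late, previous epoch */
	EXPECT(esp_receive(&rp, 0xFFFFFFFE, 0xFFFFFFFEULL) == 0);	/* seen before the wrap */
	return ok;
}
```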


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


# 1.165 08-Jul-2021 bluhm

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@


# 1.164 07-Jul-2021 bluhm

Fix whitespaces in IPsec code.


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packets.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required, use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing an mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
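
The replay check from 1.117 (RFC 4303 Appendix A with 64-bit ESN) and the ordering fix from 1.70 above (only an authenticated packet may advance the window), written out as an added illustration for this log; it is not OpenBSD's checkreplaywindow(), and the window size, the names and the icv_ok flag standing in for ICV verification are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Anti-replay window with 64-bit ESN per RFC 4303 Appendix A. Illustrative,
 * not OpenBSD's checkreplaywindow(); REPLAY_WINDOW is an assumed size (x64). */
#define REPLAY_WINDOW 128
#define REPLAY_WORDS  (REPLAY_WINDOW / 64)
#define SLOT_WORD(seq) (((seq) % REPLAY_WINDOW) / 64)
#define SLOT_BIT(seq)  ((uint64_t)1 << (((seq) % REPLAY_WINDOW) % 64))

struct replay_state {
	uint64_t top;                  /* highest authenticated sequence number */
	uint64_t bitmap[REPLAY_WORDS]; /* bit for seq % REPLAY_WINDOW set = seen */
};

enum replay_result {
	REPLAY_NEW,        /* above the window; advances it once authenticated */
	REPLAY_IN_WINDOW,  /* inside the window, not seen before */
	REPLAY_DUPLICATE,  /* inside the window, already seen */
	REPLAY_TOO_OLD     /* below the window, or sequence number 0 */
};

/* Reconstruct seqh for a received seql from the window top (RFC 4303 Appendix
 * A2, cases A and B). Returns false if the result would precede seq 0. */
static bool
esn_reconstruct(uint64_t top, uint32_t seql, uint64_t *seq)
{
	uint32_t tl = (uint32_t)top, th = (uint32_t)(top >> 32);
	uint32_t bl = tl - (REPLAY_WINDOW - 1); /* lower bound, mod 2^32 */
	uint32_t seqh;
	if (tl >= REPLAY_WINDOW - 1) {
		/* Case A: the window does not cross a seqh boundary. */
		seqh = (seql >= bl) ? th : th + 1;
	} else if (seql >= bl) {
		/* Case B, packet below the boundary: previous seqh. */
		if (th == 0)
			return false;
		seqh = th - 1;
	} else {
		/* Case B, packet above the boundary: in window or new. */
		seqh = th;
	}
	*seq = ((uint64_t)seqh << 32) | seql;
	return true;
}

/* Read-only check run before the ICV is verified; it never modifies the
 * window, so an unauthenticated packet cannot advance the counter. */
static enum replay_result
replay_check(const struct replay_state *rs, uint32_t seql, uint64_t *seq)
{
	if (!esn_reconstruct(rs->top, seql, seq) || *seq == 0)
		return REPLAY_TOO_OLD; /* the first packet of an SA uses 1 */
	if (*seq > rs->top)
		return REPLAY_NEW;
	/* Guard only: with ESN the reconstruction never lands below the window. */
	if (rs->top >= REPLAY_WINDOW && *seq <= rs->top - REPLAY_WINDOW)
		return REPLAY_TOO_OLD;
	return (rs->bitmap[SLOT_WORD(*seq)] & SLOT_BIT(*seq)) ?
	    REPLAY_DUPLICATE : REPLAY_IN_WINDOW;
}

/* Commit an authenticated sequence number, sliding the window if needed. */
static void
replay_update(struct replay_state *rs, uint64_t seq)
{
	if (seq > rs->top) {
		if (seq - rs->top >= REPLAY_WINDOW) {
			memset(rs->bitmap, 0, sizeof(rs->bitmap));
		} else {
			/* Slots for (top, seq] still hold entries one window back. */
			for (uint64_t s = rs->top + 1; s <= seq; s++)
				rs->bitmap[SLOT_WORD(s)] &= ~SLOT_BIT(s);
		}
		rs->top = seq;
	}
	rs->bitmap[SLOT_WORD(seq)] |= SLOT_BIT(seq);
}

/* Inbound handling of one ESP packet: replay check, then ICV verification
 * (modelled by the icv_ok flag), then window update. True if accepted. */
static bool
esp_replay_process(struct replay_state *rs, uint32_t seql, bool icv_ok)
{
	uint64_t seq;
	enum replay_result r = replay_check(rs, seql, &seq);
	if (r == REPLAY_DUPLICATE || r == REPLAY_TOO_OLD)
		return false;
	if (!icv_ok)
		return false; /* forged packet: the window is left untouched */
	replay_update(rs, seq);
	return true;
}
```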


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.163 18-Jun-2021 bluhm

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@


Revision tags: OPENBSD_6_9_BASE
# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

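The replay check described in the 1.117 message above (RFC 4303 Appendix A: a sliding bitmap window plus reconstruction of the unsent high 32 bits of an extended sequence number) and the check/update split that the 1.70 message below relies on (an unauthenticated packet must never advance the window) are shown together here as an added example. This is illustrative code written for this page, not OpenBSD's ip_esp.c; the `replay_state` struct, the function names, the 64-entry window and the packet stream in `replay_scenario()` are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64	/* window width in packets, as in the 1.117 message */

/* Per-SA anti-replay state (constructed for this example, not the kernel's tdb). */
struct replay_state {
	uint64_t last_seq;	/* highest authenticated sequence number (Th||Tl) */
	uint64_t bitmap;	/* bit i set => last_seq - i has been received */
	bool esn;		/* 64-bit extended sequence numbers in use */
};

/*
 * RFC 4303 Appendix A2.2: derive the unsent high 32 bits (Seqh) from the
 * window position so that the candidate lands inside or just above the window.
 * Returns false when no valid Seqh exists (Case B before any 2^32 wrap).
 */
static bool
replay_reconstruct(const struct replay_state *rs, uint32_t seql, uint64_t *seqp)
{
	uint32_t th = (uint32_t)(rs->last_seq >> 32);
	uint32_t tl = (uint32_t)rs->last_seq;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* bottom of window, mod 2^32 */
	uint32_t seqh;

	if (!rs->esn) {
		*seqp = seql;			/* plain 32-bit sequence numbers */
		return true;
	}
	if (tl >= REPLAY_WINDOW - 1) {
		seqh = (seql >= bl) ? th : th + 1;	/* Case A: one subspace */
	} else {					/* Case B: spans a boundary */
		if (seql >= bl) {
			if (th == 0)
				return false;	/* no previous subspace exists yet */
			seqh = th - 1;
		} else
			seqh = th;
	}
	*seqp = ((uint64_t)seqh << 32) | seql;
	return true;
}

/*
 * Check only, no state change: run before ICV verification.  Returns 0 if the
 * packet may be accepted (reconstructed number in *seqp), -1 if it is a replay
 * or too old.  Keeping this apart from the update is the point of the 1.70 fix.
 */
static int
replay_check(const struct replay_state *rs, uint32_t seql, uint64_t *seqp)
{
	uint64_t seq, diff;

	if (!replay_reconstruct(rs, seql, &seq) || seq == 0)
		return -1;		/* number 0 is never sent; first packet is 1 */
	if (seq > rs->last_seq) {
		*seqp = seq;		/* right of the window: new */
		return 0;
	}
	diff = rs->last_seq - seq;
	if (diff >= REPLAY_WINDOW)
		return -1;		/* left of the window: too old */
	if (rs->bitmap & ((uint64_t)1 << diff))
		return -1;		/* inside the window but already seen */
	*seqp = seq;
	return 0;
}

/* Update: run only after the ICV verified; seq is what replay_check returned. */
static void
replay_update(struct replay_state *rs, uint64_t seq)
{
	if (seq > rs->last_seq) {
		uint64_t shift = seq - rs->last_seq;
		/* slide the window; a jump past its width clears all history */
		rs->bitmap = (shift >= REPLAY_WINDOW) ? 0 : rs->bitmap << shift;
		rs->bitmap |= 1;	/* bit 0 is last_seq itself */
		rs->last_seq = seq;
	} else
		rs->bitmap |= (uint64_t)1 << (rs->last_seq - seq);
}

/* ESN reconstruction for a given window top; 0 means no valid Seqh exists. */
uint64_t
esn_reconstruct(uint64_t last_seq, uint32_t seql)
{
	struct replay_state rs = { .last_seq = last_seq, .bitmap = 0, .esn = true };
	uint64_t seq;

	return replay_reconstruct(&rs, seql, &seq) ? seq : 0;
}

/* Constructed packet stream through check/verify/update; bit i set = packet i accepted. */
unsigned
replay_scenario(void)
{
	struct replay_state rs = { .last_seq = 0, .bitmap = 0, .esn = false };
	struct { uint32_t seq; bool icv_ok; } pkts[] = {
		{ 1, true }, { 5, true }, { 3, true },
		{ 3, true },		/* duplicate of an accepted packet */
		{ 1000, false },	/* forged: ICV fails, must not move the window */
		{ 6, true },		/* still accepted because 1000 did not move it */
		{ 100, true },		/* jump: window becomes 37..100 */
		{ 30, true }, { 36, true },	/* too old */
		{ 37, true },		/* oldest slot still inside the window */
	};
	unsigned accepted = 0;
	size_t i;

	for (i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
		uint64_t seq;

		if (replay_check(&rs, pkts[i].seq, &seq) != 0)
			continue;	/* replay or too old: drop */
		if (!pkts[i].icv_ok)
			continue;	/* bad ICV: drop without touching the window */
		replay_update(&rs, seq);
		accepted |= 1u << i;
	}
	return accepted;
}

int
main(void)
{
	printf("accepted mask 0x%x\n", replay_scenario());
	return 0;
}
```

The scenario accepts packets 0, 1, 2, 5, 6 and 9 (mask 0x267): the forged packet with sequence number 1000 passes the pre-ICV check but, because the window is only updated after authentication, the genuine packet 6 that follows is still inside the window and accepted. Later revisions on this page widen the window well beyond 64 entries; the bitmap here would then become an array, but the check/update split and the Seqh reconstruction stay the same.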

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.162 25-Feb-2021 dlg

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.

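The 64-bit sequence number reconstruction from RFC 4303 Appendix A that the 1.117 message describes, together with the 1.70 rule that unauthenticated packets must never advance the replay window, as an added example in C. This is educator code written for this page, not OpenBSD's checkreplaywindow(); the window size is the 64 of rev 1.117, and the icv_ok flag of esn_receive() is a constructed stand-in for the real ICV verification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Window size in packets; rev 1.117 used 64, which fits one uint64_t bitmap. */
#define ESN_WINDOW 64

/* Receiver-side anti-replay state for one inbound SA (constructed). */
struct esn_replay {
	uint64_t top;    /* T: highest authenticated 64-bit seq seen, 0 = none yet */
	uint64_t bitmap; /* bit i set => seq (top - i) was already accepted */
};

enum esn_result {
	ESN_ACCEPT, /* new, or inside the window and not yet seen */
	ESN_ZERO,   /* seq 0 is never valid; the first packet carries 1 */
	ESN_BELOW,  /* before the SA started (only possible while top < 2^32) */
	ESN_REPLAY, /* inside the window but already accepted */
	ESN_BADICV  /* authentication failed; the window is left untouched */
};

/*
 * Rebuild the 64-bit sequence number from the 32 bits on the wire
 * (RFC 4303 Appendix A2.2). The high half is inferred from where seql
 * falls relative to the window [b, tl]. A seql below the window is read as
 * belonging to the *next* subspace, so a genuinely old packet is rejected
 * by the ICV (computed over all 64 bits), not by this function.
 */
bool esn_reconstruct(const struct esn_replay *r, uint32_t seql, uint64_t *seq)
{
	uint32_t tl = (uint32_t)r->top;         /* low 32 bits of T  */
	uint32_t th = (uint32_t)(r->top >> 32); /* high 32 bits of T */
	uint32_t b = tl - (ESN_WINDOW - 1);     /* bottom of window, mod 2^32 */
	uint32_t seqh;

	if (tl >= ESN_WINDOW - 1) {
		/* Case A: the window lies inside one 2^32 subspace. */
		seqh = (seql >= b) ? th : th + 1;
	} else if (seql >= b) {
		/* Case B, lower part: the window wrapped from the previous subspace. */
		if (th == 0)
			return false; /* there is no subspace before the first one */
		seqh = th - 1;
	} else {
		seqh = th; /* Case B, upper part: same subspace as T */
	}
	*seq = ((uint64_t)seqh << 32) | seql;
	return true;
}

/* Pre-ICV check: classify seql without touching the window. */
enum esn_result esn_check(const struct esn_replay *r, uint32_t seql, uint64_t *seq)
{
	uint64_t diff;

	if (!esn_reconstruct(r, seql, seq))
		return ESN_BELOW;
	if (*seq == 0)
		return ESN_ZERO;
	if (*seq > r->top)
		return ESN_ACCEPT; /* right of the window: would become the new top */
	diff = r->top - *seq;
	if (diff >= ESN_WINDOW)
		return ESN_BELOW; /* unreachable with ESN, kept as a guard */
	if (r->bitmap & ((uint64_t)1 << diff))
		return ESN_REPLAY;
	return ESN_ACCEPT;
}

/* Post-ICV update: slide the window right or mark the slot as seen. */
void esn_update(struct esn_replay *r, uint64_t seq)
{
	if (seq > r->top) {
		uint64_t shift = seq - r->top;
		r->bitmap = (shift >= ESN_WINDOW) ? 0 : r->bitmap << shift;
		r->bitmap |= 1;
		r->top = seq;
	} else {
		r->bitmap |= (uint64_t)1 << (r->top - seq);
	}
}

/*
 * Inbound path in the order rev 1.70 requires: check, verify the ICV, and
 * only then advance the window. icv_ok is a constructed stand-in for the
 * real integrity verification, not a crypto call.
 */
enum esn_result esn_receive(struct esn_replay *r, uint32_t seql, bool icv_ok)
{
	uint64_t seq = 0;
	enum esn_result res = esn_check(r, seql, &seq);

	if (res != ESN_ACCEPT)
		return res;
	if (!icv_ok)
		return ESN_BADICV; /* unauthenticated data must not move the window */
	esn_update(r, seq);
	return ESN_ACCEPT;
}
```

Note that with ESN a seql far below the window is not dropped as "too old" but reinterpreted as the next subspace and left to the ICV to reject, which is why the ICV must cover the full 64-bit number.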

Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.161 18-Dec-2020 tobhe

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
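
The anti-replay logic that 1.117 describes (RFC 4303 Appendix A with 64-bit ESN and a 64-entry window) and the ordering that 1.70 fixes (the window must only advance for authenticated packets), as an added example in C that is not OpenBSD's ip_esp.c or ip_ipsp.c code; the function names, the `esp_replay` structure and the `icv_ok` flag standing in for the real ICV check are assumptions of this example.

```c
/* Added example, not OpenBSD's code: RFC 4303 Appendix A2 anti-replay
 * window with 64-bit ESN and W = 64, split into check and commit steps. */
#include <stdbool.h>
#include <stdint.h>

#define ESP_WINDOW 64	/* window size W; one 64-bit bitmap */

struct esp_replay {
	uint64_t top;		/* highest authenticated ESN (Top) */
	uint64_t bitmap;	/* bit i set <=> ESN (top - i) was seen */
};

enum esp_replay_result { ESP_REPLAY_OK, ESP_REPLAY_DUPLICATE,
    ESP_REPLAY_INVALID };

/* Reconstruct the full ESN from the 32 low bits carried in the packet. */
static bool
esp_esn_reconstruct(const struct esp_replay *rw, uint32_t seql, uint64_t *seqp)
{
	uint32_t th = (uint32_t)(rw->top >> 32);	/* Seqh of Top */
	uint32_t tl = (uint32_t)rw->top;		/* Seql of Top */
	uint32_t bl = tl - (ESP_WINDOW - 1);		/* Bottom, mod 2^32 */
	uint32_t seqh;

	if (tl >= ESP_WINDOW - 1) {	/* case A: window inside one subspace */
		if (seql < bl && th == UINT32_MAX)
			return false;	/* ESN space exhausted: rekey the SA */
		seqh = seql >= bl ? th : th + 1; /* in window/ahead : wrapped */
	} else {			/* case B: window spans a boundary */
		if (seql >= bl && th == 0)
			return false;	/* no subspace before the first one */
		seqh = seql >= bl ? th - 1 : th; /* lower part : upper/ahead */
	}
	*seqp = ((uint64_t)seqh << 32) | seql;
	return true;
}

/* Step 1: classify the packet without touching the window state. */
enum esp_replay_result
esp_replay_check(const struct esp_replay *rw, uint32_t seql, uint64_t *seqp)
{
	if (!esp_esn_reconstruct(rw, seql, seqp) || *seqp == 0)
		return ESP_REPLAY_INVALID;	/* ESP never sends ESN 0 */
	if (*seqp > rw->top)
		return ESP_REPLAY_OK;		/* right of the window */
	/* With ESN every Seql maps into the window or ahead of it (a packet
	 * older than the window gets a wrong Seqh and fails the ICV), so
	 * all that is left is the bitmap lookup for (top - seq) <= 63. */
	if (rw->bitmap & ((uint64_t)1 << (rw->top - *seqp)))
		return ESP_REPLAY_DUPLICATE;
	return ESP_REPLAY_OK;
}

/* Step 2: record seq, only after the ICV (which covers Seqh) verified. */
void
esp_replay_commit(struct esp_replay *rw, uint64_t seq)
{
	if (seq > rw->top) {
		uint64_t shift = seq - rw->top;
		/* a shift of 64 or more is undefined; the old window is gone */
		rw->bitmap = shift >= ESP_WINDOW ? 0 : rw->bitmap << shift;
		rw->bitmap |= 1;
		rw->top = seq;
	} else
		rw->bitmap |= (uint64_t)1 << (rw->top - seq);
}

/* Receive path; icv_ok stands in for the HMAC check over packet + Seqh. */
bool
esp_receive(struct esp_replay *rw, uint32_t seql, bool icv_ok)
{
	uint64_t seq;
	if (esp_replay_check(rw, seql, &seq) != ESP_REPLAY_OK || !icv_ok)
		return false;	/* a rejected packet never moves the window */
	esp_replay_commit(rw, seq);
	return true;
}

/* Constructed scenario; returns 0 on success, else the failing step. */
int
esp_replay_selftest(void)
{
	struct esp_replay rw = { 0, 0 };
	uint64_t seq;
	if (!esp_receive(&rw, 1, true)) return 1;	/* first packet */
	if (esp_receive(&rw, 1, true)) return 2;	/* replayed */
	if (esp_receive(&rw, 100, false)) return 3;	/* forged, bad ICV... */
	if (rw.top != 1) return 4;			/* ...did not move Top */
	if (!esp_receive(&rw, 100, true)) return 5;	/* genuine 100 still OK */
	if (!esp_receive(&rw, 37, true)) return 6;	/* 63 behind: in window */
	if (esp_replay_check(&rw, 36, &seq) != ESP_REPLAY_OK ||
	    seq != 0x100000024ULL) return 7;		/* 64 behind: next subspace */
	rw.top = UINT32_MAX; rw.bitmap = 1;		/* Top just below 2^32 */
	if (!esp_receive(&rw, 5, true)) return 8;	/* ESN 0x100000005 */
	if (rw.top != 0x100000005ULL) return 9;
	if (!esp_receive(&rw, 0xfffffffe, true)) return 10; /* Seqh 0, in window */
	if (esp_receive(&rw, 0xffffffff, true)) return 11;  /* duplicate */
	return 0;
}
```

Step 3 and 4 of the self-test are the 1.70 point: a packet that fails authentication is dropped without touching `top` or the bitmap, so it cannot push a later genuine packet out of the window.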


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.160 16-Dec-2020 tobhe

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding failes; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.159 30-Sep-2019 dlg

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

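The replay check described in the 1.117 entry above (RFC 4303 Appendix A, 64-entry window) and the ordering fixed in 1.70 (never advance the window on an unauthenticated packet), as an added illustration written for this page; it is not OpenBSD's checkreplaywindow() code. Names such as replay_state, replay_check, replay_update and demo_stream are hypothetical, 32-bit sequence numbers are assumed (no ESN), and the packet stream is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64	/* window size mentioned in the 1.117 entry */

/* Hypothetical per-SA replay state, not the kernel's struct tdb. */
struct replay_state {
	uint32_t last_seq;	/* highest sequence number authenticated so far */
	uint64_t bitmap;	/* bit i set: last_seq - i has been received */
};

/*
 * Step 1: classify a sequence number without touching any state.
 * This runs before the ICV is verified, so a forged packet carrying a
 * high sequence number cannot shift the window and cause genuine
 * packets to be dropped as replays (the DoS fixed in revision 1.70).
 * Returns 0 if the packet may proceed to authentication, -1 to drop.
 */
static int
replay_check(const struct replay_state *rs, uint32_t seq)
{
	uint32_t diff;

	if (seq == 0)
		return -1;	/* sequence number 0 is never valid */
	if (seq > rs->last_seq)
		return 0;	/* right of the window: new, accept */
	diff = rs->last_seq - seq;
	if (diff >= REPLAY_WINDOW)
		return -1;	/* left of the window: too old */
	if (rs->bitmap & ((uint64_t)1 << diff))
		return -1;	/* inside the window and already seen */
	return 0;
}

/*
 * Step 2: commit the sequence number only after the ICV verified.
 * The shifts are on an unsigned 64-bit value, which avoids the
 * signed-shift undefined behaviour that revision 1.194 removed.
 */
static void
replay_update(struct replay_state *rs, uint32_t seq)
{
	uint32_t diff;

	if (seq > rs->last_seq) {
		diff = seq - rs->last_seq;
		if (diff >= REPLAY_WINDOW)
			rs->bitmap = 0;		/* jumped past the whole window */
		else
			rs->bitmap <<= diff;
		rs->bitmap |= 1;		/* bit 0 is last_seq itself */
		rs->last_seq = seq;
	} else {
		diff = rs->last_seq - seq;
		rs->bitmap |= (uint64_t)1 << diff;
	}
}

/* One inbound ESP packet, reduced to what the replay logic sees. */
struct pkt {
	uint32_t seq;
	bool icv_ok;	/* outcome of the (simulated) ICV verification */
};

/* Run a constructed stream through check -> auth -> update; return accepts. */
static int
demo_stream(struct replay_state *rs)
{
	static const struct pkt stream[] = {
		{ 1, true }, { 2, true },
		{ 2, true },		/* exact replay: dropped */
		{ 100, false },		/* forged high seq, bad ICV: window untouched */
		{ 3, true },		/* still accepted because 100 did not commit */
		{ 70, true },		/* far jump: bitmap reset */
		{ 5, true },		/* 70 - 5 = 65 >= 64: too old, dropped */
		{ 7, true },		/* 70 - 7 = 63: last slot, accepted */
		{ 7, true },		/* replay of 7: dropped */
	};
	int accepted = 0;
	size_t i;

	for (i = 0; i < sizeof(stream) / sizeof(stream[0]); i++) {
		if (replay_check(rs, stream[i].seq) != 0)
			continue;	/* dropped before any crypto work */
		if (!stream[i].icv_ok)
			continue;	/* auth failed: drop, state unchanged */
		replay_update(rs, stream[i].seq);
		accepted++;
	}
	return accepted;
}

int
main(void)
{
	struct replay_state rs = { 0, 0 };
	int n = demo_stream(&rs);

	printf("accepted %d packets, last_seq %u\n", n, rs.last_seq);
	return 0;
}
```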

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.158 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.
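
The trailer rules 1.112 touches on (block-size alignment for block ciphers, 4-byte alignment for the stream-style modes and NULL encryption) together with the payload-length check 1.76 mentions, as an added C example that is not ip_esp.c's own m_pad()/m_inject() code. The function names and the constructed packet bytes are this example's assumptions; the pad-byte sequence and the placement of Pad Length and Next Header follow RFC 4303 section 2.4.

```c
#include <stddef.h>
#include <stdint.h>

/* Alignment ESP needs for a cipher: its block size, but never below 4 so the
 * Pad Length and Next Header bytes end on a 32-bit boundary (CTR, GCM,
 * Chacha20 and NULL encryption all fall in this "stream" case). */
size_t esp_align(size_t blocksize)
{
	return blocksize < 4 ? 4 : blocksize;
}

/* Pad bytes needed so that payload + padding + 2 trailer bytes is aligned. */
size_t esp_padlen(size_t payload, size_t blocksize)
{
	size_t align = esp_align(blocksize);

	return (align - (payload + 2) % align) % align;
}

/* Output: append Padding, Pad Length and Next Header to buf, which holds
 * 'payload' bytes and has room for esp_padlen() + 2 more.  The pad bytes are
 * the 1,2,3,... sequence RFC 4303 section 2.4 specifies.  Returns new length. */
size_t esp_add_trailer(uint8_t *buf, size_t payload, size_t blocksize,
    uint8_t next_header)
{
	size_t padlen = esp_padlen(payload, blocksize);

	for (size_t i = 0; i < padlen; i++)
		buf[payload + i] = (uint8_t)(i + 1);
	buf[payload + padlen] = (uint8_t)padlen;
	buf[payload + padlen + 1] = next_header;
	return payload + padlen + 2;
}

/* Input: validate and strip the trailer from 'len' decrypted bytes.  Returns
 * the payload length, or -1 when the length is not a multiple of the
 * alignment, the Pad Length field does not fit in the packet (the check
 * 1.76 extended to NULL encryption) or the pad bytes are not the expected
 * sequence. */
long esp_strip_trailer(const uint8_t *buf, size_t len, size_t blocksize,
    uint8_t *next_header)
{
	size_t padlen;

	if (len < 2 || len % esp_align(blocksize) != 0)
		return -1;
	padlen = buf[len - 2];
	if (padlen + 2 > len)
		return -1;
	for (size_t i = 0; i < padlen; i++)
		if (buf[len - 2 - padlen + i] != (uint8_t)(i + 1))
			return -1;
	*next_header = buf[len - 1];
	return (long)(len - 2 - padlen);
}

/* Round trip of a constructed payload through both sides; 1 on success. */
int demo_trailer_roundtrip(size_t payload, size_t blocksize)
{
	uint8_t buf[256], nh = 0;
	size_t len;

	if (payload > 200 || blocksize > 32)
		return 0;
	for (size_t i = 0; i < payload; i++)
		buf[i] = (uint8_t)(0xA0 + i);		/* constructed payload bytes */
	len = esp_add_trailer(buf, payload, blocksize, 6 /* IPPROTO_TCP */);
	return esp_strip_trailer(buf, len, blocksize, &nh) == (long)payload &&
	    nh == 6 && len % esp_align(blocksize) == 0;
}

/* A trailer whose Pad Length exceeds the packet must be rejected rather than
 * used to index in front of the buffer. */
long demo_bogus_padlen(void)
{
	static const uint8_t pkt[8] = { 1, 2, 3, 4, 5, 6, 200, 6 };	/* constructed */
	uint8_t nh;

	return esp_strip_trailer(pkt, sizeof pkt, 4, &nh);
}
```

For a 100-byte payload under a 16-byte block cipher the trailer adds 10 pad bytes plus the two fixed bytes to reach 112; under a stream mode or NULL encryption the same payload needs only 2 pad bytes to reach the next 4-byte boundary. The input side never trusts the Pad Length byte before checking that it fits inside the decrypted length, which is the check that has to run for NULL encryption as well.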


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.
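
The input ordering 1.70 fixes, the constant-time ICV comparison 1.111 introduces and the 64-entry ESN-aware replay window 1.117 describes, shown together as an added C example that is not ip_esp.c's own code: the 32-bit sequence number on the wire is extended per RFC 4303 Appendix A2.2 when ESN is in use, checked against the window, and the window is moved only after the ICV has compared equal. The struct, the function names and the ICV byte strings are this example's own assumptions; demo_replay_dos() replays the attack 1.70 describes with both orderings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define REPLAY_WINDOW 64		/* window size in packets, as in 1.117 */

struct esp_replay {			/* assumed per-SA replay state */
	uint64_t last;			/* highest ESN-extended seq authenticated */
	uint64_t bitmap;		/* bit i set: (last - i) already received */
	bool esn;			/* 64-bit extended sequence numbers in use */
};

/* RFC 4303 Appendix A2.2: infer the high 32 bits from the low 32 on the wire. */
static uint64_t esn_extend(const struct esp_replay *r, uint32_t seql)
{
	uint32_t th = (uint32_t)(r->last >> 32), tl = (uint32_t)r->last;
	uint32_t bottom = tl - (REPLAY_WINDOW - 1), seqh;	/* bottom wraps mod 2^32 */

	if (!r->esn)
		return seql;
	if (tl >= REPLAY_WINDOW - 1)		/* window within one 2^32 subspace */
		seqh = (seql >= bottom) ? th : th + 1;
	else					/* window straddles a subspace boundary */
		seqh = (seql >= bottom) ? (th ? th - 1 : 0) : th;
	return ((uint64_t)seqh << 32) | seql;
}

/* Before the ICV check: 0 = may be processed, 1 = seq 0, 2 = too old, 3 = replay. */
int esp_replay_check(const struct esp_replay *r, uint32_t seql, uint64_t *seq)
{
	*seq = esn_extend(r, seql);
	if (*seq == 0)
		return 1;
	if (*seq > r->last)
		return 0;
	if (r->last - *seq >= REPLAY_WINDOW)
		return 2;
	return ((r->bitmap >> (r->last - *seq)) & 1) ? 3 : 0;
}

/* Only after the ICV verified (the 1.70 fix): mark the slot or slide the window. */
void esp_replay_update(struct esp_replay *r, uint64_t seq)
{
	if (seq <= r->last) {
		r->bitmap |= (uint64_t)1 << (r->last - seq);
		return;
	}
	r->bitmap = (seq - r->last >= REPLAY_WINDOW) ? 1 : (r->bitmap << (seq - r->last)) | 1;
	r->last = seq;
}

/* Constant-time ICV comparison with the contract of timingsafe_bcmp(3) (1.111). */
int icv_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
	uint8_t acc = 0;

	for (size_t i = 0; i < n; i++)
		acc |= a[i] ^ b[i];
	return acc == 0;
}

/* One inbound packet; update_first reproduces the pre-1.70 ordering for contrast. */
bool esp_input(struct esp_replay *r, uint32_t seql, const uint8_t *recv_icv,
    const uint8_t *calc_icv, size_t icvlen, bool update_first)
{
	uint64_t seq;

	if (esp_replay_check(r, seql, &seq) != 0)
		return false;
	if (update_first)
		esp_replay_update(r, seq);
	if (!icv_equal(recv_icv, calc_icv, icvlen))
		return false;
	if (!update_first)
		esp_replay_update(r, seq);
	return true;
}

/* The 1.70 attack as a constructed stream: 1,2,3 and a replayed 2 are genuine,
 * 1000 is forged (bad ICV), then the genuine 4 and an invalid 0.  Returns how
 * many packets were accepted: 4 with the fixed ordering, 3 if the window
 * moves before authentication (seq 4 then looks too old). */
int demo_replay_dos(bool update_first)
{
	static const uint8_t good[12] = "goodicv0001", bad[12] = "forgedicv01";
	static const uint32_t seqs[] = { 1, 2, 3, 2, 1000, 4, 0 };
	struct esp_replay r = { 0, 0, false };
	int accepted = 0;

	for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
		accepted += esp_input(&r, seqs[i], seqs[i] == 1000 ? bad : good,
		    good, sizeof good, update_first);
	return accepted;
}

/* Exposes the ESN extension for a given window state (bitmap is irrelevant). */
uint64_t demo_esn_extend(uint64_t last, uint32_t seql)
{
	struct esp_replay r = { last, 1, true };

	return esn_extend(&r, seql);
}
```

With update_first false the forged seq 1000 fails the ICV check without touching the window and the genuine seq 4 is accepted; with the old ordering the window has already slid to 1000 and seq 4 is rejected as too old, which is the denial of service 1.70 describes. esn_extend() covers the case where the window straddles a 2^32 boundary (the high half is decremented for low values that belong to the previous subspace) and the fresh-SA case where no previous subspace exists.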


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely acedemic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.157 12-Jul-2018 mpi

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@


# 1.156 11-Jul-2018 mpi

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@


# 1.155 10-Jul-2018 mpi

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

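The replay-window check described in 1.117 (RFC 4303 Appendix A, 64-entry window) together with the ordering bug fixed in 1.70 (window advanced before the ICV was verified), as an added C example that is not OpenBSD's code: the 64-entry window, the struct and function names, the simulated ICV result and the packet sequence are assumptions, and Extended Sequence Numbers are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 64-entry window as in the rewrite described in 1.117 (assumed here;
 * the kernel later grew a much larger window, see 1.121). */
#define REPLAY_WINDOW 64

/* Assumed per-SA state: highest verified sequence number plus a bitmap
 * where bit i records whether (last_seq - i) was already received. */
struct replay_state {
	uint64_t last_seq;
	uint64_t bitmap;
};

/* RFC 4303 Appendix A check: 0 if seq is new and inside (or to the right
 * of) the window, -1 if it is a replay or too old. No state change. */
int
replay_check(const struct replay_state *st, uint32_t seq)
{
	uint64_t diff;

	if (seq == 0)			/* first packet on an SA is 1 */
		return -1;
	if (seq > st->last_seq)		/* right of the window: new */
		return 0;
	diff = st->last_seq - seq;
	if (diff >= REPLAY_WINDOW)	/* left of the window: too old */
		return -1;
	if (st->bitmap & (1ULL << diff))	/* already seen: replay */
		return -1;
	return 0;
}

/* Advance the window to include seq. Must run only after the ICV has
 * been verified; scenario() below shows what goes wrong otherwise. */
void
replay_update(struct replay_state *st, uint32_t seq)
{
	uint64_t shift;

	if (seq > st->last_seq) {
		shift = seq - st->last_seq;
		/* shifting a 64-bit value by >= 64 is undefined, so clear */
		st->bitmap = shift >= REPLAY_WINDOW ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->last_seq = seq;
	} else {
		st->bitmap |= 1ULL << (st->last_seq - seq);
	}
}

enum verdict { ACCEPT = 0, DROP_REPLAY = 1, DROP_BAD_ICV = 2 };

/* Simulated ESP input for one packet. icv_ok stands in for the result of
 * the integrity check; update_before_auth reproduces the ordering that
 * 1.70 removed, where the window advanced before the ICV was verified. */
enum verdict
esp_input_sim(struct replay_state *st, uint32_t seq, bool icv_ok,
    bool update_before_auth)
{
	if (replay_check(st, seq) != 0)
		return DROP_REPLAY;
	if (update_before_auth)
		replay_update(st, seq);
	if (!icv_ok)
		return DROP_BAD_ICV;
	if (!update_before_auth)
		replay_update(st, seq);
	return ACCEPT;
}

/* Constructed scenario: three good packets, one forged packet with a far
 * higher sequence number and a bad ICV, then three more good packets.
 * Returns how many of the six good packets were accepted. */
int
scenario(bool update_before_auth)
{
	struct replay_state st = { 0, 0 };
	int accepted = 0;
	uint32_t s;

	for (s = 1; s <= 3; s++)
		if (esp_input_sim(&st, s, true, update_before_auth) == ACCEPT)
			accepted++;
	(void)esp_input_sim(&st, 1000, false, update_before_auth);
	for (s = 4; s <= 6; s++)
		if (esp_input_sim(&st, s, true, update_before_auth) == ACCEPT)
			accepted++;
	return accepted;
}

int
main(void)
{
	/* prints 3/6 for the old ordering and 6/6 for the fixed one */
	printf("update before auth: %d/6 accepted\n", scenario(true));
	printf("update after auth:  %d/6 accepted\n", scenario(false));
	return 0;
}
```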

Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.154 09-May-2018 bluhm

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap; otherwise
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.153 02-May-2018 bluhm

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@


Revision tags: OPENBSD_6_3_BASE
# 1.152 08-Nov-2017 visa

branches: 1.152.2;
Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

branches: 1.150.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

Replay check was rewritten to implement the algorithm described in
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplify monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutually hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.152 08-Nov-2017 visa

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@


# 1.151 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


Revision tags: OPENBSD_6_2_BASE
# 1.150 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.149 30-May-2017 deraadt

add sizes to free() calls


# 1.148 02-May-2017 mikeb

Switch OCF and IPsec over to the new AES

ok djm


# 1.147 06-Apr-2017 dhill

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove. While here, change some previous conversions to a simple
assignment.

ok deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.146 07-Feb-2017 bluhm

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@


# 1.145 07-Feb-2017 patrick

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@


# 1.144 07-Feb-2017 bluhm

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@


# 1.143 09-Jan-2017 mpi

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@


# 1.142 24-Dec-2016 mpi

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@


# 1.141 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.140 13-Sep-2016 markus

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@


# 1.139 18-Aug-2016 dlg

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@


# 1.138 15-Aug-2016 dlg

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@


Revision tags: OPENBSD_6_0_BASE
# 1.137 07-Mar-2016 naddy

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@


Revision tags: OPENBSD_5_9_BASE
# 1.136 09-Dec-2015 naddy

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@


# 1.135 03-Nov-2015 mikeb

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy


Revision tags: OPENBSD_5_8_BASE
# 1.134 15-Jul-2015 deraadt

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi


# 1.133 15-Jun-2015 mikeb

No need for an extra local variable; no functional change.


# 1.132 15-Jun-2015 mikeb

Use proper argument type for crp_callback functions; no functional change.


# 1.131 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.130 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


Revision tags: OPENBSD_5_7_BASE
# 1.129 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.128 05-Dec-2014 mpi

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@


# 1.127 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


Revision tags: OPENBSD_5_6_BASE
# 1.126 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.125 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.124 09-Jul-2014 henning

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno


Revision tags: OPENBSD_5_5_BASE
# 1.123 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


Revision tags: OPENBSD_5_4_BASE
# 1.122 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


Revision tags: OPENBSD_5_3_BASE
# 1.121 14-Feb-2013 mikeb

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus


# 1.120 18-Oct-2012 markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@


# 1.119 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.118 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.117 29-Jun-2012 mikeb

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only the software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.116 11-Jan-2011 deraadt

for key material that is being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb


# 1.115 21-Dec-2010 markus

don't leak mbuf if padding fails; ok mikeb@


# 1.114 06-Oct-2010 mikeb

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.


# 1.113 23-Sep-2010 mikeb

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert


# 1.112 22-Sep-2010 mikeb

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.


Revision tags: OPENBSD_4_8_BASE
# 1.111 20-Jul-2010 matthew

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.


# 1.110 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.109 02-Jul-2010 blambert

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@


# 1.108 01-Jul-2010 reyk

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@


# 1.107 29-Jun-2010 reyk

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@


Revision tags: OPENBSD_4_7_BASE
# 1.106 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.105 09-Jun-2008 djm

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.104 19-Nov-2007 mpf

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@


# 1.103 17-Oct-2007 hshoexer

Convert MALLOC/FREE to malloc/free.

ok gilles@


# 1.102 06-Oct-2007 krw

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.


# 1.101 03-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.100 15-Dec-2006 otto

make enc(4) count; ok markus@ henning@ deraadt@


# 1.99 21-Sep-2006 otto

ugly trailing ws; from bret dot lambert at gmail


Revision tags: OPENBSD_4_0_BASE
# 1.98 28-May-2006 mcbride

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@


# 1.97 25-Mar-2006 djm

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@


Revision tags: OPENBSD_3_9_BASE
# 1.96 20-Dec-2005 markus

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer


Revision tags: OPENBSD_3_8_BASE
# 1.95 05-Aug-2005 markus

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@


# 1.94 02-Aug-2005 djm

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@


# 1.93 31-Jul-2005 pascoe

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@


# 1.92 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.91 27-May-2005 markus

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer


# 1.90 25-May-2005 markus

AESCTR support for ESP (RFC 3686); ok hshoexer


# 1.89 10-May-2005 markus

support NULL encryption for ESP; ok hshoexer, ho


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE SMP_SYNC_A SMP_SYNC_B
# 1.88 10-Dec-2003 itojun

de-register. deraadt ok


Revision tags: OPENBSD_3_4_BASE
# 1.87 14-Aug-2003 jason

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.


# 1.86 24-Jul-2003 itojun

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)


# 1.85 24-Jul-2003 itojun

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok


# 1.84 09-Jul-2003 markus

fix whitespace


Revision tags: UBC_SYNC_A
# 1.83 03-May-2003 itojun

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok


# 1.82 02-Apr-2003 millert

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@


# 1.81 31-Mar-2003 millert

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@


Revision tags: OPENBSD_3_3_BASE
# 1.80 28-Feb-2003 jason

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.


# 1.79 21-Feb-2003 tedu

kill unused variables

ok jason@


# 1.78 12-Feb-2003 jason

Remove commons; inspired by netbsd.


# 1.77 01-Feb-2003 dhartmei

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@


# 1.76 07-Nov-2002 ho

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.75 30-Jul-2002 jason

branches: 1.75.2;
Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos


# 1.74 05-Jul-2002 angelos

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com


# 1.73 18-Jun-2002 angelos

KNF


# 1.72 18-Jun-2002 angelos

Initialize mo to NULL, for good measure -- sam@errno.com


# 1.71 18-Jun-2002 angelos

Same as with ip_ah.c (fix unreachable reference-after-free)


# 1.70 31-May-2002 angelos

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.
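An added example, not OpenBSD's code, of the two points these messages make: the 64-entry ESN anti-replay window rewritten in 1.117 after RFC 4303 Appendix A, and the split that 1.70's fix depends on, where an unauthenticated packet may only be checked against the window and the window is moved only after the ICV verifies. All names (`replay_state`, `replay_check`, `replay_update`) and the test values are constructed for this example.

```c
#include <stdint.h>

#define REPLAY_WINDOW 64u	/* window entries, one bit each in a 64-bit bitmap */

/* Inbound anti-replay state for one SA (constructed for this example). */
struct replay_state {
	uint64_t top;		/* highest authenticated ESN so far, 0 = none yet */
	uint64_t bitmap;	/* bit i set: ESN (top - i) was accepted */
};

enum replay_result { REPLAY_OK, REPLAY_DUP, REPLAY_TOO_OLD };

/*
 * Phase 1, before the ICV is verified: rebuild the 64-bit ESN from the
 * 32-bit sequence number on the wire (RFC 4303 Appendix A2.2) and test it
 * against the window. Read-only, so an unauthenticated packet cannot move
 * the window and cause later valid packets to be dropped as replays.
 */
enum replay_result
replay_check(const struct replay_state *st, uint32_t seq_lo, uint64_t *esn_out)
{
	uint32_t th = (uint32_t)(st->top >> 32);
	uint32_t tl = (uint32_t)st->top;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* window bottom, mod 2^32 */
	uint32_t seq_hi;
	uint64_t esn, diff;

	if (tl >= REPLAY_WINDOW - 1) {
		/* Case A: the window does not straddle a 2^32 boundary. */
		seq_hi = (seq_lo >= bl) ? th : th + 1;
	} else if (seq_lo >= bl) {
		/* Case B: it straddles one; seq_lo belongs to the previous cycle. */
		if (th == 0)
			return REPLAY_TOO_OLD;	/* there is no previous cycle */
		seq_hi = th - 1;
	} else
		seq_hi = th;
	esn = ((uint64_t)seq_hi << 32) | seq_lo;
	if (esn == 0)
		return REPLAY_TOO_OLD;	/* ESP sequence numbers start at 1 */
	*esn_out = esn;
	if (esn > st->top)
		return REPLAY_OK;	/* ahead of the window: new high-water mark */
	diff = st->top - esn;
	if (diff >= REPLAY_WINDOW)
		return REPLAY_TOO_OLD;	/* guard only; the reconstruction keeps diff < W */
	return ((st->bitmap >> diff) & 1) ? REPLAY_DUP : REPLAY_OK;
}

/* Phase 2, only after the ICV verified: slide the window or mark the slot. */
void
replay_update(struct replay_state *st, uint64_t esn)
{
	if (esn > st->top) {
		uint64_t shift = esn - st->top;
		/* Shifting a uint64_t by 64 or more is undefined; clear instead. */
		st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->top = esn;
	} else {
		st->bitmap |= (uint64_t)1 << (st->top - esn);	/* caller checked diff < W */
	}
}
```

Sequence numbers below the window bottom are deliberately mapped to the next 2^32 cycle rather than rejected as too old, as the RFC specifies; such a packet then fails the ICV unless it is genuine.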


Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE
# 1.69 26-Jun-2001 angelos

branches: 1.69.4; 1.69.6;
KNF


# 1.68 25-Jun-2001 angelos

Copyright.


# 1.67 23-Jun-2001 deraadt

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase


# 1.66 13-Jun-2001 angelos

Use blocksize, not ivmask


# 1.65 08-Jun-2001 angelos

Trim include files.


# 1.64 05-Jun-2001 angelos

Add a few DPRINTF()'s


# 1.63 01-Jun-2001 angelos

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.


# 1.62 30-May-2001 angelos

Update to match prototypes.


# 1.61 30-May-2001 angelos

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.


# 1.60 27-May-2001 angelos

Pass a NULL packet tag for now to ipsp_common_input_cb().


# 1.59 17-May-2001 provos

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@


# 1.58 13-May-2001 deraadt

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.


# 1.57 12-May-2001 angelos

Move bzero() after test for correct allocation (jj@wabbitt.org)


Revision tags: OPENBSD_2_9_BASE
# 1.56 14-Apr-2001 angelos

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@


# 1.55 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.54 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.53 23-Mar-2001 angelos

Fix slow mbuf leak.


# 1.52 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.51 17-Nov-2000 angelos

*HMAC96->*HMAC


Revision tags: OPENBSD_2_8_BASE
# 1.50 09-Oct-2000 angelos

AES support.


# 1.49 19-Sep-2000 angelos

Lots and lots of changes.


# 1.48 18-Jun-2000 angelos

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)


# 1.47 18-Jun-2000 angelos

The callbacks need to set the appropriate spl level now.


# 1.46 15-Jun-2000 angelos

What was the offending payload length?


# 1.45 14-Jun-2000 angelos

Initialize tc_ptr to zero if authentication is not used.


# 1.44 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.43 01-Jun-2000 angelos

Check for invalid TDBs right away in the callbacks.


# 1.42 15-May-2000 angelos

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.


Revision tags: OPENBSD_2_7_BASE
# 1.41 25-Apr-2000 jason

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)


# 1.40 06-Apr-2000 deraadt

only call get_random_bytes() once in m_pad()


# 1.39 30-Mar-2000 angelos

Only allocate space for a copy of the authenticator if authentication
is in use.


# 1.38 29-Mar-2000 angelos

Note to self: test before committing.


# 1.37 29-Mar-2000 angelos

Conform to crypto framework changes for IVs.


# 1.36 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.35 25-Mar-2000 angelos

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org


# 1.34 21-Mar-2000 angelos

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)


# 1.33 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.32 07-Feb-2000 itojun

branches: 1.32.2;
fix include file path related to ip6.


# 1.31 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.30 09-Dec-1999 angelos

Ok, no more IPsec for OpenBSD...I've had enough with it.


# 1.29 09-Dec-1999 angelos

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())


Revision tags: kame_19991208
# 1.28 07-Dec-1999 angelos

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).


# 1.27 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.26 04-Nov-1999 ho

gettdb() should be at spltdb().


# 1.25 29-Oct-1999 angelos

Support multiple enc interfaces.


Revision tags: OPENBSD_2_6_BASE
# 1.24 05-Jul-1999 deraadt

remove bogus entry from if_enc address list; and rename enc_softc to encif


# 1.23 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.22 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.21 11-Apr-1999 niklas

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.


# 1.20 09-Apr-1999 niklas

Make the tdbi handling more robust, removes a panic case


# 1.19 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.18 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.17 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


Revision tags: OPENBSD_2_4_BASE
# 1.16 10-Jun-1998 provos

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.


# 1.15 24-May-1998 provos

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.


# 1.14 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


Revision tags: OPENBSD_2_3_BASE
# 1.13 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.12 02-Oct-1997 deraadt

conditional error logging


# 1.11 28-Sep-1997 deraadt

log() needs a \n


# 1.10 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.9 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.8 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.7 01-Jul-1997 provos

major restructuring


# 1.6 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.5 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.4 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.3 26-Feb-1997 deraadt

count input/output packets for esp


# 1.2 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz