History log of /openbsd-current/sys/netinet/ip_ipsp.c
Revision  Date  Author  Comments
# 1.278 03-Dec-2023 mvs

Make ipsp_ids_gc() timeout(9) handler mpsafe. `ipsec_flows_mtx' mutex(9)
protects related data.

ok bluhm


# 1.277 11-Oct-2023 tobhe

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference. If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb(). This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@


Revision tags: OPENBSD_7_4_BASE
# 1.276 07-Aug-2023 dlg

add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use.

when sec(4) transmits a packet, it will look up its list of tdbs
to find the right SA to encrypt and send the packet out with.

if an incoming ipsec packet arrives with TDBF_IFACE set, it's passed
to sec(4) to be injected back into the network stack as if it was
received on the sec interface, instead of being reinjected into the
IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints
on sec(4) interfaces, instead you line the interface unit number
in the ipsec config up with the minor number of the sec(4) interfaces.
the peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


Revision tags: OPENBSD_7_3_BASE
# 1.275 11-Nov-2022 cheloha

timeout(9): remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK()

We have too many timeout(9) initialization functions and macros.
Let's slim it down and combine some interfaces.

- Remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK().
- Expand timeout_set_flags(), TIMEOUT_INITIALIZER_FLAGS() to accept
an additional "kclock" parameter.
- Reimplement timeout_set(), timeout_set_proc() with timeout_set_flags().
- Reimplement TIMEOUT_INITIALIZER() with TIMEOUT_INITIALIZER_FLAGS().
- Update the sole timeout_set_flags() user to pass a kclock parameter.
- Update the sole timeout_set_kclock() user to call timeout_set_flags().
- Update the sole TIMEOUT_INITIALIZER_FLAGS() user to provide a kclock
parameter.

The timeout(9) code is now a bit out of sync with the manpage. This
will be corrected in a subsequent commit.

ok kn@


# 1.274 05-Nov-2022 jan

Fix kernel build without IPSEC option.

ok deraadt@


Revision tags: OPENBSD_7_2_BASE
# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, so call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. Original diff from mvs.

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded the hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed, and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions that convert IPv4/6 addresses from
network to presentation format with inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
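Worked example, added here and not taken from the commit or from OpenBSD's crypto code: a Python HMAC that takes the block size as an explicit parameter, so both bugs described above can be reproduced and checked against the standard library. Using a 64-byte block for SHA-512 produces a different tag than the correct 128-byte block, and an RFC 4868 receiver expecting a 128-bit HMAC-SHA-256 ICV rejects the 96-bit ICV an unfixed peer would send. The key and message are constructed sample values, not real IPsec traffic.

```python
import hashlib
import hmac
from typing import Optional

# RFC 4868: the HMAC-SHA-nnn ICV carried in AH/ESP is nnn/2 bits long.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
# Truncation length used before the fix described in the commit message.
LEGACY_ICV_BITS = 96


def hmac_manual(key: bytes, msg: bytes, hash_name: str, block_size: int) -> bytes:
    """HMAC per RFC 2104 with the hash block size passed in explicitly, so the
    wrong-block-size bug (64 instead of 128 for SHA-384/512) can be reproduced."""
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def correct_block_size(hash_name: str) -> int:
    """Message block size of the underlying hash: 64 for SHA-256, 128 for SHA-384/512."""
    return hashlib.new(hash_name).block_size


def icv(key: bytes, msg: bytes, hash_name: str, bits: Optional[int] = None) -> bytes:
    """Truncated ICV computed with the correct block size; defaults to the RFC 4868 length."""
    if bits is None:
        bits = RFC4868_ICV_BITS[hash_name]
    tag = hmac_manual(key, msg, hash_name, correct_block_size(hash_name))
    return tag[: bits // 8]


def verify_icv(key: bytes, msg: bytes, hash_name: str, received: bytes) -> bool:
    """Receiver side at RFC 4868 length: an ICV of the wrong length (e.g. the legacy
    96 bits) or wrong value is rejected; comparison is constant-time."""
    expected = icv(key, msg, hash_name)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


# Constructed sample inputs (not real IPsec traffic).
KEY = bytes(range(32))
MSG = b"ESP payload: constructed sample packet bytes"


def demo() -> dict:
    """Reproduce both bugs and return the outcome of each check."""
    std = hmac.new(KEY, MSG, "sha512").digest()
    legacy_icv = icv(KEY, MSG, "sha256", LEGACY_ICV_BITS)
    return {
        "sha512_block128_matches_stdlib": hmac_manual(KEY, MSG, "sha512", 128) == std,
        "sha512_block64_matches_stdlib": hmac_manual(KEY, MSG, "sha512", 64) == std,
        "rfc4868_icv_accepted": verify_icv(KEY, MSG, "sha256", icv(KEY, MSG, "sha256")),
        "legacy_96bit_icv_accepted": verify_icv(KEY, MSG, "sha256", legacy_icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```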


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


Revision tags: OPENBSD_7_4_BASE
# 1.276 07-Aug-2023 dlg

add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use.

when sec(4) transmits a packet, it will look up its list of tdbs
to find the right SA to encrypt and send the packet out with.

if an incoming ipsec packet arrives with TDBF_IFACE set, it's passed
to sec(4) to be injected back into the network stack as if it was
received on the sec interface, instead of being reinjected into the
IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints
on sec(4) interfaces, instead you line the interface unit number
in the ipsec config up with the minor number of the sec(4) interfaces.
the peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


Revision tags: OPENBSD_7_3_BASE
# 1.275 11-Nov-2022 cheloha

timeout(9): remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK()

We have too many timeout(9) initialization functions and macros.
Let's slim it down and combine some interfaces.

- Remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK().
- Expand timeout_set_flags(), TIMEOUT_INITIALIZER_FLAGS() to accept
an additional "kclock" parameter.
- Reimplement timeout_set(), timeout_set_proc() with timeout_set_flags().
- Reimplement TIMEOUT_INITIALIZER() with TIMEOUT_INITIALIZER_FLAGS().
- Update the sole timeout_set_flags() user to pass a kclock parameter.
- Update the sole timeout_set_kclock() user to call timeout_set_flags().
- Update the sole TIMEOUT_INITIALIZER_FLAGS() user to provide a kclock
parameter.

The timeout(9) code is now a bit out of sync with the manpage. This
will be corrected in a subsequent commit.

ok kn@


# 1.274 05-Nov-2022 jan

Fix kernel build without IPSEC option.

ok deraadt@


Revision tags: OPENBSD_7_2_BASE
# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
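An added example, written in Python rather than the kernel's C and not part of this commit, that reproduces the two behaviours the message describes: a textbook RFC 2104 HMAC with the block size as an explicit parameter (so the old 64-byte choice for SHA-384/512 can be compared against the correct 128-byte one), and the ICV truncation before (96 bits) and after (RFC 4868, nnn/2 bits) the fix. All function names and the sample key and message are constructed for the example.

```python
import hashlib
import hmac

# Block size in bytes and RFC 4868 ICV length (half the digest) in bytes.
# Before revision 1.179 the kernel used a 64-byte block for every SHA-2
# variant and always truncated the MAC to 96 bits (12 bytes).
HMAC_PARAMS = {
    "sha256": (64, 16),
    "sha384": (128, 24),
    "sha512": (128, 32),
}
OLD_BLOCK_SIZE = 64
OLD_ICV_LEN = 12


def hmac_with_block_size(key: bytes, msg: bytes, algo: str, block_size: int) -> bytes:
    """RFC 2104 HMAC with the block size taken as a parameter, so that the
    wrong choice (64 bytes for SHA-384/512) can be reproduced deliberately."""
    def digest(data: bytes) -> bytes:
        return hashlib.new(algo, data).digest()

    if len(key) > block_size:          # long keys are hashed first
        key = digest(key)
    key = key.ljust(block_size, b"\x00")  # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + msg))


def reference_hmac(key: bytes, msg: bytes, algo: str) -> bytes:
    """Standard-library HMAC, which always uses the correct block size."""
    return hmac.new(key, msg, algo).digest()


def icv_rfc4868(key: bytes, msg: bytes, algo: str) -> bytes:
    """ICV as produced after the fix: correct block size, nnn/2-bit truncation."""
    block_size, icv_len = HMAC_PARAMS[algo]
    return hmac_with_block_size(key, msg, algo, block_size)[:icv_len]


def icv_pre_fix(key: bytes, msg: bytes, algo: str) -> bytes:
    """ICV as produced before the fix (kept only for the interop comparison)."""
    return hmac_with_block_size(key, msg, algo, OLD_BLOCK_SIZE)[:OLD_ICV_LEN]


def verify_icv(key: bytes, msg: bytes, algo: str, received_icv: bytes) -> bool:
    """Constant-time check an RFC 4868 receiver performs on an incoming ICV."""
    return hmac.compare_digest(icv_rfc4868(key, msg, algo), received_icv)


def interop_report(key: bytes, msg: bytes) -> dict:
    """Per algorithm: does the pre-fix ICV even have the expected length, and
    do the MAC bytes it contains agree with a correct computation?"""
    report = {}
    for algo in HMAC_PARAMS:
        new = icv_rfc4868(key, msg, algo)
        old = icv_pre_fix(key, msg, algo)
        report[algo] = {
            "length_mismatch": len(new) != len(old),
            "mac_bytes_agree": new[:OLD_ICV_LEN] == old,
        }
    return report


if __name__ == "__main__":
    KEY = bytes(range(32))                        # constructed sample key
    MSG = b"ESP payload: constructed sample data"  # constructed sample packet
    for algo, result in interop_report(KEY, MSG).items():
        print(f"{algo}: {result}")
```

For SHA-256 only the truncation length differs, so the first 12 MAC bytes still agree; for SHA-384/512 the wrong block size changes every byte of the MAC, which is why the message warns about incompatibility with implementations sharing the bug.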


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


Revision tags: OPENBSD_7_3_BASE
# 1.275 11-Nov-2022 cheloha

timeout(9): remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK()

We have too many timeout(9) initialization functions and macros.
Let's slim it down and combine some interfaces.

- Remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK().
- Expand timeout_set_flags(), TIMEOUT_INITIALIZER_FLAGS() to accept
an additional "kclock" parameter.
- Reimplement timeout_set(), timeout_set_proc() with timeout_set_flags().
- Reimplement TIMEOUT_INITIALIZER() with TIMEOUT_INITIALIZER_FLAGS().
- Update the sole timeout_set_flags() user to pass a kclock parameter.
- Update the sole timeout_set_kclock() user to call timeout_set_flags().
- Update the sole TIMEOUT_INITIALIZER_FLAGS() user to provide a kclock
parameter.

The timeout(9) code is now a bit out of sync with the manpage. This
will be corrected in a subsequent commit.

ok kn@


# 1.274 05-Nov-2022 jan

Fix kernel build without IPSEC option.

ok deraadt@


Revision tags: OPENBSD_7_2_BASE
# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb', and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed, and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use a garbage collector for the destruction of 'ipsec_ids'
struct entities instead of using a per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@
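
The split-read problem the commit above describes, and the lockless
generation-checked read loop it refers to, as an added illustration that is
not code from the OpenBSD kernel or from this commit: a 64-bit second count
stored as two 32-bit words, a naive two-load read interleaved with a
concurrent update, and a read loop that detects the torn read and retries.
The struct layout, the function names and the simulated preemption hook are
constructed for the example; the real timehands layout and its barrier
discipline are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 64-bit second count published as two 32-bit words
 * plus a generation counter. Names and layout are hypothetical, modelled on
 * the generation-counter idea, not the kernel's struct timehands. */
struct th_model {
    uint32_t gen;   /* odd while an update is in progress */
    uint32_t lo;    /* low 32 bits of the second count */
    uint32_t hi;    /* high 32 bits of the second count */
};

/* Hook called between the two half-reads to simulate preemption by a writer. */
typedef void (*preempt_fn)(struct th_model *);

void th_init(struct th_model *th, uint64_t secs)
{
    th->gen = 0;
    th->lo = (uint32_t)secs;
    th->hi = (uint32_t)(secs >> 32);
}

/* Writer: an odd generation brackets the window where lo/hi are inconsistent;
 * the barriers keep the stores ordered on real hardware. */
void th_write(struct th_model *th, uint64_t secs)
{
    th->gen++;                      /* odd: update in progress */
    __sync_synchronize();
    th->lo = (uint32_t)secs;
    th->hi = (uint32_t)(secs >> 32);
    __sync_synchronize();
    th->gen++;                      /* even: update complete */
}

/* The unsafe pattern: two plain 32-bit loads, which is what a 64-bit time_t
 * read compiles to on a platform without 64-bit atomic loads. */
uint64_t naive_read(struct th_model *th, preempt_fn preempt)
{
    uint32_t lo = th->lo;
    if (preempt) preempt(th);       /* writer runs between the two loads */
    uint32_t hi = th->hi;
    return ((uint64_t)hi << 32) | lo;
}

/* The lockless read loop: retry until both halves were read under one stable,
 * even generation. *tries (optional) reports how many passes were needed. */
uint64_t gen_read(struct th_model *th, preempt_fn preempt, unsigned *tries)
{
    uint32_t g1, g2, lo, hi;
    unsigned n = 0;
    do {
        n++;
        g1 = th->gen;
        __sync_synchronize();
        lo = th->lo;
        if (preempt && n == 1) preempt(th);   /* preempt the first pass only */
        hi = th->hi;
        __sync_synchronize();
        g2 = th->gen;
    } while ((g1 & 1) || g1 != g2);
    if (tries) *tries = n;
    return ((uint64_t)hi << 32) | lo;
}

/* Simulated concurrent writer: steps the clock across the 2^32 boundary,
 * the case where a torn read is most visible. */
static void rollover_writer(struct th_model *th)
{
    th_write(th, (uint64_t)1 << 32);
}

#define START_SECS 0xFFFFFFFFULL    /* one second before the rollover */

/* Naive read under the interleaving: low half from before the update, high
 * half from after it, yielding 0x1FFFFFFFF, a value that was never stored. */
uint64_t demo_naive_torn(void)
{
    struct th_model th;
    th_init(&th, START_SECS);
    return naive_read(&th, rollover_writer);
}

/* Generation-checked read under the same interleaving: returns 2^32. */
uint64_t demo_gen_value(void)
{
    struct th_model th;
    th_init(&th, START_SECS);
    return gen_read(&th, rollover_writer, NULL);
}

/* Passes the checked read needed: 2, i.e. one detected retry. */
unsigned demo_gen_tries(void)
{
    struct th_model th;
    unsigned tries;
    th_init(&th, START_SECS);
    (void)gen_read(&th, rollover_writer, &tries);
    return tries;
}

int main(void)
{
    printf("naive split read: 0x%llx (torn)\n", (unsigned long long)demo_naive_torn());
    printf("generation read:  0x%llx in %u passes\n",
           (unsigned long long)demo_gen_value(), demo_gen_tries());
    return 0;
}
```

The retry loop is the "lockless read loop" cost the commit mentions: on a
64-bit platform a single aligned load is already atomic and no loop is needed,
which is why the change is free there and only costs on 32-bit hardware.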


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit in using the macro in the
kernel. It was only used in IPsec sources. No binary change.
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions that convert IPv4/6 addresses from
network to presentation format with inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.275 11-Nov-2022 cheloha

timeout(9): remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK()

We have too many timeout(9) initialization functions and macros.
Let's slim it down and combine some interfaces.

- Remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK().
- Expand timeout_set_flags(), TIMEOUT_INITIALIZER_FLAGS() to accept
an additional "kclock" parameter.
- Reimplement timeout_set(), timeout_set_proc() with timeout_set_flags().
- Reimplement TIMEOUT_INITIALIZER() with TIMEOUT_INITIALIZER_FLAGS().
- Update the sole timeout_set_flags() user to pass a kclock parameter.
- Update the sole timeout_set_kclock() user to call timeout_set_flags().
- Update the sole TIMEOUT_INITIALIZER_FLAGS() user to provide a kclock
parameter.

The timeout(9) code is now a bit out of sync with the manpage. This
will be corrected in a subsequent commit.

ok kn@


# 1.274 05-Nov-2022 jan

Fix kernel build without IPSEC option.

ok deraadt@


Revision tags: OPENBSD_7_2_BASE
# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
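The message does not say what a keyed hash buys over the previous fixed one. The property a practitioner cares about is that SipHash takes a secret key, so a remote peer that chooses the SPIs and addresses it sends us cannot pick inputs that pile into a single hash chain. The example below is added here and is my own Python, not OpenBSD's tdb_hash(): it implements SipHash-2-4 from the published specification, checks it against the reference vectors, and contrasts a hypothetical unkeyed bucket function (an XOR stand-in, not the old kernel code) with a keyed one. The bucket inputs (SPI, destination address, protocol), the 1024-entry table size, and the fixed demo key are assumptions.

```python
import struct

MASK64 = (1 << 64) - 1
NBUCKETS = 1024            # assumed power-of-two table size
ESP = 50                   # IP protocol number for ESP


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, msg):
    """SipHash-2-4: 128-bit key, 64-bit output (Aumasson and Bernstein)."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):
        m = struct.unpack_from("<Q", msg, i)[0]
        v3 ^= m
        v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))   # c = 2 rounds
        v0 ^= m
    # Final block: the leftover bytes, with the message length in the top byte.
    last = (len(msg) & 0xFF) << 56
    for j, byte in enumerate(msg[full:]):
        last |= byte << (8 * j)
    v3 ^= last
    v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
    v0 ^= last
    v2 ^= 0xFF
    for _ in range(4):                                          # d = 4 rounds
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def unkeyed_bucket(spi, dst, proto):
    """Stand-in for a fixed, public hash: the mapping is known to the peer."""
    return (spi ^ int.from_bytes(dst, "big") ^ proto) & (NBUCKETS - 1)


def keyed_bucket(key, spi, dst, proto):
    """Keyed lookup: without `key` the peer cannot predict the bucket."""
    data = struct.pack("!I", spi) + dst + struct.pack("!B", proto)
    return siphash24(key, data) & (NBUCKETS - 1)


def colliding_spis(dst, proto, count, target=0):
    """Attacker's choice against unkeyed_bucket(): `count` SPIs that all hash to `target`."""
    low = (target ^ int.from_bytes(dst, "big") ^ proto) & (NBUCKETS - 1)
    # k starts at 1 so every SPI is >= NBUCKETS, clear of the reserved low range.
    return [k * NBUCKETS + low for k in range(1, count + 1)]


def longest_chain(buckets):
    """Length of the longest chain given the bucket index of each SA."""
    counts = {}
    for b in buckets:
        counts[b] = counts.get(b, 0) + 1
    return max(counts.values())


# Constructed sample: a documentation-range peer address and a fixed demo key.
# A real table would draw the key from arc4random at boot, not hard-code it.
DST = bytes([192, 0, 2, 1])
DEMO_KEY = bytes(range(16))

if __name__ == "__main__":
    spis = colliding_spis(DST, ESP, 64)
    print("unkeyed longest chain:", longest_chain([unkeyed_bucket(s, DST, ESP) for s in spis]))
    print("keyed   longest chain:", longest_chain([keyed_bucket(DEMO_KEY, s, DST, ESP) for s in spis]))
```

With the unkeyed function the 64 attacker-chosen SPIs land in one chain and every lookup for that destination walks all of them; with the keyed function the same SPIs spread across the table, and the peer would need the key to do better than chance.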


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove uneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove uneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
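The two points in this commit message, the block size HMAC pads the key to and the RFC 4868 truncation to half the digest length, are the kind of detail that silently breaks interoperability rather than failing loudly. The example below is added here and is my own Python on top of hashlib, not OpenBSD's crypto code: it builds HMAC from the block size hashlib reports, truncates the way RFC 4868 does, shows that padding the key to 64 bytes instead of 128 for SHA-384/512 produces a different tag, and compares a received ICV in constant time. The function names are mine; the sample key and data are the RFC 4231 test case 1 values.

```python
import hashlib
import hmac

LEGACY_ICV_BYTES = 12      # the 96-bit truncation of the -00 draft


def hmac_with_block(key, msg, hashname, block):
    """RFC 2104 HMAC with the block size passed in, so the wrong one can be shown."""
    if len(key) > block:
        key = hashlib.new(hashname, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hashname, ipad + msg).digest()
    return hashlib.new(hashname, opad + inner).digest()


def hmac_correct(key, msg, hashname):
    """Pad the key to the hash's message block: 64 bytes for SHA-256,
    128 bytes for SHA-384 and SHA-512 (hashlib reports it as block_size)."""
    return hmac_with_block(key, msg, hashname, hashlib.new(hashname).block_size)


def hmac_64byte_block(key, msg, hashname):
    """The mistake fixed in 1.179: padding every key to 64 bytes."""
    return hmac_with_block(key, msg, hashname, 64)


def matches_stdlib(key, msg, hashname):
    """Cross-check against the standard library's HMAC."""
    return hmac_correct(key, msg, hashname) == hmac.new(key, msg, hashname).digest()


def ipsec_icv(key, msg, hashname, legacy96=False):
    """Integrity check value: half the digest per RFC 4868 (128/192/256 bits),
    or the old 96-bit truncation when legacy96 is set."""
    full = hmac_correct(key, msg, hashname)
    n = LEGACY_ICV_BYTES if legacy96 else len(full) // 2
    return full[:n]


def icv_matches(key, msg, hashname, received):
    """Verify a received ICV in constant time; a plain == leaks timing."""
    expected = ipsec_icv(key, msg, hashname)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


# Constructed sample input: RFC 4231 test case 1 key and data.
KEY = b"\x0b" * 20
MSG = b"Hi There"

if __name__ == "__main__":
    for name in ("sha256", "sha384", "sha512"):
        icv = ipsec_icv(KEY, MSG, name)
        print("%s: %d-bit ICV %s" % (name, 8 * len(icv), icv.hex()))
    print("sha512 with 64-byte block agrees:",
          hmac_64byte_block(KEY, MSG, "sha512") == hmac_correct(KEY, MSG, "sha512"))
```

For SHA-256 the 64-byte block is right, so the old and new key padding agree and only the truncation length changes; for SHA-384 and SHA-512 both the padding and the truncation differ, which is why the commit warns that peers sharing the bug stop interoperating once one side is fixed.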


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@
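The reason for arc4random_uniform() is that reducing a 32-bit random word modulo an upper bound that does not divide 2^32 over-represents the low residues. The example below is added here and is mine, not OpenBSD's libkern code: it reimplements the same rejection rule in Python, shows the bias exhaustively on an 8-bit word where the counts can be checked by hand, and uses the unbiased draw to pick an SPI from a range the way a reserve_spi-style routine would. The SPI range and the function names are assumptions.

```python
import secrets


def uniform_below(upper, word_bits=32, rng=None):
    """Return an integer in [0, upper) with no modulo bias, the way
    arc4random_uniform(3) does: draw a word_bits-bit value and reject it
    when it falls in the short leading range that would favour low residues."""
    if upper < 2:
        return 0
    if rng is None:
        rng = lambda: secrets.randbits(word_bits)
    # The bottom (2**word_bits mod upper) values are the surplus; discarding
    # r < minimum leaves exactly a multiple of `upper` values, so every residue
    # is produced equally often.
    minimum = (1 << word_bits) % upper
    while True:
        r = rng()
        if r >= minimum:
            return r % upper


def residue_histogram(upper, word_bits=8, reject=False):
    """Count each residue when every word_bits-bit value is reduced mod `upper`,
    with or without the rejection rule above. Exhaustive, so the numbers are exact."""
    counts = [0] * upper
    minimum = (1 << word_bits) % upper
    for r in range(1 << word_bits):
        if reject and r < minimum:
            continue
        counts[r % upper] += 1
    return counts


def max_bias(counts):
    """Difference between the most and least frequent residue; 0 means uniform."""
    return max(counts) - min(counts)


def random_spi(sspi=256, tspi=0xFFFFFFFF, rng=None):
    """Pick an SPI uniformly from [sspi, tspi]; SPIs below 256 are reserved."""
    if not 0 < sspi <= tspi <= 0xFFFFFFFF:
        raise ValueError("bad SPI range")
    return sspi + uniform_below(tspi - sspi + 1, 32, rng)


if __name__ == "__main__":
    for upper in (3, 7, 4):
        print(upper, "plain mod:", residue_histogram(upper),
              "rejection:", residue_histogram(upper, reject=True))
    print("spi: 0x%08x" % random_spi())
```

On an 8-bit word and upper bound 3, plain reduction yields residue 0 86 times and the others 85; rejecting the single surplus value makes all three 85. The bias shrinks as the word grows but never disappears for a non-power-of-two bound, which is what the rejection loop removes at the cost of occasionally drawing twice.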


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times.
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.274 05-Nov-2022 jan

Fix kernel build without IPSEC option.

ok deraadt@


Revision tags: OPENBSD_7_2_BASE
# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop the ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit of using the macro in the
kernel. It was only used in IPsec sources. No binary change.
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.273 06-Aug-2022 bluhm

Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation. The R and
W are hard to see, call the new macro NET_LOCK_SHARED. Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed, and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.272 14-Jul-2022 mvs

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@
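
The split-read problem this entry fixes, as an added example that is not OpenBSD's code: a single-threaded C simulation of a 64-bit time_t kept as two 32-bit words, read once the time_second way (two plain loads) and once the gettime(9) way (a generation-checked retry loop modelled on the timehands). The `th_update()` hook that runs a reader between the two half-stores stands in for a concurrent CPU; the struct, the function names and the sample timestamps are constructed for this example, and a real implementation additionally needs memory barriers around the generation loads.

```c
/* Added example, not OpenBSD code: the split-read problem behind gettime(9).
 * A 64-bit time_t is stored as two 32-bit words, as a 32-bit CPU would do it.
 * Single-threaded simulation: a real reader also needs memory barriers. */
#include <stdint.h>
#include <stdio.h>

struct timehands {
	volatile unsigned th_generation;	/* odd while an update is in progress */
	volatile uint32_t th_lo, th_hi;		/* low and high halves of the time */
};

typedef void (*interrupt_fn)(struct timehands *);

/* Writer: generation to odd, store both halves, generation back to even.
 * 'hook' stands in for a reader on another CPU that runs between the stores. */
void
th_update(struct timehands *th, uint64_t t, interrupt_fn hook)
{
	th->th_generation++;
	th->th_lo = (uint32_t)t;
	if (hook != NULL)
		hook(th);
	th->th_hi = (uint32_t)(t >> 32);
	th->th_generation++;
}

/* time_second-style reader: two unrelated loads, nothing checks they belong together. */
uint64_t
th_read_naive(const struct timehands *th)
{
	return (uint64_t)th->th_hi << 32 | th->th_lo;
}

/* gettime(9)-style reader: retry until an even, unchanged generation brackets
 * both loads. Bounded so the simulation can report that no consistent read was possible. */
int
th_read_safe(const struct timehands *th, uint64_t *out, int max_tries)
{
	unsigned gen;
	uint64_t t;

	while (max_tries-- > 0) {
		gen = th->th_generation;
		if (gen & 1)
			continue;		/* update in progress */
		t = (uint64_t)th->th_hi << 32 | th->th_lo;
		if (gen == th->th_generation) {
			*out = t;
			return 1;
		}
	}
	return 0;
}

uint64_t torn_value;		/* what the naive reader saw mid-update */
int safe_rc_midupdate;		/* what the safe reader returned mid-update */

static void
reader_midupdate(struct timehands *th)
{
	uint64_t t = 0;

	torn_value = th_read_naive(th);
	safe_rc_midupdate = th_read_safe(th, &t, 8);
}

/* Constructed case: the clock crosses 2^32 seconds, 0x00000000ffffffff -> 0x0000000100000000.
 * A naive read between the two stores combines the new low word with the old high word: 0. */
uint64_t
demo_split_read(void)
{
	struct timehands th = { 0, 0xffffffffu, 0 };

	th_update(&th, 0x100000000ULL, reader_midupdate);
	return torn_value;
}

/* Same update with no interruption: the safe reader returns the new value. */
uint64_t
demo_after_update(void)
{
	struct timehands th = { 0, 0xffffffffu, 0 };
	uint64_t t = 0;

	th_update(&th, 0x100000000ULL, NULL);
	return th_read_safe(&th, &t, 8) ? t : (uint64_t)-1;
}

int
main(void)
{
	printf("naive read during update: 0x%016llx\n", (unsigned long long)demo_split_read());
	printf("safe read during update returned %d (no consistent value)\n", safe_rc_midupdate);
	printf("safe read after update:   0x%016llx\n", (unsigned long long)demo_after_update());
	return 0;
}
```

The torn value is neither the old nor the new time, which is what makes the bug hard to spot from a single sample; the retry loop is the "lockless read loop" whose cost on 32-bit platforms the entry describes.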


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
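
What a keyed SipHash buys an SA hash table, as an added example that is not OpenBSD's tdb_hash(): a C SipHash-2-4 checked against the published reference vector, used to pick a bucket from (destination address, SPI, protocol). Because the key is secret and drawn per boot in a kernel, a remote peer that controls the SPIs it proposes cannot precompute inputs that all land in one chain, which a fixed, unkeyed hash allows. The key, destination and bucket count here are constructed for the example, and the tuple layout is this example's, not the kernel's.

```c
/* Added example, not OpenBSD code: SipHash-2-4 as a keyed bucket hash for SA lookups.
 * With a secret per-boot key, a peer choosing SPIs cannot force collisions into one chain. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do {							\
	v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32);	\
	v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2;				\
	v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0;				\
	v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32);	\
} while (0)

static uint64_t
le64dec(const uint8_t *p)
{
	uint64_t r = 0;
	int i;

	for (i = 7; i >= 0; i--)
		r = r << 8 | p[i];
	return r;
}

uint64_t
siphash24(const uint8_t key[16], const void *data, size_t len)
{
	const uint8_t *in = data, *end = in + (len & ~(size_t)7);
	uint64_t k0 = le64dec(key), k1 = le64dec(key + 8), m;
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
	uint64_t b = (uint64_t)len << 56;	/* final word carries the length byte */

	for (; in != end; in += 8) {		/* c = 2 rounds per 8-byte word */
		m = le64dec(in);
		v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
	}
	switch (len & 7) {			/* remaining tail bytes, little-endian */
	case 7: b |= (uint64_t)in[6] << 48; /* FALLTHROUGH */
	case 6: b |= (uint64_t)in[5] << 40; /* FALLTHROUGH */
	case 5: b |= (uint64_t)in[4] << 32; /* FALLTHROUGH */
	case 4: b |= (uint64_t)in[3] << 24; /* FALLTHROUGH */
	case 3: b |= (uint64_t)in[2] << 16; /* FALLTHROUGH */
	case 2: b |= (uint64_t)in[1] << 8;  /* FALLTHROUGH */
	case 1: b |= (uint64_t)in[0];
	}
	v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
	v2 ^= 0xff;				/* d = 4 finalization rounds */
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Bucket for an SA keyed on (destination address, SPI, protocol); the layout is this
 * example's own. nbuckets must be a power of two, as the tdb tables are. */
unsigned
tdb_bucket(const uint8_t key[16], const uint8_t *dst, size_t dstlen,
    uint32_t spi, uint8_t proto, unsigned nbuckets)
{
	uint8_t buf[16 + sizeof(uint32_t) + 1];	/* room for an IPv6 address */
	size_t n = 0;

	if (dstlen > 16)
		return 0;			/* caller error: not an IPv4/IPv6 address */
	memcpy(buf, dst, dstlen);
	n += dstlen;
	memcpy(buf + n, &spi, sizeof spi);	/* SPI bytes exactly as the caller holds them */
	n += sizeof spi;
	buf[n++] = proto;
	return (unsigned)(siphash24(key, buf, n) & (nbuckets - 1));
}

/* SipHash-2-4 reference vector: key 00..0f over the message 00..(len-1), len <= 64. */
uint64_t
siphash24_refvector(size_t len)
{
	uint8_t key[16], msg[64];
	size_t i;

	for (i = 0; i < sizeof key; i++)
		key[i] = (uint8_t)i;
	for (i = 0; i < sizeof msg; i++)
		msg[i] = (uint8_t)i;
	return siphash24(key, msg, len > sizeof msg ? sizeof msg : len);
}

int
main(void)
{
	uint8_t key[16] = { 1 };			/* constructed; a kernel uses arc4random_buf() */
	uint8_t dst[4] = { 10, 0, 0, 1 };		/* constructed destination 10.0.0.1 */

	printf("siphash24(15-byte vector) = %016llx\n", (unsigned long long)siphash24_refvector(15));
	printf("bucket(10.0.0.1, spi 0x1000, ESP) = %u of 1024\n", tdb_bucket(key, dst, 4, 0x1000, 50, 1024));
	return 0;
}
```

The 15-byte reference vector is the one given in the SipHash paper (key 00..0f, message 00..0e, output a129ca6149be45e5); the test below also checks the empty-message vector so the tail handling is exercised on both edges.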


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@
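
The reason arc4random_uniform() exists, as an added example that is not OpenBSD's libc or kernel code: `r % n` over a 32-bit r favours the low residues whenever n does not divide 2^32, and rejection sampling removes that by discarding the first 2^32 mod n values, which is exactly zero values for a power-of-two n. The randomness source is a scripted sequence, constructed so that the rejected and accepted paths can be followed by hand; `draw_demo()`, `draw_demo_biased()` and `excess_residues()` are example names.

```c
/* Added example, not OpenBSD code: why arc4random_uniform() rejects some draws.
 * The 32-bit source is scripted so the rejection path can be followed by hand. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t (*rand32_fn)(void *ctx);

/* Number of residues in [0, n) that r % n maps one extra 32-bit value onto: 2^32 mod n.
 * Zero exactly when n is a power of two, which is why those requests needed no change. */
uint32_t
excess_residues(uint32_t upper_bound)
{
	return (uint32_t)(0x100000000ULL % upper_bound);
}

/* Biased: plain modulo over the whole 32-bit range. */
uint32_t
uniform_biased(rand32_fn next, void *ctx, uint32_t upper_bound)
{
	return next(ctx) % upper_bound;
}

/* Unbiased: discard r < 2^32 mod n so every residue has exactly floor(2^32 / n)
 * pre-images. In uint32_t arithmetic -upper_bound is 2^32 - n, hence
 * -upper_bound % upper_bound == 2^32 % upper_bound without 64-bit math. */
uint32_t
uniform_unbiased(rand32_fn next, void *ctx, uint32_t upper_bound, unsigned *rejected)
{
	uint32_t r, min;

	if (upper_bound < 2)
		return 0;
	min = -upper_bound % upper_bound;
	for (;;) {
		r = next(ctx);
		if (r >= min)
			break;
		if (rejected != NULL)
			(*rejected)++;
	}
	return r % upper_bound;
}

/* Scripted source: replays a fixed sequence in place of arc4random(). */
struct scripted {
	const uint32_t *seq;
	size_t n, pos;
};

static uint32_t
scripted_next(void *ctx)
{
	struct scripted *s = ctx;

	return s->seq[s->pos++ % s->n];
}

/* Constructed draws: 0 (below 2^32 mod 3 == 1, so rejected for n = 3), then 1, then 2^32 - 1. */
static const uint32_t demo_seq[] = { 0, 1, 0xffffffffu };
unsigned demo_rejections;	/* rejections during the last draw_demo() */

uint32_t
draw_demo(uint32_t upper_bound, size_t start)
{
	struct scripted s = { demo_seq, sizeof demo_seq / sizeof demo_seq[0], start };

	demo_rejections = 0;
	return uniform_unbiased(scripted_next, &s, upper_bound, &demo_rejections);
}

uint32_t
draw_demo_biased(uint32_t upper_bound, size_t start)
{
	struct scripted s = { demo_seq, sizeof demo_seq / sizeof demo_seq[0], start };

	return uniform_biased(scripted_next, &s, upper_bound);
}

int
main(void)
{
	uint32_t r;

	printf("2^32 mod 3 = %u residue over-represented by r %% 3\n", excess_residues(3));
	r = draw_demo(3, 0);
	printf("unbiased draw for n = 3: %u after %u rejection(s)\n", r, demo_rejections);
	printf("biased draw for n = 3 from the same source: %u\n", draw_demo_biased(3, 0));
	return 0;
}
```

The expected number of rejections per call is below one for any n, so the loop is cheap; the bias it removes is small for small n but becomes material when n approaches 2^31.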


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times.
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print SPIs in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.271 28-Jun-2022 bluhm

Use btrace(8) to debug reference counting. dt(4) provides a static
tracepoint for each type of refcnt we have. As a start, add inpcb
and tdb refcnt. When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

branches: 1.269.2;
Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop the ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Reduce the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

When we check if a hash chain is over 15 long, we would access one past
the end of the array. Change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.270 30-Apr-2022 mvs

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing
the `id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@


Revision tags: OPENBSD_7_1_BASE
# 1.269 10-Mar-2022 bluhm

Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@

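The keyed hash this commit puts into the SA table, worked through as an added example that is not OpenBSD's code: a from-scratch SipHash-2-4 (checked against the algorithm's published test vector) plus a hypothetical sa_bucket() that indexes an SA by (SPI, destination address, protocol) under a per-boot random key. The security point of keying the table hash is that a peer who controls SPIs or addresses cannot precompute collisions and pile every SA into one chain, which a fixed unkeyed hash permits. The input encoding, the function names and the os.urandom key source are assumptions for illustration, not the kernel's tdb_hash().

```python
"""SipHash-2-4 keyed hash and a keyed SA hash-table index.

Added example, not OpenBSD code: the kernel keys SipHash24 with a random
per-boot key; the exact input layout hashed here is an assumption."""
import os

MASK64 = (1 << 64) - 1


def _rotl64(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound (Aumasson/Bernstein) on four 64-bit state words."""
    v0 = (v0 + v1) & MASK64
    v1 = _rotl64(v1, 13)
    v1 ^= v0
    v0 = _rotl64(v0, 32)
    v2 = (v2 + v3) & MASK64
    v3 = _rotl64(v3, 16)
    v3 ^= v2
    v0 = (v0 + v3) & MASK64
    v3 = _rotl64(v3, 21)
    v3 ^= v0
    v2 = (v2 + v1) & MASK64
    v1 = _rotl64(v1, 17)
    v1 ^= v2
    v2 = _rotl64(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, msg):
    """64-bit SipHash-2-4 of msg under a 16-byte key (c=2 compression, d=4 final rounds)."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575  # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D  # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261  # "lygenera"
    v3 = k1 ^ 0x7465646279746573  # "tedbytes"
    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: the leftover bytes, with the message length (mod 256) in the top byte.
    last = ((n & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def new_table_key():
    """Per-boot secret key; the kernel uses arc4random, this example os.urandom (assumption)."""
    return os.urandom(16)


def sa_bucket(table_key, spi, dst, proto, nbuckets):
    """Bucket index for an SA identified by (SPI, destination address bytes, protocol).

    Because the hash is keyed, a peer who chooses SPIs or addresses cannot
    precompute collisions and degrade the table to one long chain. The
    input encoding spi||dst||proto is an assumption for this example."""
    if nbuckets <= 0 or nbuckets & (nbuckets - 1):
        raise ValueError("nbuckets must be a power of two")
    data = spi.to_bytes(4, "big") + bytes(dst) + bytes([proto])
    return siphash24(table_key, data) & (nbuckets - 1)


def chain_lengths(table_key, sas, nbuckets):
    """Place (spi, dst, proto) tuples and return the per-bucket chain lengths."""
    lens = [0] * nbuckets
    for spi, dst, proto in sas:
        lens[sa_bucket(table_key, spi, dst, proto, nbuckets)] += 1
    return lens


if __name__ == "__main__":
    # Published SipHash-2-4 test vector: key 00..0f, message 00..0e.
    print(hex(siphash24(bytes(range(16)), bytes(range(15)))))  # 0xa129ca6149be45e5
    # Constructed input: 200 sequential SPIs to one ESP peer (proto 50).
    sas = [(spi, bytes([10, 0, 0, 1]), 50) for spi in range(0x1000, 0x1000 + 200)]
    print(max(chain_lengths(new_table_key(), sas, 64)))
```

Sequential SPIs to the same peer are exactly the input a weak multiplicative hash spreads poorly; with a secret key the placement is unpredictable to the peer, so the longest chain stays close to the average regardless of how the SPIs were chosen.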

# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

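The two points of this commit (a 128-byte HMAC block for SHA-384/512, and an ICV truncated to nnn/2 bits per RFC 4868 rather than the 96 bits of draft-00) worked through in Python as an added example, not kernel code. The key and data are RFC 4231's test case 1 (key of twenty 0x0b bytes, data "Hi There"); the function names and the "old peer still sending 96-bit ICVs" scenario are constructed for illustration.

```python
"""RFC 4868 HMAC-SHA2 ICV for IPsec: block sizes and nnn/2-bit truncation.

Added example, not OpenBSD code."""
import hashlib
import hmac

# RFC 4868: HMAC-SHA-256 pads on a 64-byte block, HMAC-SHA-384 and -512 on a
# 128-byte block. Using 64 for SHA-512 produces a different (wrong) MAC.
SHA2_BLOCK_BYTES = {"sha256": 64, "sha384": 128, "sha512": 128}


def hmac_block_size(algo):
    """Block size the HMAC inner/outer padding must use for this hash."""
    return hashlib.new(algo).block_size


def icv_len_bits_rfc4868(algo):
    """RFC 4868 truncates HMAC-SHA-nnn to nnn/2 bits: 128, 192 or 256."""
    return hashlib.new(algo).digest_size * 8 // 2


def ipsec_icv(algo, key, data, trunc_bits=None):
    """Compute the ICV: full HMAC, then keep the leftmost trunc_bits.

    Default is the RFC 4868 length; pass trunc_bits=96 to reproduce the
    pre-fix behaviour inherited from draft-ietf-ipsec-ciph-sha-256-00."""
    if trunc_bits is None:
        trunc_bits = icv_len_bits_rfc4868(algo)
    if trunc_bits % 8 or trunc_bits > hashlib.new(algo).digest_size * 8:
        raise ValueError("truncation must be a whole number of bytes within the digest")
    full = hmac.new(key, data, algo).digest()
    return full[: trunc_bits // 8]


def icv_matches(algo, key, data, received_icv):
    """Receiver side: recompute at the RFC 4868 length and compare in constant time.

    A 96-bit ICV from a peer that still has the old truncation is a length
    mismatch, so the packet is rejected; this is the interoperability break
    the commit warns about."""
    expected = ipsec_icv(algo, key, data)
    return hmac.compare_digest(expected, received_icv)


if __name__ == "__main__":
    key, data = b"\x0b" * 20, b"Hi There"  # RFC 4231 test case 1
    for algo in SHA2_BLOCK_BYTES:
        print(algo, "block", hmac_block_size(algo), "icv bits", icv_len_bits_rfc4868(algo))
    new_icv = ipsec_icv("sha256", key, data)
    old_icv = ipsec_icv("sha256", key, data, 96)
    print(new_icv.hex(), old_icv.hex())
    print("old peer accepted:", icv_matches("sha256", key, data, old_icv))
```

The 96-bit value is a prefix of the 128-bit one, so the two sides are computing the same HMAC and only disagree on how much of it travels in the packet; that is why a fixed and an unfixed OpenBSD cannot talk over HMAC-SHA-256 until both run the same truncation.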

# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times.
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.269 10-Mar-2022 bluhm

Use atomic load and store functions to access refcnt and wait
variables. Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@
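
The split-read problem and the lockless retry loop this commit describes, as an added Python simulation (not OpenBSD code; the class and function names are chosen for this page): the 64-bit value is kept as two 32-bit words, and a stand-in writer is forced to run between the two loads. The plain two-load read returns a torn value that was never stored, while the generation-counter loop notices the interleaving and retries. Python is used because the point is the protocol between reader and writer, not the machine instructions.

```python
MASK32 = 0xFFFFFFFF


class Timehands:
    """A 64-bit time value stored as two 32-bit words, as a 32-bit CPU
    without atomic 64-bit loads sees it, plus a generation counter the
    writer bumps before and after each update (odd = update in progress)."""

    def __init__(self, value):
        self.gen = 0
        self.hi = value >> 32
        self.lo = value & MASK32

    def write(self, value):
        self.gen += 1           # odd: readers that observe this must retry
        self.hi = value >> 32
        self.lo = value & MASK32
        self.gen += 1           # even again: the new value is published


def naive_read(th, writer_fires=None):
    """time_second(9)-style read: two plain loads with nothing tying them
    together. `writer_fires` stands in for a writer that runs between them."""
    hi = th.hi
    if writer_fires is not None:
        writer_fires()
    lo = th.lo
    return (hi << 32) | lo


def seq_read(th, writer_fires=None, max_spins=1000):
    """gettime(9)-style lockless loop: snapshot the generation, load both
    halves, and accept the pair only if the generation is unchanged and
    even. Returns (value, retries) so the caller can see the retry happen."""
    retries = 0
    for _ in range(max_spins):
        g = th.gen
        if g & 1:               # writer in the middle of an update
            retries += 1
            continue
        hi = th.hi
        if writer_fires is not None:
            fire, writer_fires = writer_fires, None   # interleave exactly once
            fire()
        lo = th.lo
        if th.gen == g:
            return (hi << 32) | lo, retries
        retries += 1            # torn snapshot detected, go round again
    raise RuntimeError("writer never quiesced")


if __name__ == "__main__":
    # Constructed scenario: the counter rolls over from 0x00000000FFFFFFFF
    # to 0x0000000100000000 while a reader is between its two loads.
    th = Timehands(0x00000000FFFFFFFF)
    print("naive read:", hex(naive_read(th, lambda: th.write(0x0000000100000000))))
    th = Timehands(0x00000000FFFFFFFF)
    value, retries = seq_read(th, lambda: th.write(0x0000000100000000))
    print("seq read:", hex(value), "after", retries, "retry")
```

The naive read yields 0 here: the high word was read before the carry and the low word after it, a value that never existed. The retry loop costs one extra pass in this case, which is the "several times slower" on 32-bit platforms the commit accepts in exchange for never returning such a value.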


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
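
An added Python example of what this commit switches the SA hash table to (not the kernel's tdb_hash; written for this page): a complete SipHash-2-4 over a 128-bit key, checked against the published test vectors, and a bucket-selection function on top of it. The input layout it hashes (SPI followed by the destination address) and the name `tdb_bucket` are assumptions made here, not the kernel's; the point is that with a secret per-boot key an attacker cannot precompute SPIs and addresses that land in one chain, which is what a keyless hash invites.

```python
import os

MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound (ARX mixing step) on the four 64-bit state words."""
    v0 = (v0 + v1) & MASK64
    v1 = _rotl(v1, 13) ^ v0
    v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64
    v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64
    v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64
    v1 = _rotl(v1, 17) ^ v2
    v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, msg):
    """SipHash-2-4 (Aumasson/Bernstein): 2 compression rounds per 8-byte
    word, 4 finalization rounds, 64-bit output. Key must be 16 bytes."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575      # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D      # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261      # "lygenera"
    v3 = k1 ^ 0x7465646279746573      # "tedbytes"
    n = len(msg)
    end = n - (n % 8)
    for i in range(0, end, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
        v0 ^= m
    # Final block: the leftover bytes, with the message length in the top byte.
    b = ((n & 0xFF) << 56) | int.from_bytes(msg[end:], "little")
    v3 ^= b
    v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
    v0 ^= b
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def tdb_bucket(key, spi, dst, nbuckets):
    """Bucket for an SA. Input layout (SPI || destination bytes) is an
    assumption for this example; only the keyed-hash property matters."""
    return siphash24(key, spi.to_bytes(4, "big") + dst) % nbuckets


if __name__ == "__main__":
    # Published SipHash-2-4 test vector: key 00..0f, empty message.
    assert siphash24(bytes(range(16)), b"") == 0x726FDB47DD0E0E31
    # Constructed SAs; the key would normally come from arc4random at boot.
    key = os.urandom(16)
    sas = [(0x1000 + i, bytes([10, 0, 0, i])) for i in range(8)]
    for spi, dst in sas:
        print(hex(spi), dst.hex(), "->", tdb_bucket(key, spi, dst, 64))
```

The two keys in the test below give different bucket layouts for the same SAs, which is exactly the property that defeats precomputed collision sets: an attacker who knows the hash function but not the key cannot choose SPIs that degrade one chain.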


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
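
The two HMAC-SHA2 bugs this commit fixes, reproduced in an added Python example (not OpenBSD kernel code; written for this page). A textbook HMAC with the block size passed in explicitly shows why padding the key to 64 bytes instead of 128 for SHA-384/512 yields a different MAC than a correct peer computes, and the ICV truncation is done both the RFC 4868 way (half the hash output: 128, 192 or 256 bits) and the old 96-bit way, so the interoperability break the WARNING describes is visible as a failed verification. The key and payload are constructed; `HASH_PARAMS`, `ipsec_icv` and `verify_icv` are names chosen here, not kernel identifiers.

```python
import hashlib
import hmac

# Hash parameters in bytes: (message block size, output size).
# SHA-384/512 operate on 128-byte blocks, SHA-256 on 64-byte blocks.
# HMAC (RFC 2104) pads and XORs the key to the *block* size, so using
# the wrong block size changes every MAC the implementation produces.
HASH_PARAMS = {
    "sha256": (64, 32),
    "sha384": (128, 48),
    "sha512": (128, 64),
}


def hmac_manual(alg, key, msg, block_size):
    """Textbook HMAC with an explicit block size so bug (1), a 64-byte
    block for SHA-384/512, can be reproduced on purpose."""
    h = getattr(hashlib, alg)
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def stdlib_hmac(alg, key, msg):
    """Reference value from the standard library, which uses the correct block size."""
    return hmac.new(key, msg, alg).digest()


def block_size_of(alg):
    return hashlib.new(alg).block_size


def ipsec_icv(alg, key, msg, trunc_bits=None):
    """ICV as RFC 4868 specifies it: HMAC output truncated to half its
    length. trunc_bits=96 reproduces the draft-00 behaviour (bug 2)."""
    block_size, out_len = HASH_PARAMS[alg]
    if trunc_bits is None:
        trunc_bits = out_len * 8 // 2
    full = hmac_manual(alg, key, msg, block_size)
    return full[: trunc_bits // 8]


def verify_icv(alg, key, msg, icv):
    """Receiver-side check with a constant-time compare. A 12-byte ICV from
    a 96-bit peer fails against the 16-byte RFC 4868 value for HMAC-SHA-256."""
    return hmac.compare_digest(ipsec_icv(alg, key, msg), icv)


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed SA key
    payload = b"constructed ESP payload"   # constructed packet data
    for alg in HASH_PARAMS:
        print(alg, "block", block_size_of(alg),
              "ICV bits", len(ipsec_icv(alg, key, payload)) * 8)
    wrong = hmac_manual("sha512", key, payload, 64)
    print("sha512 with 64-byte block matches a correct peer:",
          wrong == stdlib_hmac("sha512", key, payload))
    old = ipsec_icv("sha256", key, payload, trunc_bits=96)
    print("96-bit ICV accepted by an RFC 4868 receiver:",
          verify_icv("sha256", key, payload, old))
```

Both bugs fail closed on the wire rather than silently: an SA between a fixed and an unfixed peer drops every packet at the integrity check, which is why the commit warns about compatibility with older OpenBSD and other implementations sharing the bug.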


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.268 04-Jan-2022 yasuoka

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to
userland the TDBs which exceeded the hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop the ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
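
Added example, not OpenBSD's tdb_hash: a Python SipHash-2-4 and a bucket function keyed the way this commit describes, to show why a keyed hash matters for an SA table indexed by values a remote peer chooses (SPI, destination, protocol). The same concern, SPIs driving the table into a degenerate state, is what the 1.51 entry above was about. Assumptions: `unkeyed_bucket` is a constructed stand-in for any attacker-predictable hash and is not the pre-2015 OpenBSD code; the 16-byte key, which the kernel would take from arc4random, is fixed here for reproducibility; the destination and SPIs are constructed inputs. The SipHash core is checked against the published reference vectors for key 00..0f.

```python
MASK64 = (1 << 64) - 1


def _rotl64(x: int, n: int) -> int:
    return ((x << n) | (x >> (64 - n))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound (ARX mixing step) on the four 64-bit state words."""
    v0 = (v0 + v1) & MASK64
    v1 = _rotl64(v1, 13) ^ v0
    v0 = _rotl64(v0, 32)
    v2 = (v2 + v3) & MASK64
    v3 = _rotl64(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64
    v3 = _rotl64(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64
    v1 = _rotl64(v1, 17) ^ v2
    v2 = _rotl64(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 with a 64-bit output (2 compression rounds, 4 finalization rounds)."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575   # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D   # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261   # "lygenera"
    v3 = k1 ^ 0x7465646279746573   # "tedbytes"
    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: up to 7 tail bytes with the message length in the top byte.
    b = ((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= b
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= b
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def tdb_bucket(key: bytes, spi: int, dst: bytes, proto: int, nbuckets: int) -> int:
    """Keyed bucket index over the SA lookup tuple; nbuckets must be a power of two."""
    data = spi.to_bytes(4, "big") + dst + bytes([proto])
    return siphash24(key, data) & (nbuckets - 1)


def unkeyed_bucket(spi: int, dst: bytes, proto: int, nbuckets: int) -> int:
    """Constructed attacker-predictable hash (hypothetical, not OpenBSD's old one)."""
    return (spi ^ int.from_bytes(dst[:4], "big") ^ proto) & (nbuckets - 1)


def longest_chain(buckets: list) -> int:
    """Length of the fullest hash chain, i.e. the worst-case lookup cost."""
    counts = {}
    for b in buckets:
        counts[b] = counts.get(b, 0) + 1
    return max(counts.values()) if counts else 0


def flood_comparison(key: bytes, nbuckets: int = 64, n: int = 256):
    """Peer-chosen SPIs whose low bits are identical all land in one chain under the
    unkeyed hash; under SipHash the peer cannot steer them without the key."""
    dst, proto = bytes([192, 0, 2, 1]), 50          # constructed: ESP to 192.0.2.1
    spis = [i << 16 for i in range(1, n + 1)]       # low 16 bits all zero on purpose
    weak = longest_chain([unkeyed_bucket(s, dst, proto, nbuckets) for s in spis])
    keyed = longest_chain([tdb_bucket(key, s, dst, proto, nbuckets) for s in spis])
    return weak, keyed


if __name__ == "__main__":
    key = bytes(range(16))   # fixed for reproducibility; the kernel would use arc4random
    print(hex(siphash24(key, b"")))
    print("longest chain, unkeyed vs SipHash:", flood_comparison(key))
```

With the unkeyed hash all 256 crafted SPIs share one chain, so every lookup walks the full list; with SipHash under a secret key the same SPIs spread across the table, and a peer who can pick SPIs gains nothing from choosing them.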


# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
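
Added example, not OpenBSD code: a Python model of the two defects this commit fixes, so a practitioner can see concretely why the fixed kernel no longer interoperates with the old one. It assumes the ICV is the leftmost bits of the HMAC output (as RFC 2404 and RFC 4868 specify) and uses the RFC 4231 test case 1 key and data as input; the function names and the 100-byte key are my own.

```python
import hashlib
import hmac

# Message block size in bytes per hash, as FIPS 180 / RFC 4868 define it:
# SHA-384 and SHA-512 work on 128-byte blocks, not 64.
BLOCK_SIZE = {"sha256": 64, "sha384": 128, "sha512": 128}
# ICV length in bits per RFC 4868: half of the digest length.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
LEGACY_ICV_BITS = 96   # what draft-ietf-ipsec-ciph-sha-256-00 used


def hmac_with_block(hash_name: str, block_size: int, key: bytes, msg: bytes) -> bytes:
    """Textbook HMAC (RFC 2104) with an explicit block size, so the
    wrong-block-size bug can be reproduced on purpose."""
    digest = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > block_size:      # only keys longer than one block are hashed
        key = digest(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + msg))


def reference_hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """Standard-library HMAC, used as the conforming peer."""
    return hmac.new(key, msg, hash_name).digest()


def ah_icv(hash_name: str, key: bytes, msg: bytes, icv_bits: int) -> bytes:
    """ICV as an AH/ESP sender emits it: full HMAC, then the leftmost icv_bits."""
    full = hmac_with_block(hash_name, BLOCK_SIZE[hash_name], key, msg)
    return full[: icv_bits // 8]


def verify_icv(hash_name: str, key: bytes, msg: bytes, received: bytes, icv_bits: int) -> bool:
    """Receiver side: reject on length first, then compare in constant time."""
    expected = ah_icv(hash_name, key, msg, icv_bits)
    return len(received) == len(expected) and hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed inputs: RFC 4231 test case 1 key and data.
    key = b"\x0b" * 20
    msg = b"Hi There"
    new_icv = ah_icv("sha256", key, msg, RFC4868_ICV_BITS["sha256"])
    old_icv = ah_icv("sha256", key, msg, LEGACY_ICV_BITS)
    print("RFC 4868 128-bit ICV:", new_icv.hex())
    print("legacy 96-bit ICV:   ", old_icv.hex())
    # Bug (2): a legacy sender's ICV fails on a fixed receiver before any byte is compared.
    print("legacy ICV accepted by fixed receiver:", verify_icv("sha256", key, msg, old_icv, 128))
    # Bug (1): HMAC-SHA-512 computed with a 64-byte block never matches a conforming peer.
    k100 = bytes(range(100))
    print("128-byte block matches peer:", hmac_with_block("sha512", 128, k100, msg) == reference_hmac("sha512", k100, msg))
    print("64-byte block matches peer: ", hmac_with_block("sha512", 64, k100, msg) == reference_hmac("sha512", k100, msg))
```

The length check in `verify_icv` is what makes the break visible: a 12-byte ICV from an old peer is rejected outright rather than compared as a prefix. The 64-byte block defect is not limited to long keys, since the inner pad length changes the hashed input for every key.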


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.267 20-Dec-2021 mvs

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistent for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
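An added illustration of the two bugs this commit message describes (example code, not OpenBSD's; the key and payload bytes are constructed): a textbook HMAC with an explicit block size shows that a 64-byte block for SHA-512 yields a tag different from the correct 128-byte one, and that a 96-bit ICV is merely a prefix of the RFC 4868 128-bit ICV, so a peer on either side of the change rejects the other's packets.

```python
"""HMAC-SHA2 block size and ICV truncation, as described in the commit."""
import hashlib
import hmac

# Correct HMAC block sizes (RFC 4634 / RFC 4868): 64 bytes for SHA-256,
# 128 bytes for SHA-384 and SHA-512. Using 64 for SHA-512 was bug (1).
HMAC_BLOCK_SIZE = {"sha256": 64, "sha384": 128, "sha512": 128}

# RFC 4868 truncates HMAC-SHA-{256,384,512} to half the digest length.
# The older draft-00 behaviour was a 96-bit truncation regardless of hash.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
LEGACY_ICV_BITS = 96


def hmac_with_block_size(key: bytes, msg: bytes, algo: str, block_size: int) -> bytes:
    """Textbook HMAC (RFC 2104) with an explicit block size, so the effect
    of a wrong block size can be observed directly."""
    h = getattr(hashlib, algo)
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).digest()


def esp_icv(key: bytes, msg: bytes, algo: str, icv_bits: int) -> bytes:
    """ESP/AH integrity check value: HMAC with the correct block size,
    truncated to its leftmost icv_bits bits."""
    full = hmac_with_block_size(key, msg, algo, HMAC_BLOCK_SIZE[algo])
    return full[: icv_bits // 8]


def block_size_bug_demo(key: bytes, msg: bytes) -> dict:
    """Bug (1): HMAC-SHA512 computed with a 64-byte block disagrees with
    the reference result (Python's hmac module is the reference here)."""
    reference = hmac.new(key, msg, hashlib.sha512).digest()
    correct = hmac_with_block_size(key, msg, "sha512", 128)
    wrong = hmac_with_block_size(key, msg, "sha512", 64)
    return {
        "correct_matches_reference": correct == reference,
        "wrong_matches_reference": wrong == reference,
    }


def truncation_bug_demo(key: bytes, msg: bytes, algo: str = "sha256") -> dict:
    """Bug (2): a peer still emitting 96-bit ICVs sends a prefix of the
    RFC 4868 ICV, so the mismatch is one of length only; a receiver
    expecting 128 bits rejects the packet, and vice versa."""
    legacy = esp_icv(key, msg, algo, LEGACY_ICV_BITS)
    rfc = esp_icv(key, msg, algo, RFC4868_ICV_BITS[algo])
    return {
        "legacy_len": len(legacy),
        "rfc4868_len": len(rfc),
        "legacy_is_prefix": rfc.startswith(legacy),
        # compare_digest returns False for inputs of different length
        "interoperable": hmac.compare_digest(legacy, rfc),
    }


if __name__ == "__main__":
    # Constructed sample key and packet bytes, not real SA material.
    k = bytes(range(1, 33))
    m = b"constructed ESP payload for demonstration"
    print(block_size_bug_demo(k, m))
    print(truncation_bug_demo(k, m))
```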


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are freed/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.266 19-Dec-2021 bluhm

There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo in the error path pointed out by bluhm@.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
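The two points of this commit message, the 128-byte message block of HMAC-SHA-384/512 and the RFC 4868 truncation to half the hash length, as an added illustration in Python. This is not OpenBSD code; the function names, the HMAC_SHA2 table and the sample key/message (the RFC 4231 test case 1 inputs, reused here as constructed input) are this example's own. hmac_manual() takes the block size explicitly so that the effect of using 64 bytes for SHA-512 can be observed against hashlib's reference HMAC, and verify_icv() shows why a peer still using the old 96-bit ICV cannot verify the new one.

```python
import hashlib
import hmac

# Block size (bytes) and RFC 4868 truncated ICV length (bytes) per algorithm.
# SHA-384 and SHA-512 hash 128-byte blocks; SHA-256 hashes 64-byte blocks.
HMAC_SHA2 = {
    "sha256": (64, 16),   # ICV 128 bits
    "sha384": (128, 24),  # ICV 192 bits
    "sha512": (128, 32),  # ICV 256 bits
}
LEGACY_ICV_LEN = 12       # the 96-bit truncation the older code used


def hmac_manual(key, msg, hash_name, block_size):
    """RFC 2104 HMAC with an explicit block size, so that a wrong block size
    (64 instead of 128 for SHA-384/512) can be reproduced on purpose."""
    h = getattr(hashlib, hash_name)
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).digest()


def matches_reference(key, msg, hash_name, block_size):
    """True when hmac_manual() with this block size agrees with hashlib's HMAC."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac_manual(key, msg, hash_name, block_size) == expected


def ipsec_icv(key, msg, hash_name, legacy=False):
    """Truncated AH/ESP integrity check value; legacy=True reproduces the
    old 96-bit truncation for comparison."""
    block_size, icv_len = HMAC_SHA2[hash_name]
    tag = hmac_manual(key, msg, hash_name, block_size)
    return tag[:LEGACY_ICV_LEN if legacy else icv_len]


def verify_icv(key, msg, hash_name, icv, legacy=False):
    """Constant-time comparison; an ICV of the wrong length also fails."""
    return hmac.compare_digest(ipsec_icv(key, msg, hash_name, legacy), icv)


# Constructed sample input (the RFC 4231 test case 1 key and data).
SAMPLE_KEY = b"\x0b" * 20
SAMPLE_MSG = b"Hi There"

if __name__ == "__main__":
    for name, (bs, _) in HMAC_SHA2.items():
        print(name, "correct block size", bs, "->",
              matches_reference(SAMPLE_KEY, SAMPLE_MSG, name, bs),
              "| 64-byte block ->",
              matches_reference(SAMPLE_KEY, SAMPLE_MSG, name, 64))
    new_icv = ipsec_icv(SAMPLE_KEY, SAMPLE_MSG, "sha256")
    print("peer with 96-bit ICV accepts the RFC 4868 ICV:",
          verify_icv(SAMPLE_KEY, SAMPLE_MSG, "sha256", new_icv, legacy=True))
```

Running it shows that only the 128-byte block reproduces hashlib's HMAC-SHA-384/512 while the 64-byte block silently produces a different tag, and that the 96-bit and half-length ICVs never verify against each other, which is the interoperability break the commit warns about.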


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.265 14-Dec-2021 bluhm

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistent for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded the hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.264 11-Dec-2021 bluhm

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
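The two points in this commit, the HMAC block size for SHA-384/512 and the RFC 4868 half-length ICV truncation, as an added Python example that is not part of the OpenBSD source or of this commit. The key and message are constructed sample values; hmac_manual() with an explicit block size is an illustration helper that exists only to show that padding the key to 64 bytes for SHA-512 yields a different (wrong) MAC than the standard-library reference, and the 96-bit "legacy" ICV is shown only for comparison with the RFC 4868 length.

```python
import hashlib
import hmac

# Constructed sample key and message (not taken from the page); any bytes work.
SAMPLE_KEY = b"constructed-32-byte-ipsec-key-00"
SAMPLE_MSG = b"ESP payload bytes, constructed for this example"

# RFC 4868 ICV lengths: half the hash output (SHA-256 -> 128 bits, etc.).
RFC4868_TRUNC_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
# Length used by draft-ietf-ipsec-ciph-sha-256-00 and by the pre-1.179 kernel.
LEGACY_TRUNC_BITS = 96


def block_size(alg):
    """Message block size of the hash; HMAC pads the key to this length."""
    return hashlib.new(alg).block_size  # 64 for SHA-256, 128 for SHA-384/512


def hmac_manual(alg, key, msg, blk):
    """HMAC per RFC 2104 with an explicit block size (helper for comparison only)."""
    if len(key) > blk:
        key = hashlib.new(alg, key).digest()
    key = key.ljust(blk, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(alg, ipad + msg).digest()
    return hashlib.new(alg, opad + inner).digest()


def stdlib_hmac(alg, key, msg):
    """Reference HMAC from the standard library (always uses the right block size)."""
    return hmac.new(key, msg, alg).digest()


def rfc4868_icv(alg, key, msg):
    """ICV truncated to half the hash length, as RFC 4868 requires."""
    return stdlib_hmac(alg, key, msg)[: RFC4868_TRUNC_BITS[alg] // 8]


def legacy_icv(alg, key, msg):
    """ICV truncated to 96 bits, the pre-fix behaviour; only peers sharing it interoperate."""
    return stdlib_hmac(alg, key, msg)[: LEGACY_TRUNC_BITS // 8]


def icv_matches(alg, key, msg, received_icv):
    """Constant-time check of a received ICV against the RFC 4868 value."""
    return hmac.compare_digest(rfc4868_icv(alg, key, msg), received_icv)


if __name__ == "__main__":
    for alg in ("sha256", "sha384", "sha512"):
        reference = stdlib_hmac(alg, SAMPLE_KEY, SAMPLE_MSG)
        right_block = hmac_manual(alg, SAMPLE_KEY, SAMPLE_MSG, block_size(alg))
        block64 = hmac_manual(alg, SAMPLE_KEY, SAMPLE_MSG, 64)
        print(alg, "block", block_size(alg),
              "manual==stdlib", right_block == reference,
              "64-byte-block-wrong", block64 != reference,
              "icv bits", len(rfc4868_icv(alg, SAMPLE_KEY, SAMPLE_MSG)) * 8)
```

For SHA-256 the 64-byte block is the correct one, so the "64-byte-block-wrong" column is False only there; for SHA-384 and SHA-512 it is True, which is bug (1) of the commit. The length mismatch between legacy_icv() and rfc4868_icv() is bug (2), and icv_matches() shows why a peer still emitting 96-bit ICVs fails verification after the fix.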


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistent for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent tdb_free() from being called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking the next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use a garbage collector for the destruction of 'ipsec_ids'
struct entities instead of using a per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids'
will be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert() clears
its triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure
and their handling requires some changes to support more advanced matching
of IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions that convert IPv4/6 addresses from
network to presentation format with inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Reduce the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.263 08-Dec-2021 bluhm

Start documenting the locking strategy of struct tdb fields. Note
that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext. Make the
braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@


# 1.262 07-Dec-2021 bluhm

In ipo_tdb the flow contains a reference counted TDB cache. This
may prevent that tdb_free() is called. It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy. Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times.
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifications (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.261 03-Dec-2021 tobhe

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.260 02-Dec-2021 bluhm

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as the .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed, as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

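The two HMAC-SHA2 points in this message (the 128-byte block size for SHA-384/512 and the RFC 4868 half-length ICV truncation) as an added Python example; this is not part of the OpenBSD commit or kernel code, and the key, payload and function names are constructed for illustration:

```python
import hashlib
import hmac

# RFC 4868 ICV lengths for HMAC-SHA2 in IPsec: the left-most half of the
# full HMAC output (128, 192 and 256 bits).
RFC4868_ICV_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}

# The 96-bit truncation from draft-ietf-ipsec-ciph-sha-256-00 that the
# kernel used before this commit.
LEGACY_ICV_LEN = 12


def hmac_block_size(alg):
    """Message block size of the underlying hash: 64 bytes for SHA-256,
    128 bytes for SHA-384 and SHA-512 (bug (1) in the commit message)."""
    return hashlib.new(alg).block_size


def hmac_manual(alg, key, data, block_size):
    """RFC 2104 HMAC with an explicit block size, so the effect of padding
    the key to the wrong block size can be observed directly."""
    if len(key) > block_size:
        key = hashlib.new(alg, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(alg, ipad + data).digest()
    return hashlib.new(alg, opad + inner).digest()


def hmac_reference(alg, key, data):
    """Full-length HMAC from the standard library, used as the oracle."""
    return hmac.new(key, data, alg).digest()


def icv(alg, key, data, icv_len):
    """Truncate the HMAC to its left-most icv_len bytes (RFC 2104 section 5)."""
    return hmac_reference(alg, key, data)[:icv_len]


def icv_rfc4868(alg, key, data):
    """ICV as specified by RFC 4868 (bug (2) in the commit message)."""
    return icv(alg, key, data, RFC4868_ICV_LEN[alg])


def icv_legacy(alg, key, data):
    """ICV as produced by the pre-1.179 kernel: always 96 bits."""
    return icv(alg, key, data, LEGACY_ICV_LEN)


def verify_icv(alg, key, data, received, icv_len):
    """Receiver-side check: the length must match the negotiated ICV size
    and the comparison is constant-time."""
    if len(received) != icv_len:
        return False
    return hmac.compare_digest(icv(alg, key, data, icv_len), received)


if __name__ == "__main__":
    # Constructed sample key and payload (not real traffic).
    key = bytes(range(64))
    payload = b"constructed ESP payload"
    print("sha512, 128-byte blocks, matches hashlib:",
          hmac_manual("sha512", key, payload, 128)
          == hmac_reference("sha512", key, payload))
    print("sha512, 64-byte blocks, matches hashlib:",
          hmac_manual("sha512", key, payload, 64)
          == hmac_reference("sha512", key, payload))
    old = icv_legacy("sha256", key, payload)
    print("legacy 96-bit ICV accepted by an RFC 4868 receiver:",
          verify_icv("sha256", key, payload, old, RFC4868_ICV_LEN["sha256"]))
```

A 64-byte key is a common HMAC-SHA-512 key size, so the block-size bug changes the MAC even without a key longer than the block, and the truncation mismatch is why the message warns about interoperability with older kernels.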

# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print SPIs in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.260 02-Dec-2021 bluhm

Allow building the kernel without IPSEC or INET6 defines.
OK mpi@ mvs@


# 1.259 01-Dec-2021 bluhm

Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
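The two HMAC-SHA2 bugs fixed in 1.179, as an added example in Python (not OpenBSD code): HMAC is implemented with the block size as an explicit parameter, and the ICV is truncated either the old way (96 bits) or per RFC 4868 (half the hash length), so the interoperability break the commit warns about can be seen on constructed key and payload values.

```python
"""Added example, not from the OpenBSD tree: HMAC block size and ICV
truncation as fixed by ip_ipsp.c revision 1.179.

Bug (1): HMAC-SHA-384/512 use a 128-byte message block, not 64 bytes.
Bug (2): RFC 4868 truncates HMAC-SHA-256/384/512 to half the digest
length (128/192/256 bits); the old code kept 96 bits for all of them.
KEY and MSG below are constructed test values, not vectors from the log.
"""
import hashlib
import hmac

# Message block sizes of the SHA-2 family (RFC 4634 / FIPS 180).
BLOCK_SIZE = {"sha256": 64, "sha384": 128, "sha512": 128}
# RFC 4868: the ICV is the leftmost half of the HMAC output, in bytes.
RFC4868_ICV_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}
# The pre-1.179 kernel truncated every SHA-2 HMAC to 96 bits.
LEGACY_ICV_LEN = 12


def hmac_manual(key: bytes, msg: bytes, hashname: str, block_size: int) -> bytes:
    """HMAC per RFC 2104 with the block size as a parameter, so that the
    effect of using 64 bytes for SHA-384/512 (bug 1) becomes visible."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hashname, data).digest()

    if len(key) > block_size:          # long keys are hashed first
        key = h(key)
    key = key.ljust(block_size, b"\x00")  # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def old_kernel_icv(key: bytes, msg: bytes, hashname: str) -> bytes:
    """ICV as the pre-1.179 code computed it: 64-byte blocks for every
    SHA-2 variant and a 96-bit truncation."""
    return hmac_manual(key, msg, hashname, 64)[:LEGACY_ICV_LEN]


def fixed_icv(key: bytes, msg: bytes, hashname: str) -> bytes:
    """ICV after the fix: correct block size, RFC 4868 half-length output."""
    mac = hmac_manual(key, msg, hashname, BLOCK_SIZE[hashname])
    return mac[:RFC4868_ICV_LEN[hashname]]


def icv_ok(key: bytes, msg: bytes, hashname: str, received: bytes) -> bool:
    """Receiver-side check with a constant-time compare; a peer still
    sending the old ICV fails here, which is the incompatibility the
    commit message warns about."""
    return hmac.compare_digest(fixed_icv(key, msg, hashname), received)


def interop_report(key: bytes, msg: bytes) -> dict:
    """For each algorithm: does the old ICV still verify, and is the old
    ICV at least a prefix of the fixed one (true only when the block size
    was already right, i.e. SHA-256)?"""
    report = {}
    for name in BLOCK_SIZE:
        old, new = old_kernel_icv(key, msg, name), fixed_icv(key, msg, name)
        report[name] = {
            "old_icv_verifies": icv_ok(key, msg, name, old),
            "old_is_prefix_of_new": new.startswith(old),
            "icv_len_old": len(old),
            "icv_len_new": len(new),
        }
    return report


# Constructed sample values (not real SA keys or traffic).
KEY = bytes(range(32))
MSG = b"ESP payload: constructed test packet body"

if __name__ == "__main__":
    for name, row in interop_report(KEY, MSG).items():
        print(name, row)
```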


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.258 29-Nov-2021 bluhm

The network stack currently uses IPL_SOFTNET. Consistently initialize
the TDB sadb mutex with that. The old IPL_NET was chosen by accident.
OK mpi@


# 1.257 29-Nov-2021 bluhm

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error. Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
mistype pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.256 26-Nov-2021 bluhm

Put a mutex assert locked into puttdb_locked().
OK tobhe@


# 1.255 26-Nov-2021 tobhe

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded the hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
mistype pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop the ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.254 25-Nov-2021 bluhm

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure
and their handling requires some changes to support more advanced matching
of IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.253 21-Nov-2021 mvs

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are freed/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifications (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.252 21-Nov-2021 bluhm

Fix whitespace and long lines.


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Reduce the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.251 18-Nov-2021 sthen

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it was never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop the ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Reduce the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >= 0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.250 16-Nov-2021 bluhm

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported about ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
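
As an added illustration of the two HMAC points in the commit above (not code from OpenBSD or this file): a hand-rolled HMAC with a configurable block size, which reproduces Python's hmac for SHA-512 only when keys are padded to 128-byte blocks, next to the RFC 4868 half-length ICV truncation and the older 96-bit one. The key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key and message (not from any real SA).
KEY = bytes(range(32))
MSG = b"ESP payload sample for ICV computation"

# RFC 4868: the ICV of HMAC-SHA-{256,384,512} is the first nnn/2 bits.
RFC4868_ICV_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}
# draft-ietf-ipsec-ciph-sha-256-00 used a 96-bit ICV, which 1.179 retired.
LEGACY_ICV_BYTES = 12


def hmac_block_size(alg):
    """Message block size HMAC pads the key to: 64 for SHA-256, 128 for SHA-384/512."""
    return hashlib.new(alg).block_size


def manual_hmac(alg, key, data, block_size):
    """RFC 2104 HMAC written out, with the block size as an explicit parameter
    so the effect of using the wrong one (64 instead of 128) is visible."""
    if len(key) > block_size:
        key = hashlib.new(alg, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(alg, ipad + data).digest()
    return hashlib.new(alg, opad + inner).digest()


def reference_hmac(alg, key, data):
    """Standard-library HMAC, used as the reference value."""
    return hmac.new(key, data, alg).digest()


def ipsec_icv(alg, key, data, legacy=False):
    """Truncate the full HMAC to the ICV length: nnn/2 bits per RFC 4868,
    or 96 bits for the pre-1.179 behaviour."""
    full = reference_hmac(alg, key, data)
    return full[:LEGACY_ICV_BYTES] if legacy else full[:RFC4868_ICV_BYTES[alg]]


def block_size_matters(alg, key, data):
    """True when padding the key to the wrong (64-byte) block changes the MAC."""
    good = manual_hmac(alg, key, data, hmac_block_size(alg))
    wrong = manual_hmac(alg, key, data, 64)
    return good == reference_hmac(alg, key, data) and good != wrong


if __name__ == "__main__":
    for alg in ("sha256", "sha384", "sha512"):
        print(alg, "block", hmac_block_size(alg),
              "icv bytes", len(ipsec_icv(alg, KEY, MSG)),
              "legacy", len(ipsec_icv(alg, KEY, MSG, legacy=True)))
    print("SHA-512 with 64-byte blocks differs:", block_size_matters("sha512", KEY, MSG))
```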


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.249 27-Oct-2021 bluhm

The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoid a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.248 25-Oct-2021 bluhm

Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@


# 1.247 25-Oct-2021 bluhm

Protect the tdb hashes with a mutex. Move initialization out of
the processing path. If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

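The split read in miniature, as an added example that is not the kernel's timehands code: a 64-bit time_t on a 32-bit CPU is two loads, and a writer updating the value between them produces a result that was never the time. The commit's fix is a lockless read loop that retries until the value it pulled is known to be stable; the block models that with a generation counter (the seqlock idea: odd while a writer is between its stores, even otherwise) rather than reproducing the timehands structure, and freezes a writer mid-update so the torn result and the retry decision are both observable. A single writer is assumed, and __sync_synchronize() stands in for the kernel's own memory barriers.

```c
#include <stdint.h>

/* A 64-bit value held as two 32-bit words, the way a 32-bit CPU without a
 * 64-bit atomic load keeps a time_t.  'gen' is the generation counter:
 * even while both words are stable, odd while a writer is between stores. */
struct split64 {
	volatile uint32_t gen;
	volatile uint32_t lo;
	volatile uint32_t hi;
};

/* Writer protocol: gen to odd, store lo, store hi, gen to even.  'steps'
 * (1..4) is how far it gets, so a test can freeze it between the stores. */
void
write64_steps(struct split64 *s, uint64_t v, int steps)
{
	if (steps > 0) {
		s->gen = s->gen + 1;		/* odd: update in progress */
		__sync_synchronize();		/* gen store before word stores */
	}
	if (steps > 1)
		s->lo = (uint32_t)v;
	if (steps > 2)
		s->hi = (uint32_t)(v >> 32);
	if (steps > 3) {
		__sync_synchronize();		/* word stores before gen store */
		s->gen = s->gen + 1;		/* even: stable again */
	}
}

/* The split read: two plain loads and no check, torn by a concurrent writer. */
uint64_t
naive_read64(const struct split64 *s)
{
	uint32_t lo = s->lo, hi = s->hi;	/* two loads, nothing ties them together */
	return ((uint64_t)hi << 32) | lo;
}

/* One attempt at a generation-stable snapshot; 0 means the caller retries. */
int
try_read64(const struct split64 *s, uint64_t *out)
{
	uint32_t g0 = s->gen, lo, hi;

	if (g0 & 1)
		return 0;			/* writer in progress */
	__sync_synchronize();			/* gen load before word loads */
	lo = s->lo;
	hi = s->hi;
	__sync_synchronize();			/* word loads before the recheck */
	if (s->gen != g0)
		return 0;			/* a writer ran meanwhile */
	*out = ((uint64_t)hi << 32) | lo;
	return 1;
}

/* The lockless read loop: spin until a snapshot survives the generation check. */
uint64_t
read64(const struct split64 *s)
{
	uint64_t v;
	while (!try_read64(s, &v))
		;
	return v;
}

/* Constructed scenario: the value rolls over from 0x00000000ffffffff. */
#define BEFORE	0x00000000ffffffffULL
#define AFTER	0x0000000100000000ULL
#define INIT(v)	{ 0, (uint32_t)(v), (uint32_t)((v) >> 32) }

/* Split read between the two stores: 0, which was never the value. */
uint64_t
scenario_naive_mid_update(void)
{
	struct split64 s = INIT(BEFORE);

	write64_steps(&s, AFTER, 2);	/* gen odd, lo new, hi still old */
	return naive_read64(&s);
}

/* The same state through the generation check: rejected, caller retries. */
int
scenario_checked_mid_update(void)
{
	struct split64 s = INIT(BEFORE);
	uint64_t v = 0;

	write64_steps(&s, AFTER, 2);
	return try_read64(&s, &v);
}

/* After the writer finishes, the loop returns the new value. */
uint64_t
scenario_complete_update(void)
{
	struct split64 s = INIT(BEFORE);

	write64_steps(&s, AFTER, 4);
	return read64(&s);
}
```

The rollover case is the one that hurts in practice: the torn value is not merely stale but smaller than both the old and new values, so a caller computing an elapsed time sees it go backwards. The retry loop is also where the commit's 32-bit cost comes from: two loads become two generation loads, two word loads and two barriers; on __LP64__ a single 64-bit load needs none of it.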

Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@

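What a keyed hash buys the SA table, as an added example that is not the kernel's tdb_hash() (the lookup tuple, the per-boot secret and the bucket count are assumptions): the hash input is whatever the peer puts on the wire, so with an unkeyed hash a peer that proposes many SPIs can pack them into one bucket and turn every lookup into a long list walk, the resource exhaustion the 1.51 and 1.50 entries above guard against. SipHash-2-4 under a secret the peer cannot read removes that control over bucket placement. The block implements SipHash-2-4 from the reference description, checks it against the published test vector (key 00..0f, message 00..0e), hashes a constructed SA tuple of destination, SPI and protocol, and shows that changing the secret moves the same SA elsewhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

/* One SipRound over the four state words v0..v3. */
#define SIPROUND do {							\
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);	\
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;			\
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;			\
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);	\
} while (0)

static uint64_t
u8to64_le(const uint8_t *p)
{
	uint64_t v = 0;
	int i;
	for (i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

/* SipHash-2-4: 128-bit key, 64-bit output, per the reference description. */
uint64_t
siphash24(const uint8_t key[16], const void *data, size_t len)
{
	const uint8_t *in = data;
	uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0;	/* "somepseu" */
	uint64_t v1 = 0x646f72616e646f6dULL ^ k1;	/* "dorandom" */
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0;	/* "lygenera" */
	uint64_t v3 = 0x7465646279746573ULL ^ k1;	/* "tedbytes" */
	uint64_t b = (uint64_t)len << 56;		/* length byte in last block */
	size_t i;
	int r;

	for (i = 0; i + 8 <= len; i += 8) {		/* 2 compression rounds per block */
		uint64_t m = u8to64_le(in + i);
		v3 ^= m;
		for (r = 0; r < 2; r++)
			SIPROUND;
		v0 ^= m;
	}
	for (; i < len; i++)				/* 0..7 tail bytes, little-endian */
		b |= (uint64_t)in[i] << (8 * (i & 7));
	v3 ^= b;
	for (r = 0; r < 2; r++)
		SIPROUND;
	v0 ^= b;
	v2 ^= 0xff;					/* 4 finalization rounds */
	for (r = 0; r < 4; r++)
		SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Published SipHash-2-4 vector: key 00..0f, message 00..0e -> 0xa129ca6149be45e5. */
uint64_t
siphash24_selftest(void)
{
	static const uint8_t key[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
	static const uint8_t msg[15] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 };

	return siphash24(key, msg, sizeof msg);
}

/* Assumed lookup tuple: the fields an SA is found by, all chosen by the peer. */
struct sa_tuple {
	uint8_t		dst[16];	/* IPv4 in the first 4 bytes, or IPv6 */
	uint32_t	spi;
	uint8_t		proto;
};

/* Keyed hash of the tuple; 'secret' is the per-boot key a peer cannot read. */
uint64_t
sa_hash(const uint8_t secret[16], const struct sa_tuple *t)
{
	uint8_t buf[16 + 4 + 1];

	memcpy(buf, t->dst, 16);
	memcpy(buf + 16, &t->spi, 4);
	buf[20] = t->proto;
	return siphash24(secret, buf, sizeof buf);
}

/* Table index: low bits of the keyed hash; 'nbuckets' is a power of two. */
uint32_t
sa_bucket(const uint8_t secret[16], const struct sa_tuple *t, uint32_t nbuckets)
{
	return (uint32_t)sa_hash(secret, t) & (nbuckets - 1);
}

/* Constructed SA (ESP, SPI 0x1000, to 192.0.2.1) under a 16-byte secret string. */
uint64_t
sa_hash_demo(const char *secret16)
{
	struct sa_tuple t = { { 192, 0, 2, 1 }, 0x1000, 50 };

	return sa_hash((const uint8_t *)secret16, &t);
}
```

The secret is what makes the difference: a peer can still choose SPIs, but without the key it cannot predict which bucket any of them lands in, so filling one bucket is no easier than filling them all. The 1.247 entry above keeps the old buckets when rehashing fails under memory pressure, which is the other half of not letting table growth itself become the exhaustion vector.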

# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.246 13-Oct-2021 bluhm

The function ipip_output() was registered as .xf_output() xform
function. But it is never called via this pointer. It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes use-after-free issue. Also fix debug message
mistype pointed by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff
so it seems we caught significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
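
Added illustration (not OpenBSD code): the security reason for a keyed
hash under an SA table is that the SPI and destination address are
attacker-chosen, so with a public hash function a remote party can make
every SA land in one chain and turn lookups into a linear scan. The block
below is a stand-alone SipHash-2-4 plus an assumed bucket function over
(dst, spi, proto); it is not the kernel's SipHash24_* API or its tdb_hash(),
and the key would in practice be generated at boot from a CSPRNG, which
the demo replaces with a fixed constructed key so the vectors are checkable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

#define SIPROUND(v0, v1, v2, v3) do {                                   \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);      \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                           \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                           \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);      \
} while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;

    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4: 128-bit key, arbitrary-length input, 64-bit output. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    size_t i;

    for (i = 0; i + 8 <= len; i += 8) {      /* whole 8-byte words */
        uint64_t m = load_le64(in + i);
        v3 ^= m;
        SIPROUND(v0, v1, v2, v3);
        SIPROUND(v0, v1, v2, v3);
        v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;        /* tail + length byte */
    for (size_t j = 0; i + j < len; j++)
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b;
    SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3);
    v0 ^= b;
    v2 ^= 0xff;                              /* finalization: 4 rounds */
    for (int r = 0; r < 4; r++)
        SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/*
 * Assumed bucket function for an SA table keyed by (dst, spi, proto).
 * Everything hashed here arrives from the network; only the secret key
 * keeps the bucket of a given SA unpredictable to the sender.
 */
unsigned tdb_bucket_demo(const uint8_t key[16], const uint8_t *dst,
    size_t dstlen, uint32_t spi, uint8_t proto, unsigned nbuckets)
{
    uint8_t buf[16 + 4 + 1];
    size_t n = 0;

    if (dstlen > 16)
        dstlen = 16;            /* 4 (IPv4) or 16 (IPv6) address bytes */
    for (size_t k = 0; k < dstlen; k++)
        buf[n++] = dst[k];
    buf[n++] = (uint8_t)(spi >> 24);   /* serialize the SPI big-endian */
    buf[n++] = (uint8_t)(spi >> 16);
    buf[n++] = (uint8_t)(spi >> 8);
    buf[n++] = (uint8_t)spi;
    buf[n++] = proto;
    return (unsigned)(siphash24(key, buf, n) % nbuckets);
}

/* Constructed key 00..0f and the published SipHash-2-4 reference vectors
 * for the empty message and for the 15-byte message 00..0e. Returns 1 if
 * the implementation matches both and the bucket function stays in range. */
int siphash24_selfcheck(void)
{
    uint8_t key[16], msg[15], dst[4] = { 192, 0, 2, 1 };

    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    if (siphash24(key, msg, 0) != 0x726fdb47dd0e0e31ULL) return 0;
    if (siphash24(key, msg, 15) != 0xa129ca6149be45e5ULL) return 0;
    unsigned b1 = tdb_bucket_demo(key, dst, 4, 0x1000u, 50, 128);
    unsigned b2 = tdb_bucket_demo(key, dst, 4, 0x1000u, 50, 128);
    return b1 == b2 && b1 < 128;
}

int main(void)
{
    printf("siphash24 self-check: %s\n", siphash24_selfcheck() ? "ok" : "FAIL");
    return 0;
}
```

With a per-boot random key the same (dst, spi, proto) maps to a different
bucket on every host and every reboot, so an attacker cannot precompute a
colliding SPI set; the statistical check mentioned in the commit message
is about confirming the buckets still spread evenly for real traffic.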


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.245 29-Sep-2021 bluhm

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@


Revision tags: OPENBSD_7_0_BASE
# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9), called by ipsp_ids_insert(),
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure,
and their handling requires some changes to support more advanced matching
of IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@

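An added illustration of why revision 1.205 moved tdb_hash to a keyed hash; this is example code written for this page, not OpenBSD's. It contains a pure-Python SipHash-2-4 (checked against the published test vectors) and a toy TDB table in which a peer that can choose its SPIs drives every SA into one chain of a hypothetical unkeyed hash, but cannot do so once the bucket is chosen by SipHash under a secret per-boot key. The table size, the unkeyed hash function, the SPI set and the destination address are all constructed for the example and are not what the kernel uses.

```python
import os

MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key, msg):
    """SipHash-2-4 (Aumasson/Bernstein) of msg under a 128-bit key."""
    if len(key) != 16:
        raise ValueError("SipHash needs a 16-byte key")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround():
        v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13); v[1] ^= v[0]; v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16); v[3] ^= v[2]
        v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21); v[3] ^= v[0]
        v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17); v[1] ^= v[2]; v[2] = _rotl(v[2], 32)

    n = len(msg)
    full = n - (n % 8)
    for i in range(0, full, 8):           # whole 8-byte words, little-endian
        m = int.from_bytes(msg[i:i + 8], "little")
        v[3] ^= m; sipround(); sipround(); v[0] ^= m
    last = (n & 0xFF) << 56               # length byte plus the tail bytes
    for i, b in enumerate(msg[full:]):
        last |= b << (8 * i)
    v[3] ^= last; sipround(); sipround(); v[0] ^= last
    v[2] ^= 0xFF                          # finalisation: 4 rounds
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]


NBUCKETS = 128   # hypothetical table size; a power of two so we can mask


def unkeyed_bucket(spi, dst):
    """Hypothetical unkeyed hash: anyone who knows the function can pick
    SPIs that collide. Not the hash OpenBSD used before revision 1.205."""
    return (spi ^ int.from_bytes(dst, "big")) & (NBUCKETS - 1)


def keyed_bucket(spi, dst, key):
    """SipHash-2-4 over (SPI, destination) under a secret per-boot key."""
    return siphash24(key, spi.to_bytes(4, "big") + dst) & (NBUCKETS - 1)


def longest_chain(spis, dst, key=None):
    """Return (unkeyed, keyed) longest bucket chain for the given SPI set.
    A fresh random key stands in for the key the kernel draws at boot."""
    key = key if key is not None else os.urandom(16)
    unkeyed = [0] * NBUCKETS
    keyed = [0] * NBUCKETS
    for spi in spis:
        unkeyed[unkeyed_bucket(spi, dst)] += 1
        keyed[keyed_bucket(spi, dst, key)] += 1
    return max(unkeyed), max(keyed)


# Constructed attacker input: 256 SPIs that share their low 7 bits, so every
# one lands in the same bucket of the unkeyed table (a 256-long chain).
ATTACKER_SPIS = [0x1000 + i * NBUCKETS for i in range(256)]
DST = bytes([192, 0, 2, 1])   # constructed destination address (TEST-NET-1)

if __name__ == "__main__":
    print("longest chain (unkeyed, keyed):", longest_chain(ATTACKER_SPIS, DST))
```

With the unkeyed function every one of the 256 SPIs lands in the same bucket, so each lookup walks the whole chain; with SipHash the same SPIs spread over the table and the attacker cannot precompute colliding SPIs without the key. The point generalises to any hash table indexed by peer-controlled values, which is why the key must be secret and drawn per boot rather than a compile-time constant.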

# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
interface in addition to enc0 is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use the correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits had been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

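The two HMAC-SHA2 defects described in revision 1.179, reproduced as an added example that is not OpenBSD code: a hand-rolled HMAC with a selectable block size shows that running SHA-512 with a 64-byte block yields a tag that the standard library's HMAC (128-byte block) does not match, and the ICV helpers put RFC 4868 half-length truncation next to the older 96-bit truncation. The key, message and bit lengths are constructed inputs; the IPsec packet layout (where the ICV sits in the ESP or AH trailer) is left out.

```python
import hashlib
import hmac

# Constructed inputs, not taken from the commit or from any real SA.
KEY = bytes(range(32))                                   # 256-bit HMAC key
MSG = b"ESP payload, SPI 0x00001000, seq 1"             # constructed data


def hmac_with_block(hash_name, key, msg, block_size):
    """HMAC (RFC 2104) with an explicit block size so the effect of using
    the wrong one can be observed. The correct value is the hash function's
    input block: 64 bytes for SHA-256, 128 bytes for SHA-384 and SHA-512."""
    if len(key) > block_size:                            # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")                 # zero-pad to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


# RFC 4868: the ICV is the leftmost half of the HMAC output.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
# draft-ietf-ipsec-ciph-sha-256-00: what OpenBSD used before revision 1.179.
LEGACY_ICV_BITS = 96


def icv(hash_name, key, msg, icv_bits):
    """Truncated HMAC tag as carried in the packet (leftmost icv_bits)."""
    return hmac.new(key, msg, hash_name).digest()[: icv_bits // 8]


def rfc4868_icv(hash_name, key, msg):
    return icv(hash_name, key, msg, RFC4868_ICV_BITS[hash_name])


def legacy_icv(hash_name, key, msg):
    return icv(hash_name, key, msg, LEGACY_ICV_BITS)


def verify_icv(hash_name, key, msg, received_icv, icv_bits):
    """Constant-time check; a length mismatch is a failure, not a prefix match."""
    return hmac.compare_digest(icv(hash_name, key, msg, icv_bits), received_icv)


if __name__ == "__main__":
    ref = hmac.new(KEY, MSG, "sha512").digest()
    print("sha512, 64-byte block matches: ", hmac_with_block("sha512", KEY, MSG, 64) == ref)
    print("sha512, 128-byte block matches:", hmac_with_block("sha512", KEY, MSG, 128) == ref)
    print("RFC 4868 ICV:", rfc4868_icv("sha256", KEY, MSG).hex())
    print("legacy ICV:  ", legacy_icv("sha256", KEY, MSG).hex())
```

The 96-bit ICV is a prefix of the 128-bit one, so a pre-1.179 sender and an RFC 4868 receiver disagree on the ICV length (and hence on where the ICV starts in the packet) rather than on the bits themselves; verification still fails. Two peers that share either bug keep interoperating with each other, which is why the commit warns that the fix breaks compatibility with older OpenBSD releases and with other implementations carrying the same defect.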

# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.244 27-Jul-2021 mvs

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix debug message
mistype pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
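The truncation rule this commit message describes, as an added Python example (not OpenBSD kernel code): RFC 4868 truncates the HMAC-SHA-{256,384,512} authenticator (ICV) to half the hash output, while the older draft used 96 bits, and the HMAC block size for SHA-384/512 is 128 bytes rather than 64. The verifier below accepts only the RFC 4868 length unless explicitly told to tolerate the legacy 96-bit ICV, which is exactly the interoperability break the message warns about. The key and packet bytes are constructed sample values; the function names are my own.

```python
"""ICV length handling for IPsec HMAC-SHA2 per RFC 4868.

Added illustration, not OpenBSD's implementation. RFC 4868: the HMAC
output is truncated to half the hash length (128/192/256 bits); the
earlier draft-ietf-ipsec-ciph-sha-256-00 used 96 bits for all of them.
"""
import hashlib
import hmac

# RFC 4868 ICV lengths in bytes (half of the hash output length).
RFC4868_ICV_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}

# 96-bit ICV from draft-ietf-ipsec-ciph-sha-256-00, the pre-fix behaviour.
LEGACY_ICV_LEN = 12


def hmac_block_size(hash_name):
    """HMAC (message) block size in bytes: 64 for SHA-256, 128 for SHA-384/512.
    The commit above fixed the kernel using 64 for the 512/384 variants."""
    return hashlib.new(hash_name).block_size


def compute_icv(hash_name, key, data, icv_len=None):
    """HMAC over data, truncated to icv_len bytes (RFC 4868 length by default)."""
    if icv_len is None:
        icv_len = RFC4868_ICV_LEN[hash_name]
    return hmac.new(key, data, hash_name).digest()[:icv_len]


def verify_icv(hash_name, key, data, icv, accept_legacy=False):
    """Return True if icv authenticates data.

    The ICV length must be exactly the RFC 4868 length; a 96-bit ICV is
    only accepted when accept_legacy is set, so peers that still truncate
    to 96 bits fail verification by default (the incompatibility the
    commit message warns about). Comparison is constant-time.
    """
    expected_len = RFC4868_ICV_LEN[hash_name]
    if len(icv) != expected_len:
        if not (accept_legacy and len(icv) == LEGACY_ICV_LEN):
            return False
    full = hmac.new(key, data, hash_name).digest()
    return hmac.compare_digest(full[:len(icv)], icv)


if __name__ == "__main__":
    # Constructed sample key and packet bytes, not real traffic.
    key = bytes(range(32))
    pkt = b"constructed ESP payload bytes"
    good = compute_icv("sha256", key, pkt)
    legacy = compute_icv("sha256", key, pkt, LEGACY_ICV_LEN)
    print("rfc4868 icv accepted:", verify_icv("sha256", key, pkt, good))
    print("96-bit icv accepted:", verify_icv("sha256", key, pkt, legacy))
```

The length check runs before the HMAC comparison on purpose: a truncated-prefix compare against an ICV of the wrong length would otherwise let a 96-bit tag pass silently, and a deployment would never notice it was still using the draft semantics.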


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.243 26-Jul-2021 mvs

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix debug message
typo pointed out by bluhm@ in error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout
handler is running because timeout_del(9) called by ipsp_ids_insert()
clears its triggered state. So ipsp_ids_timeout() could be scheduled to
run twice in this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
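Added example (Python, not OpenBSD code) illustrating the two RFC 4868 details this commit describes: HMAC over SHA-384/512 pads the key to a 128-byte block, not 64, and the ICV is truncated to half the digest length (128/192/256 bits) rather than 96 bits. The key, message and helper names below are constructed for the example; an implementation using the wrong block size produces a different ICV, which is the interoperability break the commit warns about.

```python
"""HMAC-SHA2 for IPsec per RFC 4868, with the block size made explicit.

Constructed example, not OpenBSD's implementation. The manual HMAC lets us
show what happens when the (message) block size is wrong, and the ICV
lengths show the 96-bit vs nnn/2-bit truncation difference.
"""
import hashlib
import hmac

# RFC 4868 parameters: (hash constructor, block size B in bytes, ICV bytes).
# SHA-384 and SHA-512 use a 128-byte block; the ICV is half the digest.
RFC4868_PARAMS = {
    "sha256": (hashlib.sha256, 64, 16),   # 128-bit ICV
    "sha384": (hashlib.sha384, 128, 24),  # 192-bit ICV
    "sha512": (hashlib.sha512, 128, 32),  # 256-bit ICV
}
OLD_ICV_LEN = 12  # the 96-bit truncation from draft-ietf-ipsec-ciph-sha-256-00


def hmac_manual(hash_ctor, block_size, key, msg):
    """RFC 2104 HMAC with an explicit block size B (so a wrong B is visible)."""
    if len(key) > block_size:
        key = hash_ctor(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_ctor(ipad + msg).digest()
    return hash_ctor(opad + inner).digest()


def ipsec_icv(name, key, msg, block_size=None, icv_len=None):
    """Compute the truncated ICV; defaults follow RFC 4868.

    block_size / icv_len may be overridden to reproduce the old behaviour
    (64-byte block for SHA-512, 96-bit ICV) for comparison.
    """
    hash_ctor, correct_block, correct_icv = RFC4868_PARAMS[name]
    block_size = correct_block if block_size is None else block_size
    icv_len = correct_icv if icv_len is None else icv_len
    return hmac_manual(hash_ctor, block_size, key, msg)[:icv_len]


def matches_stdlib(name, key, msg):
    """True iff the RFC 4868 defaults agree with Python's hmac module,
    which uses the hash's own block size (64 or 128 bytes)."""
    ref = hmac.new(key, msg, name).digest()
    _, _, icv_len = RFC4868_PARAMS[name]
    return hmac.compare_digest(ipsec_icv(name, key, msg), ref[:icv_len])


def wrong_block_size_differs(name, key, msg):
    """True iff using a 64-byte block for this hash changes the ICV
    (it does for SHA-384/512, which is the interop break described above)."""
    return ipsec_icv(name, key, msg, block_size=64) != ipsec_icv(name, key, msg)


if __name__ == "__main__":
    key = bytes(range(32))           # constructed 256-bit key
    msg = b"constructed ESP payload"  # constructed authenticated data
    for name in RFC4868_PARAMS:
        print(name, "stdlib match:", matches_stdlib(name, key, msg),
              "64-byte block differs:", wrong_block_size_differs(name, key, msg),
              "icv bytes:", len(ipsec_icv(name, key, msg)),
              "old icv bytes:", len(ipsec_icv(name, key, msg, icv_len=OLD_ICV_LEN)))
```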


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmared as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.242 19-Jul-2021 mvs

Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
mistype pointed out by bluhm@ in the error path.

ok millert@ bluhm@


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmared as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.241 18-Jul-2021 mvs

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant count of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
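
An added example (not OpenBSD code, and not part of this log) showing the two points in the commit above: the ICV for HMAC-SHA-256/384/512 is the HMAC truncated to half the digest length per RFC 4868 rather than to 96 bits, and HMAC over SHA-384/512 must use a 128-byte block. The function names, the ICV tables and the explicit block_size parameter of hmac_manual() are assumptions made for illustration; the key and data are the RFC 4231 test case 1 inputs, used here as constructed sample input.

```python
import hashlib
import hmac

# ICV (truncated HMAC) lengths in bits. RFC 4868 truncates HMAC-SHA-256/384/512
# to half the digest size; draft-ietf-ipsec-ciph-sha-256-00 used 96 bits.
ICV_BITS_RFC4868 = {"sha256": 128, "sha384": 192, "sha512": 256}
ICV_BITS_LEGACY = 96


def hmac_manual(key: bytes, msg: bytes, hashname: str, block_size: int) -> bytes:
    """RFC 2104 HMAC with an explicit block size (illustration only).

    block_size is a parameter only so that the SHA-384/512 bug (64 bytes
    instead of the correct 128) can be reproduced; hmac.new() gets it right.
    """
    h = getattr(hashlib, hashname)
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).digest()


def ipsec_icv(key: bytes, msg: bytes, hashname: str, rfc4868: bool = True) -> bytes:
    """ICV an AH/ESP peer appends: full HMAC, truncated to the agreed length."""
    bits = ICV_BITS_RFC4868[hashname] if rfc4868 else ICV_BITS_LEGACY
    return hmac.new(key, msg, hashname).digest()[: bits // 8]


def icv_ok(key: bytes, msg: bytes, received: bytes, hashname: str,
           rfc4868: bool = True) -> bool:
    """Verify a received ICV in constant time; a length mismatch is a failure."""
    expected = ipsec_icv(key, msg, hashname, rfc4868)
    return len(received) == len(expected) and hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample input: RFC 4231 test case 1 key and data.
    key, data = b"\x0b" * 20, b"Hi There"
    print(ipsec_icv(key, data, "sha256").hex())           # 128-bit ICV (RFC 4868)
    print(ipsec_icv(key, data, "sha256", False).hex())    # old 96-bit ICV
    # A peer still truncating to 96 bits does not interoperate with RFC 4868:
    print(icv_ok(key, data, ipsec_icv(key, data, "sha256", False), "sha256"))
    # The wrong block size for SHA-512 silently yields a different MAC:
    print(hmac_manual(key, data, "sha512", 64) == hmac.new(key, data, "sha512").digest())
```

The last two prints are the interoperability warning in the commit in code form: a 96-bit ICV fails verification against a 128-bit one, and an HMAC-SHA-512 computed with a 64-byte block verifies only against a peer that shares the same bug.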


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.240 08-Jul-2021 bluhm

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@


# 1.239 08-Jul-2021 bluhm

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@


Revision tags: OPENBSD_6_9_BASE
# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
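
The point of keying the TDB hash with SipHash rather than a fixed function is that an attacker who can choose SPIs (or destination addresses) must not be able to predict which bucket they land in; with a public hash they can push every SA into one chain and turn lookups into a list walk. The following is an added example, not OpenBSD's tdb_hash or its SipHash implementation: a from-scratch SipHash-2-4 checked against the published test vectors, a bucket function over an assumed (SPI, destination, protocol) byte layout, and a collision search that shows the attack succeeding only when the key is known. The fixed DEMO_KEY stands in for the per-boot secret a kernel would draw from its CSPRNG.

```python
"""SipHash-2-4 keyed hashing for SA lookup tables (added example, not OpenBSD code)."""
import struct

MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, data):
    """SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit output."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = 0x736f6d6570736575 ^ k0
    v1 = 0x646f72616e646f6d ^ k1
    v2 = 0x6c7967656e657261 ^ k0
    v3 = 0x7465646279746573 ^ k1
    n = len(data)
    full = n - n % 8
    for i in range(0, full, 8):              # little-endian 8-byte words
        m = struct.unpack_from("<Q", data, i)[0]
        v3 ^= m
        v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))   # c = 2
        v0 ^= m
    b = (n & 0xff) << 56                     # final word: length byte + tail
    for i, byte in enumerate(data[full:]):
        b |= byte << (8 * i)
    v3 ^= b
    v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
    v0 ^= b
    v2 ^= 0xff                               # finalization, d = 4 rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def sa_bucket(key, spi, dst, proto, nbuckets):
    """Bucket for an SA lookup tuple (SPI, destination, protocol).
    The packed byte layout here is an assumption for the example."""
    return siphash24(key, struct.pack(">IB", spi, proto) + dst) % nbuckets


def colliding_spis(key, dst, proto, nbuckets, want, start=256):
    """Attacker's view: knowing the key (or facing an unkeyed hash), choose
    SPIs that all land in one bucket and degrade lookups to a list walk."""
    target = sa_bucket(key, start, dst, proto, nbuckets)
    found, spi = [], start
    while len(found) < want:
        if sa_bucket(key, spi, dst, proto, nbuckets) == target:
            found.append(spi)
        spi += 1
    return target, found


# Constructed inputs. A constant key is used only so the run is reproducible;
# a real table draws its key once at boot from the kernel CSPRNG.
DEMO_KEY = bytes(range(16))
OTHER_KEY = bytes(range(16, 32))
DST = bytes([192, 0, 2, 1])        # RFC 5737 documentation address
ESP_PROTO = 50

if __name__ == "__main__":
    target, spis = colliding_spis(DEMO_KEY, DST, ESP_PROTO, 64, 8)
    print("all in bucket", target, "under DEMO_KEY:", spis)
    print("spread under OTHER_KEY:",
          sorted({sa_bucket(OTHER_KEY, s, DST, ESP_PROTO, 64) for s in spis}))
```

The search succeeds quickly against a known key; re-hashing the same SPIs under a key the attacker did not know scatters them across buckets again, which is the property the kernel gets from keying the table at boot.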


# 1.204 14-Mar-2015 jsg

Remove some includes that include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
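
Both bugs above are easy to reproduce outside the kernel. The example below is added here and is not OpenBSD's HMAC code: it builds HMAC by hand with the block size passed in explicitly, so that running SHA-512 with a 64-byte block (bug 1) visibly produces a MAC that no conforming peer would accept, and it truncates the result to the RFC 4868 length or to the older 96 bits (bug 2) to show that the two ICVs cannot verify against each other. The key and data are the first RFC 4231 test vector; the ICV lengths in HMAC_SHA2 are from RFC 4868, and the stdlib hmac module serves as the reference implementation.

```python
"""HMAC-SHA2 block sizes and ICV truncation for IPsec (added example, not OpenBSD code)."""
import hashlib
import hmac

# Message block size in bytes (64 for SHA-256, 128 for SHA-384/512, per the
# SHA-2 spec) and the ICV length RFC 4868 mandates: half the digest.
HMAC_SHA2 = {
    "sha256": {"block": 64,  "icv": 16},
    "sha384": {"block": 128, "icv": 24},
    "sha512": {"block": 128, "icv": 32},
}
LEGACY_ICV_LEN = 12   # 96-bit truncation from draft-ietf-ipsec-ciph-sha-256-00


def hmac_digest(alg, key, msg, block):
    """RFC 2104 HMAC with the block size supplied by the caller, so the effect
    of getting it wrong can be observed directly."""
    h = getattr(hashlib, alg)
    if len(key) > block:
        key = h(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5c for k in key)
    return h(opad + h(ipad + msg).digest()).digest()


def ipsec_icv(alg, key, msg, legacy=False):
    """ICV as it would be appended to an AH or ESP packet."""
    p = HMAC_SHA2[alg]
    mac = hmac_digest(alg, key, msg, p["block"])
    return mac[:LEGACY_ICV_LEN if legacy else p["icv"]]


def icv_ok(alg, key, msg, received, legacy=False):
    """Constant-time comparison. A peer that truncates to the other length
    fails here even though it holds the same key."""
    return hmac.compare_digest(ipsec_icv(alg, key, msg, legacy), received)


# Constructed inputs: RFC 4231 test case 1.
KEY = b"\x0b" * 20
MSG = b"Hi There"

if __name__ == "__main__":
    good = hmac_digest("sha512", KEY, MSG, 128)
    bad = hmac_digest("sha512", KEY, MSG, 64)     # bug (1): wrong block size
    print("sha512 block mismatch:", good != bad)
    new_icv = ipsec_icv("sha256", KEY, MSG)       # 128 bits, RFC 4868
    old_icv = ipsec_icv("sha256", KEY, MSG, legacy=True)   # 96 bits
    print("old peer accepted by new code:", icv_ok("sha256", KEY, MSG, old_icv))
```

The manual HMAC agrees with hmac.new() only when the block size matches the hash, which is why the 128-byte fix was not optional; and because the RFC 4868 ICV is longer than the 96-bit one, the packet layout itself changes, so a peer still using 96 bits fails verification rather than merely computing a different tag. That is the incompatibility the WARNING above describes.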


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@
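
Why the non-power-of-two case needs arc4random_uniform(): reducing a 32-bit random word modulo an upper bound that does not divide 2^32 favours the low residues, and in this file the bound is typically the size of an SPI range handed to the kernel by key management. The example below is added here and is not OpenBSD's arc4random_uniform() implementation; it reimplements the same rejection rule (discard raw values below 2^width mod upper) next to the naive modulo, drives both with an exhaustively enumerated toy generator so the bias is exact rather than statistical, and wraps the unbiased draw in a random_spi() helper that is assumed for the example. os.urandom stands in for the kernel CSPRNG.

```python
"""Unbiased bounded random draws, after arc4random_uniform(3) (added example, not OpenBSD code)."""
import os


def rand32():
    """Stand-in for arc4random(): 32 random bits from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "little")


def uniform_modulo(upper, rand=rand32, width=32):
    """The naive draw. Unbiased only when upper divides 2**width."""
    return rand() % upper


def uniform_rejection(upper, rand=rand32, width=32):
    """arc4random_uniform() style: reject raw values below 2**width % upper,
    leaving a range that is an exact multiple of upper."""
    if upper < 2:
        return 0
    min_ok = (1 << width) % upper      # what C's (-upper) % upper computes in uint32_t
    while True:
        r = rand()
        if r >= min_ok:
            return r % upper


def random_spi(lo, hi, rand=rand32):
    """Pick an SPI uniformly from an inclusive range, as a key manager
    reserving one would want. Range sizes are rarely powers of two."""
    if not 0 < lo <= hi < (1 << 32):
        raise ValueError("bad SPI range")
    return lo + uniform_rejection(hi - lo + 1, rand)


def exhaustive_histogram(method, upper, width):
    """Run `method` over every possible generator output exactly once (a toy
    width keeps this enumerable) and count the results. Unequal counts are
    the bias; with rejection the rejected values simply consume a retry."""
    stream = iter(range(1 << width))
    counts = [0] * upper
    try:
        while True:
            counts[method(upper, lambda: next(stream), width)] += 1
    except StopIteration:
        pass
    return counts


if __name__ == "__main__":
    print("modulo, 8-bit source, upper=6:   ", exhaustive_histogram(uniform_modulo, 6, 8))
    print("rejection, 8-bit source, upper=6:", exhaustive_histogram(uniform_rejection, 6, 8))
    print("one SPI from 0x100..0x12b:", hex(random_spi(0x100, 0x12b)))
```

With an 8-bit source and upper=6, 256 = 42*6 + 4, so the modulo draw hands residues 0..3 one extra hit each while rejection yields exactly 42 per value. At 32 bits the relative bias is tiny for small bounds but grows with the bound, and it is zero only for the power-of-two case the commit message carves out.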


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.238 10-Mar-2021 jsg

spelling

ok gnezdo@ semarie@ mpi@


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times.
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.237 23-Feb-2021 tobhe

Use pool to allocate tdbs.

ok patrick@ bluhm@


Revision tags: OPENBSD_6_8_BASE
# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, dont unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.236 24-Jun-2020 cheloha

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@
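The split-read problem described above, and the generation-checked read loop that replaces it, as an added example in Python (this is a constructed model for illustration, not OpenBSD's timecounter code): a 64-bit time_t is held as two 32-bit words, a writer modelled on tc_windup() zeroes a generation counter while it stores both halves, and two readers are compared, a time_second()-style pair of plain loads that can be torn by a writer running between them, and a gettime()-style loop that retries until it has seen a stable non-zero generation. The class and function names are hypothetical; memory barriers, which the real kernel needs around these loads and stores, cannot be modelled in Python.

```python
MASK32 = 0xFFFFFFFF


class Timehands:
    """Toy model of a kernel 'timehands' record on a 32-bit machine: a 64-bit
    time_t stored as two 32-bit words plus a generation counter (constructed
    model for this example, not OpenBSD's struct)."""

    def __init__(self, value: int):
        self.generation = 1
        self.lo = value & MASK32
        self.hi = value >> 32

    def windup(self, value: int) -> None:
        """Writer side, modelled on tc_windup(): mark the record in flux
        (generation 0), store both halves, then publish a new non-zero
        generation. Real code needs memory barriers around these stores."""
        old = self.generation
        self.generation = 0
        self.lo = value & MASK32
        self.hi = value >> 32
        self.generation = old + 1 if old + 1 != 0 else 1


def split_read(th: Timehands, interleave=None) -> int:
    """time_second()-style read: two plain 32-bit loads with nothing tying
    them together. If the writer runs between them (`interleave` simulates
    that preemption or interrupt) the caller gets a value that never existed."""
    lo = th.lo
    if interleave is not None:
        interleave()
    hi = th.hi
    return (hi << 32) | lo


def gettime_read(th: Timehands, interleave=None) -> int:
    """gettime()-style lockless read loop: snapshot the generation, read both
    halves, and retry if the generation was 0 (writer in progress) or changed
    underneath us. Costs a loop instead of two register reads."""
    while True:
        gen = th.generation
        lo = th.lo
        if interleave is not None:
            interleave()
            interleave = None      # the simulated writer fires only once
        hi = th.hi
        if gen != 0 and gen == th.generation:
            return (hi << 32) | lo


if __name__ == "__main__":
    OLD, NEW = (1 << 32) - 1, 1 << 32   # a carry into the high word
    th = Timehands(OLD)
    print(hex(split_read(th, lambda: th.windup(NEW))))   # torn: neither OLD nor NEW
    th = Timehands(OLD)
    print(hex(gettime_read(th, lambda: th.windup(NEW))))  # consistent: NEW
```

The chosen values sit on a carry boundary (0x00000000ffffffff to 0x0000000100000000), which is exactly the case where a torn read is most visibly wrong: the low word from before the update and the high word from after combine to a time roughly 136 years ahead of either.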


Revision tags: OPENBSD_6_7_BASE
# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
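A keyed hash for an SA table, as an added example in Python (not OpenBSD's tdb_hash(); the hashed tuple layout and the function names are assumptions made for this example): SipHash-2-4 is implemented from the specification and checked against its published test vectors, then used to pick a bucket for an (SPI, destination, protocol) tuple. The point of the change above is that with a secret per-boot key an attacker who controls SPIs cannot predict which bucket they land in and so cannot build a long chain on purpose, while honest lookups stay O(1); the chain-length helper makes that measurable on constructed input.

```python
MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    """One SipRound (ARX), exactly as in the SipHash specification."""
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 with a 128-bit key; returns the 64-bit tag as an int."""
    assert len(key) == 16
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575       # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D       # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261       # "lygenera"
    v3 = k1 ^ 0x7465646279746573       # "tedbytes"
    n = len(msg)
    tail = n & 7
    for i in range(0, n - tail, 8):     # c = 2 compression rounds per block
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Last block: remaining bytes, with the message length in the top byte.
    b = (n & 0xFF) << 56 | int.from_bytes(msg[n - tail:], "little")
    v3 ^= b
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= b
    v2 ^= 0xFF                          # d = 4 finalization rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def tdb_bucket(key: bytes, spi: int, dst: bytes, proto: int, nbuckets: int) -> int:
    """Bucket index for an SA. The tuple layout here is an assumption for the
    example; nbuckets must be a power of two for the mask to be a reduction."""
    assert nbuckets & (nbuckets - 1) == 0
    data = spi.to_bytes(4, "big") + bytes([proto]) + dst
    return siphash24(key, data) & (nbuckets - 1)


def chain_lengths(key: bytes, sas, nbuckets: int) -> list:
    """Occupancy per bucket for an iterable of (spi, dst, proto) tuples."""
    lengths = [0] * nbuckets
    for spi, dst, proto in sas:
        lengths[tdb_bucket(key, spi, dst, proto, nbuckets)] += 1
    return lengths


if __name__ == "__main__":
    import os
    key = os.urandom(16)                # per-boot secret in the kernel
    sas = [(spi, bytes([10, 0, 0, 1]), 50) for spi in range(0x1000, 0x1100)]
    print(chain_lengths(key, sas, 32))  # roughly 8 per bucket, layout unpredictable
```

With an unkeyed hash an attacker who can choose SPIs (as an IKE peer can, within the negotiated range) could put every SA in one bucket and turn each lookup into a linear scan; here the bucket depends on a key the attacker never sees, so the constructed run of 256 consecutive SPIs spreads over the table.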


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
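Both bugs named above, as an added example in Python (not OpenBSD's crypto code; the key, payload and function names are constructed for this example): a textbook RFC 2104 HMAC with an explicit block-size parameter reproduces bug (1), since padding the key to 64 bytes instead of 128 for SHA-384/512 yields a MAC that no correct peer will verify, and an ICV helper applies the RFC 4868 truncation to nnn/2 bits beside the old 96-bit truncation, so the interoperability break in the WARNING is visible as a length mismatch rather than a silent wrong answer.

```python
import hashlib
import hmac

# RFC 4868: HMAC-SHA-nnn for IPsec is truncated to nnn/2 bits (given in bytes).
RFC4868_ICV_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}
LEGACY_ICV_BYTES = 12   # the 96-bit truncation of draft-ietf-ipsec-ciph-sha-256-00


def correct_block_size(algo: str) -> int:
    """Block size HMAC must pad the key to: 64 for SHA-256, 128 for SHA-384/512."""
    return hashlib.new(algo).block_size


def hmac_with_block_size(key: bytes, msg: bytes, algo: str, block_size: int) -> bytes:
    """Textbook HMAC (RFC 2104) with the block size as a parameter, so that the
    wrong-block-size bug can be reproduced on purpose."""
    if len(key) > block_size:
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(algo, ipad + msg).digest()
    return hashlib.new(algo, opad + inner).digest()


def esp_icv(key: bytes, payload: bytes, algo: str, icv_len=None) -> bytes:
    """Integrity check value as carried in the ESP/AH trailer: the full HMAC
    (the standard library uses the correct block size) truncated to icv_len
    bytes, RFC 4868 length by default."""
    if icv_len is None:
        icv_len = RFC4868_ICV_BYTES[algo]
    return hmac.new(key, payload, algo).digest()[:icv_len]


def icv_matches(key: bytes, payload: bytes, algo: str, received: bytes,
                accept_legacy_96: bool = False) -> bool:
    """Verify a received ICV. Only the RFC 4868 length is accepted unless the
    caller opts into the old 96-bit form; compare_digest is constant-time."""
    allowed = {RFC4868_ICV_BYTES[algo]}
    if accept_legacy_96:
        allowed.add(LEGACY_ICV_BYTES)
    if len(received) not in allowed:
        return False
    return hmac.compare_digest(esp_icv(key, payload, algo, len(received)), received)


if __name__ == "__main__":
    key = b"\x0b" * 20                        # constructed SA key
    payload = b"constructed ESP payload"
    good = hmac_with_block_size(key, payload, "sha512", 128)
    bad = hmac_with_block_size(key, payload, "sha512", 64)   # bug (1)
    print(good == esp_icv(key, payload, "sha512", 64), bad == good)   # True False
    print(len(esp_icv(key, payload, "sha256")), len(esp_icv(key, payload, "sha256", 12)))  # 16 12
```

Because truncation keeps a prefix of the full MAC, a peer still sending 96-bit ICVs produces the first 12 bytes of the 16-byte value a fixed peer expects; the SA fails on length, not on key material, which is the symptom to look for when debugging the incompatibility described in the WARNING.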


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@
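Why arc4random_uniform() matters for a non-power-of-two range, as an added example in Python (not OpenBSD's libkern code; it uses an 8-bit toy word so that every possible generator output can be enumerated, and the function names are this example's own): reducing a raw word with `%` over-represents the low residues whenever 2**bits is not a multiple of the bound, and the rejection loop arc4random_uniform() uses, discard words below `2**bits % bound` and draw again, removes the bias exactly. The threshold is written the way the C code computes it, `-upper_bound % upper_bound` in uint32_t arithmetic, which for 32-bit words is the same number.

```python
WORD_BITS = 8   # toy generator width; arc4random() returns 32-bit words


def rejection_threshold(upper_bound: int, word_bits: int = WORD_BITS) -> int:
    """Smallest raw word that may be used: 2**word_bits % upper_bound.
    arc4random_uniform() computes this as `-upper_bound % upper_bound` in
    uint32_t arithmetic; for word_bits == 32 the two agree."""
    return (1 << word_bits) % upper_bound


def naive_modulo(r: int, upper_bound: int, word_bits: int = WORD_BITS):
    """The biased reduction: every raw word is kept, so the residues below
    2**word_bits % upper_bound are produced one extra time each."""
    return r % upper_bound


def rejection(r: int, upper_bound: int, word_bits: int = WORD_BITS):
    """One iteration of the arc4random_uniform() loop: words below the
    threshold are rejected (None, draw again); the rest reduce without bias."""
    if r < rejection_threshold(upper_bound, word_bits):
        return None
    return r % upper_bound


def uniform_from_words(words, upper_bound: int, word_bits: int = WORD_BITS) -> int:
    """arc4random_uniform() driven by an iterator of raw words (constructed
    input standing in for the CSPRNG)."""
    if upper_bound < 2:
        return 0
    for r in words:
        v = rejection(r, upper_bound, word_bits)
        if v is not None:
            return v
    raise ValueError("word source exhausted")


def distribution(method, upper_bound: int, word_bits: int = WORD_BITS) -> list:
    """Feed every possible raw word to `method` once and count each output in
    [0, upper_bound); a fair reduction gives identical counts."""
    counts = [0] * upper_bound
    for r in range(1 << word_bits):
        v = method(r, upper_bound, word_bits)
        if v is not None:
            counts[v] += 1
    return counts


if __name__ == "__main__":
    print(distribution(naive_modulo, 6))   # [43, 43, 43, 43, 42, 42]: biased
    print(distribution(rejection, 6))      # [42, 42, 42, 42, 42, 42]: uniform
    print(rejection_threshold(6, 32))      # 4, the value the real loop compares against
```

With 32-bit words the bias is tiny per draw, but for an SPI or a random pad length it is still a statistical fingerprint of the generator, and the rejection loop costs on average well under one extra word since the threshold is always smaller than the bound.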


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.235 23-Apr-2020 tobhe

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@
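
What a keyed hash buys the SA table, as an added example that is not the kernel's tdb_hash(): a pure-Python SipHash-2-4 written from the specification (the test vectors it is checked against are the published ones for key 00..0f), a bucket function keyed with a secret generated at boot, and an unkeyed strawman hash that an attacker who can choose SPIs drives into a single chain. The hashed tuple (SPI, destination address, protocol), the table size and the strawman are illustrative assumptions, not the code this commit replaced.

```python
"""Keyed SA-table bucketing with SipHash-2-4 versus an unkeyed hash.

Added example, not OpenBSD's tdb_hash().  SipHash-2-4 implemented from the
specification; the hashed tuple (spi, dst, proto), the table size and the
unkeyed strawman are illustrative assumptions.
"""
import os

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: 128-bit key, 64-bit output."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):                  # compression: 2 rounds per word
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final word: remaining bytes plus the message length in the top byte.
    last = ((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF                                    # finalization: 4 rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return (v0 ^ v1 ^ v2 ^ v3) & MASK64


def tdb_bucket_keyed(key: bytes, spi: int, dst: bytes, proto: int, nbuckets: int) -> int:
    """Bucket index under a secret key: an attacker who sees only SPIs and
    addresses cannot predict which SAs share a chain."""
    assert nbuckets & (nbuckets - 1) == 0, "power-of-two table, masked like tdb_hashmask"
    data = spi.to_bytes(4, "big") + dst + bytes([proto])   # SPI in network order
    return siphash24(key, data) & (nbuckets - 1)


def tdb_bucket_unkeyed(spi: int, dst: bytes, proto: int, nbuckets: int) -> int:
    """Strawman unkeyed hash: trivially floodable by choosing SPIs."""
    return (spi ^ int.from_bytes(dst, "big") ^ proto) & (nbuckets - 1)


def chains_used(bucket_fn, spis, dst, proto, nbuckets) -> int:
    """Number of distinct chains a set of SAs lands in."""
    return len({bucket_fn(spi, dst, proto, nbuckets) for spi in spis})


# Attacker-chosen SPIs sharing their low bits: one chain under the unkeyed
# hash, spread across the table under SipHash with a boot-time key.
NBUCKETS = 1024
FLOOD_SPIS = [0x1000 + i * NBUCKETS for i in range(64)]
DST = bytes([192, 0, 2, 1])        # constructed example destination (TEST-NET-1)
ESP_PROTO = 50
BOOT_KEY = os.urandom(16)


def flood_demo(key: bytes = BOOT_KEY):
    """(chains under the unkeyed hash, chains under the keyed hash)."""
    unkeyed = chains_used(tdb_bucket_unkeyed, FLOOD_SPIS, DST, ESP_PROTO, NBUCKETS)
    keyed = chains_used(lambda s, d, p, n: tdb_bucket_keyed(key, s, d, p, n),
                        FLOOD_SPIS, DST, ESP_PROTO, NBUCKETS)
    return unkeyed, keyed
```

The key must be secret and per boot; a fixed key would put an attacker back in the position of being able to precompute collisions offline.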


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
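
Both bugs in one place, as an added example that is not OpenBSD's HMAC code: a textbook HMAC with the block size as an explicit parameter, so that the 64-versus-128-byte mistake for SHA-384/512 is visible, plus the ICV truncation to n/2 bits from RFC 4868 beside the 96-bit truncation the old code used. Only hashlib and hmac from the Python standard library are used; the keys and messages in the checks are constructed.

```python
"""HMAC-SHA2 for IPsec integrity: block size and RFC 4868 truncation.

Added example, not OpenBSD code.  Uses only hashlib/hmac from the Python
standard library; keys and messages are constructed inline.
"""
import hashlib
import hmac

# Internal (message) block size in bytes: 64 for SHA-256, 128 for SHA-384/512.
# Using 64 for the SHA-512 family is bug (1) from the commit above.
BLOCK_SIZE = {"sha256": 64, "sha384": 128, "sha512": 128}

# RFC 4868: the ICV carried in AH/ESP is the leftmost n/2 bits of the HMAC.
RFC4868_ICV_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}

# Truncation from the -00 draft that the old code still applied: 96 bits.
LEGACY_ICV_BYTES = 12


def hmac_manual(key: bytes, msg: bytes, algo: str, block_size: int) -> bytes:
    """Textbook HMAC (RFC 2104) with the block size as an explicit parameter,
    so the consequence of picking the wrong one is observable."""
    if len(key) > block_size:
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(algo, ipad + msg).digest()
    return hashlib.new(algo, opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, algo: str) -> bool:
    """With the correct block size the manual HMAC equals the library one."""
    ours = hmac_manual(key, msg, algo, BLOCK_SIZE[algo])
    return hmac.compare_digest(ours, hmac.new(key, msg, algo).digest())


def wrong_block_size_differs(key: bytes, msg: bytes, algo: str = "sha512") -> bool:
    """Bug (1): a 64-byte block size yields a MAC no correct peer accepts."""
    good = hmac_manual(key, msg, algo, BLOCK_SIZE[algo])
    bad = hmac_manual(key, msg, algo, 64)
    return good != bad


def ipsec_icv(key: bytes, msg: bytes, algo: str, rfc4868: bool = True) -> bytes:
    """ICV as placed in the AH/ESP trailer: full HMAC truncated to n/2 bits
    (RFC 4868) or, for the pre-fix behaviour, to 96 bits."""
    mac = hmac_manual(key, msg, algo, BLOCK_SIZE[algo])
    n = RFC4868_ICV_BYTES[algo] if rfc4868 else LEGACY_ICV_BYTES
    return mac[:n]


def icv_verify(key: bytes, msg: bytes, algo: str, received_icv: bytes) -> bool:
    """Receiver side: constant-time compare against an ICV of the length the
    peer is expected to send.  A 96-bit ICV from an unfixed peer fails here
    on length alone, which is the interoperability break the commit warns of."""
    expected = ipsec_icv(key, msg, algo)
    return len(received_icv) == len(expected) and hmac.compare_digest(expected, received_icv)
```

Note that for SHA-256 the old and new ICVs are prefixes of the same full MAC (the block size was already right there), so the only incompatibility is the ICV length; for SHA-384/512 the full MAC itself changes as well.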


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@
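
Why a range that is not a power of two needs arc4random_uniform() rather than arc4random() % n, as an added example (not OpenBSD code): the rejection threshold below is the same -upper % upper computation that arc4random_uniform(3) performs in unsigned arithmetic, modelled with the word size as a parameter so that an 8-bit toy version can be enumerated exhaustively and the bias of plain modulo reduction counted exactly.

```python
"""Unbiased range reduction of a random word (the arc4random_uniform idea).

Added example, not OpenBSD code.  The word size is a parameter so an 8-bit
toy version can be enumerated exhaustively.
"""
from collections import Counter
from typing import Callable


def rejection_threshold(upper: int, word_bits: int) -> int:
    """Raw words below this value are discarded.  Equals (2**bits - upper)
    % upper, which C code writes as -upper % upper with unsigned arithmetic."""
    return (2 ** word_bits - upper) % upper


def uniform_from_word(upper: int, draw: Callable[[], int], word_bits: int = 32) -> int:
    """arc4random_uniform-style reduction with an injectable word source."""
    if upper < 2:
        return 0
    min_ok = rejection_threshold(upper, word_bits)
    while True:                      # expected iterations < 2
        r = draw()
        if r >= min_ok:
            return r % upper


def naive_histogram(upper: int, word_bits: int) -> Counter:
    """Residue frequencies when every raw word r is mapped to r % upper."""
    return Counter(r % upper for r in range(2 ** word_bits))


def rejection_histogram(upper: int, word_bits: int) -> Counter:
    """Residue frequencies after discarding words below the threshold."""
    lo = rejection_threshold(upper, word_bits)
    return Counter(r % upper for r in range(lo, 2 ** word_bits))


def is_uniform(hist: Counter) -> bool:
    """True when every residue occurs equally often."""
    return len(set(hist.values())) == 1


def max_bias(hist: Counter) -> int:
    """Difference between the most and least frequent residue."""
    return max(hist.values()) - min(hist.values())
```

With an 8-bit word and upper = 10, plain modulo makes residues 0..5 occur 26 times and 6..9 only 25 times; discarding the six raw words below the threshold leaves 250 words and exactly 25 per residue. At 32 bits the bias is proportionally tiny but still nonzero, which is why the rejection loop is used for anything that an attacker might be able to profile.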


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.234 11-May-2019 benno

unbreak the build without IPSEC.
ok claudio@ deraadt@


Revision tags: OPENBSD_6_5_BASE
# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.233 22-Oct-2018 cheloha

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@


Revision tags: OPENBSD_6_4_BASE
# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove uneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove uneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.232 28-Aug-2018 mpi

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

branches: 1.229.2;
Use %s and __func__ in DPRINTF() to reduce false positives with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in host order


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.231 19-May-2018 mpi

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@


# 1.230 16-May-2018 reyk

Fix kernel builds without IPSEC.

OK mikeb@


Revision tags: OPENBSD_6_3_BASE
# 1.229 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK(), a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove unneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove unneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for SAs that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz


# 1.229 06-Nov-2017 mpi

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@


# 1.228 16-Oct-2017 mpi

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@


# 1.227 11-Oct-2017 mpi

Remove lie talking about splsoftclock().


Revision tags: OPENBSD_6_2_BASE
# 1.226 11-Aug-2017 mpi

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@


# 1.225 26-Jun-2017 patrick

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@


# 1.224 18-May-2017 bluhm

The function name ip4_input() is confusing as it also handles IPv6
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@


# 1.223 16-May-2017 mpi

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@


# 1.222 06-May-2017 bluhm

Convert the xformsw definition to C99 style initializer. Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@


# 1.221 05-May-2017 bluhm

Expand SA_LEN(), there is no benefit for using the macro in the
kernel. It was only used in IPsec sources. No binary change
OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.220 14-Feb-2017 mpi

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@


# 1.219 19-Dec-2016 mpi

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@


# 1.218 15-Nov-2016 mpi

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff


# 1.217 20-Sep-2016 mikeb

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm


# 1.216 19-Sep-2016 tedu

convert bcopy to memcpy. from david hill.


# 1.215 15-Sep-2016 dlg

move from RB macros to RBT functions

shaves a bunch of bytes off kernels


Revision tags: OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.214 23-May-2015 markus

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@


# 1.213 17-Apr-2015 mikeb

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer


# 1.212 17-Apr-2015 mikeb

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer


# 1.211 16-Apr-2015 markus

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb


# 1.210 14-Apr-2015 mikeb

make ipsp_address thread safe; ok mpi


# 1.209 14-Apr-2015 mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.


# 1.208 13-Apr-2015 mikeb

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer


# 1.207 13-Apr-2015 mikeb

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi


# 1.206 13-Apr-2015 mikeb

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi


# 1.205 10-Apr-2015 dlg

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@


# 1.204 14-Mar-2015 jsg

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.203 24-Jan-2015 deraadt

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy


# 1.202 19-Dec-2014 tedu

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb


# 1.201 09-Dec-2014 doug

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@


# 1.200 18-Nov-2014 tedu

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg


# 1.199 14-Sep-2014 jsg

remove uneeded proc.h includes
ok mpi@ kspillner@


# 1.198 08-Sep-2014 jsg

remove uneeded route.h includes
ok miod@ mpi@


Revision tags: OPENBSD_5_6_BASE
# 1.197 22-Jul-2014 mpi

Fewer <netinet/in_systm.h> !


# 1.196 12-Jul-2014 tedu

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.


# 1.195 08-Jul-2014 deraadt

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis


# 1.194 14-Apr-2014 mpi

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@


Revision tags: OPENBSD_5_5_BASE
# 1.193 09-Jan-2014 tedu

bzero/bcmp -> memset/memcmp. ok matthew


# 1.192 11-Nov-2013 mpi

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@


# 1.191 24-Oct-2013 mpi

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@


Revision tags: OPENBSD_5_4_BASE
# 1.190 04-Jul-2013 mpi

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.


# 1.189 11-Apr-2013 mpi

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@


# 1.188 10-Apr-2013 mpi

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@


# 1.187 09-Apr-2013 mpi

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@


# 1.186 28-Mar-2013 tedu

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick


Revision tags: OPENBSD_5_3_BASE
# 1.185 20-Sep-2012 blambert

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@


# 1.184 18-Sep-2012 markus

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.183 11-May-2011 blambert

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@


# 1.182 31-Mar-2011 jasper

- use nitems(); no binary change

ok claudio@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.181 09-Jul-2010 reyk

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@


# 1.180 20-Apr-2010 tedu

remove proc.h include from uvm_map.h. This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt


Revision tags: OPENBSD_4_7_BASE
# 1.179 10-Jan-2010 markus

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt
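
The 1.179 entry above describes two bugs that show up as integrity-check (ICV) mismatches between peers: a 64-byte HMAC block used for SHA-384/512 (whose real block size is 128 bytes), and a 96-bit ICV where RFC 4868 specifies n/2 bits (128/192/256). The following Python is an added example, not code from OpenBSD or from this log; it uses only the standard library's hmac/hashlib, and the key and payload are constructed values. It reproduces textbook HMAC with an explicit block size so the effect of the wrong block size is visible, and shows that a receiver expecting an RFC 4868-length ICV rejects a 96-bit one.

```python
"""Added example (not OpenBSD code): why the two HMAC-SHA2 bugs fixed in
ip_ipsp.c 1.179 break interoperability. Key and payload are constructed."""
import hashlib
import hmac

# RFC 4868 ICV lengths in bits: the HMAC output truncated to n/2 bits.
RFC4868_ICV_BITS = {"sha256": 128, "sha384": 192, "sha512": 256}
# Truncation used by draft-ietf-ipsec-ciph-sha-256-00 (pre-fix behaviour).
LEGACY_ICV_BITS = 96


def hmac_manual(key: bytes, msg: bytes, hash_name: str, block_size: int) -> bytes:
    """Textbook HMAC (RFC 2104) with the block size as a parameter, so that
    bug (1) from the commit (64-byte block for SHA-384/512) can be shown."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def icv(key: bytes, msg: bytes, hash_name: str, bits: int) -> bytes:
    """AH/ESP integrity check value: HMAC output truncated to `bits` bits."""
    return hmac.new(key, msg, hash_name).digest()[: bits // 8]


def icv_matches(key: bytes, msg: bytes, hash_name: str, bits: int,
                received: bytes) -> bool:
    """Receiver-side check: constant-time compare of the expected ICV with
    the one carried in the packet; a length mismatch is simply a failure."""
    return hmac.compare_digest(icv(key, msg, hash_name, bits), received)


def demo() -> dict:
    """Per algorithm: the correct block size, whether the manual HMAC agrees
    with the stdlib, whether a 64-byte block still yields the right MAC, and
    the ICV lengths under RFC 4868 versus the legacy 96-bit truncation."""
    key = bytes(range(32))                 # constructed 256-bit key
    msg = b"constructed ESP payload"       # constructed data
    results = {}
    for name in ("sha256", "sha384", "sha512"):
        correct_block = hashlib.new(name).block_size   # 64 / 128 / 128
        ref = hmac.new(key, msg, name).digest()
        results[name] = {
            "block_size": correct_block,
            "manual_matches_stdlib": hmac_manual(key, msg, name, correct_block) == ref,
            # True only for SHA-256, whose block really is 64 bytes.
            "wrong_block_matches": hmac_manual(key, msg, name, 64) == ref,
            "rfc4868_icv_len": len(icv(key, msg, name, RFC4868_ICV_BITS[name])),
            "legacy_icv_len": len(icv(key, msg, name, LEGACY_ICV_BITS)),
        }
    return results


if __name__ == "__main__":
    for alg, r in demo().items():
        print(alg, r)
```

The two checks a practitioner cares about are the `wrong_block_matches` flags (False for SHA-384/512, so a peer with the 64-byte-block bug never validates a correct MAC) and `icv_matches` with a legacy 96-bit ICV against an RFC 4868 receiver (False, which is exactly the cross-version incompatibility the commit warns about).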


# 1.178 12-Aug-2009 martynas

don't confuse chars with strings; ok oga@


Revision tags: OPENBSD_4_6_BASE
# 1.177 02-Jun-2009 blambert

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@


# 1.176 02-Jun-2009 oga

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.


Revision tags: OPENBSD_4_5_BASE
# 1.175 16-Feb-2009 dlg

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@


# 1.174 22-Oct-2008 mpf

#if INET => #ifdef INET
#if INET6 => #ifdef INET6


# 1.173 15-Sep-2008 chl

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@


# 1.172 10-Sep-2008 blambert

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@


Revision tags: OPENBSD_4_4_BASE
# 1.171 18-Apr-2008 djm

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@


Revision tags: OPENBSD_4_3_BASE
# 1.170 29-Oct-2007 chl

MALLOC/FREE -> malloc/free

ok krw@


# 1.169 09-Oct-2007 krw

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.168 14-Feb-2007 jsg

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@


# 1.167 18-Jan-2007 henning

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo


# 1.166 24-Nov-2006 reyk

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.165 13-Jan-2006 mpf

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@


# 1.164 24-Nov-2005 pedro

Remove kernfs, okay deraadt@.


Revision tags: OPENBSD_3_8_BASE
# 1.163 28-May-2005 ho

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@


# 1.162 27-May-2005 hshoexer

long overdue snprintf cleanup in kernfs related code
ok cloder


# 1.161 21-Apr-2005 hshoexer

handle return value of snprintf correctly

ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.160 19-Nov-2004 hshoexer

Plug memory leak. Found by pat@. Thanks!

ok myself markus@


Revision tags: OPENBSD_3_6_BASE
# 1.159 21-Jun-2004 tholo

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@


Revision tags: SMP_SYNC_A SMP_SYNC_B
# 1.158 14-Apr-2004 markus

simpler ipsp_aux_match() API; ok henning, hshoexer


# 1.157 31-Mar-2004 henning

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.156 15-Feb-2004 markus

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning


# 1.155 27-Jan-2004 markus

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@


# 1.154 22-Jan-2004 markus

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@


# 1.153 02-Dec-2003 markus

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@


Revision tags: OPENBSD_3_4_BASE UBC_SYNC_A
# 1.152 09-May-2003 deraadt

string cleaning; ok tedu


# 1.151 06-May-2003 deraadt

string cleaning; tedu ok


Revision tags: OPENBSD_3_3_BASE
# 1.150 19-Nov-2002 jason

Use queue.h macros


Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B
# 1.149 09-Jun-2002 itojun

whitespace


# 1.148 09-Jun-2002 angelos

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).


# 1.147 31-May-2002 angelos

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...


Revision tags: OPENBSD_3_1_BASE
# 1.146 14-Mar-2002 millert

First round of __P removal in sys


# 1.145 23-Feb-2002 angelos

Print compression algorithm name too.


Revision tags: UBC_BASE
# 1.144 05-Dec-2001 deraadt

branches: 1.144.2;
KNF whack


Revision tags: OPENBSD_3_0_BASE
# 1.143 03-Oct-2001 angelos

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.


# 1.142 05-Sep-2001 deraadt

use %ll instead of %q


# 1.141 08-Aug-2001 jjbg

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.


# 1.140 05-Jul-2001 jjbg

IPComp support. angelos@ ok.


# 1.139 27-Jun-2001 angelos

Minor nits.


# 1.138 27-Jun-2001 angelos

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.


# 1.137 26-Jun-2001 angelos

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF


# 1.136 26-Jun-2001 angelos

KNF


# 1.135 25-Jun-2001 angelos

Copyright.


# 1.134 24-Jun-2001 provos

print mtu of tdb if discovered


# 1.133 24-Jun-2001 angelos

Print TDBF_USEDTUNNEL in ipsp_kern()


# 1.132 23-Jun-2001 angelos

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.


# 1.131 23-Jun-2001 angelos

Use DLIST for tags.


# 1.130 08-Jun-2001 angelos

Trim include files.


# 1.129 07-Jun-2001 angelos

Simplify SPD logic (and correct some input cases).


# 1.128 05-Jun-2001 angelos

That DPRINTF() is not needed.


# 1.127 05-Jun-2001 angelos

Clear acquires only if TDB was established correctly.


# 1.126 05-Jun-2001 angelos

Correct credential matching logic.


# 1.125 04-Jun-2001 mickey

use a faster arc4random() for random spi generation; angelos@ ok


# 1.124 01-Jun-2001 angelos

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.


# 1.123 01-Jun-2001 angelos

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.


# 1.122 30-May-2001 angelos

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs


# 1.121 30-May-2001 angelos

Free remote authentication material on TDB free.


# 1.120 30-May-2001 angelos

Free local auth on TDB free.


# 1.119 29-May-2001 angelos

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.


# 1.118 29-May-2001 angelos

Add ipsp_skipcrypto_{mark,unmark}()


# 1.117 27-May-2001 angelos

ipsp_copy_ident() no longer needed.


# 1.116 22-May-2001 angelos

Simplify option printing. ok deraadt@


# 1.115 21-May-2001 angelos

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@


# 1.114 05-May-2001 angelos

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.


Revision tags: OPENBSD_2_9_BASE
# 1.113 06-Apr-2001 csapuntz

Move offsetof define into sys/param.h


# 1.112 28-Mar-2001 angelos

tdb_inp -> (tdb_inp_in, tdb_inp_out)


# 1.111 28-Mar-2001 angelos

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.


# 1.110 27-Mar-2001 art

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.


# 1.109 15-Mar-2001 mickey

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok


# 1.108 13-Mar-2001 angelos

Force a new search for an SA if the latched one is deleted.


# 1.107 04-Mar-2001 angelos

Store peer's credentials in TDB.


# 1.106 28-Feb-2001 angelos

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.


# 1.105 28-Dec-2000 angelos

Remove unused and confusing reporting line.


# 1.104 24-Dec-2000 angelos

Extra argument in the function to tdb_walk(), indicating last TDB.


# 1.103 18-Dec-2000 angelos

Minor sanity check.


# 1.102 15-Dec-2000 provos

send expire messages also for sa's that have not been used.
okay angelos@


Revision tags: OPENBSD_2_8_BASE
# 1.101 19-Sep-2000 angelos

SA bundles.


# 1.100 19-Sep-2000 angelos

Lots and lots of changes.


# 1.99 03-Aug-2000 angelos

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()


# 1.98 03-Aug-2000 angelos

Avoid unnecessary call to in_cksum().


# 1.97 03-Aug-2000 angelos

Zeroize ip_sum before computing checksum (just general paranoia).


# 1.96 19-Jun-2000 itojun

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).


# 1.95 18-Jun-2000 angelos

Correct function declaration.


# 1.94 18-Jun-2000 angelos

Pull in the right header for ip6_sprintf(), fix argument.


# 1.93 18-Jun-2000 angelos

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()


# 1.92 18-Jun-2000 angelos

Print++


# 1.91 06-Jun-2000 angelos

Get rid of tdb_ref, keep indirect pointer to TDB.


# 1.90 01-Jun-2000 angelos

Fix the German's comment typos.


# 1.89 01-Jun-2000 angelos

Should learn how to count...


# 1.88 01-Jun-2000 angelos

Oops, remove bogus comment.


# 1.87 01-Jun-2000 angelos

Beautify a little bit.


# 1.86 01-Jun-2000 angelos

Use ipsp_spd_lookup() in ip_output()


# 1.85 01-Jun-2000 angelos

ipsp_acquire_sa()


# 1.84 01-Jun-2000 angelos

ipsp_spd_lookup()


Revision tags: OPENBSD_2_7_BASE
# 1.83 19-Apr-2000 angelos

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.


# 1.82 28-Mar-2000 angelos

Allow authentication-only ESP (must have broken it in the previous
round of commits).


# 1.81 28-Mar-2000 angelos

Set the protocol family in the destination address of bypass flows.


# 1.80 17-Mar-2000 angelos

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.


Revision tags: SMP_BASE
# 1.79 09-Feb-2000 itojun

branches: 1.79.2;
don't need netinet6/in6.h


# 1.78 07-Feb-2000 itojun

fix include file path related to ip6.


# 1.77 27-Jan-2000 angelos

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).


# 1.76 21-Jan-2000 angelos

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.


# 1.75 13-Jan-2000 angelos

Print number of ingress flows in /kern/ipsec


# 1.74 13-Jan-2000 angelos

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)


# 1.73 11-Jan-2000 angelos

Correct sa_require handling.


# 1.72 11-Jan-2000 angelos

Fix check for sen_type.


# 1.71 11-Jan-2000 angelos

Use default values when requesting dynamic VPNs.


# 1.70 11-Jan-2000 angelos

Only use defaults if they have sane values.


# 1.69 10-Jan-2000 angelos

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.


# 1.68 10-Jan-2000 angelos

Some more code for dealing with socket IPsec options.


# 1.67 10-Jan-2000 angelos

Only set up an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0


# 1.66 10-Jan-2000 angelos

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).


# 1.65 10-Jan-2000 angelos

1) Set up a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.


# 1.64 10-Jan-2000 angelos

Free ACL when deleting TDB.


# 1.63 09-Jan-2000 angelos

Ports in network order...


# 1.62 27-Dec-1999 angelos

Print associated interface, if present.


# 1.61 25-Dec-1999 angelos

Change some function prototypes, don't unnecessarily initialize some
variables.


# 1.60 25-Dec-1999 angelos

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.


Revision tags: kame_19991208
# 1.59 08-Dec-1999 itojun

comment out call to inet_ntoa6() as we don't have the code yet.


# 1.58 06-Dec-1999 angelos

New ESP code that's v4 and v6 friendly.


# 1.57 05-Dec-1999 angelos

Fix an INET6 dependency (niklas@)


# 1.56 04-Dec-1999 angelos

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.


# 1.55 04-Nov-1999 ho

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().


Revision tags: OPENBSD_2_6_BASE
# 1.54 03-Sep-1999 ho

inet_ntoa4 should manage 4-calls, not just 2


# 1.53 10-Aug-1999 ho

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb


# 1.52 05-Aug-1999 ho

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.


# 1.51 17-Jul-1999 niklas

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.


# 1.50 15-Jul-1999 niklas

Protect better against rehashing making the kernel run out of resources


# 1.49 15-Jul-1999 niklas

From angelos@, edits by me, demand keying for PF_KEY


# 1.48 06-Jul-1999 ho

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)


# 1.47 06-Jul-1999 cmetz

Added support for TCP MD5 option (RFC 2385).


# 1.46 07-Jun-1999 angelos

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)


# 1.45 04-Jun-1999 provos

forgot to zero sunion


# 1.44 23-May-1999 niklas

SA hash table resizing


# 1.43 20-May-1999 niklas

Fix a bug where the ordered expiration list could get out of order. Add
invariant checking of the lists when DIAGNOSTIC compiled. Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.


# 1.42 16-May-1999 niklas

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.


# 1.41 14-May-1999 niklas

A new scalable IPsec SA expiration model.


Revision tags: OPENBSD_2_5_BASE
# 1.40 12-Apr-1999 deraadt

move encdebug to a useful place


# 1.39 27-Mar-1999 provos

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.


# 1.38 24-Mar-1999 niklas

Implement lifetime expiration notifications. Fix some typos. Remove statics.


# 1.37 04-Mar-1999 deraadt

be more careful with freeing TDBs


# 1.36 04-Mar-1999 deraadt

more paranoid maintenance


# 1.35 25-Feb-1999 angelos

Prettier reporting, report number of flows in use per SA.


# 1.34 25-Feb-1999 angelos

Print more information in /kern/ipsec


# 1.33 24-Feb-1999 angelos

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.


# 1.32 24-Feb-1999 angelos

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.


# 1.31 11-Jan-1999 deraadt

remove panic() calls, consistent error reporting


# 1.30 16-Nov-1998 niklas

Please GCC


# 1.29 16-Nov-1998 niklas

Break long lines. Use correct format for expiry times
Present "first use" expirations correctly.


# 1.28 16-Nov-1998 deraadt

SPIs are kept in network byte order


Revision tags: OPENBSD_2_4_BASE
# 1.27 13-Oct-1998 niklas

Remove NULL deref condition


# 1.26 18-May-1998 provos

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.


# 1.25 17-May-1998 provos

fix tdb_delete() when using SPI chains.


Revision tags: OPENBSD_2_3_BASE
# 1.24 22-Feb-1998 niklas

Changes made for GCC 2.8 -Wall pleasures


# 1.23 04-Nov-1997 provos

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.


Revision tags: OPENBSD_2_2_BASE
# 1.22 02-Oct-1997 deraadt

conditional error logging


# 1.21 01-Oct-1997 deraadt

should report unsigned quantities


# 1.20 28-Sep-1997 deraadt

log() needs a \n


# 1.19 23-Sep-1997 angelos

AH changes, after interoperating at the ANX bakeoff.


# 1.18 28-Jul-1997 provos

make it compile


# 1.17 27-Jul-1997 niklas

expiration messages, fixes, updates, all sorts of things


# 1.16 24-Jul-1997 deraadt

bail properly if malloc fails


# 1.15 18-Jul-1997 provos

enablespi/disablespi in encap + print spi's in hostorder


# 1.14 15-Jul-1997 provos

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix


# 1.13 11-Jul-1997 provos

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.


# 1.12 02-Jul-1997 provos

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.


# 1.11 01-Jul-1997 provos

major restructuring


# 1.10 25-Jun-1997 provos

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI


# 1.9 24-Jun-1997 provos

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes


# 1.8 21-Jun-1997 deraadt

u_int32_t changes, need testing


# 1.7 20-Jun-1997 provos

ah-sha1 + esp-3des + indentation


Revision tags: OPENBSD_2_1_BASE
# 1.6 24-Feb-1997 niklas

OpenBSD tags + some prototyping police


# 1.5 21-Feb-1997 angelos

Removed no longer necessary cautionary comment.


# 1.4 21-Feb-1997 niklas

-nostdinc and big endian cleanup


# 1.3 21-Feb-1997 angelos

Fixed error introduced with last patch.


# 1.2 21-Feb-1997 angelos

Removed some of the ugliness in ipsp_kern().


# 1.1 20-Feb-1997 deraadt

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz